On Sat, 12 Feb 2000, Michael H. Warfield wrote:

: Portsentry <www.psionic.com> does this for Unix/Linux systems
: as well. You can select what classes of services it will react to. I
: don't advise UDP or "stealth TCP" because it's spoofable, but connected
: TCP port scans work great.

Portsentry works well _if_ you are not running ipchains (or other firewalling code) on your Linux/*NIX box. Portsentry will not even have an opportunity to look at packets as they come in if you are running ipchains, since the firewall code is integrated directly into the kernel. Hence, if you want any kind of IDS functionality on a firewalled Linux box, you need an IDS that works with ipchains.

I have written such a system and it is going to be included in the next release of Bastille Linux (see www.bastille-linux.org). It features a response system that will block all traffic from an offending IP only if the IP has tripped a set of highly configurable thresholds that the admin defines.

--Mike
http://www.math.umd.edu/~mbr
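One way to build the kind of threshold-driven responder Mike describes (an IDS that works from what ipchains itself logs, and blocks a source only after it trips an admin-defined threshold), as an added example that is neither his Bastille code nor Portsentry: it parses the kernel's ipchains "Packet log:" lines, keeps a sliding window of dropped packets per source address, and emits an ipchains block rule once one source has hit enough distinct ports. The log-line format is recalled from the ipchains documentation and is an assumption; the host names, addresses, port numbers and threshold values are constructed for the example; and, following Warfield's spoofing caveat, only TCP is counted by default and a never-block list protects hosts such as the gateway. The block command is returned as a string, not executed.

```python
"""Threshold responder over ipchains log lines (added example, not the
Bastille Linux code the post refers to)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# One "Packet log:" line as the 2.2 kernel's ipchains code hands it to
# klogd/syslog. Assumption: format recalled from the ipchains HOWTO.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one ipchains log line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because timestamps are only ever compared with each other.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["proto"] = int(rec["proto"])
    rec["dport"] = int(rec["dport"])
    return rec


class ThresholdResponder:
    """Block a source once the firewall has dropped its packets to at least
    `max_ports` distinct destination ports within `window_seconds`.

    Only protocols in `protocols` count (TCP only by default: UDP and
    stealth-scan packets are trivially spoofed, so counting them lets an
    attacker get an innocent address blocked). Sources in `never_block` are
    exempt so a spoofed scan cannot lock out the gateway or the DNS server.
    """

    def __init__(self, max_ports: int = 5, window_seconds: int = 60,
                 protocols=(6,), never_block=()):
        self.max_ports = max_ports
        self.window = window_seconds
        self.protocols = set(protocols)
        self.never_block = set(never_block)
        self.blocked: List[str] = []
        self._events: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)

    def feed(self, line: str) -> Optional[str]:
        """Consume one log line; return the ipchains block command if this
        line tripped the threshold for its source, otherwise None."""
        rec = parse_line(line)
        # Only packets the firewall actually dropped are evidence of a scan.
        if rec is None or rec["target"] not in ("DENY", "REJECT"):
            return None
        if rec["proto"] not in self.protocols:
            return None
        src = rec["src"]
        if src in self.never_block or src in self.blocked:
            return None
        q = self._events[src]
        q.append((rec["ts"], rec["dport"]))
        # Age out events that fell outside the sliding window.
        while (rec["ts"] - q[0][0]).total_seconds() > self.window:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= self.max_ports:
            self.blocked.append(src)
            del self._events[src]
            # The response: drop everything from the source. Returned, not run.
            return f"ipchains -I input -s {src} -j DENY"
        return None


def run(lines, responder: Optional[ThresholdResponder] = None) -> List[str]:
    """Feed a sequence of log lines and collect the block commands produced."""
    responder = responder or ThresholdResponder(never_block=("192.168.1.1",))
    return [cmd for cmd in map(responder.feed, lines) if cmd]


# Constructed sample log: 10.1.2.3 probes five closed TCP ports in a few
# seconds, 10.9.9.9 sends UDP (ignored), 192.168.1.1 is the exempt gateway.
SAMPLE_LOG = """\
Feb 12 10:00:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:40001 192.168.1.10:21 L=60 S=0x00 I=101 F=0x4000 T=64 SYN (#4)
Feb 12 10:00:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:40002 192.168.1.10:23 L=60 S=0x00 I=102 F=0x4000 T=64 SYN (#4)
Feb 12 10:00:02 gw kernel: Packet log: input DENY eth0 PROTO=17 10.9.9.9:53 192.168.1.10:111 L=48 S=0x00 I=103 F=0x0000 T=64 (#4)
Feb 12 10:00:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.1:40003 192.168.1.10:21 L=60 S=0x00 I=104 F=0x4000 T=64 SYN (#4)
Feb 12 10:00:02 gw kernel: eth0: link is up
Feb 12 10:00:03 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:40004 192.168.1.10:25 L=60 S=0x00 I=105 F=0x4000 T=64 SYN (#4)
Feb 12 10:00:03 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.1.2.3:40005 192.168.1.10:22 L=60 S=0x00 I=106 F=0x4000 T=64 SYN (#2)
Feb 12 10:00:04 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:40006 192.168.1.10:80 L=60 S=0x00 I=107 F=0x4000 T=64 SYN (#4)
Feb 12 10:00:04 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:40007 192.168.1.10:110 L=60 S=0x00 I=108 F=0x4000 T=64 SYN (#4)
Feb 12 10:00:05 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:40008 192.168.1.10:143 L=60 S=0x00 I=109 F=0x4000 T=64 SYN (#4)
"""

if __name__ == "__main__":
    for cmd in run(SAMPLE_LOG.splitlines()):
        print(cmd)
```

Run against the sample, the responder emits exactly one rule, for 10.1.2.3, on the fifth distinct port; the later probe from the same source is ignored because it is already blocked, and the UDP, gateway and ACCEPT lines never count. In a real deployment the loop would tail the syslog file and hand the command to ipchains, and the thresholds, protocol set and never-block list would come from the admin's configuration rather than the constructor defaults.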
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:23 PDT