Portsentry and ipchains...


Nandy
11-14-2000, 06:15 PM
Any of you using Portsentry and ipchains out there? I bet a lot of you are... Well, for some reason if I have my firewall running and go to any of those sites that scan your PC for free, portsentry does not seem to "sense" any hits on the ports and it will not add anything to the following files:
/usr/local/psionic/portsentry/portsentry.history
/usr/local/psionic/portsentry/portsentry.blocked.stcp
/usr/local/psionic/portsentry/portsentry.blocked.sudp
/etc/hosts.deny

If I turn off the firewall (I know, not too wise) for a little bit while the test is being performed, I will get logs and the deny file will have more IPs to block ;') Is this normal? Do I have to do something special in order to have ipchains and portsentry work together?

Of course I have edited the deny file and cleared the portsentry log files after testing to make sure those IPs (the ones doing the test) were not blocked.

BTW - Do I have to do anything after manually editing the hosts.deny file? I added some IPs last night that were trying my telnet, ftp and some trojan ports, and during the morning I saw one of those IPs in the ipchains log again. Should I see the IP even if I have it in the hosts.deny file?

Thanks,

Nandy

PS - The Linux I have installed is the Red Hat 6.2 distribution...

Fandelem
11-14-2000, 06:40 PM
I don't see why it should matter that much. Even if one is working before the other, they are both accomplishing the same goal: to keep out people you don't want (well, sort of). IPCHAINS will come into play first, blocking specific ports you don't want access to, and also sites, and well, a ton of other stuff.. after that, portsentry will come into play 'stealthing' (or whatever mode you have it set to) ports.. think of it as two layers of defense.. why should you bother testing your security without one of the two? I would think you would want to test with whatever security settings you have that you do your everyday stuff on.. and if it holds up.. then all the better.. no?

X_console
11-14-2000, 07:03 PM
When you have your ipchains firewall and portsentry up and running at the same time, all packets hit ipchains first. So portsentry doesn't see it. If you like, you can run ipchains but not have it watch certain ports, and then let portsentry watch those ports instead.
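
The split X_console describes, written out as an added example (it is not code from the thread or from the PortSentry project): an ipchains input chain that denies by default but leaves the ports PortSentry binds unfiltered, so those probes reach PortSentry in user space and are logged there, while everything else is denied and logged by ipchains. The interface name, the port list and the sample address are assumptions; the functions only print the commands, and nothing is applied unless the output is piped to sh as root on a 2.2-kernel host.

```shell
#!/bin/sh
# Added example, not from the thread: an ipchains rule set (Red Hat 6.2, 2.2 kernel)
# that denies inbound traffic by default but deliberately leaves the ports PortSentry
# binds (here 21 and 23, the two Nandy mentions) unfiltered, so a probe reaches
# PortSentry in user space and gets logged there instead of being dropped silently
# by ipchains. The interface, the port list and the sample address are assumptions.
# The functions only PRINT the commands; nothing is applied unless the output is
# piped to sh as root.

EXT_IF="eth0"            # assumed external interface
WATCHED_PORTS="21 23"    # ports PortSentry listens on; no real daemon is bound there

# ipchains_rules prints a complete input-chain rule set, one command per line.
ipchains_rules() {
    echo "ipchains -F input"                          # start from an empty chain
    echo "ipchains -P input DENY"                     # default: drop what nothing accepts
    echo "ipchains -A input -i lo -j ACCEPT"          # loopback is always fine
    echo "ipchains -A input -p tcp ! -y -j ACCEPT"    # non-SYN TCP = replies to our own connections
    for p in $WATCHED_PORTS; do                       # hand these ports to PortSentry, not ipchains
        echo "ipchains -A input -p tcp -i $EXT_IF -d 0/0 $p -j ACCEPT"
    done
    echo "ipchains -A input -i $EXT_IF -j DENY -l"    # everything else: deny and log (-l) in ipchains
}

# ipchains_allow_host ADDR prints a rule that inserts ADDR at the top of the chain,
# the way Fandelem suggests admitting a friend by address rather than editing hosts.deny.
ipchains_allow_host() {
    echo "ipchains -I input 1 -s $1 -j ACCEPT"
}

# ipchains_rule_count counts the rules ipchains_rules emits (a sanity check).
ipchains_rule_count() {
    ipchains_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    ipchains_rules | sh                # requires root and a 2.2 kernel with ipchains
else
    ipchains_rules                     # dry run: show what would be applied
    ipchains_allow_host 203.0.113.7    # constructed sample address for a trusted friend
fi
```

Note that the `! -y` rule accepts any non-SYN TCP segment, so ACK-only probes to a watched port still pass ipchains; PortSentry, which only accepts real connections on the ports it binds, is what turns those into log entries.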

Nandy
11-14-2000, 07:26 PM
Fandelem, what I like about Portsentry is that it will automatically add the IP addresses of the people trying to get in my ports to the hosts.deny. Therefore I might not need to add them manually. Also these services scan a handful of the ports, unless you pay. So in order to allow these low ports to be successfully scanned I have to take the firewall down. Actually what I do is run a modified firewall, leaving some specific ports open.

X_console, that sounds like a great idea. There are some daemons I have turned off in inetd; I might use those. Especially the ftp port, which next to the telnet port is the one most scanned. Since I don't have ftp running I shouldn't be risking anything leaving port 21 open, right?

Nandy

Fandelem
11-14-2000, 08:27 PM
you should have "ALL:ALL" in your hosts.deny file anyways, so adding people to it shouldn't really matter =) it's much easier (well, erm, safer..) to have a friend ask you for access, and you add his IP address (or a very specific block of IP addresses, if he uses DHCP from his ISP) to your firewall ruleset :)
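
To see why a catch-all "ALL: ALL" makes further hosts.deny entries redundant, and why a friend is admitted through hosts.allow (or the firewall) rather than hosts.deny, here is an added example that models the tcp_wrappers decision order in POSIX sh. It is not code from the thread or from tcp_wrappers itself; the hosts.allow and hosts.deny contents are constructed samples, and only three pattern forms are modelled: ALL, an exact address, and a network prefix ending in a dot.

```shell
#!/bin/sh
# Added example, not from the thread: a small POSIX-sh model of how tcp_wrappers
# (the library behind /etc/hosts.allow and /etc/hosts.deny on Red Hat 6.x) decides
# access, so a ruleset can be checked before it is trusted. The order is:
#   1. any matching line in hosts.allow  -> access granted
#   2. any matching line in hosts.deny   -> access refused
#   3. no match in either file           -> access granted
# Only these client patterns are modelled: ALL, an exact address, and a network
# prefix with a trailing dot (e.g. "192.168.1."). The sample files are constructed.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
ALLOW_FILE="$TMPD/hosts.allow"
DENY_FILE="$TMPD/hosts.deny"

cat > "$ALLOW_FILE" <<'EOF'
# constructed sample: a friend's fixed address and the LAN may reach ftp,
# localhost may reach anything
in.ftpd: 203.0.113.7, 192.168.1.
ALL: 127.0.0.1
EOF

cat > "$DENY_FILE" <<'EOF'
# constructed sample: the catch-all Fandelem recommends
ALL: ALL
EOF

# _wrappers_match DAEMON CLIENT FILE -> exit 0 if a non-comment line matches both
_wrappers_match() {
    awk -v d="$1" -v c="$2" '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
        {
            split($0, f, ":")                         # "daemon_list : client_list [: options]"
            gsub(/[ \t]/, "", f[1]); gsub(/[ \t]/, "", f[2])
            dm = 0; cm = 0
            n = split(f[1], dl, ",")
            for (i = 1; i <= n; i++) if (dl[i] == "ALL" || dl[i] == d) dm = 1
            n = split(f[2], cl, ",")
            for (i = 1; i <= n; i++) {
                p = cl[i]
                if (p == "ALL" || p == c) cm = 1
                else if (substr(p, length(p), 1) == "." && index(c, p) == 1) cm = 1
            }
            if (dm && cm) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$3"
}

# wrappers_decision DAEMON CLIENT [ALLOW_FILE DENY_FILE] -> prints "allow" or "deny"
wrappers_decision() {
    if _wrappers_match "$1" "$2" "${3:-$ALLOW_FILE}"; then echo allow
    elif _wrappers_match "$1" "$2" "${4:-$DENY_FILE}"; then echo deny
    else echo allow
    fi
}

# deny_line_is_redundant CLIENT -> exit 0 if appending "ALL: CLIENT" to hosts.deny
# would not change the decision for a telnet attempt from CLIENT (works on a copy).
deny_line_is_redundant() {
    before=$(wrappers_decision in.telnetd "$1")
    cp "$DENY_FILE" "$TMPD/hosts.deny.extra"
    printf 'ALL: %s\n' "$1" >> "$TMPD/hosts.deny.extra"
    after=$(wrappers_decision in.telnetd "$1" "$ALLOW_FILE" "$TMPD/hosts.deny.extra")
    [ "$before" = "$after" ]
}

# Walk-through when run directly:
for probe in "in.ftpd 203.0.113.7" "in.telnetd 203.0.113.7" "in.ftpd 192.168.1.20" \
             "in.ftpd 198.51.100.9" "in.telnetd 127.0.0.1"; do
    set -- $probe
    echo "$1 from $2: $(wrappers_decision "$1" "$2")"
done
if deny_line_is_redundant 198.51.100.9; then
    echo "adding 'ALL: 198.51.100.9' to hosts.deny changes nothing (ALL: ALL already denies it)"
fi
```

The walk-through shows the two halves of Fandelem's point: the friend's address is admitted to ftp because hosts.allow is consulted first, and an extra hosts.deny line for a scanner's address changes no decision once "ALL: ALL" is present, which is also why PortSentry's automatic hosts.deny entries add nothing on such a host.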

Nandy
11-14-2000, 08:37 PM
You are right, I have ALL:ALL in my deny; adding the IPs to this file is a little redundant. I might still try leaving the ftp port open in order to have portsentry catch people going there and provide me the list...

Nandy

X_console
11-15-2000, 08:55 AM
If you want to know who's connecting to your FTP port, then you can have PortSentry monitor it, but not have the daemon actually running. Is that what you're asking?

Nandy
11-15-2000, 09:16 AM
Yep!!!! That is what I plan to do; I think it will be ok. They can't run my ftp if it is not enabled. What I wonder is if there is any trojan or security issue other than the ftp listening to the ftp port.

Nandy