Saturday, 26 July 2008

Portsentry

The Portsentry daemon binds to a selection of unused network ports. The goal is to log any attempt to access those ports. Portsentry can also do any of the following when it receives a packet on a port it is monitoring:

  1. "Null route" the packet to nowhere,
  2. add a block rule to the local firewall (a cheap IDS/IPS to block hosts attacking you), or
  3. run an arbitrary command defined in the configuration.

You would use this on ports that are commonly attacked to detect attacks on your systems. An example would be monitoring access to TCP 1433 inside a network. An employee or contractor who is "looking around" the network for SQL servers without authorisation may end up being logged as accessing this system. As no access to this port on the Portsentry system should ever occur, it is at the least worth asking the question why the individual was connecting to it...
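As an added illustration of the bind-and-log behaviour described above (this is example code, not Portsentry itself or its configuration), the listener below binds a few assumed-unused TCP ports, records every completed connection, and returns the response an operator would take in each of the three modes. The port list, ignore list and the route/iptables/notify commands are all assumptions chosen for the example; commands are only returned as strings, never executed.

```python
import socket
import selectors
import ipaddress
from datetime import datetime, timezone

# Constructed example config (not Portsentry's): ports assumed unused on this host,
# the response mode, and source networks that must never be blocked (e.g. ourselves).
WATCHED_PORTS = [1433, 23, 5900]
BLOCK_MODE = "firewall"            # one of: "log", "nullroute", "firewall", "command"
IGNORE_NETS = [ipaddress.ip_network("127.0.0.0/8")]


def decide_action(peer_ip: str, port: int, mode: str = BLOCK_MODE):
    """Return (log_line, command) for one connection attempt.

    command is the hypothetical response an operator would run for the
    chosen mode, or None when only logging applies. Nothing is executed here.
    """
    ip = ipaddress.ip_address(peer_ip)
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    log_line = f"{ts} attackalert: connect from {peer_ip} to TCP port {port}"
    if any(ip in net for net in IGNORE_NETS):
        return log_line + " (ignored host, no action)", None
    if mode == "nullroute":                 # example 1: send replies nowhere
        return log_line, f"route add -host {peer_ip} reject"
    if mode == "firewall":                  # example 2: drop the source at the host firewall
        return log_line, f"iptables -I INPUT -s {peer_ip} -j DROP"
    if mode == "command":                   # example 3: arbitrary operator-defined command
        return log_line, f"/usr/local/bin/notify-soc {peer_ip} {port}"
    return log_line, None                   # plain logging


def watch(ports=WATCHED_PORTS, host="0.0.0.0", max_events=None):
    """Bind each watched port and log every accepted connection."""
    sel = selectors.DefaultSelector()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(5)
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ, data=port)
    seen = 0
    while max_events is None or seen < max_events:
        for key, _ in sel.select(timeout=1.0):
            conn, (peer_ip, _) = key.fileobj.accept()
            conn.close()                    # never talk to the client; just record the attempt
            log_line, cmd = decide_action(peer_ip, key.data)
            print(log_line)
            if cmd:
                print("would run:", cmd)
            seen += 1


if __name__ == "__main__":
    watch()                                 # binding low ports needs root
```

Because this only sees completed TCP handshakes, it records connects and full-connect scans; the half-open and other stealth scans mentioned next need Portsentry's raw-socket modes rather than a plain listener like this.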

Portsentry can also be used to detect half-open and other stealth scans against a network and host.

Details on how to configure Portsentry may be found at:
