On Wed, 16 Aug 2006 12:07:18 -0400, David Cary Hart wrote:

> On Wed, 16 Aug 2006 11:34:25 -0400, "Amadeus W. M." <amadeus84@xxxxxxxxxxxxxx> opined:
>
>> On Wed, 16 Aug 2006 04:25:38 -0600, Ashley M. Kirchner wrote:
>>
>> The answer to your question is portsentry. It runs in the background, monitoring a list of ports for incoming connections. If an attacker hits a port so many times in a short amount of time, portsentry bans the offending machine by introducing the appropriate rule in iptables. Of course, the list of ports and the threshold for the number of hits are configurable.
>>
>> That said, cool as it may sound, portsentry has a major drawback which made me and many others prefer a non-dynamic approach to security. Portsentry can be used to produce a denial of service attack. Suppose you connect regularly from your work.com machine to your home.net machine, and malicious.com knows that. Then malicious.com can send packets to home.net pretending to originate from work.com. Then, for all it knows, portsentry running on your home.com will cut off access to work.com. Sounds complicated, but it's trivial to do that, with things like nc or nmap.
>
> Using swatch (perl) to execute a script is far more flexible and controllable (IMO).
>
> --
> Do NOT Send Email to <spam trap> Fedora@TQMcube,com
> Our DNSRBL - Eliminate Spam at The Source: http://www.TQMcube.com
> Don't Subsidize Criminals: http://boulderpledge.org

I don't care to defend portsentry, but I'll say that portsentry is highly configurable too. However you configure a dynamic firewall, I think you can still lock yourself out, if you try. I don't think the DoS scenario I outline above is portsentry specific. I'm not familiar with swatch though, so I may be wrong.

After my portsentry days, I completely dropped any dynamic approach to security.
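The following is an added illustration, not code from the thread or from portsentry: a small simulation of the threshold-ban logic described above, fed a constructed trace in which packets carrying a spoofed work.com source address push the legitimate host over the ban threshold. It also shows the usual mitigation for this failure mode, a never-block list of trusted addresses. The IP addresses and thresholds are constructed placeholders.

```python
from collections import defaultdict, deque


class DynamicBanner:
    """Model of a reactive blocker: count connection hits per claimed source
    address inside a sliding time window and ban the address once the hit
    count reaches the threshold (portsentry would add an iptables rule here)."""

    def __init__(self, threshold, window, never_block=()):
        self.threshold = threshold      # hits inside the window that trigger a ban
        self.window = window            # window length in seconds
        self.never_block = set(never_block)  # trusted hosts that are never banned
        self.hits = defaultdict(deque)
        self.banned = set()

    def observe(self, ts, src_ip):
        """Record one observed hit. Returns True if the hit caused a ban.
        Note that src_ip is whatever the packet claims, so spoofed packets
        are counted against the victim address, not the real sender."""
        if src_ip in self.banned or src_ip in self.never_block:
            return False
        q = self.hits[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.banned.add(src_ip)
            return True
        return False

    def accepts(self, src_ip):
        return src_ip not in self.banned


# Constructed trace (seconds, claimed source). Documentation-range addresses
# stand in for the hosts named in the thread; real portsentry would see ports too.
WORK_IP = "198.51.100.10"  # work.com, the legitimate remote host

TRAFFIC = [
    (0.0, WORK_IP),    # genuine login from work.com
    (5.0, WORK_IP),    # burst of four packets spoofed to look like work.com
    (5.1, WORK_IP),
    (5.2, WORK_IP),
    (5.3, WORK_IP),
]


def work_still_allowed(never_block=()):
    """Replay the trace; report whether work.com can still connect afterwards."""
    banner = DynamicBanner(threshold=4, window=10.0, never_block=never_block)
    for ts, src in TRAFFIC:
        banner.observe(ts, src)
    return banner.accepts(WORK_IP)
```

Without the never-block list the spoofed burst locks out work.com; with `work_still_allowed(never_block={WORK_IP})` the same trace leaves access intact.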