
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

RE: [vox-tech] Running PortSentry

On Sat, 21 Oct 2000, D K Huckaba wrote:

> Jessica, Please elaborate if you would. This an area (net security) that
> fascinates me, however I never have the time (well I never make the time) to
> dive into it very much. I know the basics (ports use, firewalling, routing,
> etc) but what do you mean about "analyzing raw sockets" v. "binding to the
> socket"?

To be honest, for the most part I was just regurgitating information on
the psionic web page :) Like I said, I've only played with it a little.

Let's start with binding to the port, since I actually have a good idea
about what that is. In that case, portsentry actually opens the port and
sits there waiting for a connection, in the same way a server would. There
are at least two problems with this. One is that it makes the output of
netstat next to useless, the other is that it can leak information - 
unless you set it to the most paranoid setting (blocking at the first
hit), a scan will show a port (or more, depending on how insensitively you
have it set) open, and then the computer would seem to disappear. Someone
familiar with that behaviour would recognize that as a fingerprint of

Actually, this is probably fine for the average user, who is protecting
their home computer on a dsl connection from impersonal script kiddies who
aren't targeting their computer in particular. At least not until some
exploit is written and a script written to detect portsentried hosts, or
something :) In any case, the less information you give out, the better.

I'd assume that analyzing the raw socket would mean that portsentry is
acting similar to ipchains, and looking at information sent to the port
without actually opening the port. This is the more intelligent way to do
it (for a single-platform solution, at least), since the port isn't
sitting around open and it doesn't give any sign to the outside world
(even at a less paranoid setting).

What bugs me most about portsentry (in any of the modes) is that it's a
reactive solution - the attacking host isn't blocked until it does
something. I prefer the proactive approach of ipchains, where everything
is blocked unless I specifically allow it. The plus side of portsentry is
that it's easier to configure, and the log entries are easier to
understand (and possibly more complete; I don't know how good ipchains is
at detecting stealth scans).
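A toy model of the bind-mode behaviour described in the post above, added here as an illustration and not code from PortSentry or from the poster: a set of decoy ports, a trigger count (1 being the "most paranoid" setting), and the "a port or two looks open, then the host disappears" pattern that gives the tool away. Host addresses and port numbers are constructed sample values.

```python
# Toy model of PortSentry's "bind to the port" mode (added example, not
# PortSentry's own code). A host that connects to a decoy port is logged;
# once its hit count reaches the trigger it is blocked and later probes
# are dropped. Hosts and ports used here are constructed sample values.
from collections import defaultdict


class DecoySentry:
    def __init__(self, decoy_ports, trigger=1):
        # trigger=1 is the most paranoid setting: block on the first hit.
        # Larger values let a scanner see several decoys answer as open.
        self.decoy_ports = set(decoy_ports)
        self.trigger = trigger
        self.hits = defaultdict(int)
        self.blocked = set()
        self.log = []

    def observe(self, src_host, port):
        """Record one TCP connect from src_host to port and return what the
        remote side sees: "open" (a decoy accepted the connect), "closed"
        (nothing listening) or "dropped" (host already blocked)."""
        if src_host in self.blocked:
            return "dropped"
        if port not in self.decoy_ports:
            return "closed"
        self.hits[src_host] += 1
        self.log.append(f"{src_host} hit decoy port {port}")
        if self.hits[src_host] >= self.trigger:
            # The connect that trips the trigger was already accepted, so
            # the scanner sees this port open and then the host goes silent.
            self.blocked.add(src_host)
            self.log.append(f"blocking {src_host}")
        return "open"


def scan_view(sentry, src_host, ports):
    """Responses a sequential scan of `ports` from one host would observe."""
    return [sentry.observe(src_host, p) for p in ports]


def looks_like_portsentry(responses):
    """The fingerprint the post describes: one or more ports answer as open
    and then every later probe is dropped. A plainly firewalled host shows
    no opens at all; a normal host shows open/closed but no sudden drop."""
    if "dropped" not in responses:
        return False
    first_drop = responses.index("dropped")
    return ("open" in responses[:first_drop]
            and all(r == "dropped" for r in responses[first_drop:]))
```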

