Re: security/portsentry removal

On 2023-04-08 0:47, Andrea Venturoli wrote:
> On 4/8/23 04:56, Mel Pilgrim wrote:
>>> Can anyone suggest something equivalent in the port tree?
>>
>> Have a look at fail2ban.  It's design intent is monitoring running
>> services, but really it's just a set of log file regex filters. Anything
>> that logs network activity can feed it.
> 
> Hello and thanks for answering.
> In fact I'm already using fail2ban for "running" services.
> 
> Portsenty is a bit different, in that it's conceived to listen on ports
> used by non-running services.
> I.e.
> Got a SMTP server? Let fail2ban check its logs.
> No? Let portsentry listen on port 25.
> 
> I thought about writing regexes for fail2ban to check if ipfw denied
> access to ports where portsentry used to listen.
> So far it's the best idea I've come up with, but I hoped for something
> simpler (i.e. more close to how portsentry worked).

That's exactly what I suggest.  IME dropping/ignoring packets to closed 
ports slows scanners down enough as it is, and the result is the same: 
they just see a non-responsive host.

But completeness, peace of mind, etc.

FWIW, you can still build and use portsentry either extratree or copy 
the port to your local category.