Re: security/portsentry removal
- In reply to: Andrea Venturoli : "Re: security/portsentry removal"
Date: Sun, 09 Apr 2023 16:18:31 UTC
> On Apr 8, 2023, at 9:01 AM, Andrea Venturoli <ml@netfence.it> wrote:
>
> On 4/8/23 16:40, Helge Oldach wrote:
>
>> I wonder why that would provide anything useful though.
>
> Main reason is to react to port scans or swiping attempts at well-known services.
> I.e. someone (or some bot) connects to port 22, 25, 110, etc... when there's no such service available and he/she/it gets banned.
>
> I too am wondering whether this still makes sense today (after more than 20 years since portsentry was conceived).
> Yet I'm currently tasked to replace it, with possible questions being asked later :)

From a security point of view, detecting when someone is running a portscan on you is still useful. Especially when FreeBSD is running on a NAT box or a router, so it has visibility for more than just its own host.

If I had to implement this today, I'd simply do it with ipfw log rules (for any list of closed ports), and fail2ban, which could be used to block subnets after any N attempts. As a bonus, you don't need a daemon listening on the ports to do this.

-Dan
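The scheme Dan sketches (an ipfw "deny log" rule for ports the host does not serve, plus fail2ban-style counting that bans a whole subnet after N hits) as an added Python example. This is not code from the thread, from FreeBSD or from fail2ban: it parses constructed ipfw syslog lines in the layout the kernel writes to /var/log/security, aggregates hits per /24, and emits the ipfw table commands a ban action would run. The rule numbers, the port list, interface names, table name and every address are assumptions.

```python
"""Scan detection over ipfw 'deny log' lines, banning a /24 after N hits.

Added example (not from the thread, FreeBSD or fail2ban). Rule numbers,
ports, interfaces, addresses and the table name are assumptions; the log
lines below are constructed to match ipfw's syslog format for IPv4.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical ruleset in the spirit of the post: subnets in the 'scanners'
# table are dropped first; then one logging deny rule covers TCP SYNs to
# ports this box does not serve. No daemon has to listen on them.
CLOSED_PORTS = (22, 25, 110, 143, 445)
SCAN_RULE = 1000
IPFW_SETUP = [
    "ipfw add 100 deny ip from 'table(scanners)' to any in",
    f"ipfw add {SCAN_RULE} deny log tcp from any to me "
    f"{','.join(map(str, CLOSED_PORTS))} in setup",
]

# The same match expressed as a fail2ban filter (filter.d/ipfw-scan.conf);
# <HOST> is fail2ban's placeholder for the source address.
FAIL2BAN_FAILREGEX = rf"^.*ipfw: {SCAN_RULE} Deny TCP <HOST>:\d+ \S+:\d+ in via \S+$"

# One ipfw syslog line (IPv4 only):
# <date> <host> kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <iface>
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample: gw has WAN 198.51.100.1 on em0 and LAN 192.0.2.1 on em1.
SAMPLE_LOG = """\
Apr  9 16:18:31 gw kernel: ipfw: 1000 Deny TCP 203.0.113.7:51234 198.51.100.1:22 in via em0
Apr  9 16:18:31 gw kernel: ipfw: 1000 Deny TCP 203.0.113.7:51235 198.51.100.1:25 in via em0
Apr  9 16:18:32 gw kernel: ipfw: 1000 Deny TCP 203.0.113.9:40001 198.51.100.1:110 in via em0
Apr  9 16:18:33 gw kernel: ipfw: 1000 Deny TCP 198.51.100.77:33000 198.51.100.1:22 in via em0
Apr  9 16:18:34 gw kernel: ipfw: 900 Deny TCP 198.51.100.77:33001 198.51.100.1:23 in via em0
Apr  9 16:18:35 gw kernel: ipfw: 2000 Accept TCP 198.51.100.77:33002 198.51.100.1:80 in via em0
Apr  9 16:18:36 gw kernel: ipfw: 1000 Deny TCP 192.0.2.50:5000 192.0.2.1:22 in via em1
Apr  9 16:18:36 gw kernel: ipfw: 1000 Deny TCP 192.0.2.50:5001 192.0.2.1:25 in via em1
Apr  9 16:18:37 gw kernel: ipfw: 1000 Deny TCP 192.0.2.50:5002 192.0.2.1:110 in via em1
"""


def parse_hits(lines, rule=SCAN_RULE):
    """Yield (src_ip, dst_port) for every packet the scan rule logged as denied.

    Lines from other rules, or logged as Accept, are not scan evidence.
    """
    for line in lines:
        m = IPFW_LOG_RE.search(line)
        if m and m["action"] == "Deny" and int(m["rule"]) == rule:
            yield ipaddress.ip_address(m["src"]), int(m["dport"])


def offenders(lines, maxretry=3, prefixlen=24, allowlist=()):
    """Return {cidr: hits} for source subnets with at least maxretry hits.

    Aggregating by prefix is what turns 'ban the address' into 'ban the
    subnet'. The allowlist keeps your own networks out of the ban table:
    a source address in a SYN is trivially forged, so never let a single
    packet decide, and never let forged packets lock out networks you need.
    """
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    counts = Counter()
    for src, _dport in parse_hits(lines):
        if any(src in net for net in allowed):
            continue
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return {net: n for net, n in counts.items() if n >= maxretry}


def ban_commands(banned, table="scanners"):
    """ipfw commands that add each offending subnet to the block table."""
    return [f"ipfw table {table} add {net}" for net in sorted(banned)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG.splitlines(), allowlist=("192.0.2.0/24",))
    for cmd in ban_commands(hits):
        print(cmd)
```

Without the allowlist the misbehaving LAN host 192.0.2.50 gets its own /24 banned alongside 203.0.113.0/24, which is exactly the self-inflicted outage a reactive blocker can cause; with it, only the external scanner's subnet reaches the table. A real deployment would also expire table entries (fail2ban's bantime) rather than accumulate them forever.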