Abstract - Using PortSentry with an iptables/netfilter firewall is a well-known means of implementing an active firewall that can provide a robust defense against many broad-spectrum port scans. More targeted scans, however, are more difficult to prevent: in practice, certain services must be available, and although some may be restricted to authorized users, others, such as web and mail servers, are usually unrestricted. This poster describes two novel uses of PortSentry to enhance security, providing an efficient, active, enumeration-resistant layer that permits access to both restricted and unrestricted services while protecting those services from targeted enumeration.
Keywords: PortSentry, active intrusion detection system, firewall, iptables, enumeration, port scanning
1 The role of port scanning and enumeration in a cyberattack
Attackers often scan IP address blocks and then enumerate target machines before carrying out an attack. During the port-scanning phase, the attacker might use a tool such as nmap to identify potential target hosts in a specified IP address block. Then, during the enumeration phase, the attacker might use a tool such as Nessus to collect more detailed information about a particular target system's vulnerabilities.
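The defensive counterpart of the scanning phase just described is to recognise, from the firewall's own logs, a single source probing many distinct ports and to turn that observation into a block rule, which is what an active intrusion detection system paired with a packet filter does. The following is an added illustration written for this page, not code from the poster or from PortSentry: it parses a few constructed netfilter LOG-target lines, counts the distinct TCP destination ports seen per source address, flags sources that exceed a threshold, and builds (but does not execute) the corresponding iptables DROP rule. The log lines, the addresses and the threshold of five ports are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed netfilter LOG-target lines (sample data, not taken from the poster).
# 203.0.113.7 touches six different service ports; 198.51.100.4 only uses web ports.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Mar  3 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25 SYN
Mar  3 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=110 SYN
Mar  3 10:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=143 SYN
Mar  3 10:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=3306 SYN
Mar  3 10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Mar  3 10:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
Mar  3 10:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=51002 DPT=53
"""

# Pull the source address and TCP destination port out of one LOG line.
# UDP and otherwise unparseable lines are ignored by the caller.
_TCP_LINE = re.compile(r"SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")


def distinct_ports_per_source(log_text: str) -> dict:
    """Map each source IP to the sorted set of distinct TCP ports it probed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = _TCP_LINE.search(line)
        if match:
            src, dport = match.group(1), int(match.group(2))
            seen[src].add(dport)
    return {src: sorted(ports) for src, ports in seen.items()}


def detect_scanners(log_text: str, threshold: int = 5) -> dict:
    """Return only the sources that touched at least `threshold` distinct ports.

    The threshold is a constructed example value: a real deployment tunes it to the
    number of services a legitimate client would plausibly contact.
    """
    return {
        src: ports
        for src, ports in distinct_ports_per_source(log_text).items()
        if len(ports) >= threshold
    }


def block_rule(src: str) -> str:
    """Build the iptables rule that an active responder would insert for `src`.

    Returned as a string for review/logging; this example never executes it.
    """
    return f"iptables -I INPUT -s {src} -j DROP"


if __name__ == "__main__":
    for src, ports in detect_scanners(SAMPLE_LOG).items():
        print(f"{src} probed ports {ports}")
        print("  ->", block_rule(src))
```

Running the block flags only 203.0.113.7 and prints the DROP rule for it; the web client that touched two ports stays below the threshold. The threshold is the important knob: set it too low and a legitimate user of several services is cut off, set it too high and a slow, selective probe of the kind the abstract calls a targeted scan passes unnoticed.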
PortSentry (in its default configuration) paired with a firewall provides an active intrusion detection system that...