Well, we have this gentoo guide for portsentry: [1] This seems a bit dated. I'd be curious for any information folks use, including config file snippets or deployment strategies, particularly in a multi-layered scheme. There are only basic configuration/deployment ideas in /usr/share/doc/portsentry/. Something newer/better than portsentry to watch the ports?
I'm building up a small soho with 5 static ips, including (2) dns servers, mail and a small (less than 10 domains) webserver all in a "dmz", and then a few dozen systems behind a second firewall. Certainly the minimal ports to leave open (via iptables on each of these server systems) as well as the specific list of which ports to set portsentry to monitor by category (DNS(bind) :: Web(apache) :: mail(postfix)) would be keen. Should I put the port scanning on the systems behind the published (routed) ip address too, just to see what (if anything) gets thru? Nothing but return traffic should get through to the lan (no ssh into lan systems or such will be allowed).

Reference diagrams of typical soho (< 50 systems) are of keen interest just to get some ideas. In fact, suggestions on FOSS to use to draw up some generic diagrams, a wee bit nicer than dia, would be keen suggestions too.

Tripwire vs AIDE?

Perhaps an iptables firewall protecting the dmz systems and main gateway (single homed) but an nftables [2] based firewall/gw/router to the internal lan?

Note: This is more of a project than a collection of simple (syntax) answers to specific questions (although all information is appreciated just to complete the discussion). Any sensitive information can be sent to me privately for assured confidence.

Your ideas are welcome,

James

[1] https://wiki.gentoo.org/wiki/PortSentry
[2] https://wiki.gentoo.org/wiki/Nftables
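The inner gateway James sketches (nftables box between the dmz side and the lan, "nothing but return traffic" allowed into the lan) can be written down as a ruleset. This is an added illustration, not code from the original post or from the Gentoo wiki; the interface names (eth0 on the dmz side, eth1 on the lan side), the lan prefix and the lan-only ssh management rule are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post or the Gentoo wiki).
# Inner gateway between the dmz side and the lan. Interface names and
# the lan prefix below are assumptions; adjust to the real topology.
flush ruleset

define dmz_if = "eth0"               # assumed: faces the dmz / upstream
define lan_if = "eth1"               # assumed: faces the internal lan
define lan_net = 192.168.10.0/24     # assumed lan prefix

table inet gw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Management of the gateway itself only from the lan side.
        iif $lan_if ip saddr $lan_net tcp dport 22 accept
        # Keep path MTU discovery and basic diagnostics working.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, packet-too-big, time-exceeded,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        # Return traffic for connections the lan opened is the only thing
        # allowed in from the dmz side ("nothing but return traffic").
        iif $dmz_if oif $lan_if ct state established,related accept
        # New connections may only originate on the lan side.
        iif $lan_if oif $dmz_if ip saddr $lan_net ct state new accept
        # Anything else aimed at the lan is logged (rate-limited so a scan
        # cannot fill the log) and then falls through to the drop policy.
        iif $dmz_if oif $lan_if limit rate 10/minute \
            log prefix "lan-inbound-drop: "
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and watch the `lan-inbound-drop:` kernel log lines; on this design they are the inner-firewall equivalent of what portsentry would report on a dmz host.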