Web Hosting Talk

Port Sentry Test -- Nessus Scan


huck
10-26-2001, 01:20 PM
I want to answer some questions regarding PortSentry. I have been told that to do its job, PortSentry binds every port, thus advertising that the port is open to the outside world. I would like to verify this by using a Nessus Scan to see how a PortSentry box looks to the outside world.

Is there anybody with PortSentry installed and no firewall that would allow me to scan their box. I would send you the report and post the results here.

I have Nessus already setup on one of our boxes -- I would rather not have to install PortSentry (being lazy) to do this test.

If you are willing to have your box scanned, please PM me with your IP address or post it here publicly.

Also, let me know if you have any other types of port security installed that may influence the results.

Thanks.

DHWWnet
10-27-2001, 02:18 AM
um.. why don't you just install port sentry on a test box and do an extensive network/security test . . ?

huck
10-27-2001, 12:05 PM
I've gone ahead and installed portsentry on a test box.

I will post details later, but portsentry opens about 30 or more ports beyond those that are open without it. This is using the default configuration. Using a SYN attack with a dynamically changing IP, I was able to add over 1000 entries into the hosts.deny within a few minutes. I am not sure if portsentry can keep up with a SYN flood or simply stops processing the information. With a little bit of knowledge regarding users' IPs or even other info, you could easily block an entire range of IPs from using certain services.
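The failure mode huck describes above (an auto-blocking tool flooding hosts.deny and locking out whole address ranges) is something an admin running PortSentry would want to notice quickly. The script below is an added example for this thread, not code from PortSentry or from any poster: it reads PortSentry's syslog "has been blocked" lines, finds the busiest one-minute window of blocks, and aggregates blocked hosts per /24 so a sudden run of blocks against one range stands out. The log line format, the regex and the sample lines are constructed assumptions for the example; adjust the regex to whatever your PortSentry version actually writes.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample syslog excerpt (hypothetical hostname "testbox" and
# hypothetical addresses from documentation ranges). Line format is an
# assumption modelled on PortSentry's "attackalert" messages.
SAMPLE_LOG = """\
Oct 27 11:40:01 testbox portsentry[812]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Oct 27 11:40:01 testbox portsentry[812]: attackalert: Host 198.51.100.7 has been blocked via wrappers with string: "ALL: 198.51.100.7"
Oct 27 11:52:03 testbox portsentry[812]: attackalert: Host 203.0.113.10 has been blocked via wrappers with string: "ALL: 203.0.113.10"
Oct 27 11:52:04 testbox portsentry[812]: attackalert: Host 203.0.113.11 has been blocked via wrappers with string: "ALL: 203.0.113.11"
Oct 27 11:52:04 testbox portsentry[812]: attackalert: Host 203.0.113.12 has been blocked via wrappers with string: "ALL: 203.0.113.12"
Oct 27 11:52:05 testbox portsentry[812]: attackalert: Host 203.0.113.13 has been blocked via wrappers with string: "ALL: 203.0.113.13"
Oct 27 11:52:06 testbox portsentry[812]: attackalert: Host 203.0.113.14 has been blocked via wrappers with string: "ALL: 203.0.113.14"
Oct 27 11:52:07 testbox portsentry[812]: attackalert: Host 203.0.113.15 has been blocked via wrappers with string: "ALL: 203.0.113.15"
Oct 27 11:52:09 testbox portsentry[812]: attackalert: Host 203.0.113.16 has been blocked via wrappers with string: "ALL: 203.0.113.16"
Oct 27 11:53:30 testbox sshd[900]: Accepted password for admin from 203.0.113.50 port 4022 ssh2
"""

# Assumed shape of a PortSentry block message: syslog timestamp, host,
# "portsentry[pid]: attackalert: Host <ip> has been blocked ...".
BLOCK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ portsentry\[\d+\]: "
    r"attackalert: Host (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) has been blocked"
)


def parse_blocks(text, year=2001):
    """Return [(datetime, IPv4Address)] for every block event in the log text.

    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if not m:
            continue  # connect notices, other daemons, etc.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, ip_address(m.group("ip"))))
    return events


def peak_block_rate(events, window=timedelta(seconds=60)):
    """Busiest sliding window: (count, window_start). A spike here is the
    "1000 entries in a few minutes" symptom from the post."""
    times = sorted(t for t, _ in events)
    best_count, best_start = 0, None
    j = 0
    for i, start in enumerate(times):
        # Advance j to the first event outside [start, start + window].
        while j < len(times) and times[j] - start <= window:
            j += 1
        if j - i > best_count:
            best_count, best_start = j - i, start
    return best_count, best_start


def range_lockouts(events, prefix=24, min_hosts=3):
    """Map 'a.b.c.0/24' -> number of distinct blocked hosts, for every
    network with at least min_hosts blocked. Many blocks in one range means
    real users in that range may be shut out along with the noise."""
    per_net = Counter()
    for _, ip in events:
        net = ip_network(f"{ip}/{prefix}", strict=False)
        per_net[str(net)] += 1
    return {net: n for net, n in per_net.items() if n >= min_hosts}


if __name__ == "__main__":
    evts = parse_blocks(SAMPLE_LOG)
    count, start = peak_block_rate(evts)
    print(f"{len(evts)} block events; peak {count} blocks/minute starting {start}")
    for net, n in range_lockouts(evts).items():
        print(f"  {net}: {n} hosts blocked")
```

Run it against a real syslog with `parse_blocks(open('/var/log/messages').read(), year=...)`; the thresholds (60-second window, three hosts per /24) are starting points to tune against your own baseline. Whether the blocks in a burst are genuine scans or spoofed SYNs cannot be told from hosts.deny alone, which is exactly why a rate and range summary is worth keeping an eye on when an active-response tool is writing to it.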

marco
10-28-2001, 04:15 AM
Maybe you can try Snort instead of PortSentry.
Snort does not open any port (it is an IDS - Intrusion Detection System) and I found it very reliable.
It may, however, give too many security warnings if misconfigured.

Cheers,