What PortSentry vs. APF conflict?
Thanks much for your post/reply.
I am aware that I should keep the deny files down to logical lengths, and of course not put on a hair trigger with any automated security system. However, I am not sure that I agree that PortSentry with APF is overkill, although I do understand that this is the general consensus.
How exactly would PortSentry and APF conflict? I really don't get it. A blocked IP of someone attacking the server is still a blocked IP of someone attacking the server. Yes? No? So how can two different defence systems, each using their own parameters for detection and enforcement, be in conflict with one another? They certainly do not look at one another! They do not interfere with each other's capacity for detection and enforcement, or do they?
I am not a firewall and security expert, so bear with me, but we used PortSentry successfully for years fending off attacks from a bunch of Cobalt servers. I think PortSentry is quite effective, particularly using it in stealth mode to watch certain ports for unusual activity. Apparently so does Oracle, who I believe bought all the licensing for the software at one point and tried to take it completely off the market in order to use the core program in their own proprietary system. Okay, this could be a rumor, but when I was finally ready to employ a sister product, HostSentry, any access to the official PortSentry site took me to Oracle... But I digress.
I am just now getting into switching on and working with the anti-DoS features of APF, but please just look at the two config files of APF and PortSentry. PortSentry appears to be the clear winner in terms of being more configurable, and in terms of being a much more dedicated application for fending off attacks. To bring the APF anti-DoS feature up to this level of control, I believe we would need to install and use Snort with APF (which is something else we may look at in the near future).