Fw: [cobalt-users] RaQ4 - Help with Portsentry on Cobalt RaQ4r
- Subject: Fw: [cobalt-users] RaQ4 - Help with Portsentry on Cobalt RaQ4r
- From: "Gerald Waugh" <gerald@xxxxxxxxx>
- Date: Tue Feb 20 08:14:08 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> "tony simpson" <tonysimpson123@xxxxxxxxxxx> wrote
> > I'm having some problems setting up Logcheck and Portsentry on my Cobalt
> > RaQ4r. The following log is emailed to me:
> >
> >
> > Feb 20 10:06:06 www portsentry[15570]: attackalert: Connect from host: 192.168.1.1/192.168.1.1 to UDP port: 69
> > Feb 20 10:06:06 www portsentry[15570]: attackalert: Host: 192.168.1.1 is already blocked. Ignoring
> > Feb 20 10:06:10 www portsentry[15570]: attackalert: Connect from host: 192.168.1.1/192.168.1.1 to UDP port: 69
> > Feb 20 10:06:10 www portsentry[15570]: attackalert: Host: 192.168.1.1 is already blocked. Ignoring
> >
> The port is tftp.
>
> Which may be used by some computers to boot up. Unlikely that you have any
> units on your LAN that need a tftp server.
>
> The IP address is a local IP, which probably means you have a local network
> computer at 192.168.1.1 that is connected to your LAN. These local network
> computers should not be connected to eth1 on your server. Or do you have
> your eth0 listening to 192.168.1.1?
>
> If your local LAN is the source, the IP address for one thing should be
> masqueraded.
>
Another thought, if you are using logcheck, where did you put the script to
run logcheck?
Normally it is put in cron.daily, although I put it in cron.hourly.
Or, are you using the script for PortSentry that someone posted on the list?
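
The triage done by hand in this thread (which port, and whether the source is a private address) can be scripted. The following is an added example, not part of the original messages or of PortSentry or Logcheck: it parses "Connect from host" alerts in the format quoted above, counts them per source and port, and tags RFC 1918 sources. The sample log is constructed from the thread's lines plus one invented contrast line, and the `summarize` function and `SERVICES` table are hypothetical names.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the thread's alert lines unwrapped to one record per
# line, plus one invented line (203.0.113.9, TCP 111) for contrast.
SAMPLE_LOG = """\
Feb 20 10:06:06 www portsentry[15570]: attackalert: Connect from host: 192.168.1.1/192.168.1.1 to UDP port: 69
Feb 20 10:06:06 www portsentry[15570]: attackalert: Host: 192.168.1.1 is already blocked. Ignoring
Feb 20 10:06:10 www portsentry[15570]: attackalert: Connect from host: 192.168.1.1/192.168.1.1 to UDP port: 69
Feb 20 10:06:10 www portsentry[15570]: attackalert: Host: 192.168.1.1 is already blocked. Ignoring
Feb 20 10:07:02 www portsentry[15570]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 111
"""

# Matches only the "Connect from host" alert form shown in the thread.
CONNECT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"\S+/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Labels for the ports in the sample only (assumption: not a full table).
SERVICES = {("UDP", 69): "tftp", ("TCP", 111): "sunrpc"}


def summarize(log_text):
    """Count alerts per (source IP, protocol, port) and tag RFC 1918 sources."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:  # "already blocked" follow-ups and other lines are skipped
            counts[(m["ip"], m["proto"], int(m["port"]))] += 1
    rows = []
    for (ip, proto, port), n in sorted(counts.items()):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # four dotted numbers that are not a valid address
        rows.append({
            "ip": ip, "proto": proto, "port": port, "count": n,
            "service": SERVICES.get((proto, port), "unknown"),
            "rfc1918": any(addr in net for net in RFC1918),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A private source such as 192.168.1.1 points at a host on the local network or the server's own interface configuration rather than an Internet scanner, which is the distinction the reply above draws.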