At 12:31 PM 3/21/01 -0500, you wrote:
On Wed, 21 Mar 2001, Ian C. Walmsley wrote:
> Hi,
>
> Portsentry is currently reporting repeated attacks from IPs in the range
> 192.168.20.0 to 192.168.20.255 - I am sure that this is not a usual IP
> address range.

It's in the reserved range for local use...

> Any idea how I can track this IP down, and is it possible to block an entire
> range with an '*' - or is it even wise to do that?

packet sniffer ;)

If you want to just blackhole it

route add -net 192.168.0.0 netmask 255.255.0.0 reject

(Make sure you aren't using it yourself somewhere ;)

gsh
If you are using the 192.168.0.0 range within your local network (are you using NAT and DHCP?) you may want to investigate the IPs. It is possible this could be an internal attack on the server.
You can check DHCP assignments (unfortunately, you'll need to know the MAC addresses of the local machines to match to a specific user) at /etc/dhcpd.leases
If you suspect an internal attack (in fact it could be a compromised machine in your network acting as a launchpad from outside), you might want to log your dhcpd.leases to see if someone is frequently changing their lease (although I'm not certain you can force a lease change from the client). You could easily set up a cron script to mail the leases file to yourself (or store the files locally and compare using diff).
Maybe someone in your company is trying to do you a favor and checking whether your box is vulnerable ;o)
Peter
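Peter's suggestion of storing dhcpd.leases snapshots and comparing them, worked through as an added example (not code from anyone in this thread): it parses the ISC dhcpd.leases block syntax, keeps only leases inside the 192.168.20.0/24 range Portsentry flagged, and reports IP-to-MAC bindings that appeared or changed between two snapshots. The lease file contents and MAC addresses below are constructed samples.

```python
import ipaddress
import re

# Constructed sample in ISC dhcpd.leases syntax (not a real capture).
LEASES_BEFORE = """
lease 192.168.20.17 {
  starts 3 2001/03/21 16:02:11;
  ends 3 2001/03/21 22:02:11;
  hardware ethernet 00:50:da:12:34:56;
  client-hostname "ws-alice";
}
lease 192.168.30.5 {
  starts 3 2001/03/21 16:10:00;
  ends 3 2001/03/21 22:10:00;
  hardware ethernet 00:50:da:ab:cd:ef;
}
"""
# Later snapshot: dhcpd appends, so the same IP shows up again with a new MAC.
LEASES_AFTER = LEASES_BEFORE + """
lease 192.168.20.17 {
  starts 3 2001/03/21 17:40:00;
  ends 3 2001/03/21 23:40:00;
  hardware ethernet 00:a0:c9:77:88:99;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")

def parse_leases(text, network):
    """Return {ip: mac} for leases inside `network`. The file is append-only,
    so a later block for the same IP overrides an earlier one."""
    net = ipaddress.ip_network(network)
    result = {}
    for ip, body in LEASE_RE.findall(text):
        if ipaddress.ip_address(ip) not in net:
            continue
        m = MAC_RE.search(body)
        if m:
            result[ip] = m.group(1).lower()
    return result

def lease_changes(old_text, new_text, network):
    """Map each IP whose MAC binding is new or changed to (old_mac, new_mac)."""
    old, new = parse_leases(old_text, network), parse_leases(new_text, network)
    return {ip: (old.get(ip), mac) for ip, mac in new.items() if old.get(ip) != mac}

if __name__ == "__main__":
    for ip, (was, now) in lease_changes(LEASES_BEFORE, LEASES_AFTER, "192.168.20.0/24").items():
        print(f"{ip}: {was} -> {now}")
```

Run it from cron against the current and previous copy of the leases file to get the MAC behind a flagged address instead of eyeballing a diff of the whole file.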