Re: [cobalt-users] Portsentry Queston Port 161

[flash22@xxxxxxx]

On Thu, 12 Apr 2001, Wayne Sagar wrote:

> I've got portsentry running and had a message from the log report that I'd
> had a probe on the SNMP port 161... and it blocked them.. one problem, the
> probe was from my server farm's IP block.. Could this be interpreted as a
> possible "should have happened" query by the farm and their DNS service?

Some of the SNMP applications have an option to scan an IP block for
machines to manage...so it could well have been accidental...But i'd
mention it to them anyhow, if they aren't running SNMP software then you
shouldn't have seen it ;)

There are attcks on SNMP is it's configured wrong...

> I did order an additional domain added to my virt list yesterday... Since
> they handle the DNS for the box... do I need to leave this port open for
> them? Or should I be asking this question of them (probably both here and
> there would not hurt I guess)

They shouldn't *need* SNMP to add a DNS entry, but you should ask them if
they monitor via SNMP....(It's possibly usefull if they do, they may be
able to check status and tell you if the machine died, is unhappy etc.)

The question also is, was the source IP a host or one of their NOC
machines? (see if the machine has a web page on it)

I've been hearing of accidental port trips from ISP's that are trying to
check for hosed machines also...eg scanning internal IP's for certain open
ports that shouldn't be open, you should ask them if they do this, and if
so, what machine of theirs you should ignore so it can scan you safely...

gsh