Re: [cobalt-users] hosts.deny listing
- Subject: Re: [cobalt-users] hosts.deny listing
- From: Wayne Sagar <wsagar@xxxxxxxx>
- Date: Fri Apr 13 06:04:50 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

At 03:12 PM 4/13/01 -0400, you wrote:
>Here's my hosts.deny for your enjoyment. This is from 60 days of Port
>Sentry.

Entertaining, indeed <g>!

Mine is growing way too fast!! At least one per hour, most on port 111 and
now I'm seeing quite a few on port 137...

Most are coming in either from @home... or the European Internet Registry
or... the Pacific Asian Registry...

Nice....

Anybody get hit by the "cyber cafe" in Europe? Whatever you do.. don't send
an email to the host system asking for them to investigate... !!

I did this last evening after several hits by their system and received a
little "mini DOS" attack in return..

I happened to be logged on and did a netstat and at one point they were
hitting every port on the machine about every 1/10th of a second (counting
down through the ports) I showed about 300 connects from them at one time
on one refresh of netstat... They were counting down from above the level
which portsentry watches.

I kept waiting for portsentry to block them but I eventually just took the
machine off line for a few seconds and it stopped it.. or more likely, they
finally hit a port that was monitored and were blocked, as the IP was in
the deny file.. these guys are *NASTY*

On that subject.. portsentry is set to monitor from something like 1200 or
so down.. there's a lot of ports above this.. how many of the "old hands"
here are changing the defaults to higher? What problems does this cause?

Question for those who have been monitoring their systems longer than I
have.. is this a normal level of activity we're currently seeing or is this
growing very rapidly? It seems amazing that we can even keep a machine
online with the current level....

WS
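
The netstat observation in the message above (one host touching many local ports that sit above the range portsentry watches), as an added example that is not part of the original post: a per-host summary of a `netstat -tn` snapshot. `WATCH_MAX`, `THRESHOLD`, the function names and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-remote-host summary of a `netstat -tn` snapshot.
# WATCH_MAX: assumed top of the watched port range (the post says "something
# like 1200"). THRESHOLD: assumed number of distinct local ports worth flagging.
WATCH_MAX=${WATCH_MAX:-1200}
THRESHOLD=${THRESHOLD:-5}

# Constructed sample in Linux `netstat -tn` layout (documentation addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:1506         203.0.113.77:40112      SYN_RECV
tcp        0      0 192.0.2.10:1505         203.0.113.77:40113      SYN_RECV
tcp        0      0 192.0.2.10:1504         203.0.113.77:40114      SYN_RECV
tcp        0      0 192.0.2.10:1503         203.0.113.77:40115      SYN_RECV
tcp        0      0 192.0.2.10:1502         203.0.113.77:40116      SYN_RECV
tcp        0      0 192.0.2.10:1501         203.0.113.77:40117      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.5:51234      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.5:51240      ESTABLISHED
EOF
}

# Reads `netstat -tn` output on stdin. For each remote host touching at least
# THRESHOLD distinct local ports, prints:
#   host  distinct_local_ports  ports_above_WATCH_MAX  lowest_local_port
port_sweep_summary() {
  awk -v max="$WATCH_MAX" -v thr="$THRESHOLD" '
    $1 ~ /^tcp/ && NF >= 6 {
      n = split($4, l, ":"); lport = l[n] + 0      # local port
      host = $5; sub(/:[0-9]+$/, "", host)         # remote address without port
      if ((host, lport) in seen) next              # count each port once
      seen[host, lport] = 1
      ports[host]++
      if (lport > max) above[host]++
      if (!(host in low) || lport < low[host]) low[host] = lport
    }
    END {
      for (h in ports)
        if (ports[h] >= thr)
          printf "%s %d %d %d\n", h, ports[h], above[h] + 0, low[h]
    }'
}

sample_netstat | port_sweep_summary
```

On a live host, pipe `netstat -tn` into `port_sweep_summary`; a host whose third column equals its second has so far only touched ports above the assumed watched range.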