[cobalt-users] log/messages after Portsentry install
- Subject: [cobalt-users] log/messages after Portsentry install
- From: "Zarrir Junior" <zarrir@xxxxxxxxxxxx>
- Date: Fri May 4 13:57:00 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi,
I have successfully installed Portsentry 1.0 on my Raq3. Some minutes
later, this was logged:
: SYN/Normal scan from host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[13837]: attackalert: Host 213.154.148.60 has
been blocked via wrappers with string: "ALL: 213.154.148.60"
May 4 23:57:39 ns portsentry[14621]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[14621]: attackalert: Host 213.154.148.60 has
been blocked via wrappers with string: "ALL: 213.154.148.60"
May 4 23:57:39 ns portsentry[14621]: attackalert: Host 213.154.148.60 has
been blocked via dropped route using command: "/sbin/route add -host
213.154.148.60 reject"
May 4 23:57:39 ns portsentry[14621]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[14621]: attackalert: Host:
213.154.148.60/213.154.148.60 is already blocked Ignoring
May 4 23:57:39 ns portsentry[14621]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[13837]: attackalert: Host 213.154.148.60 has
been blocked via dropped route using command: "/sbin/route add -host
213.154.148.60 reject"
May 4 23:57:39 ns portsentry[13837]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[13837]: attackalert: Host:
213.154.148.60/213.154.148.60 is already blocked Ignoring
May 4 23:57:39 ns portsentry[13837]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[13837]: attackalert: Host:
213.154.148.60/213.154.148.60 is already blocked Ignoring
May 4 23:57:39 ns portsentry[13837]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[13837]: attackalert: Host:
213.154.148.60/213.154.148.60 is already blocked Ignoring
May 4 23:57:39 ns portsentry[13837]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[13837]: attackalert: Host:
213.154.148.60/213.154.148.60 is already blocked Ignoring
May 4 23:57:39 ns portsentry[14621]: attackalert: Host:
213.154.148.60/213.154.148.60 is already blocked Ignoring
May 4 23:57:39 ns portsentry[14621]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[14621]: attackalert: Host:
213.154.148.60/213.154.148.60 is already blocked Ignoring
May 4 23:57:39 ns portsentry[14621]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[14621]: attackalert: Host:
213.154.148.60/213.154.148.60 is already blocked Ignoring
May 4 23:57:41 ns portsentry[13837]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:41 ns portsentry[13837]: attackalert: Host:
213.154.148.60/213.154.148.60 is already blocked Ignoring
May 4 23:57:41 ns portsentry[14621]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:41 ns portsentry[14621]: attackalert: Host:
213.154.148.60/213.154.148.60 is already blocked Ignoring
May 4 23:57:46 ns portsentry[13837]: attackalert: SYN/Normal scan from
host: 213.154.148.60/213.154.148.60 to TCP port: 111
Then this other one:
portsentry[13837]: attackalert: SYN/Normal scan from host:
64-60-55-84-cust.telepacific.net/64.60.55.84 to TCP port: 111
May 5 00:02:34 ns portsentry[13837]: attackalert: Host 64.60.55.84 has been
blocked via wrappers with string: "ALL: 64.60.55.84"
May 5 00:02:34 ns portsentry[14621]: attackalert: SYN/Normal scan from
host: 64-60-55-84-cust.telepacific.net/64.60.55.84 to TCP port: 111
May 5 00:02:34 ns portsentry[14621]: attackalert: Host 64.60.55.84 has been
blocked via wrappers with string: "ALL: 64.60.55.84"
May 5 00:02:34 ns portsentry[14621]: attackalert: Host 64.60.55.84 has been
blocked via dropped route using command: "/sbin/route add -host 64.60.55.84
reject"
May 5 00:02:34 ns portsentry[13837]: attackalert: Host 64.60.55.84 has been
blocked via dropped route using command: "/sbin/route add -host 64.60.55.84
reject"
Both on port 111. My question is: Are these false alarms or what?
Some more minutes later, my server IP got included in the hosts.deny file, as
I started to have problems with SSL certificates when trying to log in via
ssh2. Now, sometimes it logs in correctly and sometimes it presents a
message saying something about the certificate not being correctly
recognized, but it ends up accepting the connection. I changed ssh from port 22
to another but the messages keep on appearing. Has anyone experienced these
weird ones after a Portsentry install?
Regards,
Zarrir
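
An added example, not part of the original post: a small triage script that collapses repeated PortSentry `attackalert` lines like the ones above into one record per source host (probe count, ports, which portsentry PIDs reported it, which block actions ran) and flags any of the server's own addresses that were blocked. The sample log is constructed from the line format in the post with the e-mail wrapping removed; `192.0.2.10` is a placeholder for the server's own IP, and `summarize` and `own_addresses` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the format shown in the post, unwrapped.
# 192.0.2.10 is a placeholder for the server's own address (not from the post).
SAMPLE_LOG = """\
May 4 23:57:39 ns portsentry[13837]: attackalert: SYN/Normal scan from host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[13837]: attackalert: Host 213.154.148.60 has been blocked via wrappers with string: "ALL: 213.154.148.60"
May 4 23:57:39 ns portsentry[14621]: attackalert: SYN/Normal scan from host: 213.154.148.60/213.154.148.60 to TCP port: 111
May 4 23:57:39 ns portsentry[14621]: attackalert: Host 213.154.148.60 has been blocked via dropped route using command: "/sbin/route add -host 213.154.148.60 reject"
May 4 23:57:39 ns portsentry[14621]: attackalert: Host: 213.154.148.60/213.154.148.60 is already blocked Ignoring
May 5 00:02:34 ns portsentry[13837]: attackalert: SYN/Normal scan from host: 64-60-55-84-cust.telepacific.net/64.60.55.84 to TCP port: 111
May 5 00:10:02 ns portsentry[13837]: attackalert: SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 22
May 5 00:10:02 ns portsentry[13837]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
"""

PREFIX = re.compile(r"portsentry\[(\d+)\]: attackalert: (.*)$")
SCAN = re.compile(r"scan from host: \S+/(\S+) to (TCP|UDP) port: (\d+)")
BLOCK = re.compile(r"Host (\S+) has been blocked via (wrappers|dropped route)")


def summarize(log_text, own_addresses=()):
    """Return (per-host summary, sorted list of own addresses that were blocked)."""
    hosts = defaultdict(
        lambda: {"probes": 0, "ports": set(), "pids": set(), "blocks": set()}
    )
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue  # not a portsentry attackalert line
        pid, msg = int(m.group(1)), m.group(2)
        if (s := SCAN.search(msg)):
            rec = hosts[s.group(1)]  # key on the IP after the slash
            rec["probes"] += 1
            rec["ports"].add((s.group(2), int(s.group(3))))
            rec["pids"].add(pid)
        elif (b := BLOCK.search(msg)):
            hosts[b.group(1)]["blocks"].add(b.group(2))
        # "is already blocked Ignoring" lines carry no new information
    self_blocked = sorted(
        ip for ip in own_addresses if ip in hosts and hosts[ip]["blocks"]
    )
    return dict(hosts), self_blocked


if __name__ == "__main__":
    summary, self_blocked = summarize(SAMPLE_LOG, own_addresses=["192.0.2.10"])
    for ip, rec in summary.items():
        print(ip, rec)
    print("own addresses blocked:", self_blocked)
```
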