
[cobalt-users] Portsentry again



I was searching the archives regarding hosts.deny growing too quickly
(which is my case) and I found this message from Kevin, which had no further
comments:

"Probably it has grown over the last few years, due to the growth of the
internet in general. This is just script kiddie behavior... kids who scan
ports 111 and 137-9 are looking for common vulnerabilities on Unix and
Windows systems (respectively). With a decent portscanner, it's easy to scan
thousands of IP addresses in seconds to find vulnerable systems.

This is not something you should worry about. If you are concerned that your
hosts.deny file is too large, remove ports 111 and 137 from the portsentry
list. Your box doesn't run services on these ports anyway, and generally if
this is the only port the kiddies are hitting, they don't have the knowledge
to hack your box."

I have never messed with port 111 on my rack, so I guess it has never
been used. Is it that simple? I mean, could I just uncomment port 111 in the
portsentry.conf file? Why then do they keep on insisting on this port?

I also examined my hosts.deny file and I found, among 200 listed IPs, one
IP which is repeated 20 times in 20 consecutive lines. How can that happen
if it should have been instantly blocked since the first scan?

One last question: Is it wise to include all my virtual sites' IPs in the
portsentry.ignore file, or does it not matter if I don't?

Thanks,
Zarrir