[cobalt-users] RAQ3 Portsentry PKG Questions
- Subject: [cobalt-users] RAQ3 Portsentry PKG Questions
- From: "Render-Vue" <sales@xxxxxxxxxxxxxx>
- Date: Wed Oct 24 20:32:07 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi Yah,
Can anyone shed light on the following:
First Message arrives...
Portsentry had an alert from the following IP address and port:
208.155.66.37 69
------- RIPE results to follow -------
--------------------------------------
End of notification - Alerter for portsentry by Andy@xxxxxxxxxxxxxxxxxxxxx
Cobalt Raq edition!
www.linuxnetworking.co.uk
No problem with that one but...
Logcheck came with this...
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Oct 24 18:12:36 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
Oct 24 18:12:37 ns portsentry[22442]: attackalert: External command run for host: 208.155.66.37 using command: "/etc/portsentry/port.alert 208.155.66.37 69"
Oct 24 18:12:37 ns portsentry[22442]: attackalert: Host 208.155.66.37 has been blocked via wrappers with string: "ALL: 208.155.66.37"
Oct 24 18:12:37 ns portsentry[22442]: attackalert: Host 208.155.66.37 has been blocked via dropped route using command: "/sbin/route add -host 208.155.66.37 gw 127.0.0.1"
Oct 24 18:12:40 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
Oct 24 18:12:40 ns portsentry[22442]: attackalert: Host: e0.br3.visuallink.com/208.155.66.37 is already blocked Ignoring
The log then reports:
Oct 24 18:12:40 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
Oct 24 18:12:40 ns portsentry[22442]: attackalert: Host: e0.br3.visuallink.com/208.155.66.37 is already blocked Ignoring
every 3-4 seconds :<
Does this mean that my host is scanning for portsentry via port 69? (Still
green at this.) I know that portsentry has added the IP to the audp file and
the IP is being blocked.
I've used Andy's Portsentry pkg to install portsentry and it went on no
problem, but I'm buggered if I can find the portsentry.conf to remove port
69 monitoring, or the portsentry.ignore file to add visuallink to and to
also add the netmask of the IPs on the server.
I've emailed Andy, but the UK is 12 hours behind us, so I'm just wondering if
anyone has any clues/suggestions.
Regards from Auckland
Chae
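As an added example (not part of Chae's post, and not code from Andy's PortSentry package), here is a small Python script that parses PortSentry "attackalert" syslog lines like the ones logcheck reported above and summarises them per source IP: which ports were probed, which block actions (tcp_wrappers entry, dropped route, external command) ran, and how many probes arrived after the block, with the gaps between them. The sample log is constructed: the first lines are the ones quoted in the post re-joined onto single lines, the later repeats and the 192.0.2.x TCP hit are made up, and the year 2001 is assumed because syslog timestamps carry none. The point it makes visible is that PortSentry's dropped-route block only sends the host's replies into 127.0.0.1; inbound packets still reach the listening socket, so continued "already blocked Ignoring" lines mean the remote side is still sending.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. The first six lines are the ones quoted in the post,
# each re-joined onto a single line (the mail client had wrapped them);
# the remaining lines are made up to show the "every 3-4 seconds" repeats,
# one classic-mode TCP hit from a documentation-range address, and a
# non-PortSentry line that the parser must skip.
SAMPLE_LOG = """\
Oct 24 18:12:36 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
Oct 24 18:12:37 ns portsentry[22442]: attackalert: External command run for host: 208.155.66.37 using command: "/etc/portsentry/port.alert 208.155.66.37 69"
Oct 24 18:12:37 ns portsentry[22442]: attackalert: Host 208.155.66.37 has been blocked via wrappers with string: "ALL: 208.155.66.37"
Oct 24 18:12:37 ns portsentry[22442]: attackalert: Host 208.155.66.37 has been blocked via dropped route using command: "/sbin/route add -host 208.155.66.37 gw 127.0.0.1"
Oct 24 18:12:40 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
Oct 24 18:12:40 ns portsentry[22442]: attackalert: Host: e0.br3.visuallink.com/208.155.66.37 is already blocked Ignoring
Oct 24 18:12:44 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
Oct 24 18:12:44 ns portsentry[22442]: attackalert: Host: e0.br3.visuallink.com/208.155.66.37 is already blocked Ignoring
Oct 24 18:12:47 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
Oct 24 18:12:47 ns portsentry[22442]: attackalert: Host: e0.br3.visuallink.com/208.155.66.37 is already blocked Ignoring
Oct 24 18:13:02 ns portsentry[22442]: attackalert: Connect from host: example.invalid/192.0.2.10 to TCP port: 111
Oct 24 18:13:05 ns sshd[311]: Accepted password for admin from 192.0.2.20
"""

# Syslog prefix common to every PortSentry alert line.
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<syshost>\S+) "
    r"portsentry\[(?P<pid>\d+)\]: attackalert: (?P<msg>.*)$")
# Message bodies, in the shapes seen in the post ("UDP scan from host",
# "Connect from host" for classic TCP mode shares the same tail).
SCAN_RE = re.compile(r"^(?P<what>.+?) from host: (?P<host>[^/ ]+)/(?P<ip>\S+) "
                     r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$")
REPEAT_RE = re.compile(r"^Host: (?P<host>[^/ ]+)/(?P<ip>\S+) is already blocked Ignoring$")
EXT_RE = re.compile(r'^External command run for host: (?P<ip>\S+) using command: "(?P<cmd>.*)"$')
WRAP_RE = re.compile(r'^Host (?P<ip>\S+) has been blocked via wrappers with string: "(?P<rule>.*)"$')
ROUTE_RE = re.compile(r'^Host (?P<ip>\S+) has been blocked via dropped route using command: "(?P<cmd>.*)"$')
KINDS = (("scan", SCAN_RE), ("repeat", REPEAT_RE), ("external", EXT_RE),
         ("wrappers", WRAP_RE), ("route", ROUTE_RE))


def parse_line(line, year=2001):
    """Parse one syslog line into an event dict, or None if it is not a PortSentry alert.

    `year` is assumed; syslog timestamps do not carry one."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    ev = {"ts": ts, "pid": int(m.group("pid")), "kind": "other", "msg": m.group("msg")}
    for kind, rx in KINDS:
        body = rx.match(m.group("msg"))
        if body:
            ev["kind"] = kind
            ev.update(body.groupdict())
            break
    return ev


def summarize(log_text, year=2001):
    """Group alerts by source IP: ports probed, block actions taken, and
    how many probes kept arriving after the block (with the gaps between them)."""
    per_ip = defaultdict(lambda: {
        "host": None, "ports": set(), "probes": 0, "external": [],
        "wrappers": None, "route": None, "repeats": 0, "repeat_gaps": [],
        "first": None, "last": None})
    repeat_times = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if not ev or "ip" not in ev:      # not PortSentry, or a message without a source IP
            continue
        h = per_ip[ev["ip"]]
        h["first"] = h["first"] or ev["ts"]
        h["last"] = ev["ts"]
        if ev["kind"] == "scan":
            h["host"] = ev["host"]
            h["ports"].add((ev["proto"], int(ev["port"])))
            h["probes"] += 1
        elif ev["kind"] == "repeat":       # packet from a host PortSentry already blocked
            h["host"] = h["host"] or ev["host"]
            h["repeats"] += 1
            repeat_times[ev["ip"]].append(ev["ts"])
        elif ev["kind"] == "external":
            h["external"].append(ev["cmd"])
        elif ev["kind"] == "wrappers":
            h["wrappers"] = ev["rule"]
        elif ev["kind"] == "route":
            h["route"] = ev["cmd"]
    for ip, times in repeat_times.items():
        per_ip[ip]["repeat_gaps"] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return dict(per_ip)


def still_probing(summary, ip):
    """True when a host was blocked yet PortSentry keeps logging hits from it.
    The dropped route only blackholes replies; inbound packets still arrive."""
    h = summary.get(ip)
    return bool(h and (h["wrappers"] or h["route"]) and h["repeats"] > 0)


if __name__ == "__main__":
    for ip, h in summarize(SAMPLE_LOG).items():
        print(f"{ip} ({h['host']}): ports={sorted(h['ports'])} probes={h['probes']} "
              f"blocked={bool(h['wrappers'] or h['route'])} repeats={h['repeats']} "
              f"gaps={h['repeat_gaps']} still_probing={still_probing(summarize(SAMPLE_LOG), ip)}")
```

Run it as-is to see the per-host summary for the constructed sample; point `summarize()` at the real `/var/log/messages` text to get the same breakdown for live alerts. A blocked host with a non-zero `repeats` count and gaps of a few seconds is exactly the pattern in the post: the block is in place and the remote side is simply still sending to UDP/69.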