RE: [cobalt-users] RAQ3 Portsentry PKG Questions
- Subject: RE: [cobalt-users] RAQ3 Portsentry PKG Questions
- From: "Andy Brown" <andy.brown@xxxxxxxxxxxxx>
- Date: Thu Oct 25 01:46:08 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>
> Hi Yah,
>
> Can anyone shed light on the following:-
>
> First Message arrives...
>
> Portsentry had an alert from the following IP address and
> port: 208.155.66.37 69
> ------- RIPE results to follow -------
> --------------------------------------
> End of notification - Alerter for portsentry by
> Andy@xxxxxxxxxxxxxxxxxxxxx Cobalt Raq edition!
> www.linuxnetworking.co.uk
>
> No problem with that one but...
>
> Logcheck came with this...
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Oct 24 18:12:36 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
> Oct 24 18:12:37 ns portsentry[22442]: attackalert: External command run for host: 208.155.66.37 using command: "/etc/portsentry/port.alert 208.155.66.37 69"
> Oct 24 18:12:37 ns portsentry[22442]: attackalert: Host 208.155.66.37 has been blocked via wrappers with string: "ALL: 208.155.66.37"
> Oct 24 18:12:37 ns portsentry[22442]: attackalert: Host 208.155.66.37 has been blocked via dropped route using command: "/sbin/route add -host 208.155.66.37 gw 127.0.0.1"
> Oct 24 18:12:40 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
> Oct 24 18:12:40 ns portsentry[22442]: attackalert: Host: e0.br3.visuallink.com/208.155.66.37 is already blocked Ignoring
>
> log then reports:
> Oct 24 18:12:40 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
> Oct 24 18:12:40 ns portsentry[22442]: attackalert: Host: e0.br3.visuallink.com/208.155.66.37 is already blocked Ignoring
>
> every 3-4 seconds :<
>
> Does this mean that my host is scanning for portsentry via
> port 69? (still green at this). I know that portsentry has
> added the IP to the audp file and the IP is being blocked.
>
> I've used Andy's Portsentry pkg to install portsentry and it
> went on no problem, but I'm buggered if I can find the
> portsentry.conf to remove port 69 monitoring, or the
> portsentry.ignore file to add visuallink to and also to
> add the netmask of the IPs on the server.
>
> I've emailed Andy but UK is 12 hours behind us so just
> wondering if anyone has any clues/suggestions
>
> Regards from Auckland
>
> Chae
>
I'll post to here also, as others may be asking the same questions!
Yes, the package is different from the standard portsentry installation:
the executable is put under /usr/sbin.
This is because the package available from the RedHat RPMs operates in this
way, and it is simply this RPM that I've repackaged for the Raqs.
Configuration files are in /etc/portsentry/
The files are as follows:
port.alert - my own addition which emails portsentry blocks to the admin
account (You may need to edit this and point it to a different email
address as I've had some reports that the admin account doesn't always
work correctly on the RaQ3's, if you need help, let me know!)
portsentry.conf - the main portsentry configuration file
portsentry.ignore - hosts to ignore from the portsentry blocking no
matter what!
portsentry.modes - holds the startup modes for portsentry.
This is slightly different from the standard portsentry configuration
files, but basically these are the parameters that get added to the
command line as in the documentation.
Hope that helps people out. I've got the portsentry package running on
our RaQ 3's here (and also on my other 'classic' Linux boxes), happily
blocking portscanning script kiddies.
Regards,
Andy Brown
andy@xxxxxxxxxxxxxxxxxxxxx
http://ineedlinux.info/
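An added example, not code from this thread or from Andy's portsentry package: a small Python parser over attackalert syslog lines of the shape Chae quoted. It separates the one-time block actions (the tcp_wrappers entry and the dropped route) from the "already blocked Ignoring" repeats that logcheck keeps mailing every few seconds, and reports per source host how many probes arrived, to which ports, and roughly how far apart. The sample log is constructed from the quoted excerpt; the regexes and the `summarise`/`report` names are my own assumptions about the log format shown, not part of portsentry.

```python
"""Summarise portsentry 'attackalert' syslog lines per source host.

Added example, not part of the mailing-list thread or the portsentry package.
The regexes below are assumptions about the line shapes quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the logcheck excerpt quoted in the thread.
SAMPLE_LOG = """\
Oct 24 18:12:36 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
Oct 24 18:12:37 ns portsentry[22442]: attackalert: External command run for host: 208.155.66.37 using command: "/etc/portsentry/port.alert 208.155.66.37 69"
Oct 24 18:12:37 ns portsentry[22442]: attackalert: Host 208.155.66.37 has been blocked via wrappers with string: "ALL: 208.155.66.37"
Oct 24 18:12:37 ns portsentry[22442]: attackalert: Host 208.155.66.37 has been blocked via dropped route using command: "/sbin/route add -host 208.155.66.37 gw 127.0.0.1"
Oct 24 18:12:40 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
Oct 24 18:12:40 ns portsentry[22442]: attackalert: Host: e0.br3.visuallink.com/208.155.66.37 is already blocked Ignoring
Oct 24 18:12:44 ns portsentry[22442]: attackalert: UDP scan from host: e0.br3.visuallink.com/208.155.66.37 to UDP port: 69
Oct 24 18:12:44 ns portsentry[22442]: attackalert: Host: e0.br3.visuallink.com/208.155.66.37 is already blocked Ignoring
"""

# syslog prefix + portsentry tag; everything after 'attackalert: ' is the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: (?P<msg>.*)$"
)
SCAN_RE = re.compile(r"from host: (?P<host>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
BLOCK_RE = re.compile(r"^Host (?P<host>\S+) has been blocked via (?P<how>wrappers|dropped route)")
REPEAT_RE = re.compile(r"^Host: (?P<host>\S+) is already blocked")


def _ip(host_field):
    """portsentry logs 'hostname/ip' when the name resolves; keep only the ip."""
    return host_field.rsplit("/", 1)[-1]


def _ts(text):
    # syslog timestamps carry no year; strptime fills in 1900, fine for deltas
    return datetime.strptime(text, "%b %d %H:%M:%S")


def summarise(log_text):
    """Return {ip: {probes, ports, blocks, repeats}} built from attackalert lines."""
    hosts = defaultdict(lambda: {"probes": [], "ports": set(), "blocks": [], "repeats": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a portsentry alert line; leave it to other checks
        ts, msg = _ts(m["ts"]), m["msg"]
        if (s := SCAN_RE.search(msg)):
            rec = hosts[_ip(s["host"])]
            rec["probes"].append(ts)
            rec["ports"].add((s["proto"], int(s["port"])))
        elif (b := BLOCK_RE.match(msg)):
            hosts[_ip(b["host"])]["blocks"].append(b["how"])   # one-time actions
        elif (r := REPEAT_RE.match(msg)):
            hosts[_ip(r["host"])]["repeats"] += 1              # the noisy part
        # 'External command run ...' lines are deliberately not counted
    return dict(hosts)


def probe_interval(rec):
    """Mean seconds between probes from one host, or None with fewer than two."""
    t = sorted(rec["probes"])
    if len(t) < 2:
        return None
    return (t[-1] - t[0]).total_seconds() / (len(t) - 1)


def report(log_text, min_repeats=1):
    """One digest line per host that keeps probing after it was blocked."""
    out = []
    for ip, rec in sorted(summarise(log_text).items()):
        if rec["repeats"] < min_repeats:
            continue
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(rec["ports"]))
        gap = probe_interval(rec)
        out.append(f"{ip}: {len(rec['probes'])} probes to {ports}; blocked via "
                   f"{' + '.join(rec['blocks']) or 'nothing'}; {rec['repeats']} repeats"
                   + (f", ~{gap:.0f}s apart" if gap is not None else ""))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample it prints a single line for 208.155.66.37 showing three UDP/69 probes, both block actions, and two repeats about 4 seconds apart; raising `min_repeats` lets a digest drop hosts whose block is already in place and only re-logging.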