Well, since I don't do tunnels to/from this machine, socks was never defined in the services file. However, portsentry was configured to watch the port for the attempted hackers. Yes, I'm sure tcpdump was tripping on portsentry. I shut down portsentry, and the continuous logging stopped of course; however, there still was no activity on the tcpdump. I restarted portsentry after 10 minutes, and now the continuous logging has stopped. I believe portsentry got hung in a loop. No packets were coming in from the same address, not even an unknown address, not even internal. After restarting portsentry they stopped. Portsentry will detect a SYN flood attack and log the IP address in iptables and the hosts.deny file (if it can find a valid IP address attached).
Robert Canary wrote:
>
> I've tried tcpdump. However, this is a stealth SYN attack. I used
> #>tcpdump -u root -i any port 1080
>
> I can watch the log files as portsentry continues to log the attempts,
> but tcpdump shows nothing.
>
> Any more ideas?
>
> MKlinke wrote:
> >
> > On Saturday 16 August 2003 18:14, Robert Canary wrote:
> > > I am getting continuously hit on port 1080. Nothing is happening
> > > because the services (proxy) have been disabled; portsentry is seeing
> > > the attack but it reports "unknown" as the attacker. Most all my
> > > machines have seen this activity, but nothing like this one.
> > >
> > > It fills up the log files, causes the system to crunch the log file a
> > > little more often than usual... other than that it is just a nuisance,
> > > sort of like that fly buzzing around your head when you try to eat
> > > dinner.
> > >
> > > I have tried to trap the IP address in ntop, but it isn't showing a
> > > port 1080...
> > >
> > > Any ideas how to find the IP address...
> > >
> > > Malicious ideas are welcome as well :-)
> >
> > Robert,
> >
> > tcpdump dst port 1080
> >
> > should display any traffic destined for port 1080
> >
> > Regards, Mike Klinke
> >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:[EMAIL PROTECTED]
> > https://www.redhat.com/mailman/listinfo/redhat-list
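Added example, not part of this thread and not code from portsentry or tcpdump: a small Python script that does the step Mike's filter leaves to the eye, parsing tcpdump text output for SYN-only packets to a destination port and counting them per source address. The capture lines below are constructed (RFC 5737 test addresses, modern tcpdump "Flags [S]" output format), and the filter expression in the comment is the one that would produce that kind of capture; the regex and thresholds are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of tcpdump text output, not a real capture.
# Lines like these come from, for example:
#   tcpdump -n -i any 'tcp dst port 1080 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# (a "-n" avoids DNS lookups, which can stall tcpdump during a flood).
SAMPLE_CAPTURE = """\
18:14:01.100001 IP 203.0.113.5.45321 > 192.0.2.10.1080: Flags [S], seq 100, win 512, length 0
18:14:01.100442 IP 203.0.113.5.45322 > 192.0.2.10.1080: Flags [S], seq 101, win 512, length 0
18:14:01.100873 IP 198.51.100.77.5100 > 192.0.2.10.1080: Flags [S], seq 7, win 64240, length 0
18:14:01.101230 IP 192.0.2.10.1080 > 198.51.100.77.5100: Flags [R.], seq 0, ack 8, win 0, length 0
18:14:01.102000 IP 203.0.113.5.45323 > 192.0.2.10.1080: Flags [S], seq 102, win 512, length 0
18:14:01.103000 IP 203.0.113.9.40000 > 192.0.2.10.22: Flags [S], seq 5, win 512, length 0
18:14:01.104000 IP 203.0.113.5.45324 > 192.0.2.10.1080: Flags [S.], seq 103, ack 1, win 512, length 0
"""

# Matches the IPv4 TCP summary line tcpdump prints: "ts IP src.sport > dst.dport: Flags [..]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if the line is not a TCP summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def is_pure_syn(flags):
    """True for a connection attempt: SYN set, ACK (printed as '.') not set.
    SYN-ACKs ('S.') are replies from our side, not attempts against us."""
    return "S" in flags and "." not in flags


def syn_sources(capture_text, dport=1080):
    """Count pure SYNs to dport per source IP over tcpdump text output."""
    counts = Counter()
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] != dport:
            continue
        if not is_pure_syn(pkt["flags"]):
            continue
        counts[pkt["src"]] += 1
    return counts


def top_sources(capture_text, dport=1080, threshold=2):
    """Sources sending at least `threshold` SYNs to dport, busiest first.
    The threshold is an illustrative cut-off, not a portsentry setting."""
    return [(ip, n) for ip, n in syn_sources(capture_text, dport).most_common()
            if n >= threshold]


if __name__ == "__main__":
    # Reading a live capture instead: tcpdump -n -l -i any 'tcp dst port 1080' | python3 this.py
    for ip, n in top_sources(SAMPLE_CAPTURE):
        print(f"{ip}\t{n} SYNs to port 1080")
```

Run over the constructed capture, 203.0.113.5 is reported with three SYNs; the SYN-ACK from it, the RST our side sent, and the SYN to port 22 are all ignored. If tcpdump on the host shows no matching lines at all while portsentry keeps logging, that points at the sensor rather than the network, which is the conclusion Robert reached above.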