> That is not weirdness, that is someone trying to find an exploit.
> The portmapper, port 111, has had a number of issues.  Some script
> kiddie has found you and is trying to see if they can get to port 111.
> The way I handle such things is I have portsentry set to add an
> ipchains deny rule when this happens.  You would have seen the first
> line in that case, but then the other 600000 hits it is complaining about
> would have been denied up-front.

What IP address are you running portsentry from? I'd love to use nmap's IP
decoy option to pretend to be AOL, or your ISP, or google.com, or
sourceforge, or....

Make sure it's based on, say, the Nth attack after P period of time...

dave




> 
> On Fri, 13 Oct 2000, buggz wrote:
> 
> > 
> > Speaking of portsentry...
> > Does anyone know what to do w/ this weirdness I get from it?
> > 
> > /var/log/messages snippet:
> > Oct 10 08:32:07 buggz1 portsentry[694]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
> > Oct 10 08:32:37 buggz1 last message repeated 110318 times
> > Oct 10 08:33:38 buggz1 last message repeated 224336 times
> > Oct 10 08:34:39 buggz1 last message repeated 222811 times
> > Oct 10 08:35:02 buggz1 last message repeated 81037 times
> > 
> > That's ridiculous.
> > grep 111 /etc/services
> > sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper TCP
> > sunrpc          111/udp         portmapper      # RPC 4.0 portmapper UDP
> > I'm guessing that's nfs somehow?
> > 
> > On Fri, 13 Oct 2000, Steve Curry wrote:
> > 
> > > Also when you have time go to www.freshmeat.net and do a search for
> > > portsentry. This program will automatically put the IP of anyone doing a
> > > portscan on your system into the hosts.deny and also blackhole them in your
> > > route table. I use this program on all our boxes and it works great. It can
> > > also be set up to fire an email at you when "events" happen.
> > > 
> > 
> > --
> > 
> >  Ed June             
> > 
> >  [EMAIL PROTECTED]
> >  Linux: An open choice for free people worldwide.
> > 
> > 
> > 
> > _______________________________________________
> > Redhat-list mailing list
> > [EMAIL PROTECTED]
> > https://listman.redhat.com/mailman/listinfo/redhat-list
> > 
> 
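The thresholding suggested at the top of this message (act only on the Nth alert within a period P), sketched as an added example that is not code from portsentry or from anyone in the thread. The function name, the defaults, the never-block list and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the /var/log/messages format quoted in
# the thread. Addresses are documentation ranges; none come from the thread.
PREFIX = "buggz1 portsentry[694]: attackalert:"
SAMPLE_LOG = f"""\
Oct 10 08:32:07 {PREFIX} Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Oct 10 08:32:08 {PREFIX} Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Oct 10 08:32:09 {PREFIX} Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Oct 10 08:32:10 {PREFIX} Connect from host: 203.0.113.1/203.0.113.1 to TCP port: 111
Oct 10 08:32:11 {PREFIX} Connect from host: 203.0.113.1/203.0.113.1 to TCP port: 111
Oct 10 08:32:12 {PREFIX} Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Oct 10 08:32:13 {PREFIX} Connect from host: 203.0.113.1/203.0.113.1 to TCP port: 111
Oct 10 08:33:00 {PREFIX} Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Oct 10 08:50:00 {PREFIX} Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Oct 10 08:50:05 {PREFIX} Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
"""

# Source IP is group 2; it is None for "unknown host" alerts, which name nobody to block.
ALERT = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ portsentry\[\d+\]: attackalert: .*?"
                   r"from (?:host: \S+/(\S+)|unknown host) to (?:TCP|UDP) port: (\d+)")

def decide_blocks(log_text, n=3, period=timedelta(minutes=5), allowlist=frozenset(), year=2000):
    """Return (blocked, skipped): sources with at least n alerts inside `period`."""
    recent = defaultdict(deque)            # source IP -> alert times still in the window
    blocked, skipped = [], defaultdict(int)
    for line in log_text.splitlines():
        m = ALERT.match(line)
        if not m:
            continue
        stamp, src, _port = m.groups()
        if src is None or src in allowlist:
            skipped[src or "unknown host"] += 1   # counted for review, never blocked
            continue
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        window = recent[src]
        window.append(ts)
        while ts - window[0] > period:     # forget alerts older than P
            window.popleft()
        if len(window) >= n and src not in blocked:
            blocked.append(src)
    return blocked, dict(skipped)
```

With `n=1` every address that appears once in the log is blocked; with the defaults only the source that repeats inside the window is, and the never-block entry is left alone however often it appears.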


