Logcheck Alert Questions

Erich S. sharky at websharx.com
Tue Jun 19 12:52:12 PDT 2001


Hiya Folks!

I've just recently installed logcheck and portsentry on a test machine and
although I was expecting to see a bit of scan activity notices, I was a
bit surprised at how many are showing up. Before getting too paranoid I was
wondering if these are really probes, or I'm just picking up 'noise'.

Port 111 seems to be popular. I've noticed quite a few scans from what
appear to be DNS servers to my port 53. Is it normal for them to try and
talk to my box on this port? (Port 53 is DNS right?) Are that many
machines out there 'owned'...*yikes*

Below is a snippet from logcheck's email to me.

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jun 19 07:24:39 mako portsentry[20214]: attackalert: UDP scan from host: 198.64.193.60/198.64.193.60 to UDP port: 53
Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60 has been blocked via wrappers with string: "ALL: 198.64.193.60"
Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 198.64.193.60 -j DENY -l"
Jun 19 07:29:46 mako portsentry[20212]: attackalert: SYN/Normal scan from host: ADSLP1-PT-p8.adsl.netvision.net.il/212.143.55.8 to TCP port: 21
Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has been blocked via wrappers with string: "ALL: 212.143.55.8"
Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 212.143.55.8 -j DENY -l"

Thanks in advance for any links to more info or explanations!

Aloha,
	Sharky
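An added example, not part of the post and not code from logcheck or portsentry: it parses the attackalert lines quoted above and tallies hits per source IP, protocol and port, plus how each source was blocked, so a batch of these alerts can be triaged as a summary rather than line by line. The sample input is the post's own six log lines, embedded as a constructed string.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the portsentry events quoted in the post above.
SAMPLE_LOG = """\
Jun 19 07:24:39 mako portsentry[20214]: attackalert: UDP scan from host: 198.64.193.60/198.64.193.60 to UDP port: 53
Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60 has been blocked via wrappers with string: "ALL: 198.64.193.60"
Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 198.64.193.60 -j DENY -l"
Jun 19 07:29:46 mako portsentry[20212]: attackalert: SYN/Normal scan from host: ADSLP1-PT-p8.adsl.netvision.net.il/212.143.55.8 to TCP port: 21
Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has been blocked via wrappers with string: "ALL: 212.143.55.8"
Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 212.143.55.8 -j DENY -l"
"""

# One pattern for the "scan from host" lines, one for the follow-up block actions.
SCAN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ portsentry\[\d+\]: attackalert: "
    r"(?P<kind>.+?) scan from host: (?P<name>\S+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)
BLOCK_RE = re.compile(
    r"attackalert: Host (?P<ip>[\d.]+) has been blocked via (?P<how>wrappers|dropped route)"
)

def parse_alerts(text):
    """Split a logcheck snippet into scan events (dicts) and block actions (ip, how)."""
    scans, blocks = [], []
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            event = m.groupdict()
            event["port"] = int(event["port"])
            scans.append(event)
            continue
        m = BLOCK_RE.search(line)
        if m:
            blocks.append((m.group("ip"), m.group("how")))
    return scans, blocks

def summarize(text):
    """Count probes per (source IP, protocol, port) and record how each source was blocked."""
    scans, blocks = parse_alerts(text)
    hits = Counter((s["ip"], s["proto"], s["port"]) for s in scans)
    blocked = defaultdict(set)
    for ip, how in blocks:
        blocked[ip].add(how)
    return hits, dict(blocked)

if __name__ == "__main__":
    hits, blocked = summarize(SAMPLE_LOG)
    for (ip, proto, port), n in hits.most_common():
        print(f"{ip:16} {proto} port {port:5} hits={n} blocked_via={sorted(blocked.get(ip, ()))}")
```

Run it over a whole day's logcheck mail instead of the six-line sample and the summary shows at a glance which sources touched one port once and which swept many ports, which is the distinction the question above is really about.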


