Logcheck Alert Questions

Erich S. sharky at websharx.com
Tue Jun 19 15:33:55 PDT 2001


Aloha!

Thanks, Warren! I had a feeling that portsentry might be reacting a bit
quickly with shutting stuff down so quickly. I've already entered in some
trusted machines (hehe, good thing I was local to the server while
testing, since I managed to get my remote machine blacklisted pretty
quickly while doing an nmap against the box).

I see also what you mean by the spoofing and blocking issue. Hmmm...

Thanks again for replying! I really appreciate the fast and informative
answers. For now, I'll leave it as is, and get a feel for what portsentry
is doing...as well as bone up more on my reading.

BTW, is portsentry pretty common, or does anyone have any favorite tools
for monitoring for folks rattling your Linux cages?

Aloha,
	Erich

On Tue, 19 Jun 2001, Warren Togami wrote:

> Search for port information here.
> http://www.snort.org/Database/portsearch.asp
> 
> From this information, you can decide if that particular port is "normal"
> random traffic or not.  You appear to be using ipchains and route dropping,
> so you want to minimize dropping to *real* threats, or risk losing important
> hosts and rendering your machine useless.  Also be aware that it is possible
> for people to DoS your machine by sending spoofed IP addresses while
> bombarding your machine with packets.  One workaround is to add important
> hosts to the "trust list", like your gateway, DNS servers, and I think
> 0.0.0.0, but you can imagine the damage people can do by selectively forcing
> you to block other hosts that they choose.  I wish portsentry could possibly
> be a little more configurable and smarter about the decision to block.
> 
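The trust-list mitigation Warren describes, as an added example that is not from the thread or from portsentry itself: the addresses, the ignore-list syntax and the hit threshold are constructed assumptions, and the block decision is a simplified model rather than portsentry's real logic.

```python
import ipaddress

# Constructed trust list, one address or CIDR block per line. Real portsentry
# reads its own ignore file; the exact syntax there is not assumed here.
TRUST_LIST = """
192.168.1.1      # gateway
192.168.1.53     # site DNS server
10.0.0.0/8       # internal network
127.0.0.1
0.0.0.0
"""

def parse_trust_list(text):
    """Return ip_network objects; a bare address becomes a single-host network."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def is_trusted(addr, trusted):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)

def decide_blocks(events, trusted, threshold=3):
    """Simplified auto-block model (an assumption, not portsentry's real logic):
    a source seen on `threshold` distinct monitored ports is blocked, unless it
    is on the trust list. Returns (blocked, spared) sets of source addresses."""
    ports_seen = {}
    blocked, spared = set(), set()
    for src, port in events:
        ports_seen.setdefault(src, set()).add(port)
        if len(ports_seen[src]) >= threshold and src not in blocked | spared:
            (spared if is_trusted(src, trusted) else blocked).add(src)
    return blocked, spared

# Constructed probe log: a genuine scan from 203.0.113.7, plus packets whose
# source address was forged to match the DNS server, the DoS Warren describes.
EVENTS = [
    ("203.0.113.7", 23), ("203.0.113.7", 111), ("203.0.113.7", 6000),
    ("192.168.1.53", 23), ("192.168.1.53", 111), ("192.168.1.53", 6000),
]

if __name__ == "__main__":
    blocked, spared = decide_blocks(EVENTS, parse_trust_list(TRUST_LIST))
    print("blocked:", sorted(blocked))              # only the real scanner
    print("trusted, not blocked:", sorted(spared))  # DNS server stays reachable
    print("without a trust list:", sorted(decide_blocks(EVENTS, [])[0]))
```

Without the trust list the forged packets get the DNS server route-dropped, which is exactly the selective blocking Warren warns about.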