IPCHAINS Help

Warren Togami warren at togami.com
Fri Oct 19 02:00:08 PDT 2001


Re: [luau] Re: IPCHAINS Help

Portsentry WON'T miss anything, but be careful to
clear your TCP wrappers and routes every few weeks or so, because the list
may become very long and increasingly hamper performance over time.  There
is also the chance that, through spoofing, erroneous hosts were added to your
blacklist, effectively cutting yourself off from those hosts.

I highly recommend turning off the automatic portsentry blacklisting,
because it is far too easy for someone to add hundreds or even thousands of
hosts to your blocks.  A few months ago there was a link from LinuxToday
about this guy who wrote a daemon that will allow you to auto-block hosts
for a certain period of time, say 1-6 hours, then unblock them.  That would
cut off attacks in progress, while not clogging up your system with many
permanent blocks.

----- Original Message -----
From: Ben Beeson
To: Linux & Unix Advocates & Users
Sent: Thursday, October 18, 2001 8:06 PM
Subject: [luau] Re: IPCHAINS Help

Brian,

 The answer to your question is the scans are coming from arbitrary
ports and showing up on my port 53.  My firewall logs have messages
like these:

portsentry[726]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1
ACK: 0 PSH: 0 URG: 0 RST: 0 from host: 211.157.248.34/211.157.248.34 to
TCP port: 53
portsentry[726]: attackalert: Host 211.157.248.34 has been blocked via
wrappers with string: "ALL: 211.157.248.34 : DENY"
portsentry[726]: attackalert: Host 211.157.248.34 has been blocked via
dropped route using command: "/sbin/ipchains -I input -s 211.157.248.34
-j DENY -l"

portsentry[726]: attackalert: SYN/Normal scan from host:
210.97.3.254/210.97.3.254 to TCP port: 53
portsentry[726]: attackalert: Host 210.97.3.254 has been blocked via
wrappers with string: "ALL: 210.97.3.254 : DENY"
portsentry[726]: attackalert: Host 210.97.3.254 has been blocked via
dropped route using command: "/sbin/ipchains -I input -s 210.97.3.254
-j DENY -l"

So, I just wanted to take an extra step to keep them out in case my
PortSentry misses something.

Thanks,

Ben
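The time-limited blocking Warren suggests, worked through on log lines of the kind Ben pasted, as an added example that is not part of the original thread or of portsentry itself: it parses the attackalert lines, keeps each block only for a TTL, skips an assumed allowlist of hosts that must never be cut off (the spoofing risk Warren mentions), and returns the ipchains commands as strings instead of executing them. The sample log lines, the allowlist address and the ipchains -D form that mirrors the -I rule are assumptions.

```python
import re

# Constructed sample portsentry log lines, modelled on the ones quoted above.
SAMPLE_LOG = """\
portsentry[726]: attackalert: SYN/Normal scan from host: 210.97.3.254/210.97.3.254 to TCP port: 53
portsentry[726]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: 211.157.248.34/211.157.248.34 to TCP port: 53
portsentry[726]: attackalert: SYN/Normal scan from host: 192.0.2.53/192.0.2.53 to TCP port: 53
portsentry[726]: attackalert: Host 210.97.3.254 has been blocked via wrappers with string: "ALL: 210.97.3.254 : DENY"
"""

# Assumed allowlist: hosts that must never be blocked, because a spoofed SYN
# naming them would otherwise cut this box off from them (e.g. the resolver).
NEVER_BLOCK = {"192.0.2.53"}

ATTACK_RE = re.compile(r"attackalert: .* from host: (\S+)/(\S+) to TCP port: (\d+)")

class TempBlocker:
    """Keeps per-host blocks with an expiry instead of a permanent blacklist."""

    def __init__(self, ttl_seconds=3600, allowlist=NEVER_BLOCK):
        self.ttl = ttl_seconds
        self.allowlist = allowlist
        self.blocks = {}  # ip -> epoch seconds at which the block expires

    def block(self, ip, now):
        """Return the ipchains insert command for a new block, or None."""
        if ip in self.allowlist or ip in self.blocks:
            return None
        self.blocks[ip] = now + self.ttl
        # Same rule form portsentry used in the quoted logs.
        return f"/sbin/ipchains -I input -s {ip} -j DENY -l"

    def expire(self, now):
        """Return ipchains delete commands for every block whose TTL has passed."""
        gone = sorted(ip for ip, until in self.blocks.items() if until <= now)
        for ip in gone:
            del self.blocks[ip]
        # Assumed: -D with the identical rule spec removes the rule -I inserted.
        return [f"/sbin/ipchains -D input -s {ip} -j DENY -l" for ip in gone]

def process_log(log_text, blocker, now):
    """Feed attackalert lines to the blocker; return the commands to run."""
    cmds = []
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:
            cmd = blocker.block(m.group(1), now)
            if cmd:
                cmds.append(cmd)
    return cmds

if __name__ == "__main__":
    import time
    b = TempBlocker()
    for c in process_log(SAMPLE_LOG, b, time.time()):
        print(c)  # dry run: print rather than execute
```

A real daemon would run the returned commands and call expire() from a periodic loop; the dry-run output is what you would review before trusting it with the routes.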