No subject


Fri May 9 02:17:39 PDT 2014


random traffic or not.  You appear to be using ipchains and route dropping,
so you want to minimize dropping to *real* threats, or risk losing important
hosts and rendering your machine useless.  Also be aware that it is possible
for people to DoS your machine by sending spoofed IP addresses while
bombarding your machine with packets.  One workaround is to add important
hosts to the "trust list", like your gateway, DNS servers, and I think
0.0.0.0, but you can imagine the damage people can do by selectively forcing
you to block other hosts that they choose.  I wish portsentry could possibly
be a little more configurable and smarter about the decision to block.

----- Original Message -----
From: "Erich S." <sharky at websharx.com>
To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
Sent: Tuesday, June 19, 2001 9:52 AM
Subject: [luau] Logcheck Alert Questions


> Hiya Folks!
>
> I've just recently installed logcheck and portsentry on a test machine and
> although I was expecting to see a bit of scan activity notices, I was a
> bit surprised at how many are showing up. Before getting too paranoid I was
> wondering if these are really probes, or I'm just picking up 'noise'.
>
> Port 111 seems to be popular. I've noticed quite a few scans from what
> appear to be DNS servers to my port 53. Is it normal for them to try and
> talk to my box on this port? (Port 53 is DNS right?) Are that many
> machines out there 'owned'...*yikes*
>
> Below is a snippet from logcheck's email to me.
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Jun 19 07:24:39 mako portsentry[20214]: attackalert: UDP scan from host:
> 198.64.193.60/198.64.193.60 to UDP port: 53
> Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60
> has been blocked via wrappers with string: "ALL: 198.64.193.60"
> Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60
> has been blocked via dropped route using command: "/sbin/ipchains -I
> input -s 198.64.193.60 -j DENY -l"
> Jun 19 07:29:46 mako portsentry[20212]: attackalert: SYN/Normal scan from
> host: ADSLP1-PT-p8.adsl.netvision.net.il/212.143.55.8 to TCP port: 21
> Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has
> been blocked via wrappers with string: "ALL: 212.143.55.8"
> Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has
> been blocked via dropped route using command: "/sbin/ipchains -I input -s
> 212.143.55.8 -j DENY -l"
>
> Thanks in advance for any links to more info or explanations!
>
> Aloha,
> Sharky
>

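The reply above warns that portsentry's automatic route-dropping lets anyone who can spoof a source address force you to block hosts you depend on, and suggests a trust list as the workaround. As an added example (not part of the thread), here is a Python audit that reads attackalert lines in the format of the logcheck excerpt, pairs each route-drop with the packets that triggered it, and flags any block that hit a trusted host; the TRUSTED addresses and the 192.0.2.53 log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the portsentry attackalert format quoted above; the
# 192.0.2.53 entries are invented to model a DNS resolver being auto-blocked.
SAMPLE_LOG = """\
Jun 19 07:24:39 mako portsentry[20214]: attackalert: UDP scan from host: 198.64.193.60/198.64.193.60 to UDP port: 53
Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 198.64.193.60 -j DENY -l"
Jun 19 07:29:46 mako portsentry[20212]: attackalert: SYN/Normal scan from host: ADSLP1-PT-p8.adsl.netvision.net.il/212.143.55.8 to TCP port: 21
Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 212.143.55.8 -j DENY -l"
Jun 19 07:31:02 mako portsentry[20214]: attackalert: UDP scan from host: 192.0.2.53/192.0.2.53 to UDP port: 111
Jun 19 07:31:02 mako portsentry[20214]: attackalert: Host 192.0.2.53 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.0.2.53 -j DENY -l"
"""

# Hypothetical trust list: the hosts the reply says you cannot afford to lose.
TRUSTED = {"192.0.2.1": "gateway", "192.0.2.53": "DNS resolver", "0.0.0.0": "unspecified"}

SCAN_RE = re.compile(r"attackalert: (?P<proto>UDP|SYN/Normal) scan from host: "
                     r"\S+/(?P<ip>\d+(?:\.\d+){3}) to (?:UDP|TCP) port: (?P<port>\d+)")
BLOCK_RE = re.compile(r"attackalert: Host (?P<ip>\d+(?:\.\d+){3}) has been blocked via dropped route")

def parse_scan(line):
    """Return (proto, ip, port) for a scan-trigger line, else None."""
    m = SCAN_RE.search(line)
    return (m["proto"], m["ip"], int(m["port"])) if m else None

def parse_block(line):
    """Return the IP that portsentry route-dropped (wrapper-only lines are ignored)."""
    m = BLOCK_RE.search(line)
    return m["ip"] if m else None

def audit(log_text, trusted=TRUSTED):
    """Pair each route-drop with its triggering packets and flag blocks on trusted
    hosts: one spoofed UDP datagram or SYN is enough to make portsentry do this."""
    triggers = defaultdict(list)
    blocked = []
    for line in log_text.splitlines():
        scan = parse_scan(line)
        if scan:
            triggers[scan[1]].append((scan[0], scan[2]))
            continue
        ip = parse_block(line)
        if ip and ip not in blocked:
            blocked.append(ip)
    flagged = [(ip, trusted[ip], triggers[ip]) for ip in blocked if ip in trusted]
    return {"blocked": blocked, "triggers": dict(triggers), "trusted_blocked": flagged}

if __name__ == "__main__":
    for ip, role, why in audit(SAMPLE_LOG)["trusted_blocked"]:
        print(f"REVIEW: {role} {ip} was route-dropped on {why}; remove the DENY rule")
```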