i agree that this is a very useful product. unfortunately the additions to the iptables will be lost at reboot. if you also create entries in /etc/hosts.deny it is possible to create a simple script which reads information from /etc/hosts.deny and recreate the iptable entries. --- Stijn Vander Maelen wrote:

I know, I've been using it for several months now. It works great but you have to warn your users. I had several DSL users who connected just for fun to all kinds of different ports and they were locked out. Their route was dropped...gives really friendly messages in your mailbox when you wake up :-(

regards, stijn

On Fri, 15 Mar 2002, Michael Garabedian wrote:

...

I would just like to tell you all about a great product.

Portsentry...I just installed it on a test server and this is the output I got in an email

Active System Attack Alerts =-=-=-=-=-=-=-=-=-=-=-=-=-= Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"

Security Violations =-=-=-=-=-=-=-=-=-= Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"

Unusual System Events =-=-=-=-=-=-=-=-=-=-= Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly) Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly) Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly) Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh) Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh) Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh) File /var/log/secure cannot be read. File /var/log/maillog cannot be read.

Cool ...my first security project.

Mike

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

__________________________________________________ Do You Yahoo!? Yahoo! Sports - live college hoops coverage http://sports.yahoo.com/