I know, I've been using it for several months now. It works great but you have to warn your users. I had several DSL users who connected just for fun to all kinds of different ports and they were locked out. Their route was dropped...gives really friendly messages in your mailbox when you wake up :-(

regards,
stijn

On Fri, 15 Mar 2002, Michael Garabedian wrote:
I would just like to tell you all about a great product.
Portsentry...I just installed it on a test server and this is the output I got in an email
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Security Violations
=-=-=-=-=-=-=-=-=-=
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh)
File /var/log/secure cannot be read.
File /var/log/maillog cannot be read.
Cool ...my first security project.
Mike
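As an added example, written for this thread and not code from either poster or from PortSentry itself: a small Python reader for the attackalert lines quoted above. It pulls out which hosts PortSentry blocked, by which mechanism (the tcp-wrappers "ALL: host" entry and the iptables DROP rule both appear in the log), and which ports each host touched, then checks the blocked addresses against the address ranges your own users come from, so the lockouts Stijn describes land in the morning report as "known user blocked, undo this" rather than as angry mail. The 10.20.30.0/24 user range, the 10.20.30.40 log lines and the /etc/hosts.deny path are assumptions made for the example; the 24.159.174.26 lines are modelled on the ones in the quoted report.

```python
import ipaddress
import re

# Constructed sample input: the PortSentry lines from the thread plus a made-up
# hit from 10.20.30.40, which stands in for one of "our" DSL users poking at finger.
SAMPLE_LOG = """\
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 03:10:02 sheeva portsentry[96]: attackalert: Connect from host: 10.20.30.40/10.20.30.40 to TCP port: 79
Mar 15 03:10:02 sheeva portsentry[96]: attackalert: Connect from host: 10.20.30.40/10.20.30.40 to TCP port: 111
Mar 15 03:10:02 sheeva portsentry[96]: attackalert: Host 10.20.30.40 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 10.20.30.40 -j DROP"
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh /usr/local/etc/logcheck.sh)
"""

# Assumed: the ranges our legitimate users connect from.
KNOWN_USER_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# "Connect from host: <name>/<ip> to <proto> port: <n>"
CONNECT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>[^/\s]+)/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
# "Host <ip> has been blocked via wrappers ..." / "... via dropped route ..."
BLOCK_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Host (?P<ip>\S+) has been blocked via "
    r"(?P<method>wrappers|dropped route)"
)


def parse_portsentry(log_text):
    """Map each source IP to the ports it touched and the block methods applied to it."""
    events = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            e = events.setdefault(m["ip"], {"ports": set(), "methods": set()})
            e["ports"].add((m["proto"], int(m["port"])))
            continue
        m = BLOCK_RE.search(line)
        if m:
            e = events.setdefault(m["ip"], {"ports": set(), "methods": set()})
            e["methods"].add(m["method"])
    return events


def blocked_known_users(events, known_nets=KNOWN_USER_NETS):
    """Blocked IPs that fall inside a known-user range: the lockouts to reverse."""
    hits = []
    for ip, e in events.items():
        if not e["methods"]:
            continue  # seen, but PortSentry did not block it
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in known_nets):
            hits.append(ip)
    return sorted(hits)


def unblock_commands(ip, hosts_deny="/etc/hosts.deny"):
    """Commands an admin runs by hand to reverse the two blocks the log shows.
    Assumed: wrappers mode wrote 'ALL: <ip>' to /etc/hosts.deny. Returned, not executed."""
    escaped = ip.replace(".", r"\.")
    return [
        f"/usr/local/bin/iptables -D INPUT -s {ip} -j DROP",
        f"sed -i '/^ALL: {escaped}$/d' {hosts_deny}",
    ]


def report(log_text):
    """One line per blocked host, flagging those that are our own users."""
    events = parse_portsentry(log_text)
    locked_out = set(blocked_known_users(events))
    lines = []
    for ip in sorted(events):
        e = events[ip]
        if not e["methods"]:
            continue
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(e["ports"]))
        tag = "KNOWN USER - undo" if ip in locked_out else "unknown host"
        lines.append(f"{ip}: {tag}; ports {ports}; via {', '.join(sorted(e['methods']))}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    for ip in blocked_known_users(parse_portsentry(SAMPLE_LOG)):
        print("\n".join(unblock_commands(ip)))
```

Run it against the output logcheck mails you and the known-user hits come out with the exact iptables -D and hosts.deny edits needed to let the user back in; unknown hosts stay blocked as PortSentry intended.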
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here