I would just like to tell you all about a great product. Portsentry... I just installed it on a test server and this is the output I got in an email:

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"

Security Violations
=-=-=-=-=-=-=-=-=-=
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh)
File /var/log/secure cannot be read.
File /var/log/maillog cannot be read.

Cool ...my first security project.

Mike
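
Added example, not part of Mike's post and not code from Portsentry or logcheck: a small Python summarizer for the attackalert lines in a report like the one above. It collapses exact repeats of a line, groups probes and block actions per source address, and lists any host that probed a port but has no block action logged. It assumes that an exact repeat is one event logged more than once; the 192.0.2.10 line in the sample is constructed.

```python
import re

# Sample input: the first host's lines are in the shape shown in the report
# above (repeated, as there); the 192.0.2.10 line is constructed.
SAMPLE = '''\
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 03:10:02 sheeva portsentry[96]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 23
'''

# One pattern per attackalert message type seen in the report.
PATTERNS = {
    "probe": re.compile(r"attackalert: Connect from host: \S+/(?P<ip>\S+) to (?P<val>(?:TCP|UDP) port: \d+)"),
    "wrappers": re.compile(r'attackalert: Host (?P<ip>\S+) has been blocked via wrappers with string: "(?P<val>[^"]*)"'),
    "route": re.compile(r'attackalert: Host (?P<ip>\S+) has been blocked via dropped route using command: "(?P<val>[^"]*)"'),
}

def summarize(report):
    """Return {ip: {"probe": [...], "wrappers": [...], "route": [...]}}."""
    hosts, seen = {}, set()
    for line in report.splitlines():
        line = line.strip()
        if "portsentry[" not in line or line in seen:
            continue  # another daemon, or an exact repeat already counted
        seen.add(line)
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                entry = hosts.setdefault(m["ip"], {k: [] for k in PATTERNS})
                entry[kind].append(m["val"])
                break
    return hosts

def unblocked(hosts):
    """Hosts that probed a port but have no block action in the report."""
    return sorted(ip for ip, e in hosts.items()
                  if e["probe"] and not (e["wrappers"] or e["route"]))

if __name__ == "__main__":
    hosts = summarize(SAMPLE)
    for ip, e in hosts.items():
        print(ip, e)
    print("probed but not blocked:", unblocked(hosts))
```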