Portsentry...

15 Mar 2002

      I would just like to tell you all about a great product.

Portsentry...I just installed it on a test server and this is the output
I got in an email

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
dropped route using command: "/usr/local/bin/iptables -I INPUT -s
24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]:
attackalert: Host 24.159.174.26 has been blocked via dropped route using
command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar
15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has
been blocked via dropped route using command: "/usr/local/bin/iptables
-I INPUT -s 24.159.174.26 -j DROP"

Security Violations
=-=-=-=-=-=-=-=-=-=
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
dropped route using command: "/usr/local/bin/iptables -I INPUT -s
24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]:
attackalert: Host 24.159.174.26 has been blocked via dropped route using
command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar
15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has
been blocked via dropped route using command: "/usr/local/bin/iptables
-I INPUT -s 24.159.174.26 -j DROP"

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address
already in use Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind:
Address already in use Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp
(2): bind: Address already in use Mar 15 02:17:36 sheeva inetd[1251]:
finger/tcp (2): bind: Address already in use Mar 15 02:17:36 sheeva
inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15
02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in
use Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address
already in use Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind:
Address already in use Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp
(2): bind: Address already in use Mar 15 02:37:36 sheeva inetd[1251]:
finger/tcp (2): bind: Address already in use Mar 15 02:37:36 sheeva
inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15
02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in
use Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address
already in use Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind:
Address already in use Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp
(2): bind: Address already in use Mar 15 02:54:26 sheeva portsentry[96]:
attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port:
111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from
host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26
sheeva portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
dropped route using command: "/usr/local/bin/iptables -I INPUT -s
24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]:
attackalert: Host 24.159.174.26 has been blocked via dropped route using
command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar
15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has
been blocked via dropped route using command: "/usr/local/bin/iptables
-I INPUT -s 24.159.174.26 -j DROP" Mar 15 02:57:36 sheeva inetd[1251]:
finger/tcp (2): bind: Address already in use Mar 15 02:57:36 sheeva
inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15
02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in
use Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f
/var/spool/cron/lastrun/cron.hourly) 
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f
/var/spool/cron/lastrun/cron.hourly) 
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f
/var/spool/cron/lastrun/cron.hourly) 
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD (
/bin/sh^I/usr/local/etc/logcheck.sh) 
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD (
/bin/sh^I/usr/local/etc/logcheck.sh) 
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD (
/bin/sh^I/usr/local/etc/logcheck.sh) 
File /var/log/secure cannot be read.
File /var/log/maillog cannot be read.

Cool ...my first security project.

Mike

Portsentry...

Michael Garabedian