Hmm..... I wouldn't block a host. Someone could spoof its IP, and there you go . . .

Mario Ohnewald

P.S. But I still love Portsentry in combination with logcheck
I would just like to tell you all about a great product.
Portsentry... I just installed it on a test server, and this is the output I got in an email:
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"

Security Violations
=-=-=-=-=-=-=-=-=-=
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD ( /bin/sh^I/usr/local/etc/logcheck.sh)
File /var/log/secure cannot be read.
File /var/log/maillog cannot be read.
Cool ... my first security project.
Mike
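As an added example (written here, not code from either poster or from the PortSentry project), a small Python parser for the portsentry lines in the logcheck mail above, with the check Mario's objection calls for: before trusting a reactive block, compare the blocked address against a list of hosts that must never be cut off, since anyone who can spoof a source address at the sensor can otherwise get a legitimate host dropped. The sample lines are constructed in the mail's format (192.0.2.x addresses and the NEVER_BLOCK table are hypothetical).

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the logcheck mail above; the first
# connect line is deliberately repeated, as logcheck repeated lines there.
SAMPLE = """\
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port: 111
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via wrappers with string: "ALL: 24.159.174.26"
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP"
Mar 15 02:55:01 sheeva portsentry[96]: attackalert: Connect from host: 192.0.2.53/192.0.2.53 to TCP port: 111
Mar 15 02:55:01 sheeva portsentry[96]: attackalert: Host 192.0.2.53 has been blocked via dropped route using command: "/usr/local/bin/iptables -I INPUT -s 192.0.2.53 -j DROP"
Mar 15 02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in use
"""

# Hypothetical never-block list: infrastructure that must stay reachable even
# if someone spoofs its address at the sensor (the role an ignore list plays).
NEVER_BLOCK = {"192.0.2.53": "resolver", "192.0.2.1": "default gateway"}

# "Connect from host: <name>/<ip> to <proto> port: <n>"; group 2 is the address.
CONNECT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: (\S+)/(\S+) to (TCP|UDP) port: (\d+)")
# "Host <ip> has been blocked via wrappers ..." or "... via dropped route ..."
BLOCK_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Host (\S+) has been blocked via (wrappers|dropped route)")


def parse_events(text):
    """Return (connects, blocks): connects maps ip -> {"PROTO/port", ...},
    blocks maps ip -> {block method, ...}. Exact duplicate lines are collapsed
    first, so a line repeated by logcheck counts once. Non-portsentry lines are ignored."""
    connects, blocks = defaultdict(set), defaultdict(set)
    for line in dict.fromkeys(text.splitlines()):  # dedupe, keep order
        m = CONNECT_RE.search(line)
        if m:
            connects[m.group(2)].add(f"{m.group(3)}/{m.group(4)}")
            continue
        m = BLOCK_RE.search(line)
        if m:
            blocks[m.group(1)].add(m.group(2))
    return connects, blocks


def risky_blocks(blocks, never_block=NEVER_BLOCK):
    """Blocks that landed on a never-block host: with reactive blocking, one
    spoofed packet is enough to lock that host out, so these need review."""
    return {ip: (never_block[ip], sorted(methods))
            for ip, methods in blocks.items() if ip in never_block}


if __name__ == "__main__":
    connects, blocks = parse_events(SAMPLE)
    for ip, methods in blocks.items():
        print(ip, sorted(connects[ip]), "blocked via", sorted(methods))
    print("needs review:", risky_blocks(blocks))
```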
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here