Re: [suse-security] Portsentry...

15 Mar 2002


      Hmm..... i wouldnt block a host.
Someone could spoof its ip, and there you go . . .

Mario Ohnewald
p.s. But i still love Portsentry in combination with logcheck
...
I would just like to tell you all about a great product.
Portsentry...I just installed it on a test server and this is the output
I got in an email
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
dropped route using command: "/usr/local/bin/iptables -I INPUT -s
24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]:
attackalert: Host 24.159.174.26 has been blocked via dropped route using
command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar
15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has
been blocked via dropped route using command: "/usr/local/bin/iptables
-I INPUT -s 24.159.174.26 -j DROP"
Security Violations
=-=-=-=-=-=-=-=-=-=
Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
dropped route using command: "/usr/local/bin/iptables -I INPUT -s
24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]:
attackalert: Host 24.159.174.26 has been blocked via dropped route using
command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar
15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has
been blocked via dropped route using command: "/usr/local/bin/iptables
-I INPUT -s 24.159.174.26 -j DROP"
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind: Address
already in use Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp (2): bind:
Address already in use Mar 15 02:07:36 sheeva inetd[1251]: finger/tcp
(2): bind: Address already in use Mar 15 02:17:36 sheeva inetd[1251]:
finger/tcp (2): bind: Address already in use Mar 15 02:17:36 sheeva
inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15
02:17:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in
use Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind: Address
already in use Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp (2): bind:
Address already in use Mar 15 02:27:36 sheeva inetd[1251]: finger/tcp
(2): bind: Address already in use Mar 15 02:37:36 sheeva inetd[1251]:
finger/tcp (2): bind: Address already in use Mar 15 02:37:36 sheeva
inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15
02:37:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in
use Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind: Address
already in use Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp (2): bind:
Address already in use Mar 15 02:47:36 sheeva inetd[1251]: finger/tcp
(2): bind: Address already in use Mar 15 02:54:26 sheeva portsentry[96]:
attackalert: Connect from host: 24.159.174.26/24.159.174.26 to TCP port:
111 Mar 15 02:54:26 sheeva portsentry[96]: attackalert: Connect from
host: 24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26
sheeva portsentry[96]: attackalert: Connect from host:
24.159.174.26/24.159.174.26 to TCP port: 111 Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
wrappers with string: "ALL: 24.159.174.26" Mar 15 02:54:26 sheeva
portsentry[96]: attackalert: Host 24.159.174.26 has been blocked via
dropped route using command: "/usr/local/bin/iptables -I INPUT -s
24.159.174.26 -j DROP" Mar 15 02:54:26 sheeva portsentry[96]:
attackalert: Host 24.159.174.26 has been blocked via dropped route using
command: "/usr/local/bin/iptables -I INPUT -s 24.159.174.26 -j DROP" Mar
15 02:54:26 sheeva portsentry[96]: attackalert: Host 24.159.174.26 has
been blocked via dropped route using command: "/usr/local/bin/iptables
-I INPUT -s 24.159.174.26 -j DROP" Mar 15 02:57:36 sheeva inetd[1251]:
finger/tcp (2): bind: Address already in use Mar 15 02:57:36 sheeva
inetd[1251]: finger/tcp (2): bind: Address already in use Mar 15
02:57:36 sheeva inetd[1251]: finger/tcp (2): bind: Address already in
use Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f
/var/spool/cron/lastrun/cron.hourly)
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f
/var/spool/cron/lastrun/cron.hourly)
Mar 15 02:59:00 sheeva /USR/SBIN/CRON[3533]: (root) CMD ( rm -f
/var/spool/cron/lastrun/cron.hourly)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD (
/bin/sh^I/usr/local/etc/logcheck.sh)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD (
/bin/sh^I/usr/local/etc/logcheck.sh)
Mar 15 03:00:00 sheeva /USR/SBIN/CRON[3536]: (root) CMD (
/bin/sh^I/usr/local/etc/logcheck.sh)
File /var/log/secure cannot be read.
File /var/log/maillog cannot be read.
Cool ...my first security project.
Mike
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here

Re: [suse-security] Portsentry...

spiekey