
Re: ipchains vs portsentry (Was: Attack Alert)



On Sun, 31 Oct 1999, Gustav Schaffter said:

GS>Chuck,
GS>
GS>I've seen lots of talk about portsentry.
GS>
GS>I have set up my ipchains so that any incoming traffic that is not
GS>explicitly ACCEPT'ed will in the last ppp rule be quietly DENY'ed.
GS>And logged.
GS>
GS>Please, enlighten me to what advantage portsentry would give over the
GS>ipchains logging in this matter.

The issue here is really with the type of host. The host whose logs you see
below is a dedicated net host so I have no use for ipchains on it... but
portsentry does a fine job anyway. What happens is that the instant any kind
of access hits one of my ports, portsentry is paying attention. In my config
of portsentry there are a few machines which are ignored but the rest of the
net, should they hit a port where services are not running, is routed to
loopback (so the machine becomes a blackhole to them) on the instant. I do
have another host which is running ipchains and there I run ipchains and
portsentry both. I have never had a problem with either of them but I do pay
attention to all of the updates and I only run essential services. I
recommend portsentry and have installed it for a pile of clients as well...
it's a very good tool!


GS>On Sun, 31 Oct 1999, Chuck Mead wrote:
GS>> A bit odd this one... it's been happening for several days now from the same
GS>> source... they're hitting port 0 ????? Weird...
GS>> 
GS>> Oct 30 23:15:12 server portsentry[440]: attackalert: Unknown Type: Packet
GS>> Flags: SYN: 0 FIN: 0 ACK: 0 PSH:
GS>> 1 URG: 1 RST: 0 from host: punt-10.mail.demon.net/194.217.242.35 to TCP
GS>> port: 0
GS>> Oct 30 23:15:12 server portsentry[440]: attackalert: Host:
GS>> punt-10.mail.demon.net/194.217.242.35 is already
GS>> blocked Ignoring
GS>> 
GS>> -- 
GS>> Chuck Mead, CTO, MoonGroup Consulting, Inc. <http://moongroup.com> 
GS>> Mail problems? Send "s-u-b-s-c-r-i-b-e mailhelp" (no quotes and no
GS>> hyphens) in the body of a message to mailhelp-request moongroup com 
GS>> Public key available at: wwwkeys.us.pgp.net                              
GS>> 
GS>> 
GS>> -- 
GS>> To unsubscribe: mail redhat-list-request redhat com with "unsubscribe"
GS>> as the Subject.
GS>

-- 
Chuck Mead, CTO, MoonGroup Consulting, Inc. <http://moongroup.com> 
Mail problems? Send "s-u-b-s-c-r-i-b-e mailhelp" (no quotes and no
hyphens) in the body of a message to mailhelp-request moongroup com 
Public key available at: wwwkeys.us.pgp.net                              
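As an added example (not code from the thread, from ipchains or from portsentry itself), the script below parses the portsentry "attackalert" syslog lines of the kind quoted above and classifies each event. It shows what portsentry's log carries that a plain ipchains DENY-and-log rule does not: the source host/IP, the TCP flags of the offending packet, and whether the host is already in the blocked state. The sample log is constructed; the first two lines reproduce the format quoted in the thread, rejoined onto one line each since the mail wrapped them, and the third is a constructed "Connect from host:" line assumed to follow the same style.

```python
"""Parse portsentry 'attackalert' syslog lines and classify each event.

Added example, not portsentry's own code. Line formats are taken from the
two lines quoted in the thread; the "Connect from host:" form is assumed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (see note above).
SAMPLE_LOG = """\
Oct 30 23:15:12 server portsentry[440]: attackalert: Unknown Type: Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 1 URG: 1 RST: 0 from host: punt-10.mail.demon.net/194.217.242.35 to TCP port: 0
Oct 30 23:15:12 server portsentry[440]: attackalert: Host: punt-10.mail.demon.net/194.217.242.35 is already blocked Ignoring
Oct 30 23:16:40 server portsentry[440]: attackalert: Connect from host: 192.0.2.7/192.0.2.7 to TCP port: 111
"""

# syslog prefix: "Mon DD HH:MM:SS host portsentry[pid]: attackalert: <msg>"
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"portsentry\[(?P<pid>\d+)\]: attackalert: (?P<msg>.*)$"
)
# "host: name/ip" (portsentry capitalises "Host:" in the already-blocked line)
HOST_RE = re.compile(r"[Hh]ost: (?P<name>[^/\s]+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
PORT_RE = re.compile(r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
FLAGS_RE = re.compile(
    r"Packet Flags: SYN: (?P<SYN>\d) FIN: (?P<FIN>\d) ACK: (?P<ACK>\d) "
    r"PSH: (?P<PSH>\d) URG: (?P<URG>\d) RST: (?P<RST>\d)"
)


def parse_line(line):
    """Return an event dict for one attackalert line, or None if it is not one."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    event = {
        "ts": m.group("ts"), "msg": msg,
        "name": None, "ip": None, "proto": None, "port": None, "flags": None,
        "already_blocked": "is already blocked" in msg,
    }
    h = HOST_RE.search(msg)
    if h:
        event["name"], event["ip"] = h.group("name"), h.group("ip")
    p = PORT_RE.search(msg)
    if p:
        event["proto"], event["port"] = p.group("proto"), int(p.group("port"))
    f = FLAGS_RE.search(msg)
    if f:
        event["flags"] = {k: int(v) for k, v in f.groupdict().items()}
    return event


def parse_log(log_text):
    """Parse every attackalert line in a block of syslog text."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events if e is not None]


def classify(event):
    """Label an event: already-blocked, malformed, or connect."""
    if event["already_blocked"]:
        return "already-blocked"
    flags = event["flags"]
    # Port 0 is reserved, and a TCP segment with none of SYN/ACK/RST set is
    # not part of any legitimate handshake; treat either as a malformed packet
    # rather than a real connection attempt.
    if event["port"] == 0 or (flags and not (flags["SYN"] or flags["ACK"] or flags["RST"])):
        return "malformed"
    return "connect"


def summarize(log_text):
    """Count event classes per source IP: {ip: {class: count}}."""
    counts = defaultdict(Counter)
    for event in parse_log(log_text):
        if event["ip"]:
            counts[event["ip"]][classify(event)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, classes in summarize(SAMPLE_LOG).items():
        print(ip, classes)
```

Run against a real /var/log/messages, the per-IP summary separates hosts portsentry has already blackholed from new ones, and flags the port-0, no-SYN packets from the thread as malformed rather than as a connection attempt; an ipchains DENY log line alone gives neither the flags nor the blocked state.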


