Re: Portsentry and iptables
- From: Devon <devon tuxfan homeip net>
- To: redhat-list redhat com
- Subject: Re: Portsentry and iptables
- Date: Sun, 30 Sep 2001 20:21:44 -0400
On Friday 28 September 2001 10:29 pm, Bill Johnson wrote:
> Here are some samples of messages I'm getting:
> Sep 28 22:23:41 dhcp024-166-087-068 portsentry[784]: attackalert:
> Possible stealth scan from unknown host to TCP port: 111 (accept
> failed)
> Sep 28 22:23:44 dhcp024-166-087-068 last message repeated 2478
> times
Sorry for the delay, I posted my reply and promptly vanished for the
weekend. :)
As Chuck Mead already pointed out, if you're running portmap and don't
need it, turn it off. However, I have another question. Is this
portsentry installed via rpm? If so, did you modify the configuration?
The default config included in the redhat rpm doesn't listen on port 111.
When you start portsentry, it outputs info as it binds to all the ports.
You should see log messages similar to:
Sep 19 00:01:02 roswell portsentry[14009]: adminalert: Going into listen
mode on TCP port: 111
In your case, do you see an attempt to bind to port 111? If it can't bind
to a port, that should be reflected in the log as well.
If you're looking for an rpm for portsentry, look at ftp.redhat.com.
It's in /pub/redhat/linux/7.1/en/powertools/i386/RedHat/RPMS/portsentry-1.0-11.i386.rpm
<Shameless plug>
Also, I've built an rpm from the portsentry 1.1 source. It's here:
http://www.tuxfan.homeip.net/rpms/portsentry-1.1-0.i386.rpm
http://www.tuxfan.homeip.net/rpms/portsentry-1.1-0.src.rpm
</Shameless plug>
> Sep 28 22:23:44 dhcp024-166-087-068 kernel: IN=eth0 OUT=
> MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221
> DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=26107 DF
> PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
The default config doesn't listen on port 139 either. However, unless
you need it, you should probably block port 139 from the internet via
your firewall.
Hope that helps,
-D
--
pgp key: http://www.tuxfan.homeip.net:8080/pgpkey.txt
--
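The two checks Devon suggests (did portsentry actually go into listen mode on the ports its attackalerts name, and what do the kernel's iptables LOG lines say is hitting port 139) can be automated over the syslog. The following is an added example, not code from the thread or from portsentry; it parses constructed log lines modelled on the ones quoted above, and the adminalert for port 1080 is invented to stand in for whatever ports the local config binds.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on those quoted in the thread (port 1080 is invented).
SAMPLE_LOG = """\
Sep 28 22:20:00 dhcp024-166-087-068 portsentry[784]: adminalert: Going into listen mode on TCP port: 1080
Sep 28 22:23:41 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:44 dhcp024-166-087-068 last message repeated 2478 times
Sep 28 22:23:44 dhcp024-166-087-068 kernel: IN=eth0 OUT= MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221 DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=26107 DF PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
"""

PORTSENTRY_RE = re.compile(r"portsentry\[\d+\]: (?P<kind>adminalert|attackalert): "
                           r".*?(?P<proto>TCP|UDP) port: (?P<port>\d+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
KERNEL_RE = re.compile(r"kernel: (?P<body>IN=.*)$")

def parse_netfilter(body):
    # iptables LOG output is KEY=VALUE tokens; bare tokens (DF, SYN) are flags, stored as True
    fields = {}
    for tok in body.split():
        k, sep, v = tok.partition("=")
        fields[k] = v if sep else True
    return fields

def summarize(log):
    """Return (ports portsentry bound, attackalert hits per port, kernel-logged SYNs per (src, dport))."""
    listening, attacks, kernel = set(), Counter(), Counter()
    last = None  # (counter, key) that a following "last message repeated N times" folds into
    for line in log.splitlines():
        if m := PORTSENTRY_RE.search(line):
            key = (m.group("proto"), int(m.group("port")))
            if m.group("kind") == "adminalert":
                listening.add(key)
                last = None
            else:
                attacks[key] += 1
                last = (attacks, key)
        elif (m := REPEAT_RE.search(line)) and last:
            last[0][last[1]] += int(m.group("n"))
        elif m := KERNEL_RE.search(line):
            f = parse_netfilter(m.group("body"))
            if f.get("PROTO") == "TCP" and "SYN" in f:
                key = (f["SRC"], int(f["DPT"]))
                kernel[key] += 1
                last = (kernel, key)
    return listening, attacks, kernel

def ports_not_configured(listening, attacks):
    # attackalert ports with no matching "Going into listen mode" line: the question Devon asks
    return sorted(k for k in attacks if k not in listening)
```

Run `summarize(open("/var/log/messages").read())` on a real syslog; an attackalert port that is absent from the listen set, or a kernel-logged SYN to 139 from an outside SRC, is exactly what the reply says to look for.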