[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: Portsentry and iptables
- From: Bill Johnson <wejohnson usa net>
- To: <redhat-list redhat com>
- Subject: Re: Portsentry and iptables
- Date: Fri, 28 Sep 2001 22:29:08 -0400 (EDT)
Here are some samples of messages I'm getting:
Sep 28 22:23:41 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:44 dhcp024-166-087-068 last message repeated 2478 times
Sep 28 22:23:44 dhcp024-166-087-068 kernel: IN=eth0 OUT= MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221 DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=26107 DF PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 28 22:23:44 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:51 dhcp024-166-087-068 last message repeated 5183 times
Sep 28 22:23:51 dhcp024-166-087-068 kernel: IN=eth0 OUT= MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221 DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=27490 DF PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 28 22:23:51 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:24:21 dhcp024-166-087-068 last message repeated 23519 times
Sep 28 22:25:22 dhcp024-166-087-068 last message repeated 108384 times
Sep 28 22:26:23 dhcp024-166-087-068 last message repeated 139680 times
On Fri, 28 Sep 2001, Devon wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Friday 28 September 2001 03:58 pm, Bill Johnson wrote:
> > I am running RH 7.1, and have iptables running via Firestarter. I
> > also have Portsentry running. Is there any reason why I need
> > Portsentry? I ask because it is eating a huge percentage of CPU, and
> > spewing out tons of messages. With iptables in place, is it giving
> > me any extra protection or is it just redundant?
> >
> > Thanks in advance for any advice.
>
> I keep port sentry around as part of a 'defense in depth' strategy. If
> there is a hole in the firewall, portsentry may be able to catch it.
>
> In my case, it uses next to 0 resources, and never generates messages.
> (Other than start up and shut down messages)
> The firewall is catching anything that would trigger portsentry.
>
> 14009 root 9 0 72 4 4 S 0.0 0.0 0:00 portsentry
> 14013 root 9 0 76 4 4 S 0.0 0.0 0:00 portsentry
>
> What kind of messages are you seeing? If portsentry is seeing traffic,
> it's probably because your firewall is allowing it through. This is a
> perfect example of why using both might not be a bad idea.
>
> Hope that helps,
>
> - -D
>
> - --
>
> pgp key: http://www.tuxfan.homeip.net:8080/pgpkey.txt
>
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE7tOR9eMAUbzJhSVcRAvD1AKC6iYYSgGjcRLBH9aU+sWVJ90njxwCdGMYx
> EhMxpJvvXZQnKe9947zLLL4=
> =JGgr
> -----END PGP SIGNATURE-----
>
>
>
>
--
William E. Johnson
_____________________________
Gort - klatu, barada, nikto!
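Devon's reply comes down to one check: is iptables actually passing the traffic that portsentry is complaining about? The excerpt in this post contains both log sources, so that check can be run directly on it. The script below is an added example, not code from portsentry, iptables or anyone in this thread; it parses the syslog lines quoted above (re-joined and embedded as a constructed sample), folds the "last message repeated N times" lines back into the counts, and reports how many attackalerts each port got and at what rate, which source/destination-port pairs the kernel LOG rule recorded, and which portsentry ports have no matching LOG entry at all. The function names and regular expressions are my own.

```python
"""Correlate portsentry attackalerts with iptables LOG lines in one syslog."""
import re
from collections import Counter

# Constructed sample: the syslog excerpt from the post above with the wrapped
# lines re-joined (hostname, PID, addresses and repeat counts exactly as shown).
SAMPLE_LOG = """\
Sep 28 22:23:41 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:44 dhcp024-166-087-068 last message repeated 2478 times
Sep 28 22:23:44 dhcp024-166-087-068 kernel: IN=eth0 OUT= MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221 DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=26107 DF PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 28 22:23:44 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:51 dhcp024-166-087-068 last message repeated 5183 times
Sep 28 22:23:51 dhcp024-166-087-068 kernel: IN=eth0 OUT= MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221 DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=27490 DF PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 28 22:23:51 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:24:21 dhcp024-166-087-068 last message repeated 23519 times
Sep 28 22:25:22 dhcp024-166-087-068 last message repeated 108384 times
Sep 28 22:26:23 dhcp024-166-087-068 last message repeated 139680 times
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# portsentry's attackalert line, with the optional "(reason)" suffix.
SENTRY_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Possible stealth scan from (?P<src>.+?) to "
    r"(?P<proto>TCP|UDP) port: (?P<port>\d+)(?: \((?P<reason>[^)]*)\))?")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
# iptables LOG target output as printed by the kernel (key=value fields).
KERNEL_RE = re.compile(r"kernel: (?P<fields>IN=.*)$")


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_syslog(text):
    """Turn syslog text into events; a 'last message repeated N times' line is
    folded into the count of the preceding event instead of being dropped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = _seconds(m["time"]), m["msg"]
        rep = REPEAT_RE.search(msg)
        if rep and events:
            events[-1]["count"] += int(rep["n"])
            events[-1]["last_ts"] = ts
            continue
        ev = {"ts": ts, "last_ts": ts, "count": 1, "kind": "other"}
        ps, kn = SENTRY_RE.search(msg), KERNEL_RE.search(msg)
        if ps:
            ev.update(kind="portsentry", src=ps["src"], proto=ps["proto"],
                      port=int(ps["port"]), reason=ps["reason"] or "")
        elif kn:
            kv, flags = {}, set()
            for tok in kn["fields"].split():
                key, eq, val = tok.partition("=")
                if eq:
                    kv[key] = val          # e.g. SRC=207.71.92.221, OUT= (empty)
                else:
                    flags.add(key)         # bare tokens such as DF, SYN
            ev.update(kind="kernel", src=kv.get("SRC"), proto=kv.get("PROTO"),
                      dpt=int(kv["DPT"]) if kv.get("DPT") else None, flags=flags)
        events.append(ev)
    return events


def summarize(events):
    """Counts of portsentry alerts per (proto, port, reason) and of kernel LOG
    hits per (src, proto, dpt), with repeat counts already folded in."""
    sentry, fw = Counter(), Counter()
    for e in events:
        if e["kind"] == "portsentry":
            sentry[(e["proto"], e["port"], e["reason"])] += e["count"]
        elif e["kind"] == "kernel" and e["dpt"] is not None:
            fw[(e["src"], e["proto"], e["dpt"])] += e["count"]
    return sentry, fw


def unlogged_ports(sentry, fw):
    """Ports portsentry alerted on that never appear in a kernel LOG line: the
    firewall either accepted them without logging, or the alerts are not
    packet-driven at all. Either way they need a closer look."""
    logged = {(proto, dpt) for _, proto, dpt in fw}
    return {(proto, port) for proto, port, _ in sentry} - logged


def alert_rate(events):
    """Average portsentry alerts per second across the excerpt."""
    alerts = [e for e in events if e["kind"] == "portsentry"]
    if not alerts:
        return 0.0
    total = sum(e["count"] for e in alerts)
    span = max(e["last_ts"] for e in alerts) - min(e["ts"] for e in alerts)
    return total / span if span else float(total)


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    sentry, fw = summarize(evs)
    for (proto, port, reason), n in sentry.most_common():
        print(f"portsentry {proto}/{port} ({reason or 'no reason'}): {n} alerts")
    for (src, proto, dpt), n in fw.most_common():
        print(f"iptables LOG {src} -> {proto}/{dpt}: {n} packets")
    print(f"alert rate: {alert_rate(evs):.0f}/s")
    print("alerted but never logged by iptables:", sorted(unlogged_ports(sentry, fw)))
```

On this sample the kernel LOG rule recorded only two SYNs to port 139 from 207.71.92.221, while every one of the roughly 280,000 alerts is for port 111 with "accept failed", which works out to well over a thousand alerts per second. A port that portsentry keeps reporting but iptables never logs is exactly the case Devon's reply points at, and that rate is far above what a remote scanner would plausibly deliver, so the next step is to check the ruleset for port 111 and to look at what portsentry's own listener is doing rather than to assume a network scan.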