Re: Portsentry and iptables

[Bill Johnson <wejohnson usa net>]

Here are some more examples or what I'm seeing - this time from the email
sent produced by PortSentry:

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sep 28 22:09:27 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan
from unknown host to TCP port: 111 (accept failed)
Sep 28 22:09:30 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan
from unknown host to TCP port: 111 (accept failed)
Sep 28 22:16:28 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan
from unknown host to TCP port: 111 (accept failed)
Sep 28 22:21:43 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan
from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:20 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan
from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:21 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan
from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:22 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan
from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:23 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan
from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:24 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan
from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:36 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan
from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:37 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
stealth scan

On Fri, 28 Sep 2001, Devon wrote:

>... snip ...

> What kind of messages are you seeing? If portsentry is seeing traffic,
> it's probably because your firewall is allowing it through. This is a
> perfect example of why using both might not be a bad idea.
>