Re: Portsentry and iptables
- From: Chuck Mead <csm MoonGroup com>
- To: <redhat-list redhat com>
- Subject: Re: Portsentry and iptables
- Date: Sat, 29 Sep 2001 09:06:45 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You're running portmap on the host that's running portsentry, aren't you?
Turn it off. You do not need to run it on a host that touches the
internet. Bad juju! Just FYI:

    The portmapper manages RPC connections, which are used by
    protocols such as NFS and NIS. The portmap server must be
    running on machines which act as servers for protocols
    which make use of the RPC mechanism.

If it's not running on the host running portsentry then it must be running
on something else inside your network and it should be ignored.

On Fri, 28 Sep 2001, Bill Johnson posted the following:
BJ>Here are some samples of messages I'm getting:
BJ>Sep 28 22:23:41 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
BJ>stealth scan from unknown host to TCP port: 111 (accept failed)
BJ>Sep 28 22:23:44 dhcp024-166-087-068 last message repeated 2478 times
BJ>Sep 28 22:23:44 dhcp024-166-087-068 kernel: IN=eth0 OUT=
BJ>MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221
BJ>DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=26107 DF PROTO=TCP
BJ>SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
BJ>Sep 28 22:23:44 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
BJ>stealth scan from unknown host to TCP port: 111 (accept failed)
BJ>Sep 28 22:23:51 dhcp024-166-087-068 last message repeated 5183 times
BJ>Sep 28 22:23:51 dhcp024-166-087-068 kernel: IN=eth0 OUT=
BJ>MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221
BJ>DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=27490 DF PROTO=TCP
BJ>SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
BJ>Sep 28 22:23:51 dhcp024-166-087-068 portsentry[784]: attackalert: Possible
BJ>stealth scan from unknown host to TCP port: 111 (accept failed)
BJ>Sep 28 22:24:21 dhcp024-166-087-068 last message repeated 23519 times
BJ>Sep 28 22:25:22 dhcp024-166-087-068 last message repeated 108384 times
BJ>Sep 28 22:26:23 dhcp024-166-087-068 last message repeated 139680 times
- --
csm
Free Dmitry!
Boycott Adobe!
Repeal the DMCA!
Stop the SSSCA!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAju1x2gACgkQv6Gjsf2pQ0r3DQCfRf7Rt9xfeBPTfPliVaCe1hjm
L2UAn37rtTsO3ToJ1OB6Cl5L4jSGGkfg
=hNvz
-----END PGP SIGNATURE-----
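
Added example, not part of the original message: a small Python tally that expands syslog's "last message repeated N times" lines, so the number of portsentry alerts per port can be compared with the packets netfilter actually logged. The function name and the regular expressions are this example's own; it assumes each repeat line refers to the message logged immediately before it.

```python
import re
from collections import Counter

# Log lines from the quoted message, with the mail client's line wrapping undone.
# Assumption: a "last message repeated" line refers to the line just before it.
SAMPLE = """\
Sep 28 22:23:41 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:44 dhcp024-166-087-068 last message repeated 2478 times
Sep 28 22:23:44 dhcp024-166-087-068 kernel: IN=eth0 OUT= MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221 DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=26107 DF PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 28 22:23:44 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:51 dhcp024-166-087-068 last message repeated 5183 times
Sep 28 22:23:51 dhcp024-166-087-068 kernel: IN=eth0 OUT= MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221 DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=27490 DF PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 28 22:23:51 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:24:21 dhcp024-166-087-068 last message repeated 23519 times
Sep 28 22:25:22 dhcp024-166-087-068 last message repeated 108384 times
Sep 28 22:26:23 dhcp024-166-087-068 last message repeated 139680 times
"""

ALERT = re.compile(r"portsentry\[\d+\]: attackalert: .* to (TCP|UDP) port: (\d+)")
REPEAT = re.compile(r"last message repeated (\d+) times")
NETFILTER = re.compile(r"kernel: .*\bSRC=(\S+) .*\bPROTO=(\S+) .*\bDPT=(\d+)")

def tally(text):
    """Return (alerts per (proto, port), logged packets per (src, proto, dport))."""
    alerts, packets = Counter(), Counter()
    last = None  # (counter, key) of the previous message, credited by repeat lines
    for line in text.splitlines():
        if m := REPEAT.search(line):
            if last:
                last[0][last[1]] += int(m.group(1))
            continue
        if m := ALERT.search(line):
            last = (alerts, (m.group(1), int(m.group(2))))
        elif m := NETFILTER.search(line):
            last = (packets, (m.group(1), m.group(2), int(m.group(3))))
        else:
            last = None  # unrecognised line: a following repeat is not counted
            continue
        last[0][last[1]] += 1
    return alerts, packets

if __name__ == "__main__":
    print(*tally(SAMPLE), sep="\n")
```

On the quoted lines this counts 279247 portsentry alerts for TCP port 111, against 2 netfilter-logged SYN packets, both from 207.71.92.221 to port 139.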