I installed portsentry lately, and I'm being constantly warned about UDP connect attempts that I can't otherwise detect, from a machine that (as far as I can tell) isn't trying to connect.
I installed portsentry on the machine 'izzy' with "apt-get portsentry". Default settings. The machine 205.XXX.216.233 is the gateway given to me by the co-location facility. I've been getting constant messages like the following:

> Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
> Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
> Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
> Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
> Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
> Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
> Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
> Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring

It used to warn me about UDP port 69, but I edited /etc/portsentry/portsentry.conf and changed the UDP_PORTS line. Now it's warning me about port 9.

Thing is, I've used tcpdump and ngrep to listen for any UDP traffic to find out what the content of port 69 (Trivial FTP) or port 9 (discard) might be... but I'm not detecting traffic destined for either port, despite this warning-storm. The warnings themselves are cluttering up my syslogs; I'll have to switch to something else.

Can someone explain to me why portsentry is giving what looks like false positives? Alternately, can someone suggest an alternative?
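One way to cut through a portsentry warning-storm like the one quoted above is to collapse the syslog lines into one record per (source IP, protocol, port) with a count and a first/last timestamp, so you can see at a glance which source and port is generating the noise and how many "already blocked" suppressions followed each alert. The script below is an added example and is not code from the original post or from the portsentry project; the sample log lines are constructed here, modelled on the alerts quoted above plus two made-up lines (a TCP alert from 198.51.100.7 and an unrelated sshd line) to show that other hosts and non-portsentry lines are handled.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the alerts quoted in the post; the
# 198.51.100.7 lines are made up to exercise the "other host" and
# "non-portsentry line" paths. Not real captures.
SAMPLE_LOG = """\
Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
Feb 20 08:02:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Connect from host: 205.XXX.216.233/205.XXX.216.233 to UDP port: 9
Feb 20 08:05:32 izzy portsentry[8280]: attackalert: Host: 205.XXX.216.233 is already blocked. Ignoring
Feb 20 08:07:10 izzy portsentry[8280]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Feb 20 08:07:10 izzy sshd[9001]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2
"""

# Syslog timestamp as written by classic syslogd: "Feb 20 08:02:32" (day may be space-padded).
_TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)'

# "attackalert: Connect from host: <name>/<ip> to <proto> port: <n>" as quoted in the post.
ALERT_RE = re.compile(
    _TS + r' (?P<host>\S+) portsentry\[\d+\]: attackalert: Connect from host: '
    r'(?P<name>[^/]+)/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)$'
)

# "attackalert: Host: <ip> is already blocked. Ignoring" as quoted in the post.
BLOCKED_RE = re.compile(
    _TS + r' \S+ portsentry\[\d+\]: attackalert: Host: (?P<ip>\S+) is already blocked\. Ignoring$'
)


def summarize(log_text):
    """Collapse portsentry alerts into one record per (ip, proto, port).

    Returns (alerts, suppressed, ignored):
      alerts     -> {(ip, proto, port): {'count', 'first', 'last'}}
      suppressed -> {ip: number of 'already blocked' lines}
      ignored    -> number of lines that were neither kind of alert
    """
    alerts = {}
    suppressed = defaultdict(int)
    ignored = 0
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            key = (m['ip'], m['proto'], int(m['port']))
            rec = alerts.setdefault(key, {'count': 0, 'first': m['ts'], 'last': m['ts']})
            rec['count'] += 1
            rec['last'] = m['ts']   # lines are in syslog order, so the latest seen wins
            continue
        m = BLOCKED_RE.match(line)
        if m:
            suppressed[m['ip']] += 1
            continue
        ignored += 1
    return alerts, dict(suppressed), ignored


def report(log_text):
    """Render the summary as one line per (ip, proto, port), noisiest first."""
    alerts, suppressed, ignored = summarize(log_text)
    lines = []
    for (ip, proto, port), rec in sorted(alerts.items(), key=lambda kv: -kv[1]['count']):
        lines.append(
            f"{ip:<16} {proto} port {port:<5} alerts={rec['count']:<4} "
            f"suppressed={suppressed.get(ip, 0):<4} first={rec['first']} last={rec['last']}"
        )
    lines.append(f"({ignored} non-alert line(s) skipped)")
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_LOG):
        print(line)
```

To run it over the real log, replace `SAMPLE_LOG` with the contents of the syslog file portsentry writes to (for example `open('/var/log/syslog').read()`); the regexes only key on the message text, so the hostname and PID do not matter. A per-port count like this also makes it obvious whether the noise moved from port 69 to port 9 after the UDP_PORTS edit, which is the pattern the post describes.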