On Tuesday 29 October 2002 01:02 am, Jean Christophe ANDRÉ wrote:

> Hi,
>
> ben écrivait :
> > way overkill. 16001 isn't being scanned and 111 is the most common target
> > after 25. you're suggesting that the guy turn his server into a
> > honeypot--to what end? disable portmap and nothing can get at 111.
> > there's a difference between simply securing a box and assuming a role as
> > cyber-detective. the former solves the problem, the latter has no end.
>
> Please read the full thread before posting (or even only the first post).
>
> He actually *is* asking for tracking the *internal* process trying
> to connect *locally* to its port 111.
>
> He knows about such attempts because he had filtered them.
> But he can't guess which process attempts to connect to it.
> And he just *wants* to know.
>
> Tracking connection attempts *is* part of security, since it allows you
> to know how things work, and better tune it once you understand it.

you're missing the point. running a portmap daemon is the only vulnerability that the 111 port scans are attempting to exploit. that attempted exploit is part of the weather of being hooked up, in the same way that 25 is attempted to be used as a mail relay.

there are--to the best of my knowledge--no internal apps or daemons that will cause the fashion of log alarm that the op is concerned to address. you're assuming that internal apps attempt external connections. for that to be a possibility, you'd have to have a mighty weird local setup. if you, or anybody, can give me a real example to justify your hypothesis, please do.

ben