On Mon, 03 Oct 2005 19:44:38 -0400 Gene Heskett <[EMAIL PROTECTED]> wrote:

> Somebody mentioned portsentry, and I don't know why so many admins
> seem to hate it. I've been running it here for probably 6-7 years,
> and it's automatically dropped lots of connection attempts back when I

And portsentry is simple enough to set up so that the first bad attempt gets the IP locked out. Maybe at some future time, you'll make it OK for that IP to access your system; that's up to you. After all, some IPs tend to get recycled. I wonder why it's missing (but not hard to find) on some Linux distributions. Mandriva/Mandrake used to include it, but it got dropped.

> was using dialup on ppp. But now I've a dsl connection, with a
> router between the modem and the firewall, the firewall is 2 nics
> with iptables between them. In 3 years+ of dsl, I've been hit 3

I've been hit a few times as well - had this ip here since Dec 2000 (dsl) which is not too bad. I found portsentry (once I discovered it, and how it would fix things) invaluable when the slapper variants were in vogue. Once I came to my system, and found that internet activity was severely impaired - thanks to all the funny stuff going on, I could barely get enough bandwidth to load up a web page. Once I figured out what was going on, I employed portsentry -- it stopped all that stuff in a few minutes.

The other two times - was running a less than secure redhat system, someone telnetted in (hate telnet) and was able to get through a backdoor (insecure password on one of the admin "users"). The other time was through a security hole in one of the smtp related apache services. That one took a little while to recover from - basically some persons unknown had used the exploit to use my box to send spam & they did it using obscenely long www addresses to do it.

One thing - check logs. Any big increase in log size is a clue that something fishy is going on.

I noticed the activity first by seemingly high activity on /dev/eth0 as reported by gkrellm -- after all, I wasn't doing much of anything, no ftp, no big mail downloads, etc., yet the meter was being pinged. But the real clue was an auth.log.0 of >1.2 megabytes, where typically it's a couple of K.

> times hard enough to make it to the logs, and 2 of them --

------------------------------------------------------------------------
David E. Fox                              Thanks for letting me
[EMAIL PROTECTED]                          change magnetic patterns
[EMAIL PROTECTED]                          on your hard disk.
-----------------------------------------------------------------------
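The "check logs; any big increase in log size is a clue" advice above can be turned into a small automated check. The script below is an added example, not code from the thread or from portsentry: it compares a log file's current size against a baseline (the "couple of K" a quiet auth.log usually weighs) and flags it when it has grown by a chosen factor. The file names, the 2048-byte baseline, the 10x threshold and the sample log lines are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag a log file that has swelled far beyond its usual size,
# the symptom described in the message (auth.log.0 at >1.2 MB instead of a
# couple of K). Paths, baseline and ratio below are assumptions.

# Usage: log_size_ratio FILE BASELINE_BYTES
# Prints the integer ratio current_size / baseline. Returns 2 on bad input.
log_size_ratio() {
    file=$1
    baseline=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    [ "$baseline" -gt 0 ] 2>/dev/null || { echo "bad baseline" >&2; return 2; }
    size=$(wc -c < "$file" | tr -d ' ')
    echo $(( size / baseline ))
}

# Usage: log_growth_suspicious FILE BASELINE_BYTES [RATIO]
# Returns 0 (suspicious) when the file is at least RATIO times the baseline,
# 1 when it is within normal bounds, 2 on bad input. RATIO defaults to 10.
log_growth_suspicious() {
    ratio=$(log_size_ratio "$1" "$2") || return 2
    threshold=${3:-10}
    [ "$ratio" -ge "$threshold" ]
}

# Constructed demo data (not real logs): a quiet auth log of a few KB, and a
# noisy one bloated by thousands of repeated failed logins.
demo_dir=$(mktemp -d)
normal_log="$demo_dir/auth.log.normal"
noisy_log="$demo_dir/auth.log.noisy"

i=0
{ while [ $i -lt 40 ]; do
    echo "Oct  3 19:44:38 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2"
    i=$((i+1))
  done; } > "$normal_log"

i=0
{ while [ $i -lt 12000 ]; do
    echo "Oct  3 19:44:38 host sshd[1234]: Failed password for root from 198.51.100.7 port 40000 ssh2"
    i=$((i+1))
  done; } > "$noisy_log"

# Baseline of 2048 bytes ("a couple of K"); anything 10x that gets flagged.
baseline_bytes=2048
for f in "$normal_log" "$noisy_log"; do
    if log_growth_suspicious "$f" "$baseline_bytes"; then
        echo "SUSPICIOUS: $f is $(log_size_ratio "$f" "$baseline_bytes")x the baseline"
    else
        echo "ok: $f"
    fi
done
# Demo files are left under $demo_dir for inspection.
```

In practice you would record the baseline from a known-quiet period (or keep the previous run's size) and run the check from cron against the real log paths, then read the flagged file to see what is filling it; a spike in size is only the trigger to look, not proof of compromise.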