During the last couple of weeks portsentry has been producing a lot of alerts on connects to ports 540 and 635:
<quote-syslog>
Feb 17 10:04:11 <hostname> portsentry[949]: attackalert: Connect from host: <fqdn>/<ip> to TCP port: 635
Feb 17 10:04:11 <hostname> portsentry[949]: attackalert: Host <ip> has been blocked via wrappers with string: "ALL: <ip> : DENY"
Feb 17 10:04:11 <hostname> portsentry[949]: attackalert: Host <ip> has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s <ip> -j DROP && /sbin/iptables -I INPUT -s <ip> -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"
</quote-syslog>
The following rules were added to netfilter (iptables) to explicitly block those ports (iptables-save output format):
-A INPUT -i eth0 -p tcp -m tcp --dport 635 -j LOG --log-prefix "TEST: dport 635 drop." --log-level 7
-A INPUT -i eth0 -p tcp -m tcp --dport 635 -j DROP
However, the rule doesn't seem to match (no "TEST:..." entries in the logs), even though portsentry continues to report the same attack alerts.
Any idea what kind of connect attempts are being made, as reported by portsentry? Can those connects be blocked by netfilter?
I haven't tried the '-m state' extension yet.
We are running woody/2.4.24/x86.
Thanks, Sarunas Burdulis
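A point worth checking before reaching for '-m state': netfilter walks a chain from the top, LOG is a non-terminating target, and the first ACCEPT/DROP/REJECT that matches ends the traversal. '-A' appends a rule at the end of the chain, while '-I' (which portsentry uses) puts it at the head. A '-A' rule for dport 635 that sits below an earlier ACCEPT covering that port is never reached, and the '-i eth0' match also means a SYN arriving on any other interface bypasses the rule. The script below is an added example, not code from the post or from portsentry: it parses the subset of iptables syntax used on this page, rebuilds the INPUT chain in execution order, and traces a constructed SYN to tcp/635 through it. The earlier ACCEPT rule in the sample chain is hypothetical, put there to show the shadowing effect; the post does not say what other rules the poster's firewall has.

```python
"""Simulate first-match traversal of a netfilter INPUT chain (added example).

Parses the iptables options used on this page (-A/-I INPUT, -i, -p, --dport,
-s, -m state --state, -j and the LOG/limit options) and walks the chain the
way the kernel does: rules are tested in order, LOG matches without stopping,
and the first ACCEPT/DROP/REJECT decides. Sample chains are CONSTRUCTED.
"""
import ipaddress
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG is a non-terminating target


def port_range(text):
    """'635' -> (635, 635); '1:1024' -> (1, 1024)."""
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(line):
    """Parse one iptables command line into a dict of match criteria."""
    argv = shlex.split(line)
    rule = {"chain": None, "pos": None, "iface": None, "proto": None,
            "dport": None, "src": None, "states": None, "target": None}
    i = 0
    while i < len(argv):
        tok = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if tok in ("-A", "-I"):
            rule["chain"] = val
            i += 2
            if tok == "-I":                  # -I [rulenum]: insert, default position 1
                if i < len(argv) and argv[i].isdigit():
                    rule["pos"] = int(argv[i])
                    i += 1
                else:
                    rule["pos"] = 1
            continue
        if tok == "-i":
            rule["iface"] = val
        elif tok == "-p":
            rule["proto"] = val
        elif tok == "--dport":
            rule["dport"] = port_range(val)
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif tok == "--state":
            rule["states"] = set(val.split(","))
        elif tok == "-j":
            rule["target"] = val
        elif tok not in ("-m", "--log-prefix", "--log-level", "--limit", "--limit-burst"):
            raise ValueError(f"unsupported option {tok!r} in: {line}")
        i += 2                               # every option handled above takes one value
    return rule


def build_chain(commands, chain="INPUT"):
    """Apply -A (append) and -I (insert) in execution order, as iptables would."""
    rules = []
    for cmd in commands:
        rule = parse_rule(cmd)
        if rule["chain"] != chain:
            continue
        if rule["pos"] is None:
            rules.append(rule)
        else:
            rules.insert(rule["pos"] - 1, rule)
    return rules


def matches(rule, pkt):
    """True if every criterion the rule specifies holds for the packet."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] and not rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True


def trace(commands, pkt, policy="ACCEPT"):
    """Return (verdict, hits); hits are (rule number, target) for every rule matched."""
    hits = []
    for num, rule in enumerate(build_chain(commands), 1):
        if matches(rule, pkt):
            hits.append((num, rule["target"]))
            if rule["target"] in TERMINATING:
                return rule["target"], hits
    return policy, hits                      # fell off the end: chain policy applies


# CONSTRUCTED chain in the order the commands were run: a hypothetical earlier
# ACCEPT, the two rules from the post, then the block portsentry inserted.
SHADOWED = [
    "-A INPUT -i eth0 -p tcp -m tcp --dport 1:1024 -m state --state NEW -j ACCEPT",
    '-A INPUT -i eth0 -p tcp -m tcp --dport 635 -j LOG --log-prefix "TEST: dport 635 drop." --log-level 7',
    "-A INPUT -i eth0 -p tcp -m tcp --dport 635 -j DROP",
    "-I INPUT -s 192.0.2.10 -j DROP",
]
# Same rules, but the port-635 pair is inserted at the head of the chain.
FIXED = [
    "-A INPUT -i eth0 -p tcp -m tcp --dport 1:1024 -m state --state NEW -j ACCEPT",
    "-I INPUT -i eth0 -p tcp -m tcp --dport 635 -j DROP",
    '-I INPUT -i eth0 -p tcp -m tcp --dport 635 -j LOG --log-prefix "TEST: dport 635 drop." --log-level 7',
]
# Constructed SYN to tcp/635 from a host portsentry has not blocked yet.
SYN_635 = {"iface": "eth0", "proto": "tcp", "dport": 635, "src": "198.51.100.7", "state": "NEW"}

if __name__ == "__main__":
    print("shadowed ", trace(SHADOWED, SYN_635))          # ACCEPT by rule 2, LOG never reached
    print("fixed    ", trace(FIXED, SYN_635))             # LOG fires, then DROP
    print("fixed/ppp0", trace(FIXED, dict(SYN_635, iface="ppp0")))  # -i eth0 rules skipped
```

On the real box the same thing can be read off `iptables -L INPUT -v -n --line-numbers`: the rule order is the order that counts, and the pkts/bytes counters show which rule a connect actually hit. A zero counter on the dport 635 rules while an earlier rule's counter climbs points at shadowing; if no rule's counter moves, check that the traffic really arrives on eth0.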