This is for those who were asking question about ipchian. This is a
snapshot of my system log report that Abacus Logcheck sends me.
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jan 25 06:43:32 rand portsentry[402]: attackalert: Connect from host:
209.250.161.156/209.250.161.156 to UDP port: 161
Jan 25 06:43:32 rand portsentry[402]: attackalert: Host 209.250.161.156
has been blocked via wrappers with string: "ALL: 209.250.161.156"
Jan 25 06:43:32 rand portsentry[402]: attackalert: Host 209.250.161.156
has been blocked via dropped route using command: "/sbin/ipchains -A
input -s 209.250.161.156 -j DENY -l"
As you can see some dillweed hit port 161, a watched port via portsentry
and portsentry responded with a F*&K You very much and dropped his
sniffing ass into the deny list in ipchains and tcp wrappers. I do not
use tcp wrappers but the ipchains rule means my system ignores this host
on all ports/all protocols. :)
This is not a perfect solution but anyone who scans then attacks is
denied and anyone who attacks specific known active ports is denied. I
highly recommend this tool to anyone who's box has internet access.
My only complaint is the ipchains rules port sentry adds are not
permanent. If the box is rebooted or the ipchains rules are flushed
these disappear. Anyone know how to get ipchains to dump it current
rules so they can be loaded later?
Scott
****************************************************************************
* To UNSUBSCRIBE from the list, send a message with "unsubscribe lug-nuts"
* in the message body to majordomo@saclug.org. Please direct other
* questions, comments, or problems to lug-nuts-owner@saclug.org.
This archive was generated by hypermail 2b29 : Fri Feb 25 2000 - 14:29:11 PST