[NCLUG] Two easy? security questions...

J. Paul Reed preed at sigkill.com
Mon Sep 4 03:49:44 MDT 2000


On Mon, 4 Sep 2000, dobbster wrote:

> Second, I seem to have regular hacking attempts which I find rather
> frightening.  At the suggestion of a previous NCLUG user, I use
> "portsentry", which seems to definitely help.  A typical log shows
> something like
> 
> messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Connect
> from host: 209.75.219.165/209.75.219.165 to TCP port: 143
> messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Host
> 209.75.219.165 has been blocked via wrappers with string: "ALL:
> 209.75.219.165"
> messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Connect
> from host: 209.75.219.165/209.75.219.165 to TCP port: 143
> messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Host:
> 209.75.219.165 is already blocked. Ignoring
> secure:Sep  1 04:30:45 dipole in.telnetd[7560]: connect from
> 209.75.219.165
> secure:Sep  1 04:30:45 dipole in.telnetd[7561]: connect from
> 209.75.219.165
> secure:Sep  1 04:30:45 dipole in.telnetd[7562]: refused connect from
> 209.75.219.165
> 
> etc...  They seem to try to get telnetd going numerous times (maybe
> 100?) and it fills up my logs quickly.  This has happened several times,
> from different IPs, and they always seem to go for port 143.  This is
> presumably IMAP, which I don't use on the server (I could disable it.)
> 
> Any suggestions?

If you don't care about the IPs (i.e. you're too busy to do the legwork to
complain to their ISP), recompile the kernel with ipchains support
(assuming you're using 2.2), install ipchains, and set up a deny rule for
services you don't use, and ignore people trying to 'sploit your
non-existent IMAP server.

http://www.linux-firewall-tools.com has more info, including an automated
firewall script generator.

The fine folks over at tummy.com also have IsinGlass, which works quite
nicely: http://www.tummy.com/isinglass

Later,
Paul
  ----------------------------------------------------------------------
  J. Paul Reed                preed at sigkill.com || web.sigkill.com/preed
  If you put a gun to my head and said  "Name ten great bands that have 
  come out in the last 5 years," you'd be wiping my brains off the wall.
                                                         -- Trent Reznor
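
Added example, not part of the original thread: a small Python summariser for the portsentry and TCP-wrapper log lines quoted above, collapsing the repeated entries into one record per source and listing the probed ports that a deny rule for unused services would cover. The sample lines are constructed in the quoted format with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread (grep "file:" prefix,
# syslog timestamp, host, daemon[pid]); addresses are documentation-range placeholders.
SAMPLE_LOG = """\
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 143
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 143
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Host: 192.0.2.10 is already blocked. Ignoring
secure:Sep  1 04:30:45 dipole in.telnetd[7560]: connect from 192.0.2.10
secure:Sep  1 04:30:46 dipole in.telnetd[7562]: refused connect from 192.0.2.10
messages:Sep  2 11:02:13 dipole portsentry[601]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 143
"""

LINE = re.compile(r"^(?:\w+:)?\w{3}\s+\d+ [\d:]{8} \S+ (?P<daemon>[\w.]+)\[\d+\]: (?P<msg>.*)$")
PROBE = re.compile(r"Connect from host: (?P<ip>[\d.]+)/\S+ to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
BLOCKED = re.compile(r"Host (?P<ip>[\d.]+) has been blocked")
WRAPPER = re.compile(r"^(?P<verdict>refused connect|connect) from (?P<ip>[\d.]+)")

def summarise(text):
    """Return {source_ip: counters} built from portsentry and tcpd log lines."""
    hosts = defaultdict(lambda: {"probes": 0, "ports": set(), "blocked": False,
                                 "accepted": 0, "refused": 0})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a syslog line we understand
        daemon, msg = m["daemon"], m["msg"]
        if daemon == "portsentry":
            if (p := PROBE.search(msg)):
                hosts[p["ip"]]["probes"] += 1
                hosts[p["ip"]]["ports"].add((p["proto"], int(p["port"])))
            elif (b := BLOCKED.search(msg)):
                hosts[b["ip"]]["blocked"] = True
        elif (w := WRAPPER.match(msg)):
            # Wrapped services (in.telnetd here): accepted vs. refused connects.
            key = "refused" if w["verdict"].startswith("refused") else "accepted"
            hosts[w["ip"]][key] += 1
    return dict(hosts)

def probed_ports(hosts):
    """Ports seen in probes: candidates for a deny rule if the service is unused."""
    return sorted({port for h in hosts.values() for port in h["ports"]})

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for ip, h in sorted(summary.items()):
        print(ip, h)
    print("probed ports:", probed_ports(summary))
```

A non-zero "accepted" count marks a source that reached a wrapped service before the hosts.deny entry took effect, which is the pattern visible in the quoted in.telnetd lines.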



