[NCLUG] Two easy? security questions...

dobbster dobbster at verinet.com
Mon Sep 4 00:18:09 MDT 2000


Hi, I have a couple of probably easy questions...

First of all, I cannot get "lastb" to work.  /var/log/btmp
exists (-rw-r--r-- root root), but I get

[root at dipole log]# lastb

btmp begins Fri Apr 21 23:49:28 2000  

...and nothing else.  "last" seems to work.

Second, I seem to have regular hacking attempts which I find rather
frightening.  At the suggestion of a previous NCLUG user, I use
"portsentry", which seems to definitely help.  A typical log shows
something like

messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Connect from host: 209.75.219.165/209.75.219.165 to TCP port: 143
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Host 209.75.219.165 has been blocked via wrappers with string: "ALL: 209.75.219.165"
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Connect from host: 209.75.219.165/209.75.219.165 to TCP port: 143
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Host: 209.75.219.165 is already blocked. Ignoring
secure:Sep  1 04:30:45 dipole in.telnetd[7560]: connect from 209.75.219.165
secure:Sep  1 04:30:45 dipole in.telnetd[7561]: connect from 209.75.219.165
secure:Sep  1 04:30:45 dipole in.telnetd[7562]: refused connect from 209.75.219.165

etc...  They seem to try to get telnetd going numerous times (maybe
100?) and it fills up my logs quickly.  This has happened several times,
from different IPs, and they always seem to go for port 143.  This is
presumably IMAP, which I don't use on the server (I could disable it.)

Any suggestions?

Mark (dobbster at verinet.com)
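An added example, not part of the post above: a small Python script that digests the kind of portsentry and tcp_wrappers entries quoted in the message into a per-source summary (which ports were probed, whether portsentry blocked the host, and how many wrapped services logged "connect from" versus "refused connect from"). The sample log is constructed from the seven lines in the post, including the "messages:"/"secure:" filename prefix that grep adds when run across /var/log. The regular expressions assume exactly the message formats shown there; the function names are this example's own.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the lines quoted in the post, as grep -r prints them
# from /var/log (filename prefix, then the syslog line).
SAMPLE_LOG = """\
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Connect from host: 209.75.219.165/209.75.219.165 to TCP port: 143
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Host 209.75.219.165 has been blocked via wrappers with string: "ALL: 209.75.219.165"
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Connect from host: 209.75.219.165/209.75.219.165 to TCP port: 143
messages:Sep  1 04:30:45 dipole portsentry[601]: attackalert: Host: 209.75.219.165 is already blocked. Ignoring
secure:Sep  1 04:30:45 dipole in.telnetd[7560]: connect from 209.75.219.165
secure:Sep  1 04:30:45 dipole in.telnetd[7561]: connect from 209.75.219.165
secure:Sep  1 04:30:45 dipole in.telnetd[7562]: refused connect from 209.75.219.165
"""

# Classic syslog line, with an optional "filename:" prefix from grep.
SYSLOG = re.compile(
    r"^(?:[\w./-]+:)?"
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# portsentry "attackalert" messages, formats as shown in the post.
PS_CONNECT = re.compile(
    r"attackalert: Connect from host: (?P<ip>[\d.]+)/\S+ "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
PS_BLOCKED = re.compile(
    r"attackalert: Host:? (?P<ip>[\d.]+) (?:has been blocked|is already blocked)"
)
# tcp_wrappers: "connect from X" is an allowed connection, "refused connect
# from X" is one denied by hosts.allow/hosts.deny.
WRAP = re.compile(r"^(?P<refused>refused )?connect from (?P<ip>[\d.]+)$")


def _new_record():
    return {
        "probes": defaultdict(int),      # (proto, port) -> number of portsentry hits
        "blocked": False,                # portsentry added a hosts.deny entry
        "already_blocked": 0,            # repeat probes portsentry ignored
        "accepted": defaultdict(int),    # wrapped service -> allowed connections
        "refused": defaultdict(int),     # wrapped service -> refused connections
    }


def summarize(log_text):
    """Return {source_ip: record} for every host seen in the log text."""
    hosts = defaultdict(_new_record)
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "portsentry":
            c = PS_CONNECT.search(msg)
            if c:
                hosts[c["ip"]]["probes"][(c["proto"], int(c["port"]))] += 1
                continue
            b = PS_BLOCKED.search(msg)
            if b:
                rec = hosts[b["ip"]]
                if "already blocked" in msg:
                    rec["already_blocked"] += 1
                else:
                    rec["blocked"] = True
        else:
            w = WRAP.match(msg)
            if w:
                key = "refused" if w["refused"] else "accepted"
                hosts[w["ip"]][key][prog] += 1
    # Freeze the defaultdicts into plain dicts for easy comparison/printing.
    return {
        ip: {k: (dict(v) if isinstance(v, defaultdict) else v) for k, v in rec.items()}
        for ip, rec in hosts.items()
    }


def report(summary):
    """One human-readable line per source host."""
    out = []
    for ip, rec in sorted(summary.items()):
        probes = ", ".join(f"{p}/{port} x{n}" for (p, port), n in sorted(rec["probes"].items()))
        wrapped = "; ".join(
            f"{prog} accepted {rec['accepted'].get(prog, 0)}, refused {rec['refused'].get(prog, 0)}"
            for prog in sorted(set(rec["accepted"]) | set(rec["refused"]))
        )
        state = "blocked" if rec["blocked"] else "NOT blocked"
        out.append(f"{ip}: probes [{probes}] {state}, "
                   f"{rec['already_blocked']} repeat(s) ignored; {wrapped}")
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(summarize(text)):
        print(line)
```

Run it with no arguments to digest the constructed sample, or pass a file produced by `grep -h portsentry\|connect /var/log/messages /var/log/secure`. The "accepted" count is the one worth watching: tcp_wrappers logs a plain "connect from" only when it let the connection through, so those entries are connections that reached the daemon before portsentry's hosts.deny entry took effect; the "refused connect from" entries are the ones the block actually stopped.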


