Dennis and Tony,

On Tuesday 07 January 2003 01:08 pm, Dennis Stephens wrote:
> Saw the following in my syslog
>
> Jan 3 15:17:12 ardentpursuit portsentry[1120]: attackalert: External
> command run for host: 218.156.227.172 using command: "/root/add2chain
> 218.156.227.172 12345"
>
> Did that command actually run, or did portsentry prevent it from running?
It has been ages since I have used portsentry, but it looks more like portsentry was running (or attempting to run) the /root/add2chain command, presumably to block connections from 218.156.227.172 on port 12345. That's speculation without knowing your portsentry configuration, so if you really want to know you should do more investigation of the portsentry setup or post it to the list for help.

More below...

On Wed, 08 Jan 2003 08:42:33 EST Tony wrote:
> Well, my thought is...why not just reboot to be sure. I mean, your LEAF box
> is running out of RAM disk right? The disk is write protected isn't it?
> Now, that doesn't mean that it can't happen again, so I would continue to
> investigate but I would copy all relevant log files to a disk and reboot.

The problem with that approach is that it a) erases the logs of the incident (unless you save offline copies first) and b) prevents all further forensic analysis. Granted, in some situations those aren't concerns of the firewall administrator.

--Brad

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
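As an added illustration (not part of the thread, and not portsentry's own code) of the triage Brad suggests before rebooting: a small parser that pulls the "External command run" entries out of a saved syslog copy so the administrator can see which command portsentry invoked, for which host, and whether it matches the script configured as the external command (KILL_RUN_CMD in portsentry.conf). The sample log is constructed; only its first line reproduces the entry quoted in the thread, and the "/root/add2chain" expected path is an assumption taken from that entry.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog extract. The first line reproduces the portsentry
# entry quoted in the thread; the other two are constructed filler.
SAMPLE_LOG = """\
Jan  3 15:17:12 ardentpursuit portsentry[1120]: attackalert: External command run for host: 218.156.227.172 using command: "/root/add2chain 218.156.227.172 12345"
Jan  3 15:17:13 ardentpursuit sshd[1130]: Accepted publickey for admin from 192.0.2.10 port 51022
Jan  3 16:02:41 ardentpursuit portsentry[1120]: attackalert: External command run for host: 198.51.100.7 using command: "/root/add2chain 198.51.100.7 31337"
"""

# Standard syslog prefix followed by portsentry's attackalert tag.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) '
    r'portsentry\[(?P<pid>\d+)\]: attackalert: (?P<msg>.*)$'
)
# The specific message format seen in the thread.
EXT_CMD_RE = re.compile(
    r'External command run for host: (?P<src>\S+) using command: "(?P<cmd>[^"]*)"'
)

@dataclass
class ExternalCommandEvent:
    timestamp: str
    hostname: str
    pid: int
    src_ip: str      # host portsentry reported as the trigger
    command: str     # full command string portsentry says it ran
    argv: list       # command split into words for checking

def parse_external_commands(log_text: str) -> list:
    """Return one ExternalCommandEvent per 'External command run' line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a portsentry attackalert line at all
        e = EXT_CMD_RE.match(m.group("msg"))
        if not e:
            continue  # some other attackalert message type
        events.append(ExternalCommandEvent(
            timestamp=m.group("ts"), hostname=m.group("hostname"),
            pid=int(m.group("pid")), src_ip=e.group("src"),
            command=e.group("cmd"), argv=e.group("cmd").split()))
    return events

def unexpected_commands(events: list, expected_cmd: str = "/root/add2chain") -> list:
    """Flag events whose executable is not the configured script, or whose
    first argument is not the host portsentry itself reported (assumed layout)."""
    return [ev for ev in events
            if not ev.argv or ev.argv[0] != expected_cmd or ev.argv[1:2] != [ev.src_ip]]
```

Run it against a copy of the syslog taken off the box before any reboot; an empty result from unexpected_commands() means every logged invocation was the configured script acting on the host it reported.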