> Saw the following in my syslog
>
> Jan  3 15:17:12 ardentpursuit portsentry[1120]: attackalert: External
> command run for host: 218.156.227.172 using command: "/root/add2chain
> 218.156.227.172 12345"
>
> Did that command actually run, or did portsentry prevent it from running?

No, you weren't hacked. This is the normal output of Portsentry when it
detects a portscan.
You don't have to worry about that!

BUT you have to worry about your Portsentry configuration. The "command run
for host" is defined in /etc/portsentry.conf with the "KILL_ROUTE"
statement. On my Dachstein box, it looks as follows:
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

I don't know if you're using Portsentry 2.0, and 2.0 probably has an
"add2chain" script, but usually you use the normal ipchains command to add a
"bad" host to the blacklist.
If there isn't a file "add2chain" in /root then Portsentry does nothing
because the command it executes to block a host is not valid/there.
If there IS such a file, I'd check what it does... (perhaps it just
contains the same line as I have (/sbin/ipchains ....))

Hope this helps

--
Sandro
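
The check suggested in the reply above (does the configured command exist, and is it safe to run?) can be scripted. This is an added example, not part of the original message and not PortSentry's own code: it reads the active KILL_ROUTE lines, and as an extension also KILL_RUN_CMD, the other portsentry.conf setting that runs an external command. The function name, the state labels and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the commands PortSentry is configured to run exist.
# Checks active KILL_ROUTE and KILL_RUN_CMD lines; returns 1 if any needs attention.
check_kill_cmds() {
    conf=$1
    status=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}      # drop leading whitespace
        case $line in
            KILL_ROUTE=*|KILL_RUN_CMD=*) ;;        # commented lines start with '#'
            *) continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}               # strip the surrounding quotes
        exe=${val%% *}                             # first word is the program that gets run
        if [ ! -e "$exe" ]; then
            state=MISSING
        elif [ ! -x "$exe" ]; then
            state=NOT-EXECUTABLE
        elif [ -n "$(find -L "$exe" -prune -perm -0002)" ]; then
            state=WORLD-WRITABLE                   # any local user could change what runs
        else
            state=OK
        fi
        [ "$state" = OK ] || status=1
        printf '%s %s %s\n' "$key" "$state" "$exe"
    done < "$conf"
    return $status
}

# Constructed sample config and helper script (not from the original post).
demo=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo/block"; chmod 755 "$demo/block"
cat > "$demo/portsentry.conf" <<EOF
#KILL_ROUTE="/sbin/route add -host \$TARGET\$ reject"
KILL_ROUTE="$demo/block \$TARGET\$"
KILL_RUN_CMD="$demo/add2chain \$TARGET\$ \$PORT\$"
EOF
check_kill_cmds "$demo/portsentry.conf" || echo "check the entries not marked OK"
rm -rf "$demo"
```

On a real box, call check_kill_cmds /etc/portsentry.conf; a MISSING entry means no blocking rule is being added when a scan is detected.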



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
