You really ought to look into PortSentry...  It sees someone hitting
multiple ports successively, & automatically adds them to hosts.deny, and
adds a rule to your ipchains to dump their packets...  After they trip its
protection, your machine becomes a black hole...  You can also set up
specific ports.

> -----Original Message-----
> From: J. Scott Kasten [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, August 29, 2000 3:39 PM
> To:   Scott Kindley
> Cc:   [EMAIL PROTECTED]
> Subject:      Re: I'd say this is someone trying to find an expolit
> 
> 
> Yeah, it's annoying, but he's probably done no harm yet.  The best things
> to do are to go through your /etc/rc.d/rcX.d where 'X' is your default run
> level and make sure you've got any unnecessary services removed from startup
> there (the symlinks starting with 'S').  Go through your /etc/inetd.conf
> and comment out everything you don't absolutely need from there.
> Particularly ftp if you are not using it.  Then go into your hosts.deny
> and put "ALL : ALL" then in hosts.allow put "ALL : 127.0.0.1 X.X.X.X"
> where X.X.X.X is a list of fixed IP addresses that you'll allow
> connections from.  That will make it quite secure.  Then finally, if you
> run X on that box, add in an ipchains rule to your /etc/rc.d/rc.local to
> drop IP traffic that comes in for sockets in the 6000 block (the X
> server).  Now you should be really tight.
> 
> I've had people try and send buffer overflow exploits to my ftp daemon 6
> times in the past month.
> 
> On Tue, 29 Aug 2000, Scott Kindley wrote:
> 
> > 
> > Aug 29 04:21:12 ns1 in.telnetd[11975]: refused connect from 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11977]: refused connect from 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11976]: refused connect from 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11978]: refused connect from 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11979]: refused connect from 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11980]: refused connect from 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11981]: refused connect from 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11982]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 in.telnetd[11983]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11984]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11988]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11987]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11985]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11986]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11989]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 in.telnetd[11990]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 in.telnetd[11991]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 in.telnetd[11992]: refused connect from 63.145.81.31
> > Aug 29 04:21:15 ns1 in.telnetd[11993]: refused connect from 63.145.81.31
> > Aug 29 04:21:15 ns1 imapd[11994]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 imapd[11995]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 imapd[11996]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 imapd[11997]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[11998]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[11999]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[12000]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[12001]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[12002]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[12003]: refused connect from 63.145.81.31
> > Aug 29 04:21:19 ns1 in.telnetd[12004]: refused connect from 63.145.81.31
> > 
> > 
> > Not one of my IP's. Don't know anybody using any IP on that network.
> > Any suggestions on how to handle this? It's my first attempt at being
> > hacked. I have him blocked with wrappers after a telnet attempt a few
> > days ago that I thought looked funny. So for now I think I'm ok. I have
> > checked my logs and verified nothing has changed on the system. So no
> > entry was made. Still the attempt is bugging me.
> >  
> > - -----
> > Scott Kindley
> > 
> > 
> > 
> > 
> > _______________________________________________
> > Redhat-list mailing list
> > [EMAIL PROTECTED]
> > https://listman.redhat.com/mailman/listinfo/redhat-list
> > 
> 
> 
> 



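An added example (not code from anyone in this thread, nor from PortSentry) of the detection step the top reply describes: counting tcp_wrappers refusals per source across several wrapped services in a short window and emitting the hosts.deny entry and ipchains DENY rule an auto-blocker would add. The sample log lines are constructed to mirror the format quoted above, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# tcp_wrappers refusal line, same shape as the in.telnetd/imapd log quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.]+)\[\d+\]: "
    r"refused connect from (?P<src>\S+)$"
)

def parse(line, year=2000):
    """Return (timestamp, service, source), or None if the line is not a refusal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["svc"], m["src"]

def find_scanners(lines, min_hits=5, min_services=2, window=60):
    """Flag a source with >= min_hits refusals over >= min_services distinct services
    inside `window` seconds (PortSentry's 'multiple ports' trigger; thresholds assumed)."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_src[rec[2]].append((rec[0], rec[1]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            win = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window]
            services = {svc for _, svc in win}
            if len(win) >= min_hits and len(services) >= min_services:
                flagged[src] = sorted(services)
                break
    return flagged

def block_rules(flagged):
    """hosts.deny entry plus ipchains DENY rule per flagged source (the auto-block step)."""
    return [(f"ALL : {src}", f"ipchains -A input -s {src} -j DENY") for src in sorted(flagged)]
# Constructed sample (RFC 5737 addresses): a sweep of telnet/imap/ftp, then a lone refusal.
SAMPLE = """\
Aug 29 04:21:12 ns1 in.telnetd[11975]: refused connect from 192.0.2.10
Aug 29 04:21:12 ns1 in.telnetd[11976]: refused connect from 192.0.2.10
Aug 29 04:21:13 ns1 imapd[11984]: refused connect from 192.0.2.10
Aug 29 04:21:13 ns1 imapd[11985]: refused connect from 192.0.2.10
Aug 29 04:21:15 ns1 in.telnetd[11993]: refused connect from 192.0.2.10
Aug 29 04:21:16 ns1 in.ftpd[11999]: refused connect from 192.0.2.10
Aug 29 05:10:02 ns1 in.telnetd[12100]: refused connect from 192.0.2.77
Aug 29 05:10:03 ns1 sshd[12101]: Accepted password for scott from 192.0.2.77
""".splitlines()
```

The lone refusal from the second source stays below the threshold, which is the distinction between a single blocked connection and the successive-port pattern the thread is reacting to.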