I'm running portsentry on a test application server which is outside our 
firewall (we had no choice... our custom app needed this to work properly).

I have it set up to automatically add any system that portscans us to 
our IPCHAINS deny policy.  I have done a whois and contacted the admin 
who "claims" they never port scanned us (I don't believe him, of 
course).  This may have been stupid, but as he is the network admin of 
his company I gave him the IP address of the server which was 
portscanned.  Attached is the part of our messages log I am concerned about.

Anyway...  I'm bringing the machine down today anyway.  We've completed 
the work it was intended to do, so it's a moot point.  Still, for 
educational purposes, I was hoping someone could confirm.

Greatly Appreciated.

Frank.

Feb 12 00:54:17 testapp_001 portsentry[1883]: attackalert: UDP scan from host: djinn-open.gene.com/192.12.78.2 to UDP port: 9
Feb 12 00:54:17 testapp_001 portsentry[1883]: attackalert: Host 192.12.78.2 has been blocked via wrappers with string: "ALL: 192.12.78.2"
Feb 12 00:54:18 testapp_001 portsentry[1883]: attackalert: Host 192.12.78.2 has been blocked via dropped route using command: "/sbin/ipfwadm -I -i deny -S 192.12.78.2 -o"
Feb 12 00:54:18 testapp_001 kernel: Packet log: inp DENY eth0 PROTO=17 192.12.78.2:3205 166.70.202.30:27015 L=40 S=0x00 I=43300 F=0x0000 T=17 (#1)
Feb 12 00:54:20 testapp_001 kernel: Packet log: inp DENY eth0 PROTO=17 192.12.78.2:3205 166.70.202.30:27015 L=40 S=0x00 I=44870 F=0x0000 T=17 (#1)
Feb 12 00:54:22 testapp_001 kernel: Packet log: inp DENY eth0 PROTO=17 192.12.78.2:3205 166.70.202.30:27015 L=40 S=0x00 I=45274 F=0x0000 T=17 (#1)
Feb 12 00:54:24 testapp_001 kernel: Packet log: inp DENY eth0 PROTO=17 192.12.78.2:3205 166.70.202.30:27015 L=40 S=0x00 I=45647 F=0x0000 T=17 (#1)
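For readers working through a log like the one above, here is an added example (not part of Frank's post or of portsentry) that parses the two line formats it contains, the portsentry "attackalert" line and the ipchains kernel "Packet log" line, and then tallies how many distinct destination ports each source address touched. The sample log is constructed, modelled on the lines in the post; the threshold of three ports is an assumed heuristic for telling a port sweep from repeated hits on a single port.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the portsentry/ipchains lines in the post.
SAMPLE_LOG = """\
Feb 12 00:54:17 testapp_001 portsentry[1883]: attackalert: UDP scan from host: djinn-open.gene.com/192.12.78.2 to UDP port: 9
Feb 12 00:54:18 testapp_001 kernel: Packet log: inp DENY eth0 PROTO=17 192.12.78.2:3205 166.70.202.30:27015 L=40 S=0x00 I=43300 F=0x0000 T=17 (#1)
Feb 12 00:54:20 testapp_001 kernel: Packet log: inp DENY eth0 PROTO=17 192.12.78.2:3205 166.70.202.30:27015 L=40 S=0x00 I=44870 F=0x0000 T=17 (#1)
"""

# ipchains kernel log: "<chain> <action> <iface> PROTO=<n> src:sport dst:dport ..."
PACKET_RE = re.compile(
    r"kernel: Packet log: \S+ (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# portsentry alert: "... <TCP|UDP> scan from host: <name>/<ip> to <TCP|UDP> port: <n>"
SENTRY_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: (?P<proto>TCP|UDP) scan from host: "
    r"\S+/(?P<src>[\d.]+) to (?:TCP|UDP) port: (?P<dport>\d+)"
)

def parse_events(text):
    """Return one dict per recognised line; block/route lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            events.append({"kind": "packet", "src": m["src"],
                           "dport": int(m["dport"]), "proto": int(m["proto"])})
            continue
        m = SENTRY_RE.search(line)
        if m:
            proto = 17 if m["proto"] == "UDP" else 6
            events.append({"kind": "sentry", "src": m["src"],
                           "dport": int(m["dport"]), "proto": proto})
    return events

def ports_per_source(events):
    """Map each source IP to the sorted set of destination ports it hit."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items()}

def classify(events, scan_threshold=3):
    """Label a source 'port sweep' once it touches scan_threshold or more
    distinct ports; fewer looks like one or two flows being retried."""
    return {src: ("port sweep" if len(p) >= scan_threshold else "few ports")
            for src, p in ports_per_source(events).items()}
```

Run it over a longer slice of /var/log/messages to see whether a blocked source ever touched more than the one or two ports visible in a short excerpt.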