Re: [newbie] Portsentry reporting
On Tuesday 02 January 2001 00:55, you wrote:
> On Sun, 31 Dec 2000, Dennis Myers wrote:
> Should be in /var/log/messages

You can also take a look at /etc/portsentry.history to see what ended up being blocked.

> > Hi again everyone, this has been puzzling me for a while. I have portsentry installed and configured on two machines (in conjunction with pmfirewall) and have not been able to determine where to look for reports on possible attacks or unauthorized access attempts. Where should I look for this information? Does portsentry send e-mail to root? Thanks for any info available.

-- 
Alex (Go easy on me, I'm a COBOL programmer in real life)
Re: [newbie] Portsentry reporting
On Sun, 31 Dec 2000, Dennis Myers wrote:

Should be in /var/log/messages

> Hi again everyone, this has been puzzling me for a while. I have portsentry installed and configured on two machines (in conjunction with pmfirewall) and have not been able to determine where to look for reports on possible attacks or unauthorized access attempts. Where should I look for this information? Does portsentry send e-mail to root? Thanks for any info available.

-- 
Q: How many Klingons does it take to change a lightbulb?
A: None. Klingons are not afraid of the dark.
http://nlpagan.net - ICQ 147208 - Registered Linux User 174403
Linux Mandrake 7.2 - Pine 4.31
RE: [newbie] Portsentry reporting
In the standard configuration it sends all reports to /var/log/messages. Unless you changed the logging facility which it uses during the configuration, all your portsentry reports should be listed there.

I understand that there is a way to redirect its reports but I have been unable to get it working. Some of the more experienced users might be able to help with that one. I would actually be very interested to find out how to change its logging properties. Portsentry dumps too much clutter into the messages file for me to look past when I'm reviewing my weekly logs.

Regards - Ben

--Original Message--
From: Dennis Myers [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: January 1, 2001 4:42:29 AM GMT
Subject: [newbie] Portsentry reporting

> Hi again everyone, this has been puzzling me for a while. I have portsentry installed and configured on two machines (in conjunction with pmfirewall) and have not been able to determine where to look for reports on possible attacks or unauthorized access attempts. Where should I look for this information? Does portsentry send e-mail to root? Thanks for any info available.
>
> -- Dennis M. Registered Linux user #180842

__
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup
Re: [newbie] Portsentry Config
John Wheat wrote:
> I have installed and configured portsentry to my likings but after following the tutorial at www.linuxnewbie.org/nhf/intel/security/portsentry1.html and adding the lines
>
> /usr/local/psionics/portsentry/portsentry -atcp
> /usr/local/psionic/portsentry/portsentry -udp
>
> the program does not load and run at boot up. Any ideas on this?
>
> Thanks, John Wheat

Those lines should be appended to the very end of /etc/rc.d/rc.local. Also - possibly a typo - check the syntax against what you wrote above.

Cheers
-- 
ICQ#: 89345394 Mailto: [EMAIL PROTECTED]
Re: [newbie] portsentry help
ed wrote:
> Hi all, I was wondering does anyone here use portsentry cause I have it on my box and it works fine except for the .wav file that is supposed to warn me when someone scans me. The IP is blocked and put in the host.deny file but I never hear the .wav file. Does anyone here know how I can correct this? Thanks all

The address to the .wav file is right at the bottom of the portsentry.conf file, which if memory serves is: /usr/local/psionic/portsentry. The default sound file is very vanilla - I suggest you change it to something which is more likely to grab your attention if you work in a noisy environment.

Cheers
-- 
ICQ# 89345394 Mailto: [EMAIL PROTECTED]
"The number of UNIX installations has grown to 10, with more expected" (The UNIX Programmer's Manual, 2nd Edition, June 1972.)
Re: [newbie] Portsentry traps
Mark Weaver wrote:
> Definitely! I'm all ears...rather I'm all eyes since I can't see with my ears. My wife would tell you that when I'm sitting in front of this monitor I can't hear with my ears either! :)

Mine used to say that too but she was always referring to the newspaper or the roadsigns or the other driver who was about to sideswipe me. Fixed the problem by redesigning my deaf-aid - turned her off!!

Cheers

> -- Mark
> /* I never worry about the to-jams.
>  * Once I've stuck my foot in my mouth
>  * it's already too late...just make sure
>  * you chew them thoroughly before swallowing! */
> Registered Linux user #182496 * Pine 4.21 *
>
> On Mon, 16 Oct 2000 7:00am, John Rye spake passionately in a message:
> > Greg Stewart wrote:
> > > Portsentry usually adds the offending host IP to the route tables, but this isn't always the best option anymore. You can change the KILL_ROUTE command in /usr/local/psionic/portsentry/portsentry.conf to the following and it will add the host IP to your ipchains rules (if you're using ipchains--which, really, you should be):
> > >
> > > KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
> > >
> > > If you still want these probes logged, add "-l" (lower-case "L") to the line before the last quotation mark. With this rule added to your ipchains, all hits from that host will be dropped regardless of type. Hopefully portsentry is not the only protection you have against intruders. It's a great utility, but not complete enough on its own to rely on.
> >
> > I'm well protected.. using ipchains, I already have your suggestion setup. It was more a question of whether one should attempt to 'deal to' the offender. I used to be continually probed when I used ICQ and Jammer on that other opsys, and had some good results by attacking the source-site owner, but those were not of this type.
> >
> > ?? What/why would a socks proxy port be probed ??
> >
> > Suggestions and further discussion might be useful to other list members.
> >
> > Cheers

-- 
ICQ# 89345394 Mailto: [EMAIL PROTECTED]
"The number of UNIX installations has grown to 10, with more expected" (The UNIX Programmer's Manual, 2nd Edition, June 1972.)
Re: [newbie] Portsentry traps
Greg Stewart wrote:
> Hell, I'm so blind (and probably deaf, too) my co-workers think the only way I can see what's on a computer screen is by smelling the damned thing!
> --Greg

Sorry to butt in on this thread - Greg, but (sic), that takes "scratch and sniff" to a whole new level! smile

PS Just as an aside, didn't they predict/do studies on the concept of having your monitor release pheremones (sp?) in response to game situations? ;-)

Catch ya later...
-- 
/\ DarkLord \/
Re: [newbie] Portsentry traps
A good start would be to report them to your ISP.

-- 
Mark
/* I never worry about the to-jams.
 * Once I've stuck my foot in my mouth
 * it's already too late...just make sure
 * you chew them thoroughly before swallowing! */
Registered Linux user #182496 * Pine 4.21 *

On Sun, 15 Oct 2000 11:43pm, John Rye spake passionately in a message:
> During the past five days Portsentry has reported several probes on port 1080 along with some DNS information. I understand this is the Socks Proxy port.
>
> Without disclosing (at this time) the origin of these probes, could someone advise me on how (or if) I should deal with/to them?
>
> Also, out of this, does anyone remember the 'Flint' movies from the 60's - I'm interested in getting hold of the alarm sound which was used. I think it may have been used in other spy spoofs but can't remember which. I'd like to use that as my Portsentry alarm signal.
>
> Cheers
Re: [newbie] Portsentry traps
Definitely! I'm all ears...rather I'm all eyes since I can't see with my ears. My wife would tell you that when I'm sitting in front of this monitor I can't hear with my ears either! :)

-- 
Mark
/* I never worry about the to-jams.
 * Once I've stuck my foot in my mouth
 * it's already too late...just make sure
 * you chew them thoroughly before swallowing! */
Registered Linux user #182496 * Pine 4.21 *

On Mon, 16 Oct 2000 7:00am, John Rye spake passionately in a message:
> Greg Stewart wrote:
> > Portsentry usually adds the offending host IP to the route tables, but this isn't always the best option anymore. You can change the KILL_ROUTE command in /usr/local/psionic/portsentry/portsentry.conf to the following and it will add the host IP to your ipchains rules (if you're using ipchains--which, really, you should be):
> >
> > KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
> >
> > If you still want these probes logged, add "-l" (lower-case "L") to the line before the last quotation mark. With this rule added to your ipchains, all hits from that host will be dropped regardless of type. Hopefully portsentry is not the only protection you have against intruders. It's a great utility, but not complete enough on its own to rely on.
>
> I'm well protected.. using ipchains, I already have your suggestion setup. It was more a question of whether one should attempt to 'deal to' the offender. I used to be continually probed when I used ICQ and Jammer on that other opsys, and had some good results by attacking the source-site owner, but those were not of this type.
>
> ?? What/why would a socks proxy port be probed ??
>
> Suggestions and further discussion might be useful to other list members.
>
> Cheers
Re: [newbie] Portsentry traps
> My wife would tell you that when I'm sitting in front of this monitor I can't hear with my ears either! :)

Hell, I'm so blind (and probably deaf, too) my co-workers think the only way I can see what's on a computer screen is by smelling the damned thing!

--Greg

- Original Message -
From: "Mark Weaver" [EMAIL PROTECTED]

> Definitely! I'm all ears...rather I'm all eyes since I can't see with my ears. My wife would tell you that when I'm sitting in front of this monitor I can't hear with my ears either! :)
>
> -- Mark
> /* I never worry about the to-jams.
>  * Once I've stuck my foot in my mouth
>  * it's already too late...just make sure
>  * you chew them thoroughly before swallowing! */
> Registered Linux user #182496 * Pine 4.21 *
>
> On Mon, 16 Oct 2000 7:00am, John Rye spake passionately in a message:
> > Greg Stewart wrote:
> > > Portsentry usually adds the offending host IP to the route tables, but this isn't always the best option anymore. You can change the KILL_ROUTE command in /usr/local/psionic/portsentry/portsentry.conf to the following and it will add the host IP to your ipchains rules (if you're using ipchains--which, really, you should be):
> > >
> > > KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
> > >
> > > If you still want these probes logged, add "-l" (lower-case "L") to the line before the last quotation mark. With this rule added to your ipchains, all hits from that host will be dropped regardless of type. Hopefully portsentry is not the only protection you have against intruders. It's a great utility, but not complete enough on its own to rely on.
> >
> > I'm well protected.. using ipchains, I already have your suggestion setup. It was more a question of whether one should attempt to 'deal to' the offender. I used to be continually probed when I used ICQ and Jammer on that other opsys, and had some good results by attacking the source-site owner, but those were not of this type.
> >
> > ?? What/why would a socks proxy port be probed ??
> >
> > Suggestions and further discussion might be useful to other list members.
> >
> > Cheers

__
Do you have a personal website? 2 million francs to be won on i(france)! Webmasters: THE CONTEST! http://www.ifrance.com/_reloc/concours.emailif
Re: [newbie] Portsentry traps
John;

The sound was also used in "Hudson Hawk" with Bruce Willis. I remember the "Our Man Flint" movies as well! Anyway the sound was used for the electronic handcuffs in the show. Maybe that info will help?

Have U tried " www.freethemes.com " ?? Check out the "Unix Themes" section, dude.

L 8 R,

- Original Message -
From: "John Rye" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 15, 2000 6:43 AM
Subject: [newbie] Portsentry traps

> During the past five days Portsentry has reported several probes on port 1080 along with some DNS information. I understand this is the Socks Proxy port.
>
> Without disclosing (at this time) the origin of these probes, could someone advise me on how (or if) I should deal with/to them?
>
> Also, out of this, does anyone remember the 'Flint' movies from the 60's - I'm interested in getting hold of the alarm sound which was used. I think it may have been used in other spy spoofs but can't remember which. I'd like to use that as my Portsentry alarm signal.
>
> Cheers
> -- 
> ICQ# 89345394 Mailto: [EMAIL PROTECTED]
> "The number of UNIX installations has grown to 10, with more expected" (The UNIX Programmer's Manual, 2nd Edition, June 1972.)
Re: [newbie] Portsentry traps
Portsentry usually adds the offending host IP to the route tables, but this isn't always the best option anymore. You can change the KILL_ROUTE command in /usr/local/psionic/portsentry/portsentry.conf to the following and it will add the host IP to your ipchains rules (if you're using ipchains--which, really, you should be):

KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"

If you still want these probes logged, add "-l" (lower-case "L") to the line before the last quotation mark. With this rule added to your ipchains, all hits from that host will be dropped regardless of type.

Hopefully portsentry is not the only protection you have against intruders. It's a great utility, but not complete enough on its own to rely on.

--Greg

- Original Message -
From: "John Rye" [EMAIL PROTECTED]

> During the past five days Portsentry has reported several probes on port 1080 along with some DNS information. I understand this is the Socks Proxy port.
>
> Without disclosing (at this time) the origin of these probes, could someone advise me on how (or if) I should deal with/to them?
>
> Also, out of this, does anyone remember the 'Flint' movies from the 60's - I'm interested in getting hold of the alarm sound which was used. I think it may have been used in other spy spoofs but can't remember which. I'd like to use that as my Portsentry alarm signal.
>
> Cheers
> -- 
> ICQ# 89345394 Mailto: [EMAIL PROTECTED]
> "The number of UNIX installations has grown to 10, with more expected" (The UNIX Programmer's Manual, 2nd Edition, June 1972.)
Re: [newbie] Portsentry traps
Dan LaBine wrote:
> John;
>
> The sound was also used in "Hudson Hawk" with Bruce Willis. I remember the "Our Man Flint" movies as well! Anyway the sound was used for the electronic handcuffs in the show. Maybe that info will help?
>
> Have U tried " www.freethemes.com " ?? Check out the "Unix Themes" section, dude.
>
> L 8 R,

Thanks Dan - I'll start another hunt.

Cheers
-- 
ICQ# 89345394 Mailto: [EMAIL PROTECTED]
"The number of UNIX installations has grown to 10, with more expected" (The UNIX Programmer's Manual, 2nd Edition, June 1972.)
Re: [newbie] Portsentry traps
Greg Stewart wrote:
> Portsentry usually adds the offending host IP to the route tables, but this isn't always the best option anymore. You can change the KILL_ROUTE command in /usr/local/psionic/portsentry/portsentry.conf to the following and it will add the host IP to your ipchains rules (if you're using ipchains--which, really, you should be):
>
> KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
>
> If you still want these probes logged, add "-l" (lower-case "L") to the line before the last quotation mark. With this rule added to your ipchains, all hits from that host will be dropped regardless of type. Hopefully portsentry is not the only protection you have against intruders. It's a great utility, but not complete enough on its own to rely on.

I'm well protected.. using ipchains, I already have your suggestion setup. It was more a question of whether one should attempt to 'deal to' the offender. I used to be continually probed when I used ICQ and Jammer on that other opsys, and had some good results by attacking the source-site owner, but those were not of this type.

?? What/why would a socks proxy port be probed ??

Suggestions and further discussion might be useful to other list members.

Cheers
-- 
ICQ# 89345394 Mailto: [EMAIL PROTECTED]
"The number of UNIX installations has grown to 10, with more expected" (The UNIX Programmer's Manual, 2nd Edition, June 1972.)
Re: [newbie] Portsentry traps
> ?? What/why would a socks proxy port be probed ??

Socks is a network proxy protocol used to provide NAT access for one section of a network to another. It is possible that the machine from which the packets came is hitting you or everyone (I haven't seen your packet log entry, so I can't decipher it) in an attempt to detect its proxy. This probably indicates a mis-configured machine on your segment of your ISP's network, or that is less than a certain number of hops distance from your machine so that the packets do not time out before getting to you.

Socks and DNS, even DHCP hits on your machine usually don't pose a threat at all. It's just that someone seems not to know what they're doing--most often on Windows machines.

Check to see (or include the packet log entry) that the destination is 255.255.255.255, or "broadcast". If this is so, then it's definitely not an attack. If otherwise, I would guess it's a mis-configuration.

--Greg

- Original Message -
From: "John Rye" [EMAIL PROTECTED]

> I'm well protected.. using ipchains, I already have your suggestion setup. It was more a question of whether one should attempt to 'deal to' the offender. I used to be continually probed when I used ICQ and Jammer on that other opsys, and had some good results by attacking the source-site owner, but those were not of this type.
>
> ?? What/why would a socks proxy port be probed ??
>
> Suggestions and further discussion might be useful to other list members.
>
> Cheers
> -- 
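As an added illustration (not code from this thread, from portsentry or from ipchains), here is a small Python triage helper for the kernel log lines you get once the KILL_ROUTE rule earlier in the thread carries "-l": it applies Greg's broadcast test to each logged hit, tallies hits per source address, and expands the $TARGET$ placeholder only when it holds a literal IPv4 address. The log field layout, the sample lines and the addresses in them are constructed assumptions, not output copied from any list member's machine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of the kernel log lines ipchains writes once the
# KILL_ROUTE rule from this thread carries "-l". The field layout is an
# assumption about ipchains output; addresses and timestamps are invented.
SAMPLE_LOG = [
    "Oct 15 03:12:01 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "10.9.8.7:1034 255.255.255.255:1080 L=48 S=0x00 I=3 F=0x4000 T=128 SYN",
    "Oct 15 03:12:09 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "10.9.8.52:1057 255.255.255.255:1080 L=48 S=0x00 I=4 F=0x4000 T=128 SYN",
    "Oct 15 04:02:11 gw kernel: Packet log: input DENY eth0 PROTO=17 "
    "10.9.8.52:68 255.255.255.255:67 L=328 S=0x00 I=0 F=0x0000 T=64",
    "Oct 16 07:01:55 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.17:41222 203.0.113.5:1080 L=48 S=0x00 I=9 F=0x4000 T=51 SYN",
    "Oct 16 07:01:56 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.17:41223 203.0.113.5:22 L=48 S=0x00 I=10 F=0x4000 T=51 SYN",
    "Oct 16 07:02:00 gw sshd[200]: Accepted publickey for alex from 203.0.113.9",
]

PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Services the thread singles out as usually harmless noise when hit by broadcasts.
NOISY_PORTS = {1080: "socks", 53: "dns", 67: "dhcp-server", 68: "dhcp-client"}
BROADCAST = "255.255.255.255"
# Greg's KILL_ROUTE rule with the "-l" logging flag he suggests appended.
KILL_ROUTE = "/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

def parse_packet_log(line):
    """Return the interesting fields of one ipchains log line, or None if it is not one."""
    m = PACKET_LOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    for key in ("proto", "sport", "dport"):
        f[key] = int(f[key])
    return f

def classify(entry):
    """Greg's rule: a packet aimed at 255.255.255.255 is a misconfigured
    neighbour shouting at everyone, not an attack directed at this host."""
    if entry["dst"] == BROADCAST:
        return "broadcast-misconfig"
    return "directed"

def triage(lines):
    """Count hits per source address, split by verdict; non-ipchains lines are skipped."""
    summary = {"broadcast-misconfig": Counter(), "directed": Counter()}
    for line in lines:
        entry = parse_packet_log(line)
        if entry is None:
            continue
        summary[classify(entry)][entry["src"]] += 1
    return summary

def describe(entry):
    """One human-readable line per hit, naming the service where the thread names it."""
    name = NOISY_PORTS.get(entry["dport"], "port %d" % entry["dport"])
    return "%s -> %s (%s): %s" % (entry["src"], entry["dst"], name, classify(entry))

def kill_route_command(target, template=KILL_ROUTE):
    """Expand portsentry's $TARGET$ placeholder, but only with a literal IPv4
    address, so nothing except an address can ever reach the shell."""
    ipaddress.IPv4Address(target)  # raises ValueError for anything else
    return template.replace("$TARGET$", target)
```

Run triage(SAMPLE_LOG) to see the per-source tallies split by verdict; only the "directed" bucket deserves a closer look.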
Re: [newbie] Portsentry traps
John Rye wrote:
> Greg Stewart wrote:
> > Portsentry usually adds the offending host IP to the route tables, but this isn't always the best option anymore. You can change the KILL_ROUTE command in /usr/local/psionic/portsentry/portsentry.conf to the following and it will add the host IP to your ipchains rules (if you're using ipchains--which, really, you should be):
> >
> > KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
> >
> > If you still want these probes logged, add "-l" (lower-case "L") to the line before the last quotation mark. With this rule added to your ipchains, all hits from that host will be dropped regardless of type. Hopefully portsentry is not the only protection you have against intruders. It's a great utility, but not complete enough on its own to rely on.
>
> I'm well protected.. using ipchains, I already have your suggestion setup. It was more a question of whether one should attempt to 'deal to' the offender. I used to be continually probed when I used ICQ and Jammer on that other opsys, and had some good results by attacking the source-site owner, but those were not of this type.
>
> ?? What/why would a socks proxy port be probed ??
>
> Suggestions and further discussion might be useful to other list members.
>
> Cheers
> -- 
> ICQ# 89345394 Mailto: [EMAIL PROTECTED]
> "The number of UNIX installations has grown to 10, with more expected" (The UNIX Programmer's Manual, 2nd Edition, June 1972.)

Some IRCd's check for open socks servers
Re: [newbie] Portsentry traps
Greg Stewart wrote:
> > ?? What/why would a socks proxy port be probed ??
>
> Socks is a network proxy protocol used to provide NAT access for one section of a network to another. It is possible that the machine from which the packets came is hitting you or everyone (I haven't seen your packet log entry, so I can't decipher it) in an attempt to detect its proxy. This probably indicates a mis-configured machine on your segment of your ISP's network, or that is less than a certain number of hops distance from your machine so that the packets do not time out before getting to you.
>
> Socks and DNS, even DHCP hits on your machine usually don't pose a threat at all. It's just that someone seems not to know what they're doing--most often on Windows machines.
>
> Check to see (or include the packet log entry) that the destination is 255.255.255.255, or "broadcast". If this is so, then it's definitely not an attack. If otherwise, I would guess it's a mis-configuration.

Thanks Greg. Yes it does seem to be mis-config. There is no consistency in the source IPs and the entry does show up as 'broadcast' as well. My curiosity was in that all the other probes have been pretty obvious as to what they were - these just seemed a bit different.

Cheers
-- 
ICQ# 89345394 Mailto: [EMAIL PROTECTED]
"The number of UNIX installations has grown to 10, with more expected" (The UNIX Programmer's Manual, 2nd Edition, June 1972.)
Re: [newbie] Portsentry traps
If you do a whois on the network IP's and can actually resolve some owner of the network to which these IP's belong, you might drop them a note about their clients' broadcasting...if they belong to your ISP's subscribers, contact your technical support. You won't necessarily get anything done, but at least they will be aware of the issue.

--Greg

- Original Message -
From: "John Rye" [EMAIL PROTECTED]

> Thanks Greg. Yes it does seem to be mis-config. There is no consistency in the source IPs and the entry does show up as 'broadcast' as well. My curiosity was in that all the other probes have been pretty obvious as to what they were - these just seemed a bit different.
>
> Cheers
Re: [newbie] Portsentry traps
Greg Stewart wrote:
> If you do a whois on the network IP's and can actually resolve some owner of the network to which these IP's belong, you might drop them a note about their clients' broadcasting...if they belong to your ISP's subscribers, contact your technical support. You won't necessarily get anything done, but at least they will be aware of the issue.
>
> --Greg
>
> - Original Message -
> From: "John Rye" [EMAIL PROTECTED]
>
> > Thanks Greg. Yes it does seem to be mis-config. There is no consistency in the source IPs and the entry does show up as 'broadcast' as well. My curiosity was in that all the other probes have been pretty obvious as to what they were - these just seemed a bit different.
> >
> > Cheers

Been there dun that anyway - see what comes of it.

Cheers
-- 
ICQ# 89345394 Mailto: [EMAIL PROTECTED]
"The number of UNIX installations has grown to 10, with more expected" (The UNIX Programmer's Manual, 2nd Edition, June 1972.)
Re: [newbie] Portsentry
Why, what did you do to the config files that's making portsentry complain? I've never had a problem editing the config files in portsentry, and it's never complained about a single thing I've done. Be more specific about the problem you're experiencing and maybe we can walk through a correction.

--Greg

- Original Message -
From: "Vic" [EMAIL PROTECTED]

> I think portsentry should be made so that it actyually works (screw typos) and pays attention to its config files, so that when you edit them, it makes the changes instead of ignoring them and then lying and saying that the configfiles are corrupt
Re: [newbie] Portsentry
Vic [EMAIL PROTECTED] on 09/13/2000 09:53:42 AM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Lonny Selinger/SaskPower)
Subject: [newbie] Portsentry

Hrmm maybe your files _are_ corrupted. I've been using it on all my machines (configured over and over again) and have never had a problem. Have you checked their site to verify your claim?

Lonny

> I think portsentry should be made so that it actyually works (screw typos) and pays attention to its config files, so that when you edit them, it makes the changes instead of ignoring them and then lying and saying that the configfiles are corrupt
Re: [newbie] Portsentry
Vic this is Charley, sorry for using your computer without asking, I forgot my password and you were not here when I got back from class.

Dude, it's cool man, just sit back, and drink a pop, have a smoke. I looked at the config files, they look all ok _except_ the Makefile, and from the looks of that core file, that editor you are trying to write is still in beta, don't use it for serious or critical work yet, we still got to work some serious bugs out of it, dude. Use Vi, you know how to use it, I seen you do it, just use Vi to edit the Makefile instead of that beta editor of yours for now, change the directories in it and test it, if it still does not work, call me on my cell phone if I'm not here when you get back and I will help you when I get home. Aiight homey?? L8R!

-- Charley

On Wed, 13 Sep 2000, you wrote:
> I think portsentry should be made so that it actyually works (screw typos) and pays attention to its config files, so that when you edit them, it makes the changes instead of ignoring them and then lying and saying that the configfiles are corrupt