I just love watching /etc/hosts.deny grow automatically, and then
looking in the syslogs to see what folks did to trip it up. I have Portsentry
set with a very low tolerance, so that folks can access what I've told
them about, and maybe what I haven't, but if they try telnetting in
for example, they're automatically blocked. Anyhow, I had the
following log entries from earlier tonight which confused me:
Oct 2 20:25:02 ethereal portsentry[149]: attackalert: SYN/Normal scan from host:
resnet-43-124.dorm.utexas.edu/129.116.43.124 to TCP port: 23
Oct 2 20:25:02 ethereal portsentry[149]: attackalert: Host 129.116.43.124 has been
blocked via wrappers with string: "ALL: 129.116.43.124"
Oct 2 20:25:02 ethereal portsentry[149]: attackalert: Host 129.116.43.124 has been
blocked via dropped route using command: "/sbin/ipfwadm -I -i deny -S 129.116.43.124
-o"
Ok, that doesn't confuse me; I'm just setting the stage. User x tries
scanning 23 which, even though that isn't inherently evil, I don't
want happening. The interesting part though, after another scan of
port 23, is:
Oct 2 20:25:02 ethereal portsentry[149]: attackalert: Unknown Type:
Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host:
resnet-43-124.dorm.utexas.edu/129.116.43.124 to TCP port: 23
And then a slightly different packet:
Oct 2 20:25:02 ethereal portsentry[149]: attackalert: Unknown Type: Packet Flags:
SYN: 0 FIN: 0 ACK: 0 PSH: 1 URG: 0 RST: 0 from host:
resnet-43-124.dorm.utexas.edu/129.116.43.124 to TCP port: 23
So, what are these two packets which have been thrown at me? Obviously
they aren't that big of a deal, since I haven't experienced any
problems, and the offending host is blocked and thus can't communicate
or be communicated with. I just like to know what is being tossed at
me.
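A small triage helper for those "Unknown Type" lines, added here as an example (it is not from the post and not part of Portsentry): it parses the flag fields Portsentry logs and says why each combination could not have come from a normal TCP stack. The two sample lines are the post's own entries re-joined onto single lines; the rules in the comments come from RFC 793.

```python
import re
from typing import Optional

# Portsentry "Unknown Type" alert line as quoted in the post, re-joined
# onto one line (syslog wraps it at 80 columns in the mail).
LOG_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Unknown Type: Packet Flags: "
    r"SYN: (?P<SYN>[01]) FIN: (?P<FIN>[01]) ACK: (?P<ACK>[01]) "
    r"PSH: (?P<PSH>[01]) URG: (?P<URG>[01]) RST: (?P<RST>[01]) "
    r"from host: (?P<host>\S+?)/(?P<ip>[\d.]+) to TCP port: (?P<port>\d+)"
)

def classify_flags(f: dict) -> str:
    """Explain why a flag combination is not one a normal stack emits.
    RFC 793: SYN and FIN never appear together; every segment after the
    initial SYN carries ACK (a RST answering a SYN is the exception);
    a segment with no flags at all has no meaning."""
    if f["SYN"] and f["FIN"]:
        return "SYN+FIN: impossible combination, crafted probe (SYN/FIN scan)"
    if not any(f.values()):
        return "NULL: no flags set, crafted probe (NULL scan)"
    if not f["ACK"] and not f["SYN"] and not f["RST"]:
        set_flags = "+".join(k for k, v in f.items() if v)
        return f"{set_flags} without ACK: only valid inside an established connection, crafted probe"
    return "plausible for a live connection; correlate with connection state"

def parse_unknown_type(line: str) -> Optional[dict]:
    """Return host/ip/port/flags/verdict for an Unknown Type line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flags = {k: int(m.group(k)) for k in ("SYN", "FIN", "ACK", "PSH", "URG", "RST")}
    return {"host": m.group("host"), "ip": m.group("ip"),
            "port": int(m.group("port")), "flags": flags,
            "verdict": classify_flags(flags)}

def triage(lines) -> list:
    """Keep only the Unknown Type alerts; plain SYN-scan lines are skipped."""
    return [r for r in map(parse_unknown_type, lines) if r]

# Constructed sample: the three alert lines from the post, each on one line.
SAMPLE = [
    "Oct  2 20:25:02 ethereal portsentry[149]: attackalert: SYN/Normal scan from host: resnet-43-124.dorm.utexas.edu/129.116.43.124 to TCP port: 23",
    "Oct  2 20:25:02 ethereal portsentry[149]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: resnet-43-124.dorm.utexas.edu/129.116.43.124 to TCP port: 23",
    "Oct  2 20:25:02 ethereal portsentry[149]: attackalert: Unknown Type: Packet Flags: SYN: 0 FIN: 0 ACK: 0 PSH: 1 URG: 0 RST: 0 from host: resnet-43-124.dorm.utexas.edu/129.116.43.124 to TCP port: 23",
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['ip']} -> port {r['port']}: {r['verdict']}")
```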