Hello,

I believe you should stop portsentry to start with, and use ipchains to configure
things. killall -HUP portsentry and then remove the lines from
/etc/rc.d/rc.local.

Portsentry is probably not that useful, I installed it but I think it is more
trouble than it is worth.  ipchains is extremely useful, as well as just
making sure to shut down services you are not using.

You can probably delete your dead.letter, and you can
tail -f dead.letter and the other log files to see what is going on that
is making them grow so fast.

From your questions earlier on:
1. Yes, you can rm dead.letter if it doesn't have anything interesting in it.
Also not sure why it is in dead.letter; I don't get it there. You might want to
double-check logcheck.sh.
2. killall and then remove lines from rc.local
3. portsentry is a silly, marginally useful port sentry that, when it sees
someone scan you, locks them out. logcheck is a very useful tool, though unless
you configure it right it can spam you with hordes of messages. The easy
solution is to run it only a few times a day.
4. No, you don't ignore ports: they either have something running on them
(netstat -alnp) or they do not, and you close them. What is running on them is
either a trojan, a backdoor, or it is your mail server, your web server... so
it is tricky. I am not an expert... I just try closing a port with ipchains,
see if everything is still working, and tail the log files to see that
nothing is complaining. And I man the program that is tied to that port...
eventually I rule out evil programs and am left with the usual services, so I
release the port again. Read /etc/services and /etc/inetd.conf.
5. Netmask is not just an option... and it is too fundamental knowledge; you
really need to read some introduction to TCP/IP, and it could really affect
your machine in strange ways.

David Yates Buckley,
Unit9 Ltd.

At 02:54 PM 9/20/01 +1200, you wrote:
>After installing portsentry it was logging an attack every second if not
>more...
>
>
><snip previous post>
>I then went to root and viewed the dead.letter and it's of course 10Mb in
>size and all it shows is 10Mb of the following:-
>
>Sep 19 15:48:11 ns portsentry[19597]: attackalert: Host: 208.155.xx.xx is
>already blocked. Ignoring
>Sep 19 15:48:11 ns portsentry[19597]: attackalert: Connect from host:
>e0.br3.xxxxxxx.com/208.155.xx.xx to UDP port: 69
>
>The xxx is the company from whom we lease the servers.
>
>I then started getting emails from admin like...
>
>Subject: Cron <root@ns> /usr/local/etc/logcheck.sh
>
>Message exceeds maximum fixed size (10485760)
>/root/dead.letter... Saved message in /root/dead.letter
>
>I then got an email from admin stating...
>
>is getting very close to full.  This is very dangerous for the server
>and can cause unexpected errors to occur.  You either need to move some
>files to another storage device and delete them from the Cobalt server
>or delete them altogether.  Consult the documentation for help adding
>storage to your Cobalt server.
>
>Total disk space:  726.04 MB
>Free disk space:  45.03 MB
>Percent Used:  93 %
>
>Now I've quickly jumped into the server and noticed the following:-
>
>/root   -   dead.letter is 41Mb
>/var/log/messages   -   25Mb  < --- growing as I type this
>/var/log/xferlog   -  25Mb < ----- growing as I type this
>
>
>I need to know before the server goes tits up how do I kill the logs and get
>them back to what they were before portsentry started. I've renamed the file
>portsentry to portsentry.old for now to see if that stops the quick
>generation of log files and dead.letter. Can I delete dead.letter from /root?
>
>Regards from Auckland
>
>Chae
>

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
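As an added example (not from either poster, and not part of portsentry or logcheck), a small POSIX shell script that triages the kind of log flood described in the thread: instead of mailing every line, it collapses the repeated "already blocked. Ignoring" entries and reports which hosts and ports are actually generating new connects, how much of the log is pure repeats, and how many lines per second portsentry is writing. The sample log lines are constructed in the shape of the ones quoted above; the hostnames and addresses are made up, and `make_sample_log` exists only so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise a portsentry/syslog flood so
# the admin can see which hosts and ports are hitting the box without reading
# megabytes of "already blocked. Ignoring" repeats. POSIX sh + awk, nothing else.

# Write a constructed sample log (shape copied from the quoted messages; the
# hostnames and addresses are made up) and print its path.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Sep 19 15:48:11 ns portsentry[19597]: attackalert: Connect from host: e0.br3.example.net/192.0.2.10 to UDP port: 69
Sep 19 15:48:11 ns portsentry[19597]: attackalert: Host: 192.0.2.10 is already blocked. Ignoring
Sep 19 15:48:12 ns portsentry[19597]: attackalert: Host: 192.0.2.10 is already blocked. Ignoring
Sep 19 15:48:12 ns portsentry[19597]: attackalert: Connect from host: e0.br3.example.net/192.0.2.10 to UDP port: 69
Sep 19 15:48:13 ns portsentry[19597]: attackalert: Host: 192.0.2.10 is already blocked. Ignoring
Sep 19 15:48:20 ns portsentry[19597]: attackalert: Connect from host: scanner.example.org/198.51.100.7 to TCP port: 111
Sep 19 15:48:20 ns portsentry[19597]: attackalert: Host: 198.51.100.7 is already blocked. Ignoring
Sep 19 15:48:25 ns sshd[2211]: Accepted password for chae from 10.0.0.5 port 1022
EOF
    echo "$f"
}

# One line per (source IP, proto/port) with the number of new connect attempts,
# busiest first. This is the part of the log an admin can actually act on.
connect_summary() {
    awk '/attackalert: Connect from host:/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "host:") { split($(i + 1), hp, "/"); ip = hp[2] }   # name/ip
            if ($i == "port:") { proto = $(i - 1); port = $(i + 1) }      # "to UDP port: 69"
        }
        n[ip " " proto "/" port]++
    }
    END { for (k in n) print k, n[k] }' "$1" | sort -k3,3nr -k1,1
}

# Number of pure repeat lines ("already blocked. Ignoring"): the noise that fills
# dead.letter when logcheck mails every line.
ignored_count() {
    grep -c 'already blocked\. Ignoring' "$1" || true
}

# Integer percentage of portsentry lines that are repeats; a high value means the
# mail volume comes from the same few blocked hosts, not from new scans.
noise_share() {
    awk '/portsentry\[/ { total++ }
         /already blocked\. Ignoring/ { ign++ }
         END { if (total) printf "%d\n", 100 * ign / total; else print 0 }' "$1"
}

# Largest number of portsentry lines written within one second ($3 is the syslog
# time field); a quick measure of how fast the log is growing.
peak_per_second() {
    awk '/portsentry\[/ { c[$3]++ }
         END { m = 0; for (t in c) if (c[t] > m) m = c[t]; print m }' "$1"
}

# Demo when run directly as: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    log=$(make_sample_log)
    echo "new connects by host and port:"; connect_summary "$log"
    echo "repeat lines: $(ignored_count "$log") ($(noise_share "$log")% of portsentry lines)"
    echo "peak lines per second: $(peak_per_second "$log")"
    rm -f "$log"
fi
```

Point the functions at /var/log/messages instead of the sample file to get the same summary for a real box; the output is a few lines per offending host rather than one mail per log line, which is the difference between a report you read and a dead.letter that fills the disk.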
