first of all, when something like this happens you should do this:
/etc/httpd/logs @ dualpro: grep 513 /etc/services
login 513/tcp
who 513/udp whod
whod lets a client run rwho and see who is logged in to your machine.
(I think.) You shouldn't have it turned on. This is not a case for
reporting. To answer your question re: why the host can connect, please
run /sbin/route and show the output. My guess is you don't have portsentry
configured to block hosts in the manner you desire. (I don't even know if
it's possible without installing ip wrappers. I think route can only
block outgoing packets.)
You can always run nmap or something and try to figure out what sort of
host is trying to connect. I suspect it is some silly windows program w/ a
badly designed protocol.
--
Where will it all end? Probably somewhere near where it all began.
On Thu, 27 Apr 2000, Nolan Darilek wrote:
> Seeing as my last two security concerns were due to innocent
> misunderstandings, and that I carried one a bit too far and was told
> that I 'might be out of line' by one of the folks who responded, I
> thought I'd toss this at you all and add in a question or two for good
> measure, and see if I should complain about this. :)
>
> I'm running portsentry and logcheck on my box. For the past three
> hours, I've gotten email reports similar to the following:
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Apr 27 15:02:27 ethereal portsentry[394]: attackalert: Connect from host: resnet-21-178.dorm.utexas.edu/129.116.21.178 to UDP port: 513
> Apr 27 15:02:27 ethereal portsentry[394]: attackalert: Host: 129.116.21.178 is already blocked. Ignoring
> Apr 27 15:05:27 ethereal portsentry[394]: attackalert: Connect from host: resnet-21-178.dorm.utexas.edu/129.116.21.178 to UDP port: 513
> . . .
>
> First of all, should I be concerned about the fact that this host is
> able to connect even though portsentry has blocked it? I thought that
> once a host was blocked, it wouldn't be able to connect at
> all. Is this something to worry about?
>
> And, has anyone seen something of this sort before? My understanding
> of UDP is that packets are sent with no guarantee of being received,
> and that servers for UDP-based protocols should send back some sort of
> acknowledgment of receipt. So this doesn't seem like a good means of
> cracking a box, since you lack the instantaneous results of a TCP
> connection. So, does anyone have an idea what this person may be
> attempting? Should I have him/her investigated, or should I simply
> strengthen my defenses and realize that stuff like this will happen
> occasionally? And, if I should investigate, who should I mail/call
> about the logs? Since my embarrassing mistake last time (I was
> receiving pings from multiple random hosts roughly every 30 seconds,
> and didn't realize that Napster was the cause) I'd like to make sure
> that this is a genuine concern before bringing it to anyone's
> attention.
> ---------------------------------------------------------------------------
> Send administrative requests to [EMAIL PROTECTED]
>
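As an added example (not part of this thread or of portsentry itself), a small Python parser for the attackalert lines quoted above: it groups records per source IP and counts how many connections were still seen after portsentry had reported the host "already blocked". A non-zero count is exactly the symptom Nolan describes and means the block command portsentry ran is not dropping packets at the network layer, which is the point the reply makes about checking the route table. The sample log is constructed from the quoted entries (unwrapped) plus one made-up host in the 192.0.2.0/24 documentation range; the function names are my own.

```python
import re

# Constructed sample in the portsentry attackalert format quoted in the thread.
# The first six records reproduce the thread's entries (unwrapped); the last
# one is a made-up host in the 192.0.2.0/24 documentation range for contrast.
SAMPLE_LOG = """\
Apr 27 15:02:27 ethereal portsentry[394]: attackalert: Connect from host: resnet-21-178.dorm.utexas.edu/129.116.21.178 to UDP port: 513
Apr 27 15:02:27 ethereal portsentry[394]: attackalert: Host: 129.116.21.178 is already blocked. Ignoring
Apr 27 15:05:27 ethereal portsentry[394]: attackalert: Connect from host: resnet-21-178.dorm.utexas.edu/129.116.21.178 to UDP port: 513
Apr 27 15:05:27 ethereal portsentry[394]: attackalert: Host: 129.116.21.178 is already blocked. Ignoring
Apr 27 15:08:27 ethereal portsentry[394]: attackalert: Connect from host: resnet-21-178.dorm.utexas.edu/129.116.21.178 to UDP port: 513
Apr 27 15:08:27 ethereal portsentry[394]: attackalert: Host: 129.116.21.178 is already blocked. Ignoring
Apr 27 15:10:02 ethereal portsentry[394]: attackalert: Connect from host: example.invalid/192.0.2.10 to TCP port: 23
"""

# Only the two message forms that appear in the thread are parsed.
_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: "
CONNECT_RE = re.compile(_PREFIX + r"Connect from host: (?P<name>\S+)/(?P<ip>[\d.]+)"
                        r" to (?P<proto>TCP|UDP) port: (?P<port>\d+)$")
BLOCKED_RE = re.compile(_PREFIX + r"Host: (?P<ip>[\d.]+) is already blocked\. Ignoring$")


def summarize(log_text):
    """Group attackalert records per source IP, walking the log in order."""
    hosts = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            h = hosts.setdefault(m["ip"], {"name": m["name"], "attempts": 0, "ports": set(),
                                            "blocked": False, "attempts_after_block": 0,
                                            "first": m["ts"], "last": m["ts"]})
            h["attempts"] += 1
            h["ports"].add(f"{m['proto']}/{m['port']}")
            h["last"] = m["ts"]
            if h["blocked"]:
                # portsentry already said this host was blocked, yet the listener
                # still saw a new packet: the block is not at the packet level.
                h["attempts_after_block"] += 1
            continue
        m = BLOCKED_RE.match(line)
        if m and m["ip"] in hosts:  # a blocked notice without a prior connect is ignored
            hosts[m["ip"]]["blocked"] = True
    return hosts


def ineffective_blocks(hosts):
    """IPs that kept reaching the listener after portsentry reported them blocked."""
    return sorted(ip for ip, h in hosts.items() if h["attempts_after_block"] > 0)
```

Running `ineffective_blocks(summarize(SAMPLE_LOG))` on the sample returns only 129.116.21.178; the made-up host was never reported blocked, so it does not appear.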