Well I don't think you need ipchains (that's what I meant by ip wrappers,
sorry) for this case. You could try emailing root@hostname_attacking_you
and maybe tell the guy to cut it out or something. There is also the
possibility that someone broke into HIS computer and installed a worm that
attacks through that port. Who knows? You could also try packet sniffing
and filter just his host and try to figure out who it is...
There is a portsentry option to automatically add routes (checked w/
route) to block outgoing packets to this host... That makes you a bit
safer. My understanding of ipchains is that it blocks the packets before
they could even get to any services that might be running. I don't know
much about it. There is an ipchains HOWTO or firewalling HOWTO that might
help.
In my situation, I dial in through my employer, and about 1/3 of the time
I get a portsentry warning that a host is connecting to the SNMP port
(which is not running a service) and I see a line in route blocking
outgoing packets to this host. (and I see the same messages as you.) It is
quite harmless.
Even though I think it is unnecessary in this case, if you are on the big
fast university network, you might want to install ipchains anyways b/c
your host would be desirable to a cracker. (i.e. it's a fast un*x box on a
fast network.) (Then portsentry can use ipchains, etc.) This can get quite
complex, as you can see. O'Reilly & Associates produces some decent Unix
security books if you are in the mood for that.
--
Man is an animal that makes bargains: no other animal does this--
no dog exchanges bones with another.
-- Adam Smith
On Thu, 27 Apr 2000, Nolan Darilek wrote:
> >>>>> "Paul" == Paul Sack <[EMAIL PROTECTED]> writes:
>
> "Paul> question re: why the host can connect, please run
> "Paul> /sbin/route and show the output. My guess is you don't have
> "Paul> portsentry configured to block hosts in the manner you
> "Paul> desire. (I don't even know if it's possible without
> "Paul> installing ip wrappers. I think route can only block
> "Paul> outgoing packets.) You can always run nmap or something
>
> Hrm. Doesn't show anything, but running ipchains/ipfwadm reveals that
> my kernel doesn't support firewall chains. I enabled network
> firewalls and IP firewalling; what else should I enable to get
> ipchains working?
>
> "Paul> and try to figure out what sort of host is trying to
> "Paul> connect. I suspect it is some silly windows program w/ a
> "Paul> badly designed protocol.
>
> Actually, nmap reports it as a Linux 2.1/2.2 box. Anyhow, I'll just
> let the guy keep it up; he should get tired eventually. :) AFAIK it
> isn't causing any problems with the exception of the logcheck reports
> indicating dozens of system attacks, but ah well. :)
> ---------------------------------------------------------------------------
> Send administrative requests to [EMAIL PROTECTED]
>
---------------------------------------------------------------------------
Send administrative requests to [EMAIL PROTECTED]
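As an added example that is not part of this thread: the two blocking styles the reply contrasts, written as portsentry KILL_ROUTE settings (route-based, which only stops outgoing packets to the host, versus ipchains-based, which denies incoming packets before any service sees them), plus a shell check that reads `route -n` output for the reject route portsentry adds. The routing table below is constructed sample output, and the exact KILL_ROUTE command flags are given from memory of the stock portsentry.conf, so treat them as an assumption.

```shell
# Route-based blocking, as described in the reply: the kernel refuses to
# send packets to the host, but its packets still reach listening services.
KILL_ROUTE_ROUTE='/sbin/route add -host $TARGET$ reject'

# ipchains-based blocking: packets from the host are denied (and logged, -l)
# on the input chain, before any service can see them.
KILL_ROUTE_IPCHAINS='/sbin/ipchains -I input -s $TARGET$ -j DENY -l'

# expand_kill_route TEMPLATE HOST: substitute $TARGET$ the way portsentry
# does before running the command. Bracketed $ keeps sed from treating the
# trailing $ as an end-of-line anchor.
expand_kill_route() {
    printf '%s\n' "$1" | sed 's/[$]TARGET[$]/'"$2"'/g'
}

# Constructed `route -n` output (not from a real box). A reject host route
# shows "!H" in the Flags column and no interface.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.77      -               255.255.255.255 !H    0      -        0 -
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0'

# is_blackholed HOST ROUTE_OUTPUT: exit 0 if HOST has a reject route in the
# given `route -n` output. On a live box: is_blackholed 192.0.2.77 "$(route -n)"
is_blackholed() {
    printf '%s\n' "$2" |
        awk -v h="$1" '$1 == h && $4 ~ /!/ { found = 1 } END { exit !found }'
}
```

Seeing the reject route confirms only that the box will not answer the host; its packets still arrive, which is why the reply suggests ipchains on an exposed machine.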