[plug] How to stop scanning

Craig Foster fostware at iinet.net.au
Thu Mar 4 07:51:50 WST 2004


 

> -----Original Message-----
> From: plug-bounces at plug.linux.org.au 
> [mailto:plug-bounces at plug.linux.org.au] On Behalf Of Jon Miller
> Sent: Thursday, 4 March 2004 8:11 AM
> To: plug at plug.linux.org.au
> Subject: [plug] How to stop scanning
> 
> In my /var/log/message file I'm seeing scanning attempts and 
> portsentry is dropping the scan IP address.  Is there a way 
> to prevent these scans from happening in the first place?  I 
> ask because when portsentry kicks in it also seems to stop 
> all outgoing traffic as well as incoming traffic.
> 
> example:
> 
> Mar 4 07:47:15 gateway portsentry[10336]: attackalert: TCP SYN/Normal scan from host: cae31-216-192.sc.rr.com/24.31.216.192 to TCP port: 135
> Mar 4 07:47:15 gateway portsentry[10336]: attackalert: Host 24.31.216.192 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 24.31.216.192 -j DROP"
> 
> Thanks
> 
> Jon L. Miller, MCNE, CNS, ASE
> Director/Sr Systems Consultant
> MMT Networks Pty Ltd
> http://www.mmtnetworks.com.au


Portsentry has different options for reactions... Look into using the
iptables options and do it for incoming only instead of the given example.

Regards,

CraigF.
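
An added example, not part of the original thread: a small audit script that reads portsentry `attackalert` lines in the format quoted above and reports, per blocked host, which ports it probed and whether the logged iptables command is limited to inbound traffic from that one host. The sample log, the documentation-range addresses, the over-broad second block command and the function names `rule_concerns` and `audit` are all constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample in the format of the two log entries quoted in the thread.
# Addresses are documentation ranges; the second block command is a made-up
# over-broad rule, included only so the audit has something to flag.
SAMPLE_LOG = """\
Mar 4 07:47:15 gateway portsentry[10336]: attackalert: TCP SYN/Normal scan from host: scanner.example/192.0.2.10 to TCP port: 135
Mar 4 07:47:15 gateway portsentry[10336]: attackalert: Host 192.0.2.10 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 192.0.2.10 -j DROP"
Mar 4 07:49:02 gateway portsentry[10336]: attackalert: TCP SYN/Normal scan from host: 198.51.100.7/198.51.100.7 to TCP port: 445
Mar 4 07:49:02 gateway portsentry[10336]: attackalert: Host 198.51.100.7 has been blocked via dropped route using command: "/sbin/iptables -I FORWARD -j DROP"
"""

SCAN_RE = re.compile(
    r"attackalert: .*scan from host: \S+/(?P<ip>[\d.]+) to (?:TCP|UDP) port: (?P<port>\d+)")
BLOCK_RE = re.compile(
    r'attackalert: Host (?P<ip>[\d.]+) has been blocked via dropped route '
    r'using command: "(?P<cmd>[^"]+)"')


def _arg_after(args, flags):
    """Return the argument following the first occurrence of any flag, or None."""
    return next((args[i + 1] for i, a in enumerate(args[:-1]) if a in flags), None)


def rule_concerns(cmd, ip):
    """List reasons a logged block command is wider than 'inbound from ip only'."""
    args = shlex.split(cmd)
    concerns = []
    chain = _arg_after(args, ("-I", "-A"))
    if chain != "INPUT":
        concerns.append(f"chain is {chain}, not INPUT")
    if _arg_after(args, ("-s", "--source")) != ip:
        concerns.append("no -s match for the blocked host")
    return concerns


def audit(log_text):
    """Map each host to the ports it probed and concerns about its block rule."""
    report = defaultdict(lambda: {"ports": [], "concerns": []})
    for line in log_text.splitlines():
        if m := SCAN_RE.search(line):
            report[m["ip"]]["ports"].append(int(m["port"]))
        elif m := BLOCK_RE.search(line):
            report[m["ip"]]["concerns"] = rule_concerns(m["cmd"], m["ip"])
    return dict(report)


if __name__ == "__main__":
    for ip, info in audit(SAMPLE_LOG).items():
        print(ip, info["ports"], info["concerns"] or "inbound-only block")
```

Pointing `audit()` at the contents of the real syslog file shows which block commands portsentry actually ran, which is the first thing to check when a block appears to affect more than the scanning host.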



