Re: warning message from portsentry

To: debian-user@lists.debian.org
Subject: Re: warning message from portsentry
From: rick@niof.net
Date: Fri, 21 Dec 2001 08:36:21 -0500
Message-id: <[🔎] 20011221083621.E713@tc.niof.net>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20011220194451.C1379@lilypad.shadypond.com>
References: <[🔎] 20011220140409.D713@tc.niof.net> <"from <[🔎] 20011220193309.A1379@lilypad.shadypond.com> <[🔎] 20011220194451.C1379@lilypad.shadypond.com>

On Thu, Dec 20, 2001 at 07:44:51PM +0000, Pollywog wrote:
> On 2001.12.20 19:33 Pollywog wrote:
> >On 2001.12.20 19:04 rick@niof.net wrote:
> >>What does this warning mean and what is causing it?
> >>
> >>> Dec 20 12:02:10 tc portsentry[540]: attackalert: Possible stealth
> >>> scan from unknown host to TCP port: 111 (accept failed)
> >>
> >>I get it when I run a 2.4 kernel but not when I run a 2.2 kernel so
> >>I believe it's something internal to my system. There are hundreds
> >>of them every hour.

Correction. Make that hundreds of *thousands*. As in daemon.log entries:

Dec 21 08:31:03 tc portsentry[12063]: attackalert: Possible stealth scan
from unknown host to TCP port: 111 (accept failed)
Dec 21 08:31:33 tc last message repeated 98235 times
Dec 21 08:32:34 tc last message repeated 196030 times
Dec 21 08:33:33 tc last message repeated 187197 times

> >That appears to be Portmapper.  If you are not using it, disable it
> >or remove it.  Otherwise  go into your Portsentry config and remove
> >port 111 from the list of ports Portsentry monitors.

I stopped portmapper and still get the messages. (I ran
'/etc/init.d/portmap stop' and portmap no longer shows in a ps.)

> Instead of removing the port from the list of ports being watched, you
> can also add the host to portsentry.ignore if you think that best.  In
> mine, I have:
> 
> # IPs from /etc/portsentry/portsentry.ignore.static:
> 127.0.0.1
> 0.0.0.0
> 192.168.1.1
> 
> I am not sure why 0.0.0.0 is present and I believe it was added by
> debconf but it doesn't seem to hurt.

Those were already there.

Besides, I really don't want to just *ignore* the problem. I'd like to
know what's causing it.

Why does it happen when I run 2.4.16 and not when I run 2.2.16?

-- 
You contend that I am wrong to teach my son science and
philosophy; I believe you are wrong to teach yours Greek and
Latin. Let us both follow the dictate of our conscience. Let us
allow the law of responsibility to operate for our families. It
will punish the one who is wrong. Let us not call in human law; it
could well punish the one who is not wrong.
	-- Frédéric Bastiat (1801-1850)
    Rick Pasotto    rickp@telocity.com    http://www.niof.net

Reply to:

Follow-Ups:
- SOLVED! Re: warning message from portsentry
  - From: rick@niof.net

References:
- warning message from portsentry
  - From: rick@niof.net
- Re: warning message from portsentry
  - From: Pollywog <croak@shadypond.com>
- Re: warning message from portsentry
  - From: Pollywog <croak@shadypond.com>

Prev by Date: debian 2.1 -> 2.2 upgrade woes
Next by Date: Re: Implications of using g++-3.0
Previous by thread: Re: warning message from portsentry
Next by thread: SOLVED! Re: warning message from portsentry
Index(es):
- Date
- Thread