
SOLVED! Re: warning message from portsentry



Problem solved. Upgrading portsentry to the current woody fixed it.

On Fri, Dec 21, 2001 at 08:36:21AM -0500, rick@niof.net wrote:
> On Thu, Dec 20, 2001 at 07:44:51PM +0000, Pollywog wrote:
> > On 2001.12.20 19:33 Pollywog wrote:
> > >On 2001.12.20 19:04 rick@niof.net wrote:
> > >>What does this warning mean and what is causing it?
> > >>
> > >>> Dec 20 12:02:10 tc portsentry[540]: attackalert: Possible stealth
> > >>> scan from unknown host to TCP port: 111 (accept failed)
> > >>
> > >>I get it when I run a 2.4 kernel but not when I run a 2.2 kernel so
> > >>I believe it's something internal to my system. There are hundreds
> > >>of them every hour.
> 
> Correction. Make that hundreds of *thousands*. As in daemon.log entries:
> 
> Dec 21 08:31:03 tc portsentry[12063]: attackalert: Possible stealth scan
> from unknown host to TCP port: 111 (accept failed)
> Dec 21 08:31:33 tc last message repeated 98235 times
> Dec 21 08:32:34 tc last message repeated 196030 times
> Dec 21 08:33:33 tc last message repeated 187197 times
> 
> > >That appears to be Portmapper.  If you are not using it, disable it
> > >or remove it.  Otherwise go into your Portsentry config and remove
> > >port 111 from the list of ports Portsentry monitors.
> 
> I stopped portmapper and still get the messages. (I ran
> '/etc/init.d/portmap stop' and portmap no longer shows in a ps.)
> 
> > Instead of removing the port from the list of ports being watched, you
> > can also add the host to portsentry.ignore if you think that best.  In
> > mine, I have:
> > 
> > # IPs from /etc/portsentry/portsentry.ignore.static:
> > 127.0.0.1
> > 0.0.0.0
> > 192.168.1.1
> > 
> > I am not sure why 0.0.0.0 is present and I believe it was added by
> > debconf but it doesn't seem to hurt.
> 
> Those were already there.
> 
> Besides, I really don't want to just *ignore* the problem. I'd like to
> know what's causing it.
> 
> Why does it happen when I run 2.4.16 and not when I run 2.2.16?
> 
> -- 
> You contend that I am wrong to teach my son science and
> philosophy; I believe you are wrong to teach yours Greek and
> Latin. Let us both follow the dictate of our conscience. Let us
> allow the law of responsibility to operate for our families. It
> will punish the one who is wrong. Let us not call in human law; it
> could well punish the one who is not wrong.
> 	-- Frédéric Bastiat (1801-1850)
>     Rick Pasotto    rickp@telocity.com    http://www.niof.net
> 

-- 
If you wish to prosper, let your customer prosper. This is a
lesson it has taken you a very long time to learn.
When people have learned this lesson, everyone will seek his
individual welfare in the general welfare. Then jealousies between
man and man, city and city, province and province, nation and
nation, will no longer trouble the world.
	-- Frédéric Bastiat (1801-1850)
    Rick Pasotto    rickp@telocity.com    http://www.niof.net
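
Added example, not part of the original thread and not portsentry's own code: a small Python parser that expands syslog's "last message repeated N times" lines to recover the real number of portsentry alerts behind a log excerpt like the one quoted above. The sample lines are constructed from that excerpt, and crediting repeats to the previous line from the same log host is an assumption of this sketch.

```python
import re
from collections import Counter

# Constructed sample in the daemon.log format quoted above (wrapped lines
# rejoined); the last two lines are an unrelated message added to test the reset.
SAMPLE = """\
Dec 21 08:31:03 tc portsentry[12063]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Dec 21 08:31:33 tc last message repeated 98235 times
Dec 21 08:32:34 tc last message repeated 196030 times
Dec 21 08:33:33 tc last message repeated 187197 times
Dec 21 08:34:01 tc cron[300]: constructed unrelated entry
Dec 21 08:34:31 tc last message repeated 5 times
"""

LINE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times$")
ALERT = re.compile(
    r"^portsentry\[\d+\]: attackalert: .*? to (TCP|UDP) port: (\d+)"
    r"(?: \((.*)\))?$"
)

def count_alerts(text):
    """Return a Counter of real alert counts keyed by (host, proto, port, detail)."""
    totals = Counter()
    last = {}  # loghost -> key of the previous line if it was an alert, else None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            # syslogd collapses identical lines; credit them to the prior alert
            if last.get(host) is not None:
                totals[last[host]] += int(rep.group(1))
            continue
        a = ALERT.match(msg)
        last[host] = (host, a.group(1), int(a.group(2)), a.group(3)) if a else None
        if a:
            totals[last[host]] += 1
    return totals

if __name__ == "__main__":
    for key, n in count_alerts(SAMPLE).most_common():
        print(n, *key)
```

On the constructed sample this reports 481463 alerts for TCP port 111 in about two and a half minutes, far more than the four visible log lines suggest.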


