[lug] Interesting Crash Report

Deva Samartha blug-receive at mtbwr.net
Tue Mar 20 21:20:25 MST 2001

Well, I tried postsentry (before I posted the question) - but since it's 
behind the firewall (on the firewall machine) and the 111 get blocked 
anyway - (and logged, me seeing the bloody portscans), portsentry does not 
even get to see the access since it's filtered out by the kernel.

The ability to block an IP automatically for every access after the first 
attempt based on some rules is something I am looking for. Maybe ipchains 
can do it with a separate chain but I have not looked into it.

portsentry is from www.psionic.com, their hostsentry looks good too.

other than that - it's similar to what D. Stimits does - looking at the 
firewall log and running a script to block an IP. But with this method - I 
am pretty sure to miss exactly the 3 minutes when somebody attempts 
something and succeeds.

All my 111 accesses are portscans running in sequence through all my IP 
numbers within fractions of a second and I bet that if somebody succeeds, 
they paste and run scripts in fractions of seconds too. I would think that 
having a working tool which adds rules to the firewall on the fly could be 

Tailing the firewall and grepping on the port does not do the trick since 
the whole event of scanning happens within a second and shellscript sleeps 
shortest period is one second.

At 07:18 PM 3/20/2001 -0700, you wrote:
>portsentry should take care of that for you. www.abacus.com (I believe)
>Deva Samartha wrote:
> > >  I've denied about two dozen
> > >/24 domains just because I dislike seeing anything hit port 111 (the
> > >first packet gets them blocked).
> >
> > That's really neat, if possible, would you mind sharing how you do that -
> > or name the software packages you use?
> >
> > Thanks,
> >
> > Samartha
> >

More information about the LUG mailing list