Forum OpenACS Development: Response to OT: Security Alert

Posted by Tom Jackson on

A month or so ago, a company that I am working with noted the existence of an actual working attack. Several weeks ago we moved the ssh port.

In response to my previous post, I configured portsentry to start with the -atcp option. This option starts up and dynamically determines which address:ports are listening, and does not monitor them.

Then I attempt to telnet from another machine to, for instance, port 38. The message log looks like this:

Dec 13 15:00:36 multi portsentry[23886]: attackalert: TCP SYN/Normal scan from host: tjackson-3.dsl.speakeasy.net/216.254.26.189 to TCP port: 38
Dec 13 15:00:36 multi portsentry[23886]: attackalert: Ignoring TCP response per configuration file setting.

The portsentry.conf file is set to run a command when the tripwire is activated, and I have tried both of these separately, recompiling and restarting each time:

# ipchain support for Linux
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

or

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

Once the trap has been set, I can still connect to port 80, which leads me to believe that the command is not being run. I would think I should be able to see a route show up in the second case. The host name is multi.zmbh.com, in case you want to give it a try.

Also, I just tried running the route command above and it works. I wonder what I am doing wrong?
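As an added example (not part of the post above), here is a small Python check for exactly this situation: it pairs each portsentry attackalert with the response line logged right after it, then looks for a matching reject route in `route -n` output, so an alert that portsentry ignored by configuration can be told apart from one where KILL_ROUTE ran but left no route behind. The sample log and routing table are constructed, and the wording of the "has been blocked" line is an assumption about portsentry's phrasing.

```python
import re

# Constructed sample in the layout of the post's message log. Hosts and addresses are
# documentation examples; the "has been blocked" wording is an assumed portsentry message.
SAMPLE_LOG = """\
Dec 13 15:00:36 multi portsentry[23886]: attackalert: TCP SYN/Normal scan from host: scanner-a.example.net/192.0.2.10 to TCP port: 38
Dec 13 15:00:36 multi portsentry[23886]: attackalert: Ignoring TCP response per configuration file setting.
Dec 13 15:02:11 multi portsentry[23886]: attackalert: TCP SYN/Normal scan from host: scanner-b.example.net/192.0.2.11 to TCP port: 23
Dec 13 15:02:11 multi portsentry[23886]: attackalert: Host 192.0.2.11 has been blocked via dropped route.
"""

# Constructed `route -n` output: the "!" flag marks a reject route, "H" a host route.
SAMPLE_ROUTE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.11      -               255.255.255.255 !H    0      -        0 -
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
"""

SCAN_RE = re.compile(
    r"attackalert: TCP \S+ scan from host: (?P<host>\S+)/(?P<ip>[\d.]+) to TCP port: (?P<port>\d+)"
)


def parse_alerts(log_text):
    """Pair each scan alert with the response line portsentry logs immediately after it."""
    alerts = []
    for line in log_text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            alerts.append({"host": m["host"], "ip": m["ip"], "port": int(m["port"]), "response": "none"})
        elif alerts and "Ignoring TCP response" in line:
            alerts[-1]["response"] = "ignored"   # BLOCK settings told portsentry to do nothing
        elif alerts and "has been blocked" in line:
            alerts[-1]["response"] = "blocked"   # portsentry claims KILL_ROUTE was executed
    return alerts


def reject_routes(route_output):
    """Return the destinations whose route flags contain '!' (a reject route)."""
    rejects = set()
    for line in route_output.splitlines()[2:]:   # skip the two header lines
        fields = line.split()
        if len(fields) >= 4 and "!" in fields[3]:
            rejects.add(fields[0])
    return rejects


def check_blocks(log_text, route_output):
    """Per alert: (ip, port, portsentry's response, whether a reject route really exists)."""
    rejects = reject_routes(route_output)
    return [(a["ip"], a["port"], a["response"], a["ip"] in rejects) for a in parse_alerts(log_text)]
```

A "blocked" response with no reject route means the KILL_ROUTE command ran but failed, while "ignored" means portsentry never ran it at all.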