
[cobalt-security] [RaQ3] Portsentry - working but....



Hi yah me again :>

Okay, Portsentry seems to be running currently under the standard -udp & -tcp
modes.

I've just had an email from Cron Daemon... (now be gentle with me, I'm only a
Windows man and learning :>)
Subject: Cron <root@ns> /usr/local/etc/logcheck.sh

Message exceeds maximum fixed size (10485760)
/root/dead.letter... Saved message in /root/dead.letter

I then went to root and viewed the dead.letter and it's of course 10MB in
size, and all it shows is 10MB of the following:-

Sep 19 15:48:11 ns portsentry[19597]: attackalert: Host: 208.155.xx.xx is
already blocked. Ignoring
Sep 19 15:48:11 ns portsentry[19597]: attackalert: Connect from host:
e0.br3.xxxxxxx.com/208.155.xx.xx to UDP port: 69

The xxx is the company from whom we lease the servers.

Now what I want to know is....

1. Can I safely delete the dead.letter from root?
2. If I want to switch off Portsentry, how do I do that?
3. Obviously Portsentry & logcheck seem to be working together, am I correct?
4. Do I simply ignore this port, add the IP to the ignore list in the config,
or is it something I should be worried about?
5. In the manual it states that I am not to put in every IP address on the
machine but to use a netmask. I haven't put any in at all, just left it at
the default 127.0.0.1 & 0.0.0.0 - we have taken over this box and would like
to monitor all the IPs in case of inside compromises - is this okay to do?

Many thanks in advance & regards from Auckland

Chae


Charles Riley IEng MIED CCBW
Member of the International Webmasters Association
Member of the HTML Writers Guild
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Render-Vue - <http://render-vue.com>
Web Site Design - Web Site Hosting
"Letting the world see who you really are(tm)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
164 Maraetai Drive,
Maraetai Beach,
Auckland,
New Zealand. 1705
Tel:- +64 9 536 6367
Mobile:- 025 291 6894
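The 10MB dead.letter in the post is thousands of copies of the same two Portsentry syslog lines, which is what logcheck mails verbatim. The script below is an added example, not code from the original post nor from the Portsentry or logcheck projects: it parses "attackalert" lines of the two shapes quoted above, collapses them into one row per source/protocol/port with a count of how many times Portsentry logged "already blocked", and checks each source against a portsentry.ignore-style list. The sample log lines and the ignore list are constructed for the example (the addresses are from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24, not the poster's 208.155.xx.xx), and the assumption that portsentry.ignore accepts a netmask entry in address/prefix form is labelled in the code.

```python
"""Summarize Portsentry attackalert lines and check sources against an ignore list.

Added example, not part of the original post or of the Portsentry/logcheck
projects.  Sample input below is constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# The two message shapes quoted in the post, as emitted by portsentry via syslog.
CONNECT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>\S+)/(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
BLOCKED_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Host: (?P<ip>\d+\.\d+\.\d+\.\d+) is already blocked\. Ignoring"
)

# Constructed sample: the provider's router hammering UDP/69 (tftp) plus one
# other scanner and an unrelated sshd line that must be ignored by the parser.
SAMPLE_LOG = """\
Sep 19 15:48:11 ns portsentry[19597]: attackalert: Connect from host: e0.br3.example.com/198.51.100.7 to UDP port: 69
Sep 19 15:48:11 ns portsentry[19597]: attackalert: Host: 198.51.100.7 is already blocked. Ignoring
Sep 19 15:48:12 ns portsentry[19597]: attackalert: Connect from host: e0.br3.example.com/198.51.100.7 to UDP port: 69
Sep 19 15:48:12 ns portsentry[19597]: attackalert: Host: 198.51.100.7 is already blocked. Ignoring
Sep 19 15:49:03 ns portsentry[19597]: attackalert: Connect from host: scanner.example.net/203.0.113.9 to TCP port: 111
Sep 19 15:49:03 ns portsentry[19597]: attackalert: Host: 203.0.113.9 is already blocked. Ignoring
Sep 19 15:49:05 ns sshd[2201]: Accepted password for chae from 192.0.2.10 port 1023
"""

# Constructed portsentry.ignore: the two defaults from the post plus a
# hypothetical netmask entry for the provider's network.  That address/prefix
# form is an assumption about the ignore-file syntax, not taken from the post.
SAMPLE_IGNORE = """\
127.0.0.1
0.0.0.0
# upstream provider's router block (hypothetical entry)
198.51.100.0/24
"""


def parse_ignore_list(text):
    """One address or network per line; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False lets a plain host address parse as a /32 network.
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_ignored(ip, nets):
    """True when ip falls inside any ignore-list network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def summarize(log_text, ignore_nets):
    """Collapse repeated attackalert lines into one row per (ip, proto, port).

    Each row also carries how many 'already blocked' lines Portsentry logged
    for that source, which is the bulk of what filled the 10MB dead.letter.
    """
    connects = Counter()
    suppressed = Counter()
    names = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connects[(m["ip"], m["proto"], int(m["port"]))] += 1
            names[m["ip"]] = m["name"]
            continue
        m = BLOCKED_RE.search(line)
        if m:
            suppressed[m["ip"]] += 1
    rows = []
    for (ip, proto, port), n in sorted(connects.items()):
        rows.append({
            "ip": ip, "host": names.get(ip, "?"), "proto": proto, "port": port,
            "connects": n, "suppressed": suppressed.get(ip, 0),
            "ignored": is_ignored(ip, ignore_nets),
        })
    return rows


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG, parse_ignore_list(SAMPLE_IGNORE)):
        flag = "in ignore list" if r["ignored"] else "NOT ignored"
        print(f'{r["ip"]:15} {r["host"]:22} {r["proto"]}/{r["port"]:<5} '
              f'connects={r["connects"]} already-blocked={r["suppressed"]} {flag}')
```

Run against the real file (for example by reading /root/dead.letter instead of SAMPLE_LOG) this turns the 10MB of repeats into a handful of lines, which answers the practical half of questions 3 and 4: the mail came from logcheck forwarding Portsentry's syslog output, and once a source is listed in portsentry.ignore its connects no longer generate these alerts.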