
[cobalt-security] [RaQ3] Major Panic On Now :<



After installing portsentry it was logging an attack every second if not
more...


<snip previous post>
I then went to root and viewed the dead.letter and it's of course 10Mb in
size and all it shows is 10Mb of the following:-

Sep 19 15:48:11 ns portsentry[19597]: attackalert: Host: 208.155.xx.xx is already blocked. Ignoring
Sep 19 15:48:11 ns portsentry[19597]: attackalert: Connect from host: e0.br3.xxxxxxx.com/208.155.xx.xx to UDP port: 69

The xxx is the company from whom we lease the servers.

I then started getting emails from admin like...

Subject: Cron <root@ns> /usr/local/etc/logcheck.sh

Message exceeds maximum fixed size (10485760)
/root/dead.letter... Saved message in /root/dead.letter

I then got an email from admin stating...

is getting very close to full.  This is very dangerous for the server
and can cause unexpected errors to occur.  You either need to move some
files to another storage device and delete them from the Cobalt server
or delete them altogether.  Consult the documentation for help adding
storage to your Cobalt server.

Total disk space:  726.04 MB
Free disk space:  45.03 MB
Percent Used:  93 %

Now I've quickly jumped into the server and noticed the following:-

/root   -   dead.letter is 41Mb
/var/log/messages   -   25Mb  < --- growing as I type this
/var/log/xferlog   -  25Mb < ----- growing as I type this


I need to know before the server goes tits up how do I kill the logs and get
them back to what they were before portsentry started. I've renamed the file
portsentry to portsentry.old for now to see if that stops the quick
generation of log files and dead.letter. Can I delete dead.letter from /root?

Regards from Auckland

Chae
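
An added example, not part of the original post: a small triage script that parses the two portsentry `attackalert` line formats quoted above and shows whether a log flood comes from a single source and port. The sample lines are constructed (placeholder host name and documentation-range addresses), and the script assumes each log entry is on one line, as in /var/log/messages.

```python
import re
from collections import Counter

# Constructed sample in the format of the two portsentry lines quoted in the post;
# host name and addresses are placeholders (example.net, RFC 5737 ranges).
SAMPLE = """\
Sep 19 15:48:11 ns portsentry[19597]: attackalert: Connect from host: gw.example.net/192.0.2.10 to UDP port: 69
Sep 19 15:48:11 ns portsentry[19597]: attackalert: Host: 192.0.2.10 is already blocked. Ignoring
Sep 19 15:48:11 ns portsentry[19597]: attackalert: Connect from host: gw.example.net/192.0.2.10 to UDP port: 69
Sep 19 15:48:11 ns portsentry[19597]: attackalert: Host: 192.0.2.10 is already blocked. Ignoring
Sep 19 15:48:12 ns portsentry[19597]: attackalert: Connect from host: gw.example.net/192.0.2.10 to UDP port: 69
Sep 19 15:48:12 ns portsentry[19597]: attackalert: Host: 192.0.2.10 is already blocked. Ignoring
Sep 19 15:49:02 ns portsentry[19597]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Sep 19 15:49:03 ns sshd[412]: unrelated line that must be skipped
"""

PREFIX = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: (.*)$")
CONNECT = re.compile(r"^Connect from host: (\S+)/(\S+) to (TCP|UDP) port: (\d+)$")
BLOCKED = re.compile(r"^Host: (\S+) is already blocked\. Ignoring$")

def summarize(text):
    """Count alerts per (ip, proto, port), 'already blocked' repeats per ip,
    and lines per second, to show whether a flood is one source."""
    connects, repeats, per_second = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a portsentry attackalert line
        stamp, body = m.groups()
        per_second[stamp] += 1
        c = CONNECT.match(body)
        if c:
            connects[(c.group(2), c.group(3), int(c.group(4)))] += 1
            continue
        b = BLOCKED.match(body)
        if b:
            repeats[b.group(1)] += 1
    return connects, repeats, per_second

def report(text):
    connects, repeats, per_second = summarize(text)
    total = sum(connects.values())
    out = [f"{ip} {proto}/{port}: {n} alerts ({100 * n // total}% of connects), "
           f"{repeats[ip]} logged after the host was already blocked"
           for (ip, proto, port), n in connects.most_common()]
    peak = per_second.most_common(1)[0] if per_second else ("-", 0)
    out.append(f"peak: {peak[1]} portsentry lines in second {peak[0]}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
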