
Re: [cobalt-security] newbie question about portsentry log



DTH> Date: Fri, 28 Feb 2003 09:54:40 -0500
DTH> From: "Dave @ The Hostworks"


AM> Could someone explain what's happening here?
AM> I'm new to server admin in general.

New to server administration?

1. Read, read, read
2. Read more, read more, read more
3. Read the archives
4. Disable unused services
5. Keep up to date on patches
6. Install at least _some_ firewalling to protect against
   certain problems.

Nothing is a panacea.  Vigilant administration is the only way.


AM> Feb 27 23:15:15 (none) imapd[19811]: imap service init from 127.0.0.1
AM> Feb 27 23:15:15 (none) imapd[19811]: Logout user=??? host=localhost
AM> [127.0.0.1]

Probably Cobalt's monitoring, periodically checking to see if
IMAP is running.  Do you really need IMAP?


AM> Feb 27 23:23:06 (none) sendmail[20104]: NOQUEUE:
AM> dialpool.seattle.wa.ppp13.screaminet.com [208.186.188.179] (may be forged)
AM> did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

DTH> From what I see, that looks like someone just scanning for
DTH> open relays?

No... someone just checking to see if 25/TCP is open.  Note that
they never gave a MAIL command, which _must_ be done if one is
warscanning for open relays.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.
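
Added example, not part of the original message: a small Python triage script that sorts the kinds of syslog entries discussed in this thread into loopback IMAP checks, remote IMAP connects, and SMTP connections that ended without a MAIL/EXPN/VRFY/ETRN command, counted per source address. The function names and labels are illustrative, and the last two sample lines are constructed (documentation addresses); the first three are the entries quoted in the thread, unwrapped.

```python
import re
from collections import Counter

# First three lines: entries quoted in the thread (unwrapped).
# Last two lines: constructed for illustration (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Feb 27 23:15:15 (none) imapd[19811]: imap service init from 127.0.0.1
Feb 27 23:15:15 (none) imapd[19811]: Logout user=??? host=localhost [127.0.0.1]
Feb 27 23:23:06 (none) sendmail[20104]: NOQUEUE: dialpool.seattle.wa.ppp13.screaminet.com [208.186.188.179] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 27 23:40:02 (none) sendmail[20311]: NOQUEUE: host.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 27 23:41:10 (none) imapd[20400]: imap service init from 192.0.2.77
"""

# Logged by sendmail when a client connects and leaves without starting a transaction.
NO_CMD = re.compile(r"sendmail\[\d+\]: NOQUEUE: (?P<host>\S+) \[(?P<ip>[\d.]+)\].*"
                    r"did not issue MAIL/EXPN/VRFY/ETRN")
IMAP_INIT = re.compile(r"imapd\[\d+\]: imap service init from (?P<ip>[\d.]+)")
IMAP_ANON_LOGOUT = re.compile(r"imapd\[\d+\]: Logout user=\?\?\? host=\S+ \[(?P<ip>[\d.]+)\]")

def classify(line):
    """Return (label, source_ip) for a recognised syslog line, else None."""
    m = NO_CMD.search(line)
    if m:
        return ("smtp-connect-no-command", m.group("ip"))
    m = IMAP_INIT.search(line) or IMAP_ANON_LOGOUT.search(line)
    if m:
        ip = m.group("ip")
        # Loopback origin means the connection came from the server itself.
        label = "imap-local-check" if ip.startswith("127.") else "imap-remote-connect"
        return (label, ip)
    return None

def summarize(log_text):
    """Count events per (label, ip) so repeat sources stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            counts[result] += 1
    return counts

if __name__ == "__main__":
    for (label, ip), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {label:26s} {ip}")
```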