Web Hosting Talk

Port scan notifications are confusing me


tim1stEasy
01-03-2003, 05:30 AM
Hi,

We have recently set up PortSentry on a few of our RaQ4 servers.
We have also got a couple of RaQ550s and I notice that they come with port scanning detection software included.

At the moment, when port sentry detects a scan it adds the responsible IP address to our IP chains set and the IP is blocked. It then sends an email to notify us of this.
The RaQ550 software is currently set to log any detected port scans and email the information to us.

This morning, I had two emails - one from port sentry and one from a RaQ550's detection software.

The RaQ550 alert email read as follows:


This alert notification is to inform you of network activity occurring on your host.

Timestamp: Fri 03 Jan 2003 06:04:05 AM GMT
Alert Type: Port Scan Detected
Interface: eth0
Protocol: tcp
Packet Size (bytes): 40

Source Address: 213.***.***.***
Source port: 8081
Direction: outbound
Destination Address: 63.27.103.20
Destination Port: 3264

Log Entry: eth0:portscan: tcp 213.***.***.***/8081 -> 63.27.103.20/3264 40 rst (16)


So does this mean one of our customers has been port scanning somebody else?

After that email, there was then another one from port sentry saying that the 63.27.103.20 address had been detected scanning one of our servers.

I'm not sure whether I am reading the RaQ550 alerts wrong. To me, that RaQ550 alert suggests that our server has been scanning another IP address, but then it seems strange that that IP then scans another one of our servers.

It would make more sense if I am just reading the RaQ550 alert the wrong way round - i.e.: the 63.27... address scanned both the RaQ550 and then our RaQ4 before port sentry blocked it.

Is that what has happened?

Cheers,
Tim
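One way to read alerts in this format mechanically, as an added example that is not part of the original post and not code from the RaQ550 or PortSentry: the parser below is written from the single Log Entry line quoted above (the field layout and the meaning of the trailing parenthesised number are assumptions based on that one line), and the classification is a heuristic grounded in how TCP behaves, since a host sends a bare RST when a SYN arrives at a port with no listener. An "outbound" RST from a local port is therefore consistent with a remote host having probed that port, rather than with the local host scanning. The local address prefix `213.` is a constructed assumption standing in for the masked address in the post.

```python
"""Parse RaQ550-style port-scan log entries and estimate which side
most likely initiated the exchange. Added example; the log format is
inferred from one quoted line, not from RaQ550 documentation."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Layout assumed from the quoted line:
#   eth0:portscan: tcp 213.***.***.***/8081 -> 63.27.103.20/3264 40 rst (16)
# The trailing "(16)" is kept as an opaque integer; the page does not say what it means.
LOG_RE = re.compile(
    r"^(?P<iface>\w+):portscan:\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\w.*]+)/(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.*]+)/(?P<dport>\d+)\s+"
    r"(?P<size>\d+)\s+(?P<flags>[a-z]+)"
    r"(?:\s+\((?P<extra>\d+)\))?\s*$"
)


@dataclass(frozen=True)
class ScanAlert:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    size: int
    flags: str
    extra: Optional[int]


def parse_alert(line: str) -> ScanAlert:
    """Turn one log entry into a ScanAlert; raise ValueError on unknown layouts."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised port-scan log entry: {line!r}")
    g = m.groupdict()
    return ScanAlert(
        iface=g["iface"], proto=g["proto"],
        src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]),
        size=int(g["size"]), flags=g["flags"],
        extra=int(g["extra"]) if g["extra"] else None,
    )


# Verdicts returned by classify(); plain strings so they are easy to log.
INBOUND_PROBE = "inbound probe from remote host"
LOCAL_RST_REPLY = "local host answered a remote probe with RST (closed port)"
LOCAL_INITIATED = "local host initiated the connection attempt"
UNDETERMINED = "undetermined"


def is_local(addr: str, local_prefixes: Iterable[str]) -> bool:
    """Address belongs to us if it starts with one of our (assumed) prefixes."""
    return any(addr.startswith(p) for p in local_prefixes)


def classify(alert: ScanAlert, local_prefixes: Iterable[str]) -> str:
    """Heuristic: a lone RST leaving a local port is the normal reply to an
    inbound SYN on a closed port, so it points at the remote side as the
    scanner; a SYN leaving a local host points at the local side."""
    prefixes = tuple(local_prefixes)
    src_local = is_local(alert.src, prefixes)
    dst_local = is_local(alert.dst, prefixes)
    if src_local and not dst_local:
        if alert.flags == "rst":
            return LOCAL_RST_REPLY
        if alert.flags == "syn":
            return LOCAL_INITIATED
        return UNDETERMINED
    if dst_local and not src_local:
        return INBOUND_PROBE
    return UNDETERMINED


if __name__ == "__main__":
    # First line is the one quoted in the post; the second is constructed.
    sample_lines = [
        "eth0:portscan: tcp 213.***.***.***/8081 -> 63.27.103.20/3264 40 rst (16)",
        "eth0:portscan: tcp 63.27.103.20/3264 -> 213.0.0.1/8081 60 syn (2)",
    ]
    for raw in sample_lines:
        a = parse_alert(raw)
        print(f"{a.src}:{a.sport} -> {a.dst}:{a.dport} [{a.flags}] => "
              f"{classify(a, ['213.'])}")
```

The verdicts are a reading aid, not proof: the detector only reports the packet it saw, so confirming who scanned whom still means checking the raw firewall or packet logs for the SYN that preceded the RST.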