This is a discussion on scaning from non-existing network??? within the Linux Security forums, part of the System Security and Security Related category.
*** post for FREE via your newsreader at post.newsfeed.com ***
How can this be possible? I got this in my system log, but I don't have any internal network, neither do I use NAT.
Is it possible to fake an internal IP? Or am I rooted?

=========================================
Jul 20 16:42:09 villabay portsentry[1255]: attackalert: SYN/Normal scan from host: 192.168.1.10/192.168.1.10 to TCP port: 57
Jul 20 16:42:09 villabay portsentry[1255]: attackalert: Host 192.168.1.10 has been blocked via wrappers with string: "ALL: 192.168.1.10"
Jul 20 16:42:09 villabay portsentry[1255]: attackalert: Host 192.168.1.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.168.1.10 -j DENY"
===========================================

So what's going on?
oilman@mobster.org writes:
> *** post for FREE via your newsreader at post.newsfeed.com ***

No thanks; I already have a perfectly adequate news-server.

> How can this be possible? I got this in my system log, but I don't have
> any internal network, neither do I use NAT.
> Is it possible to fake an internal IP? Or am I rooted?
>
> =========================================
> Jul 20 16:42:09 villabay portsentry[1255]: attackalert: SYN/Normal scan from host: 192.168.1.10/192.168.1.10 to TCP port: 57
> Jul 20 16:42:09 villabay portsentry[1255]: attackalert: Host 192.168.1.10 has been blocked via wrappers with string: "ALL: 192.168.1.10"
> Jul 20 16:42:09 villabay portsentry[1255]: attackalert: Host 192.168.1.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.168.1.10 -j DENY"
> ===========================================
>
> So what's going on?

Looks pretty obvious to me. Portsentry has tripped based on a packet with your own IP# as source-address, and added a firewall rule blocking your own source IP#. Now, it doesn't tell you what interface the packet was seen on, or any other details about it, so I hope you've read the firewall log to find out why it thought this was a bad packet.

Either way, it seems your portsentry is misconfigured or otherwise deranged if it can obviously add your own IP# (wildcard, just `-s 192.168.1.10 -j DENY' - so no mention of specific ports or interfaces) to the blocklist. The logs barely make sense anyway - `dropped via route' is *NOT* the same thing as adding such a daft firewall rule. Route-dropping is done with the `route' command, for starters.

We've talked about this kind of impersonation potential regarding portsentry for *years* on here, generally thinking it's a bad idea and that a static firewall, dropping and logging everything by default and allowing only what it must, is a far better option. Take portsentry out and bin it.

~Tim
-- 
I never knew that the                  |piglet@stirfried.vegetable.org.uk
light of ages breaks the way before us |http://spodzone.org.uk/cesspit/
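
Added example, not part of the original thread: a small Python audit of portsentry `attackalert` lines like those quoted above, flagging scans and automatic blocks whose source address is RFC 1918 private, loopback, or one of the host's own addresses. The `audit` function, its `local_addrs` parameter, and the fourth log line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input: the three portsentry lines quoted in the thread,
# plus one constructed line with a documentation-range (RFC 5737) source.
SAMPLE_LOG = """\
Jul 20 16:42:09 villabay portsentry[1255]: attackalert: SYN/Normal scan from host: 192.168.1.10/192.168.1.10 to TCP port: 57
Jul 20 16:42:09 villabay portsentry[1255]: attackalert: Host 192.168.1.10 has been blocked via wrappers with string: "ALL: 192.168.1.10"
Jul 20 16:42:09 villabay portsentry[1255]: attackalert: Host 192.168.1.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.168.1.10 -j DENY"
Jul 20 16:45:31 villabay portsentry[1255]: attackalert: SYN/Normal scan from host: 203.0.113.7/203.0.113.7 to TCP port: 111
"""

# RFC 1918 private ranges: never a legitimate source on an Internet-facing link.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_RE = re.compile(r"attackalert: \S+ scan from host: \S+/(\S+) to (TCP|UDP) port: (\d+)")
BLOCK_RE = re.compile(r'attackalert: Host (\S+) has been blocked via (wrappers|dropped route) .*"(.*)"')


def audit(log_text, local_addrs=()):
    """Return (source, event, reason, detail) for events with an untrustworthy source.

    local_addrs: addresses assigned to this machine (assumption: supplied by
    the admin, e.g. copied from the interface configuration).
    """
    local = {ipaddress.ip_address(a) for a in local_addrs}
    findings = []
    for line in log_text.splitlines():
        scan, block = SCAN_RE.search(line), BLOCK_RE.search(line)
        if not (scan or block):
            continue
        src = ipaddress.ip_address((scan or block).group(1))
        if src in local:
            reason = "source is this host's own address"
        elif src.is_loopback or any(src in net for net in PRIVATE_NETS):
            reason = "source is private/loopback, not routable on the Internet"
        else:
            continue  # plausible external source; nothing to flag here
        event = "scan" if scan else "block via " + block.group(2)
        detail = "port " + scan.group(3) if scan else block.group(3)
        findings.append((str(src), event, reason, detail))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(" | ".join(finding))
```

Each flagged block entry is a rule that was installed on the strength of a source address the reporting host had no way to verify, so it is a candidate for review and removal.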