About This Page This is a simple analysis of the portsentry history log. By default it only logs the first port hit on the server,
but you can pretty much tell what things are by the first port they hit anyway. For instance, everything hitting TCP port 135
is most likely a worm trying to exploit the Windows RPC vulnerability. Anyway, with this I can tell who's looking at my
computer. Notice that ports 80, 443, and 22 are NOT logged since those ports are actually in use.
Update Due to a bug in dd-wrt which made some port forwards not work correctly while my server was set as the DMZ host,
only certain ports not firewalled off can reach my network, so portsentry won't see
anything beyond what's on my private network. I generated some sample
output below, but you can download the code and try it out for yourself if you want.
The config I used was basically to analyze everything below about port 60000 (1024 is recommended though) using
the advanced mode (i.e. #>portsentry -atcp), and then
I read the history file and syslog.
PortSentry History
Beginning 08/24/2010
20:23:09 Host: 192.168.1.8/192.168.1.8 Port: 10000 TCP Blocked Analysis: Probably Webmin Connection Attempt - Probable Attacker Scan
20:13:06 Host: 192.168.1.14/192.168.1.14 Port: 1433 TCP Blocked Analysis: Probable Scan for MS SQL Server - Most likely malicious

PortSentry Logs
Ignoring TCP response per configuration file setting.
TCP SYN/Normal scan from host 192.168.1.8/192.168.1.8 to TCP port 10000
Host 192.168.1.14/192.168.1.14 is already blocked Ignoring
TCP SYN/Normal scan from host 192.168.1.14/192.168.1.14 to TCP port 1433
Host 192.168.1.14/192.168.1.14 is already blocked Ignoring
TCP SYN/Normal scan from host 192.168.1.14/192.168.1.14 to TCP port 1433
Ignoring TCP response per configuration file setting.
TCP SYN/Normal scan from host 192.168.1.14/192.168.1.14 to TCP port 1433
PortSentry is now active and listening.
PortSentry 1.2 is starting.
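Here is an added example (my own script, not the downloadable code the page refers to) of the first-port-hit analysis described above: it parses blocked-host records in the layout the history excerpt shows, tags each port with the page's own heuristic (135 = Windows RPC worm, 1433 = MS SQL scan, 10000 = Webmin probe), and counts records per source host. The sample lines are constructed, and the 135 entry is assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the page's history excerpt. Real
# portsentry.history lines may carry a leading epoch timestamp; the regex
# anchors on "Host:" so that prefix does not matter.
SAMPLE_HISTORY = """\
08/24/2010 20:23:09 Host: 192.168.1.8/192.168.1.8 Port: 10000 TCP Blocked
08/24/2010 20:13:06 Host: 192.168.1.14/192.168.1.14 Port: 1433 TCP Blocked
08/24/2010 19:02:41 Host: 192.168.1.14/192.168.1.14 Port: 135 TCP Blocked
"""

# First-port-hit heuristics taken from the page's own analysis.
PORT_NOTES = {
    135: "Windows RPC worm traffic",
    1433: "scan for MS SQL Server, most likely malicious",
    10000: "Webmin connection attempt, probable attacker scan",
}

LINE_RE = re.compile(
    r"Host:\s+(?P<ip>[\d.]+)/(?P<rev>\S+)\s+Port:\s+(?P<port>\d+)"
    r"\s+(?P<proto>TCP|UDP)\s+Blocked"
)


def parse_history(text):
    """Return (ip, port, proto, note) for each blocked-host record."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a blocked-host record (e.g. "Beginning ..." header)
        port = int(m.group("port"))
        note = PORT_NOTES.get(port, "unclassified first-port hit")
        events.append((m.group("ip"), port, m.group("proto"), note))
    return events


def hosts_by_hits(events):
    """Count blocked records per source host, most active host first."""
    return Counter(ip for ip, _, _, _ in events).most_common()


if __name__ == "__main__":
    evs = parse_history(SAMPLE_HISTORY)
    for ip, port, proto, note in evs:
        print(f"{ip:15} {proto} {port:<6} {note}")
    print(hosts_by_hits(evs))
```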