One of my servers seem to have some kind of hickup I would like to figure out why the firewall crashes sometimes. This has happened couple times this month and would like to know if anyone else has this experience.
Linux version 2.6.18-128.1.10.el5 (firstname.lastname@example.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-44)) #1 SMP Thu May 7 10:39:21 EDT 2009
- I get an email:
Subject: Cron <root@host> /sbin/service iptables restart >/dev/null
Body: iptables-restore: line 106 failed
(I think this is my problem but 106 in my iptable save file in sysconfig reads, "COMMIT")
- I login and check the loaded table rules. All that is listed is the dropped hosts from portsentry. None of my normal rules. (see log)
- I restart iptables & we're back to normal
Log reads (in order):
Jul 21 07:59:57 kaden kernel: ****Dropped TCP: IN=eth0 OUT=
Jul 21 08:00:02 host kernel: Removing netfilter NETLINK layer.
Jul 21 08:00:02 host kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
WTF' Firewall down (time stamp is off?)
Then portsentry lights up as the packets are getting through:
Jul 21 06:00:02 host portsentry: attackalert: TCP SYN/Normal scan from host: 220.127.116.11/18.104.22.168 to TCP port: 445
Jul 21 06:00:02 host portsentry: attackalert: Host 22.214.171.124 has been blocked via wrappers with string: "ALL: 126.96.36.199"
Jul 21 06:00:02 host portsentry: attackalert: Host 188.8.131.52 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 88.244.8
2.90 -j DROP"
Jul 21 06:00:02 host portsentry: attackalert: External command run for host: 184.108.40.206 using command: "/bin/mail -s 'Portscan from 220.127.116.11 on
port 445' email@example.com < /dev/null"
The above goes on over and over for lots of different scanning machines. Infected windows probably as it's 445
Then this one I think this is me loading iptables (and the time stamp is off again?):
Jul 21 08:00:02 host kernel: Netfilter messages via NETLINK v0.30.