One of my servers seems to have some kind of hiccup, and I would like to figure out why the firewall crashes sometimes. This has happened a couple of times this month and I would like to know if anyone else has this experience.
Background:
Linux version 2.6.18-128.1.10.el5 (mockbuild@builder16.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-44)) #1 SMP Thu May 7 10:39:21 EDT 2009
What happened:
- I get an email:
Subject: Cron <root@host> /sbin/service iptables restart >/dev/null
Body: iptables-restore: line 106 failed
(I think this is my problem, but line 106 in my iptables save file in sysconfig reads "COMMIT")
- I login and check the loaded table rules. All that is listed is the dropped hosts from portsentry. None of my normal rules. (see log)
- I restart iptables & we're back to normal
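One way to sanity-check a saved rules file offline before a cron-driven restart reloads it, as an added example that is not from this thread or from the iptables project: a small Python checker that walks an iptables-save dump, tracks the *table / COMMIT blocks and the chains declared with ":" lines, and reports the line number of any jump to a chain that is never declared, a rule outside a table, or a table that ends without COMMIT. The sample dump and the BLACKLIST chain name are constructed for the example.

```python
import re

# Constructed sample in iptables-save format (not the poster's file): the nat
# table is fine, the filter table jumps to a chain that is never declared.
SAMPLE = """# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j BLACKLIST
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Targets that need no user-defined chain of the same name (partial list).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MASQUERADE",
                   "SNAT", "DNAT", "REDIRECT", "MARK", "QUEUE"}

def check_save_file(text):
    """Return [(line_number, message), ...] for problems in an iptables-save
    dump: jumps to undeclared chains, rules outside a table, missing COMMIT."""
    problems = []
    table, table_line, chains = None, 0, set()
    for num, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("*"):          # start of a table block
            if table is not None:
                problems.append((table_line, f"table {table} has no COMMIT"))
            table, table_line, chains = line[1:], num, set()
        elif line == "COMMIT":            # table block closed cleanly
            table = None
        elif table is None:
            problems.append((num, "rule outside any *table block"))
        elif line.startswith(":"):        # chain declaration ":NAME POLICY [p:b]"
            chains.add(line[1:].split()[0])
        else:                             # a rule: look at its jump target
            m = re.search(r"(?<!\S)(?:-j|--jump|-g|--goto)\s+(\S+)", line)
            if m and m.group(1) not in chains | BUILTIN_TARGETS:
                problems.append((num, f"jump to undeclared chain {m.group(1)}"))
    if table is not None:                 # file ended inside a table block
        problems.append((table_line, f"table {table} has no COMMIT"))
    return problems
```

Running `check_save_file(SAMPLE)` points at the `-j BLACKLIST` rule line, which is easier to act on than a failure reported at the COMMIT line.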
I'm not familiar with PortSentry (I use psad instead), but could it perhaps be trying to load an iptables configuration from a file other than /etc/sysconfig/iptables? That might explain why when the problem occurs your own rules are absent.
// BTW Portsentry lacks functionality and is no longer developed or supported, and is unmaintained. Like my fellow moderator indicates, you're not left without supported, maintained and better software.
PortSentry adds drop rules via iptables, then every six hours flushes them out via the cron job "service iptables restart".
The odd thing to me is that when I manually run this command it works, and it should work when cron runs it. I do have the iptables script set to not save on stop or restart. I still would like to fix it, but it looks like my best option is to research other means of protection.
Would the recommendation be "psad"? Once again, thanks guys/gals.
Quote:
PortSentry adds drop rules via iptables, then every six hours flushes them out via the cron job "service iptables restart".
That's kinda weird, no? I mean, every six hours you lose your entire blacklist?
Quote:
The odd thing to me is that when I manually run this command it works, and it should work when cron runs it. I do have the iptables script set to not save on stop or restart. I still would like to fix it, but it looks like my best option is to research other means of protection.
Well, migrating to something maintained is definitely a good idea. It would still be nice to figure out just what exactly is causing this behavior, though. What does your crontab look like? BTW, what happened to the time stamps?
Quote:
Would the recommendation be "psad"? Once again, thanks guys/gals.
Sure, I can recommend it. I've been a very satisfied user for a while.
Quote:
That's kinda weird, no? I mean, every six hours you lose your entire blacklist?
Actually I forgot about the blocked.udp and blocked.tcp files it maintains, as well as the history, ignore and modes files.
crontab looks like:
Code:
[root@xxx ~]# cat /etc/cron.d/portsentry
# Flush the entries added by portsentry every 6 hours on the hour
#00 */6 * * * root /sbin/service ipchains restart >/dev/null
00 */6 * * * root /sbin/service iptables restart >/dev/null
Quote:
BTW, what happened to the time stamps?
This is still a real mystery to me, as when I manually restart I see the correct timestamps. When I look back on the day in question, it seems as if the first whole minute of 8 o'clock was restamped when this crash occurred.
And when I look through, it's as if some parts of the kernel are logging 2 hours ahead. Here's a snippet: