LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-02-2004, 12:32 AM   #1
subt13
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Rep: Reputation: 0
Portsentry working or not working?


Hi


I am running Gentoo with a 2.6 kernel, the latest iptables and portsentry. I have set up portsentry exactly as the man page said and it doesn't work. I have used port scan tests from grc.com and from other hosts, and portsentry is not blocking them. Here is a snippet of what /etc/portsentry/portsentry.history shouts about:


1090017851 - 07/16/2004 16:44:11 Host: pcp02820079pcs.lwrswt01.pa.comcast.net/68.85.240.218 Port: 10000 TCP Blocked
1090018696 - 07/16/2004 16:58:16 Host: scan.sygate.com/207.33.111.37 Port: 21 UDP Blocked
1090025286 - 07/16/2004 18:48:06 Host: proxyscan.freenode.net/82.96.96.3 Port: 10000 TCP Blocked
1091323222 - 07/31/2004 19:20:22 Host: shieldsup.grc.com/204.1.226.228 Port: 0 TCP Blocked

This is from the portsentry.conf:
KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
That is supposed to take the above lines and block them. I had to change iptables to /sbin/iptables because that's where it is for me.
It is running in tcp udp mode.

Any help would be appreciated.
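A check worth running at this point, added here as an example and not part of the thread: the history file records which hosts PortSentry decided to block, while the kernel's rule list records what KILL_ROUTE actually achieved, and the two can disagree (for instance when the command path in KILL_ROUTE is wrong on the box). The script below pulls the source addresses out of portsentry.history and compares them with the DROP rules present in the INPUT chain. The history lines are the ones from the post; the iptables dumps and the temp-file names are constructed sample data, and the parsers assume the output formats of `iptables -S INPUT` and `iptables -L INPUT -n`.

```shell
#!/bin/sh
# Added example, not code from the thread: check that every host PortSentry
# recorded as "Blocked" in portsentry.history has a matching DROP rule in the
# iptables INPUT chain. The history file records what PortSentry decided;
# the kernel's rule list records what KILL_ROUTE actually achieved.
export LC_ALL=C

# Source addresses PortSentry logged, one per line, sorted and deduplicated.
# History line format (as posted in the thread):
#   1090018696 - 07/16/2004 16:58:16 Host: scan.sygate.com/207.33.111.37 Port: 21 UDP Blocked
history_hosts() {
    awk '/Blocked/ {
            for (i = 1; i <= NF; i++) if ($i == "Host:") { h = $(i + 1); break }
            n = split(h, part, "/"); print part[n]
        }' "$1" | sort -u
}

# Source addresses that have a DROP rule in an iptables dump. Understands both
# "iptables -S INPUT" lines (-A INPUT -s 1.2.3.4/32 -j DROP) and
# "iptables -L INPUT -n" lines (DROP  all  --  1.2.3.4  0.0.0.0/0).
dropped_sources() {
    awk '/-j DROP/ {
            for (i = 1; i < NF; i++) if ($i == "-s") { sub(/\/32$/, "", $(i + 1)); print $(i + 1) }
            next
        }
        $1 == "DROP" && NF >= 5 { print $4 }' "$1" | sort -u
}

# Hosts PortSentry says it blocked that have no DROP rule (empty output = all good).
missing_blocks() {
    hist=$(mktemp); rules=$(mktemp)
    history_hosts "$1" > "$hist"
    dropped_sources "$2" > "$rules"
    comm -23 "$hist" "$rules"
    rm -f "$hist" "$rules"
}

# --- Sample data so this runs offline. History lines are from the thread;
# --- both rule dumps are constructed and deliberately lack one host's rule.
SAMPLE_HISTORY=$(mktemp)
cat > "$SAMPLE_HISTORY" <<'EOF'
1090018696 - 07/16/2004 16:58:16 Host: scan.sygate.com/207.33.111.37 Port: 21 UDP Blocked
1090025286 - 07/16/2004 18:48:06 Host: proxyscan.freenode.net/82.96.96.3 Port: 10000 TCP Blocked
1091323222 - 07/31/2004 19:20:22 Host: shieldsup.grc.com/204.1.226.228 Port: 0 TCP Blocked
EOF

# Constructed "iptables -S INPUT" dump.
SAMPLE_RULES_S=$(mktemp)
cat > "$SAMPLE_RULES_S" <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 204.1.226.228/32 -j DROP
-A INPUT -s 207.33.111.37/32 -j DROP
-A INPUT -i lo -j ACCEPT
EOF

# The same state as "iptables -L INPUT -n" would print it (constructed).
SAMPLE_RULES_L=$(mktemp)
cat > "$SAMPLE_RULES_L" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  204.1.226.228        0.0.0.0/0
DROP       all  --  207.33.111.37        0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
EOF

# On a live box (as root):
#   iptables -S INPUT > /tmp/input.rules      (or: iptables -L INPUT -n > /tmp/input.rules)
#   missing_blocks /etc/portsentry/portsentry.history /tmp/input.rules
echo "Logged as blocked but no DROP rule in INPUT:"
missing_blocks "$SAMPLE_HISTORY" "$SAMPLE_RULES_S"
```

If a host shows up in that output, the KILL_ROUTE command is not doing what the history file implies; the next thing to look at is the PortSentry lines in /var/log/messages around the time of the probe, since PortSentry logs what it did with each detected connection there rather than in the history file.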
 
Old 08-02-2004, 12:41 AM   #2
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
I think you can configure it to also use /etc/hosts.deny. This works well. But I'm not sure why it's not creating the IPTABLES rule.
 
Old 08-02-2004, 12:59 AM   #3
subt13
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Rep: Reputation: 0
KILL_ROUTE="/bin/echo $TARGET$ >> /etc/hosts.deny"
is what I put in the config file. Is that right?
I scanned again from grc.com and it didn't block it .

help!; 0
 
Old 08-02-2004, 01:03 AM   #4
subt13
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Rep: Reputation: 0
it looked like it added
ALL: 207.33.111.37 : DENY
ALL: 82.96.96.3 : DENY
ALL: 204.1.226.228 : DENY
to /etc/hosts.deny
but no action has been taken when I rerun the scan
 
Old 08-02-2004, 01:13 AM   #5
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
I have:

blah blah'

IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/etc/portsentry/portsentry.history"
BLOCKED_FILE="/etc/portsentry/portsentry.blocked"
RESOLVE_HOST = "1"
BLOCK_UDP="1"
BLOCK_TCP="1"
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$"
SCAN_TRIGGER="0"

Seems to work great.
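One caveat on the configuration above that a practitioner would want, with an added example that is not part of the thread: SCAN_TRIGGER="0" blocks a source on its first probe, and KILL_ROUTE then drops every packet from that address. In UDP mode a probe is a single datagram whose source address can be forged, so a remote party can make the box block its own default gateway or DNS resolvers. PortSentry's answer is the IGNORE_FILE: addresses listed there are never blocked. The script below builds that list from `ip route` (or `route -n`) output and resolv.conf; the route and resolver samples are constructed, and the temp-file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build a PortSentry IGNORE_FILE so that
# a spoofed probe can never make KILL_ROUTE drop the box's own gateway or resolvers.
export LC_ALL=C

# Default-gateway address(es). Accepts "ip route" lines
# (default via 192.168.1.1 dev eth0) and "route -n" lines
# (0.0.0.0  192.168.1.1  0.0.0.0  UG ...).
gateways() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }
         $1 == "0.0.0.0" && $4 ~ /G/ { print $2 }' "$1"
}

# Nameserver addresses from a resolv.conf.
resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# The ignore list: loopback and the unspecified address (both in the stock
# portsentry.ignore), plus gateways and resolvers, one per line, deduplicated.
build_ignore() {
    { printf '127.0.0.1\n0.0.0.0\n'; gateways "$1"; resolvers "$2"; } | sort -u
}

# --- Constructed sample inputs so this runs offline ---
SAMPLE_ROUTES=$(mktemp)
cat > "$SAMPLE_ROUTES" <<'EOF'
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
EOF

SAMPLE_RESOLV=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
nameserver 192.168.1.1
nameserver 192.168.1.53
EOF

# On a live box (as root), then restart portsentry so it rereads the file:
#   ip route > /tmp/routes
#   build_ignore /tmp/routes /etc/resolv.conf > /etc/portsentry/portsentry.ignore
build_ignore "$SAMPLE_ROUTES" "$SAMPLE_RESOLV"
```

Anything else the box must always be able to reach (a monitoring host, an upstream mail relay, the management network) belongs in the same file; with a trigger of 0 and a DROP-everything route, the ignore list is the only thing standing between a forged packet and a self-inflicted outage.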
 
Old 08-02-2004, 01:14 AM   #6
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
Quote:
Originally posted by subt13
but no action has been taken when I rerun the scan
Odd.
 
Old 08-02-2004, 01:16 AM   #7
subt13
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Rep: Reputation: 0
That is the exact configuration on my box.... *sniff*
 
Old 08-02-2004, 10:24 AM   #8
subt13
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Rep: Reputation: 0
This is cut from /var/log/messages,
so I know it's started correctly and is binding to each port that I set.
Does anyone know what I should do?
Aug 2 00:01:46 athlon postfix/qmgr[3162]: BCA781608038: removed
Aug 2 00:01:54 athlon portsentry[3035]: securityalert: PortSentry is shutting down
Aug 2 00:01:54 athlon portsentry[3035]: adminalert: PortSentry is shutting down
Aug 2 00:01:54 athlon portsentry[3037]: securityalert: PortSentry is shutting d
 
Old 08-02-2004, 02:15 PM   #9
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
Are those the only messages from portsentry? try:
cat /var/log/messages | grep portsentry
 
Old 08-02-2004, 02:37 PM   #10
subt13
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Rep: Reputation: 0
Aug 2 13:22:55 athlon portsentry[3038]: securityalert: PortSentry is shutting down
Aug 2 13:22:55 athlon portsentry[3038]: adminalert: PortSentry is shutting down
Aug 2 13:22:55 athlon portsentry[3040]: securityalert: PortSentry is shutting down
Aug 2 13:22:55 athlon portsentry[3040]: adminalert: PortSentry is shutting down
Aug 2 13:22:56 athlon portsentry[8867]: adminalert: PortSentry 1.2 is starting.
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 1
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 7
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 9
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 69
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 161
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 162
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 513
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 635
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 640
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 641
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 700
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 37444
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 34555
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 31335
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 32770
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 32771
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 32772
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 32773
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 32774
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 31337
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: Going into listen mode on UDP port: 54321
Aug 2 13:22:56 athlon portsentry[8868]: adminalert: PortSentry is now active and listening.
Aug 2 13:22:56 athlon portsentry[8869]: adminalert: PortSentry 1.2 is starting.
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 1
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 11
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 15
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 79
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 111
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 119
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 143
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 540
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 635
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 1080
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 1524
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 2000
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 5742
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 6667
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 12345
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 12346
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 20034
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 27665
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 31337
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 32771
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 32772
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 32773
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 32774
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 40421
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 49724
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: Going into listen mode on TCP port: 54320
Aug 2 13:22:56 athlon portsentry[8870]: adminalert: PortSentry is now active and listening.

That's what shows. It appears to work perfectly.
For now I made a script using snort that will add everything it finds in the /var/log/snort directory to iptables (a sorry sub.)
 
Old 08-02-2004, 03:34 PM   #11
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
Hum. I don't know. You do have two portsentry processes running right? One for udp and another for tcp
 
Old 08-02-2004, 11:33 PM   #12
subt13
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Rep: Reputation: 0
Well I believe so... in /etc/conf.d/portsentry there is a line telling it to use "tcp udp" mode and since the log said it started ok... ya ;0
 
Old 08-02-2004, 11:35 PM   #13
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
Check it out with:

ps waux | grep portsentry
 
Old 08-03-2004, 12:21 AM   #14
subt13
LQ Newbie
 
Registered: Aug 2004
Posts: 12

Original Poster
Rep: Reputation: 0
root 3068 0.0 0.0 1356 476 ? Ss 14:00 0:00 /usr/bin/portsentry -udp
root 3070 0.0 0.0 1356 492 ? Ss 14:00 0:00 /usr/bin/portsentry -tcp
rjw 10415 0.0 0.1 1408 516 pts/2 S+ 23:08 0:00 grep portsentry
 
  

