LinuxQuestions.org


Jim Miller 10-14-2002 01:19 PM

Confused about PortSentry
 
I've installed PortSentry 2.0b1 (the latest release) on a machine (let's call it Machine S) running RedHat 7.1. The install went fine, and some scanners have indeed been detected and added to /etc/hosts.deny.

The problem: Machine S is also running a mail/POP3 server, and, when PortSentry is running, POP mail clients running on Machine C1 and Machine C2 can't get through to the POP server on port 110. If I turn PortSentry off, POP service is restored.

More clues:
* My network is running NAT, and Machines S, C1, and C2 are all configured with 10.1.1.x IP addresses. Host mapping in the router is used to connect Machine S to a static IP address, and so be internet-accessible.
* None of these local/NAT or static IP addresses are in /etc/hosts.deny.
* Port 110 is not in TCP_PORTS.

So, I'm confused about two things:
(1) Obviously, why access to port 110 is blocked, at all.
(2) I thought that PortSentry's job was just to watch for suspicious behavior and dump the corresponding addresses into hosts.deny and other such things. But it seems to be acting more actively here.

So, I'm confused. Can anyone help?

Thanks,
Jim Miller

unSpawn 10-14-2002 01:59 PM

Worked well before install of Portsentry/firewall not blocking?
Portsentry not in paranoid(?) mode and not using firewall to block access?
Are the addresses for C{1,2} in the ignore file?
Port not listed in advanced_mode when using paranoid mode?
Are the addresses for C{1,2} in /etc/hosts.allow: "pop3: <ip of C1>, <ip of C2>"?

FWIW, IMO Portsentry shouldn't be used on production hosts; Snort is a much more capable alternative, because Portsentry just senses someone from some address accessing some port and can not "see" if a packet is hostile, stray or good.
Try for instance to remote nmap yourself with a decoy list comprising a random list of 50 well-known addresses like your ISP's 1st hop router, SMTP servers you regularly access, websites, internet banking, etc etc. Unless you're not using the route/fw blocking functions or have all these hosts in the ignore file you'll be effectively D0Ssing yourself.

Snort OTOH is capable of scrubbing packets for certain types of payload on any port. Constantly updated signatures range from obscure sliding-NOP ones to recent SSL/Bugbear etc etc stuff.

The question is, when filtering, would you prefer using a pitchfork or a sieve?..
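To make the hosts.allow / hosts.deny checks above concrete, here is an added example (not from this thread or from PortSentry) that replays tcpd's decision order for a daemon/client pair against constructed file contents, including the "ALL: <addr>" lines PortSentry appends to hosts.deny. The file contents, daemon names and addresses are assumptions; only IPv4 patterns of the forms shown (ALL, exact address, trailing-dot prefix, net/mask) are handled, not hostnames or EXCEPT lists.

```python
import ipaddress

# Constructed sample files (assumption): the admin whitelists the two POP clients
# in hosts.allow; PortSentry has appended "ALL: <addr>" lines to hosts.deny.
HOSTS_ALLOW = """\
pop3, ipop3d: 10.1.1.20, 10.1.1.21
sshd: 10.1.1.
"""
HOSTS_DENY = """\
# written by PortSentry (constructed entries)
ALL: 203.0.113.7
ALL: 198.51.100.0/255.255.255.0
"""

def _client_matches(pattern, client):
    """Match one client pattern: ALL, exact IP, trailing-dot prefix, or net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # e.g. "10.1.1." matches 10.1.1.x
        return client.startswith(pattern)
    if "/" in pattern:                              # e.g. 10.1.1.0/255.255.255.0
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    return client == pattern

def _rule_matches(line, daemon, client):
    """True if a 'daemon_list : client_list' line applies to this daemon/client."""
    line = line.split("#", 1)[0].strip()            # drop comments and blank lines
    if ":" not in line:
        return False
    daemons, clients = (f.replace(",", " ").split() for f in line.split(":")[:2])
    if "ALL" not in daemons and daemon not in daemons:
        return False
    return any(_client_matches(p, client) for p in clients)

def wrappers_decision(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' in tcpd's order: hosts.allow, then hosts.deny, then allow."""
    if any(_rule_matches(l, daemon, client) for l in allow_text.splitlines()):
        return "allow"                              # an allow entry wins outright
    if any(_rule_matches(l, daemon, client) for l in deny_text.splitlines()):
        return "deny"
    return "allow"                                  # nothing matched: default is allow

if __name__ == "__main__":
    for client in ("10.1.1.20", "10.1.1.99", "203.0.113.7", "198.51.100.9"):
        print("pop3 from", client, "->", wrappers_decision("pop3", client))
```

Swap in the real /etc/hosts.allow and /etc/hosts.deny contents to see whether a client that PortSentry blocked is still let through by an explicit allow entry.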

Jim Miller 10-14-2002 03:08 PM

Quote:

Originally posted by unSpawn
Worked well before install of Portsentry/firewall not blocking?
>>> yes

Portsentry not in paranoid(?) mode...
>>> I'm using the "just to be aware" settings for tcp_ports and udp_ports, if that's what you mean. I've tried setting block_tcp and block_udp to both 0 and 1, with no differences

and not using firewall to block access?
>>> no

Are the addresses for C{1,2} in the ignore file?
>>> yes

Port not listen in advanced_mode when using paranoid mode?
>>> not sure what this is / how to do this (thus certifying my newbie status...)

Are the addresses for C{1,2} in /etc/hosts.allow: "pop3: <ip of C1>, <ip of C2>"?
>>> yes
I'll also check out snort; thanks.

unSpawn 10-14-2002 03:51 PM

Hmm. Overlooked you stating the version. It's plainly beta, and mistah Roland's pages list some bugs in Portsentry 2.x. FWIW I d/l'ed the source to play with. Who knows what I'll find; don't keep your fingers crossed but exercise 'em at least a bit by compiling Snort I'd say :-]

Jim Miller 10-15-2002 12:03 AM

Problem solved, I think. A couple of configuration issues, and <blush>a user-headgap error or two</blush>. We'll see how things look in the morning.

In any case, thanks very much for your time and effort. It's appreciated....

Jim
