Confused about PortSentry
I've installed PortSentry 2.0b1 (the latest release) on a machine (let's call it Machine S) running RedHat 7.1. The install went fine, and some scanners have indeed been detected and added to /etc/hosts.deny.
The problem: Machine S is also running a mail/POP3 server, and, when PortSentry is running, POP mail clients running on Machine C1 and Machine C2 can't get through to the POP server on port 110. If I turn PortSentry off, POP service is restored.

More clues:
* My network is running NAT, and Machines S, C1, and C2 are all configured with 10.1.1.x IP addresses. Host mapping in the router is used to connect Machine S to a static IP address, and so be internet-accessible.
* None of these local/NAT or static IP addresses are in /etc/hosts.deny.
* Port 110 is not in TCP_PORTS.

So, I'm confused about two things:
(1) Obviously, why access to port 110 is blocked at all.
(2) I thought that PortSentry's job was just to watch for suspicious behavior and dump the corresponding addresses into hosts.deny and other such things. But it seems to be acting more actively here.

So, I'm confused. Can anyone help?

Thanks,
Jim Miller
Worked well before install of Portsentry/firewall not blocking?
Portsentry not in paranoid(?) mode and not using firewall to block access? Are the addresses for C{1,2} in the ignore file? Port not listed in advanced_mode when using paranoid mode? Are the addresses for C{1,2} in /etc/hosts.allow: "pop3: <ip of C1>, <ip of C2>"?

FWIW, IMO Portsentry shouldn't be used on production hosts; Snort is a much more capable alternative, because Portsentry just senses someone from some address accessing some port and can not "see" if a packet is hostile, stray or good. Try for instance to remote nmap yourself with a decoy list comprising a random list of 50 well-known addresses like your ISP's 1st hop router, SMTP servers you regularly access, websites, internet banking, etc. etc. Unless you're not using the route/fw blocking functions or have all these hosts in the ignore file you'll be effectively DoSing yourself. Snort OTOH is capable of scrubbing packets for certain types of payload on any port. Constantly updated signatures range from obscure sliding-NOP ones to recent SSL/Bugbear etc. etc. stuff. The question is, when filtering, would you prefer using a pitchfork or a sieve?
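The hosts.allow / hosts.deny check suggested in the reply above can be walked through mechanically. What follows is an added example, not code from the thread, from PortSentry or from tcp_wrappers: a small Python evaluator for the subset of tcp_wrappers syntax relevant here (ALL, an exact IPv4 address, a dotted prefix such as 10.1.1., and net/mask), applying the hosts_access(5) order of hosts.allow first, then hosts.deny, with no match meaning access is granted. The file contents and client addresses are constructed for illustration.

```python
"""Evaluate a client/daemon pair against tcp_wrappers-style access files.

Order mirrors hosts_access(5): hosts.allow is searched first, then hosts.deny;
the first matching line wins, and no match at all means the connection is
allowed.  Only a subset of the real client-pattern syntax is supported:
ALL, an exact IPv4 address, a dotted prefix ending in '.', and net/mask.
"""

import ipaddress

# Constructed sample files (not the poster's configuration).
HOSTS_ALLOW = """
# allow the two LAN POP clients explicitly, and the whole LAN for sshd
pop3: 10.1.1.20, 10.1.1.21
sshd: 10.1.1.
"""

HOSTS_DENY = """
# lines of the shape a scanner detector appends (constructed addresses)
ALL: 203.0.113.7
ALL: 198.51.100.0/255.255.255.0
ALL: 10.1.1.20
"""


def parse_access_file(text):
    """Return a list of (daemon_patterns, client_patterns) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                              # malformed line, skip it
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()   # 3rd field (shell cmd) ignored
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # dotted prefix, e.g. 10.1.1.
        return client_ip.startswith(pattern)
    if "/" in pattern:                            # net/mask, e.g. 198.51.100.0/255.255.255.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return client_ip == pattern


def find_match(rules, daemon, client_ip):
    """First rule whose daemon list and client list both match, else None."""
    for daemons, clients in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(client_matches(c, client_ip) for c in clients):
            return daemons, clients
    return None


def access_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return ('allow' | 'deny', reason) for daemon/client under the two files."""
    match = find_match(parse_access_file(allow_text), daemon, client_ip)
    if match:
        return "allow", "hosts.allow matched '%s: %s'" % (" ".join(match[0]), " ".join(match[1]))
    match = find_match(parse_access_file(deny_text), daemon, client_ip)
    if match:
        return "deny", "hosts.deny matched '%s: %s'" % (" ".join(match[0]), " ".join(match[1]))
    return "allow", "no rule matched (default allow)"


if __name__ == "__main__":
    for daemon, ip in [("pop3", "10.1.1.20"), ("pop3", "10.1.1.30"),
                       ("pop3", "203.0.113.7"), ("sshd", "10.1.1.30"),
                       ("imap", "198.51.100.9")]:
        verdict, why = access_decision(daemon, ip)
        print("%-5s from %-15s -> %-5s (%s)" % (daemon, ip, verdict, why))
```

Note the 10.1.1.20 case: it appears in hosts.deny, yet is allowed because hosts.allow is consulted first, which is why the reply's suggestion of an explicit pop3 line in hosts.allow protects LAN clients from later deny entries. This only models the tcp_wrappers path (services run under tcpd or linked with libwrap); a block installed via the route or firewall functions the reply mentions is not visible in these two files.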
Hmm. Overlooked you stating the version. It's plainly beta, and mistah Roland's pages list some bugs in Portsentry 2.x. FWIW I d/l'ed the source to play with. Who knows what I'll find; don't keep your fingers crossed, but exercise 'em at least a bit by compiling Snort, I'd say :-]
Problem solved, I think. A couple of configuration issues, and <blush>a user-headgap error or two</blush>. We'll see how things look in the morning.
In any case, thanks very much for your time and effort. It's appreciated.

Jim