Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I've installed PortSentry 2.0b1 (the latest release) on a machine (let's call it Machine S) running RedHat 7.1. The install went fine, and some scanners have indeed been detected and added to /etc/hosts.deny.
The problem: Machine S is also running a mail/POP3 server, and, when PortSentry is running, POP mail clients running on Machine C1 and Machine C2 can't get through to the POP server on port 110. If I turn PortSentry off, POP service is restored.
More clues:
* My network is running NAT, and Machines S, C1, and C2 are all configured with 10.1.1.x IP addresses. Host mapping in the router is used to connect Machine S to a static IP address, and so make it internet-accessible.
* None of these local/NAT or static IP addresses are in /etc/hosts.deny.
* Port 110 is not in TCP_PORTS.
So, I'm confused about two things:
(1) Obviously, why access to port 110 is blocked, at all.
(2) I thought that PortSentry's job was just to watch for suspicious behavior and dump the corresponding addresses into hosts.deny and other such things. But it seems to be acting more actively here.
Worked well before install of Portsentry/firewall not blocking?
Portsentry not in paranoid(?) mode and not using firewall to block access?
Are the addresses for C{1,2} in the ignore file?
Port not listed in advanced_mode when using paranoid mode?
Are the addresses for C{1,2} in /etc/hosts.allow: "pop3: <ip of C1>, <ip of C2>"?
FWIW, IMO Portsentry shouldn't be used on production hosts; Snort is a much more capable alternative, because Portsentry just senses someone from some address accessing some port and can not "see" if a packet is hostile, stray or good.
Try for instance to remote nmap yourself with a decoy list comprising a random list of 50 well-known addresses like your ISP's 1st hop router, SMTP servers you regularly access, websites, internet banking, etc etc. Unless you're not using the route/fw blocking functions or have all these hosts in the ignore file you'll be effectively DoSing yourself.
Snort OTOH is capable of scrubbing packets for certain types of payload on any port. Constantly updated signatures range from obscure sliding-NOP ones to recent SSL/Bugbear etc etc stuff.
The question is, when filtering, would you prefer using a pitchfork or a sieve?..
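The reply above hinges on how tcpd consults /etc/hosts.allow and /etc/hosts.deny, which is the mechanism PortSentry drives when it appends "ALL: <address>" lines. The following is an added example, not code from this thread or from PortSentry: a small Python model of the TCP wrappers decision order (hosts.allow is checked first and a match grants access; hosts.deny is checked second and a match denies; otherwise access is granted). The file contents, the daemon name `ipop3d`, and the client addresses 10.1.1.20/10.1.1.21 are constructed assumptions standing in for C1 and C2; the real tool for the same check on a live box is `tcpdmatch`.

```python
"""Model of the TCP wrappers (tcpd) hosts.allow / hosts.deny lookup order.

Added example for illustration; not the thread's or PortSentry's own code.
The sample files below are constructed. Note that the daemon field must match
the name the wrapper sees for the service (here assumed to be 'ipop3d'), not
a friendly label such as 'pop3'; a mismatch silently fails to match.
"""
import ipaddress

# Constructed hosts.allow: whitelist two LAN POP3 clients (assumed C1, C2)
# and the whole 10.1.1. prefix for sshd.
HOSTS_ALLOW = """\
# daemon_list : client_list
ipop3d: 10.1.1.20, 10.1.1.21
sshd: 10.1.1.
"""

# Constructed hosts.deny: two lines in the form PortSentry appends, plus a
# deny-by-default line that many hardened hosts carry.
HOSTS_DENY = """\
ALL: 203.0.113.7
ALL: 198.51.100.0/255.255.255.0
ALL: ALL
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip):
    """Support the common client forms: ALL, net/mask, dotted prefix, exact."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                              # e.g. 198.51.100.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                       # e.g. "10.1.1." prefix form
        return ip.startswith(pattern)
    return ip == pattern


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def matches(rules, daemon, ip):
    return any(any(daemon_matches(d, daemon) for d in ds)
               and any(client_matches(c, ip) for c in cs)
               for ds, cs in rules)


def wrapper_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: hosts.allow match -> allow; hosts.deny match -> deny; else allow."""
    if matches(parse_rules(allow_text), daemon, ip):
        return "allow"
    if matches(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, ip in [("ipop3d", "10.1.1.20"), ("ipop3d", "10.1.1.99"),
                       ("ipop3d", "203.0.113.7"), ("sshd", "10.1.1.50")]:
        print(f"{daemon:7} {ip:15} -> {wrapper_decision(daemon, ip)}")
    # Daemon-name pitfall: 'pop3' in hosts.allow never matches the real
    # daemon name, so the ALL: ALL deny line wins for the whitelisted client.
    print("pop3-labelled allow ->",
          wrapper_decision("ipop3d", "10.1.1.20", allow_text="pop3: 10.1.1.20\n"))
```

The last line of the demo is the check worth running when a client listed in hosts.allow is still refused: if the daemon field names the service differently from what the wrapper library is handed, the allow line is dead and any broad deny line (PortSentry's or a manual ALL: ALL) decides the outcome.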
Originally posted by unSpawn
Worked well before install of Portsentry/firewall not blocking?
>>> yes
Portsentry not in paranoid(?) mode...
>>> I'm using the "just to be aware" settings for tcp_ports and udp_ports, if that's what you mean. I've tried setting block_tcp and block_udp to both 0 and 1, with no differences
and not using firewall to block access?
>>> no
Are the addresses for C{1,2} in the ignore file?
>>> yes
Port not listed in advanced_mode when using paranoid mode?
>>> not sure what this is / how to do this (thus certifying my newbie status...)
Are the addresses for C{1,2} in /etc/hosts.allow: "pop3: <ip of C1>, <ip of C2>"?
>>> yes
Hmm. Overlooked you stating the version. It's plainly beta, and mistah Roland's pages list some bugs in Portsentry 2.x. FWIW I d/l'ed the source to play with. Who knows what I'll find; don't keep your fingers crossed, but exercise 'em at least a bit by compiling Snort I'd say :-]