Old 10-14-2002, 01:19 PM   #1
Jim Miller
Member
Confused about PortSentry


I've installed PortSentry 2.0b1 (the latest release) on a machine (let's call it Machine S) running RedHat 7.1. The install went fine, and some scanners have indeed been detected and added to /etc/hosts.deny.

The problem: Machine S is also running a mail/POP3 server, and, when PortSentry is running, POP mail clients running on Machine C1 and Machine C2 can't get through to the POP server on port 110. If I turn PortSentry off, POP service is restored.

More clues:
* My network is running NAT, and Machines S, C1, and C2 are all configured with 10.1.1.x IP addresses. Host mapping in the router is used to connect Machine S to a static IP address, and so be internet-accessible.
* None of these local/NAT or static IP addresses are in /etc/hosts.deny.
* Port 110 is not in TCP_PORTS.

So, I'm confused about two things:
(1) Obviously, why access to port 110 is blocked, at all.
(2) I thought that PortSentry's job was just to watch for suspicious behavior and dump the corresponding addresses into hosts.deny and other such things. But it seems to be acting more actively here.

So, I'm confused. Can anyone help?

Thanks,
Jim Miller
 
Old 10-14-2002, 01:59 PM   #2
unSpawn
Moderator
Worked well before install of Portsentry/firewall not blocking?
Portsentry not in paranoid(?) mode and not using firewall to block access?
Are the addresses for C{1,2} in the ignore file?
Port not listed in advanced_mode when using paranoid mode?
Are the addresses for C{1,2} in /etc/hosts.allow: "pop3: <ip of C1>, <ip of C2>"?

FWIW, IMO Portsentry shouldn't be used on production hosts; Snort is a much more capable alternative, because Portsentry just senses someone from some address accessing some port and cannot "see" if a packet is hostile, stray or good.
Try for instance to remote nmap yourself with a decoy list comprising a random list of 50 well-known addresses like your ISP's 1st hop router, SMTP servers you regularly access, websites, internet banking, etc etc. Unless you're not using the route/fw blocking functions or have all these hosts in the ignore file you'll be effectively D0Ssing yourself.

Snort OTOH is capable of scrubbing packets for certain types of payload on any port. Constantly updated signatures range from obscure sliding-NOP ones to recent SSL/Bugbear etc etc stuff.

The question is, when filtering, would you prefer using a pitchfork or a sieve?..
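The checks above hinge on how tcp_wrappers reads /etc/hosts.allow and /etc/hosts.deny: a hosts.allow match grants access first, otherwise a hosts.deny match refuses, otherwise access is granted. The following is an added example (not from the thread or from PortSentry) that evaluates those two files for a given service and client, using constructed sample files in which PortSentry-style "ALL: <scanner>" lines have been appended to hosts.deny; it supports only the ALL, exact-IP, trailing-dot prefix and net/mask host patterns, not EXCEPT or hostname patterns.

```python
"""Minimal evaluator of tcp_wrappers hosts.allow / hosts.deny semantics (subset)."""
import ipaddress

# Constructed sample files mirroring the thread: C1/C2 live in 10.1.1.x and are
# meant to be whitelisted for POP3; PortSentry has appended a scanner to
# hosts.deny, and the admin has added a default "ALL: ALL" deny as well.
HOSTS_ALLOW = """\
pop3: 10.1.1.20, 10.1.1.21
sshd: 10.1.1.
"""
HOSTS_DENY = """\
ALL: 192.0.2.77
ALL: ALL
"""

def _host_matches(pattern, client_ip):
    """Host patterns: ALL, exact IP, trailing-dot prefix (10.1.1.), or net/mask."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # "10.1.1." matches 10.1.1.0-255
        return client_ip.startswith(pattern)
    if "/" in pattern:                             # "10.1.1.0/255.255.255.0"
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip

def _file_matches(text, service, client_ip):
    """True if any 'daemon_list : client_list' line matches service and client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, clients = [f.strip() for f in line.split(":", 2)[:2]]
        if daemons == "ALL" or service in [d.strip() for d in daemons.split(",")]:
            if any(_host_matches(p, client_ip) for p in clients.split(",")):
                return True
    return False

def is_allowed(service, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers order: allow-file match grants, else deny-file match refuses, else grant."""
    if _file_matches(allow, service, client_ip):
        return True
    if _file_matches(deny, service, client_ip):
        return False
    return True

if __name__ == "__main__":
    for svc, ip in [("pop3", "10.1.1.20"), ("ipop3d", "10.1.1.20"), ("pop3", "192.0.2.77")]:
        print(svc, ip, "allowed" if is_allowed(svc, ip) else "denied")
```

The first field must equal the daemon name tcpd actually sees (often ipop3d rather than pop3 for a POP3 server), so the second sample lookup is refused by the catch-all deny even though the client is whitelisted under a different name; that mismatch is worth ruling out alongside the ignore-file check.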
 
Old 10-14-2002, 03:08 PM   #3
Jim Miller
Member
Quote:
Originally posted by unSpawn
Worked well before install of Portsentry/firewall not blocking?
>>> yes

Portsentry not in paranoid(?) mode...
>>> I'm using the "just to be aware" settings for tcp_ports and udp_ports, if that's what you mean. I've tried setting block_tcp and block_udp to both 0 and 1, with no differences

and not using firewall to block access?
>>> no

Are the addresses for C{1,2} in the ignore file?
>>> yes

Port not listen in advanced_mode when using paranoid mode?
>>> not sure what this is / how to do this (thus certifying my newbie status...)

Are the addresses for C{1,2} in /etc/hosts.allow: "pop3: <ip of C1>, <ip of C2>"?
>>> yes
I'll also check out snort; thanks.
 
Old 10-14-2002, 03:51 PM   #4
unSpawn
Moderator
Hmm. Overlooked you stating the version. It's plainly beta, and mistah Rowland's pages list some bugs in Portsentry 2.x. FWIW I d/l'ed the source to play with. Who knows what I'll find; don't keep your fingers crossed, but exercise 'em at least a bit by compiling Snort, I'd say :-]
 
Old 10-15-2002, 12:03 AM   #5
Jim Miller
Member
Problem solved, I think. A couple of configuration issues, and <blush>a user-headgap error or two</blush>. We'll see how things look in the morning.

In any case, thanks very much for your time and effort. It's appreciated....

Jim