Hello All,

I recently installed portsentry on my Redhat 9 server, to try and secure it a little bit more. It seemed to be doing its job ok, but I noticed after about 3-6 hours when I go to check something on the internet the "host cannot be found" or "name cannot be found". Very strange...

I have had this adsl connection working for months without this problem, everything was fine until portsentry.

I have been getting a high amount of traffic on tcp port 135, which portsentry then blocks. However most of the traffic has come from withtin my service providers network.

I am getting action on port 135 about every 5 minutes.... mostly from comps on the same network as mine, ie the same first three or first two parts of my ip address.



So eventually none of my comps can find www.google.com for example??

When I do traceroute to my nameserver ip it can be found.

I have double checked portsentry.conf and cannot see anything that may be causing this (although I obviously dont know what is causing this problem). In portsentry.ignore I added my local network, nameservers, default gateway etc....

Any ideas anyone.....

Thanks

Lucas

I can only suggest a couple of things to start with. Let us know if it helps.

Setup a script that runs at boot like rc.local that will ping another computer every few seconds to try and keep the connection active.


ping -i 60 ipaddress > /dev/null 2>&1 &


The other suggestion is to stop using portsentry. It's a poor excuse for security. It is better to use a firewall and close ports that you do not need open than to advertise that your system is vunerable trying to fool someone into trying to hack it.

People that know what their doing will not leave any entry in your portsentry log file anyway, and it will invite the idiots that think they know what their doing to keep sending traffic to your system.

Hi,

Thanks for your reply. I agree portsentry is a poor excuse for internet security... but combined in layers with a iptables and a NIDS its not doing any harm, no?

I think after much searching I have found the cause of the problem.

After port sentry has been running for a few hours my outgoing internet connection dies. I think this is why.

Portsentry is set to flush and restart every 6 hours... the entry in the cron.d script that was restrating it was

00 */6 ***root /sbin/service portsentry restart >/dev/null

ok so far, portsentry would restart as planned...

But then the cron.d script was trying to flush my firewall, but the entry in cron.d was

01 */6 ***root /sbin/service/ iptables restart >/dev/null

when I did iptables -L

my usual rules had dissappeared and the last Lokkit section was full of deny eveything from everywhere! No wonder my connection was dying.

I tried from command line typing /etc/rc.nat iptables restart and bang... my internet connection is working ok and everything is back to normal.

I am still unsure as to the reason why >/dev/null is added to the end of those script lines originally?

Thanks

Lucas