[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Portsentry and iptables



Thanks to all who have replied.

I did have portmap running, and I've turned that off.  I also checked the
log.  Portsentry does not attempt to bind to port 111.  I was unsure from
your post, though, whether you think it SHOULD be binding to port 111?
Should I seek out the other rpms you mentioned and reinstall?  It's been a
long time since I installed portsentry, and I've upgraded several
versions of Redhat since then, probably resulting in the package being
upgraded as well.  I don't remember ever changing the configuration,
but it's been a long time... maybe I did.

Now that portmap is off, I'll continue to watch the logs, but if port 111
continues to be reported, should I change the config (or get the
upgraded RPMS) to have it handled by portsentry?

Of course, another question is, what are these pokes at port 111?  I have
iptables running (via the firestarter package which sets up a firewall for
you via a simple gui frontend).  Are these messages saying that something
is getting through that firewall where portsentry is having to deal with
it?

Thanks again for the replies.

Bill Johnson

On Sun, 30 Sep 2001, Devon wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Friday 28 September 2001 10:29 pm, Bill Johnson wrote:
> > Here are some samples of messages I'm getting:
> > Sep 28 22:23:41 dhcp024-166-087-068 portsentry[784]: attackalert:
> > Possible stealth scan from unknown host to TCP port: 111 (accept
> > failed)
> > Sep 28 22:23:44 dhcp024-166-087-068 last message repeated 2478
> > times
>
> Sorry for the delay, I posted my reply and promptly vanished for the
> weekend. :)
>
> As Chuck Mead already pointed out, if you're running portmap and don't
> need it, turn it off.  However, I have another question. Is this
> portsentry installed via rpm? If so, did you modify the configuration?
> The default config included in the redhat rpm doesn't listen on port 111.
> When you start portsentry, it outputs info as it binds to all the ports.
> You should see log messages similar to:
> Sep 19 00:01:02 roswell portsentry[14009]: adminalert: Going into listen
> mode on TCP port: 111
> In your case, do you see an attempt to bind to port 111? If it can't bind
> to a port, that should be reflected in the log as well.
>
> If you're looking for an rpm for portsentry, look at ftp.redhat.com.
> It's in /pub/redhat/linux/7.1/en/powertools/i386/RedHat/RPMS/
> portsentry-1.0-11.i386.rpm
>
> <Shameless plug>
> Also, I've built an rpm from the portsentry 1.1 source. It's here:
> http://www.tuxfan.homeip.net/rpms/portsentry-1.1-0.i386.rpm
> http://www.tuxfan.homeip.net/rpms/portsentry-1.1-0.src.rpm
> </Shameless plug>
>
> > Sep 28 22:23:44 dhcp024-166-087-068 kernel: IN=eth0 OUT=
> > MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221
> > DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=26107 DF
> > PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
>
> The default config doesn't listen on port 139 either.  However, unless
> you need it, you should probably block port 139 from the internet via
> your firewall.
>
> Hope that helps,
>
> - -D
>
> - --
>
> pgp key:  http://www.tuxfan.homeip.net:8080/pgpkey.txt
>
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE7t7cYeMAUbzJhSVcRAku7AKCwA5qcn2R1XvohrOC0pltin+h3wwCfTgHF
> 2QPDZ4y3G/eNyHEER7B53Fc=
> =awWm
> -----END PGP SIGNATURE-----

-- 
William E. Johnson
_____________________________

Gort - klatu, barada, nikto!
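The two log formats quoted in this thread answer the question of what reached what: a portsentry "attackalert" line is written by a userspace daemon, so the packet had already passed iptables and reached a socket, whereas the "kernel: IN=eth0 OUT= ... DPT=139" line is the iptables LOG target recording a packet the firewall itself saw. The script below is an added example for this thread (not portsentry code and not anything the posters ran). It parses both formats plus syslog's "last message repeated N times" folding, tallies hits per destination port, checks each portsentry-hit port against the "Going into listen mode" bind messages, and emits iptables DROP commands for unneeded ports along the lines of the "block 139 via your firewall" advice. The log lines, hostnames, addresses and the `eth0` interface in it are constructed sample data modelled on the quoted messages; the `needed_ports` parameter is an assumption of the example.

```python
"""Tally portsentry and iptables LOG events per port from syslog lines.

Added example for the portsentry/iptables thread; not portsentry's own code.
"""
import re
from collections import Counter, defaultdict

# Constructed sample syslog, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Sep 19 00:01:02 roswell portsentry[14009]: adminalert: Going into listen mode on TCP port: 1
Sep 19 00:01:02 roswell portsentry[14009]: adminalert: Going into listen mode on TCP port: 11
Sep 28 22:23:41 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Sep 28 22:23:44 dhcp024-166-087-068 last message repeated 2478 times
Sep 28 22:23:44 dhcp024-166-087-068 kernel: IN=eth0 OUT= MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221 DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=26107 DF PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 28 22:25:10 dhcp024-166-087-068 portsentry[784]: attackalert: Connect from host: 10.0.0.5/10.0.0.5 to TCP port: 1
"""

HOST_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ")
LISTEN_RE = re.compile(r"portsentry\[\d+\]: adminalert: Going into listen mode on (TCP|UDP) port: (\d+)")
ATTACK_RE = re.compile(r"portsentry\[\d+\]: attackalert: .* to (TCP|UDP) port: (\d+)")
KERNEL_RE = re.compile(r"kernel: (IN=.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def parse_kv(fields):
    """Turn 'IN=eth0 OUT= ... DPT=139 SYN' into a dict; bare flags (DF, SYN) map to True."""
    out = {}
    for tok in fields.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            out[key] = val
        else:
            out[tok] = True
    return out


def analyze(log_text):
    """Return bound ports, portsentry hits, firewall-logged hits and their sources."""
    bound = set()                 # (proto, port) portsentry announced it listens on
    ps_hits = Counter()           # (proto, port) -> attackalert count
    fw_hits = Counter()           # (proto, port) -> iptables LOG count
    fw_sources = defaultdict(set)
    last = None                   # (host, counter, key) of the previous countable event
    for line in log_text.splitlines():
        m = HOST_RE.match(line)
        host = m.group(1) if m else None
        if (m := LISTEN_RE.search(line)):
            bound.add((m.group(1), int(m.group(2))))
            last = None
        elif (m := ATTACK_RE.search(line)):
            key = (m.group(1), int(m.group(2)))
            ps_hits[key] += 1
            last = (host, ps_hits, key)
        elif (m := KERNEL_RE.search(line)):
            kv = parse_kv(m.group(1))
            if kv.get("PROTO") and kv.get("DPT"):
                key = (kv["PROTO"], int(kv["DPT"]))
                fw_hits[key] += 1
                fw_sources[key].add(kv.get("SRC", "?"))
                last = (host, fw_hits, key)
        elif (m := REPEAT_RE.search(line)):
            # syslog folded N identical copies of the immediately preceding line;
            # credit them to that event only if it came from the same host.
            if last and last[0] == host:
                last[1][last[2]] += int(m.group(1))
        else:
            last = None
    return {"bound": bound, "portsentry": ps_hits, "firewall": fw_hits, "sources": fw_sources}


def report(result):
    """Human-readable summary: which ports were hit, and whether portsentry had them bound."""
    lines = []
    for (proto, port), n in sorted(result["portsentry"].items()):
        state = "bound" if (proto, port) in result["bound"] else "NOT bound"
        lines.append(f"portsentry: {n} hit(s) on {proto}/{port} (port {state} by portsentry)")
    for (proto, port), n in sorted(result["firewall"].items()):
        srcs = ", ".join(sorted(result["sources"][(proto, port)]))
        lines.append(f"firewall log: {n} packet(s) to {proto}/{port} from {srcs}")
    return lines


def suggest_drop_rules(result, needed_ports=(), iface="eth0"):
    """iptables commands dropping inbound traffic to every hit port not listed as needed."""
    seen = set(result["portsentry"]) | set(result["firewall"])
    return [
        f"iptables -A INPUT -i {iface} -p {proto.lower()} --dport {port} -j DROP"
        for proto, port in sorted(seen)
        if port not in needed_ports
    ]


if __name__ == "__main__":
    res = analyze(SAMPLE_LOG)
    print("\n".join(report(res)))
    print("\n".join(suggest_drop_rules(res, needed_ports=(1,))))
```

Run against a real `/var/log/messages` by passing its contents to `analyze()`. A port that shows up under "portsentry ... NOT bound" is the case Devon asked about: an alert for a port the running config never announced binding, which points at either a changed config or a different portsentry package than the one whose defaults are being assumed. A port that appears only in the "firewall log" lines never reached a socket at all.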