
Re: Portsentry and iptables



After I sent my last reply, I looked at portsentry.conf.  Here is the
section of port listings that is uncommented:

# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"

Port 111 is included in that list.  However, I noted the following comment
directly above this section in the config -
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.

I am using the advanced stealth scan detection mode, and have it set up as
follows:

#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#

My understanding is that this means any port below that port is included?
Why doesn't it show in the log file, though, that portsentry is binding to
port 111?

Apologies for a lot of stupid questions here.  I'm really just trying to
figure out all this security stuff, and in light of the plethora of worms
and virii out there, I'm just trying to keep my cable modem
connection secure.

Thanks again,
Bill Johnson

On Sun, 30 Sep 2001, Devon wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Friday 28 September 2001 10:29 pm, Bill Johnson wrote:
> > Here are some samples of messages I'm getting:
> > Sep 28 22:23:41 dhcp024-166-087-068 portsentry[784]: attackalert:
> > Possible stealth scan from unknown host to TCP port: 111 (accept
> > failed)
> > Sep 28 22:23:44 dhcp024-166-087-068 last message repeated 2478
> > times
>
> Sorry for the delay, I posted my reply and promptly vanished for the
> weekend. :)
>
> As Chuck Mead already pointed out, if you're running portmap and don't
> need it, turn it off.  However, I have another question. Is this
> portsentry installed via rpm? If so, did you modify the configuration?
> The default config included in the redhat rpm doesn't listen on port 111.
> When you start portsentry, it outputs info as it binds to all the ports.
> You should see log messages similar to:
> Sep 19 00:01:02 roswell portsentry[14009]: adminalert: Going into listen
> mode on TCP port: 111
> In your case, do you see an attempt to bind to port 111? If it can't bind
> to a port, that should be reflected in the log as well.
>
> If you're looking for an rpm for portsentry, look at ftp.redhat.com.
> It's in /pub/redhat/linux/7.1/en/powertools/i386/RedHat/RPMS/
> portsentry-1.0-11.i386.rpm
>
> <Shameless plug>
> Also, I've built an rpm from the portsentry 1.1 source. It's here:
> http://www.tuxfan.homeip.net/rpms/portsentry-1.1-0.i386.rpm
> http://www.tuxfan.homeip.net/rpms/portsentry-1.1-0.src.rpm
> </Shameless plug>
>
> > Sep 28 22:23:44 dhcp024-166-087-068 kernel: IN=eth0 OUT=
> > MAC=00:01:02:86:3b:1c:00:e0:0c:b8:34:c9:08:00 SRC=207.71.92.221
> > DST=24.166.87.68 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=26107 DF
> > PROTO=TCP SPT=16049 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
>
> The default config doesn't listen on port 139 either.  However, unless
> you need it, you should probably block port 139 from the internet via
> your firewall.
>
> Hope that helps,
>
> - -D
>
> - --
>
> pgp key:  http://www.tuxfan.homeip.net:8080/pgpkey.txt
>
> - --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE7t7cYeMAUbzJhSVcRAku7AKCwA5qcn2R1XvohrOC0pltin+h3wwCfTgHF
> 2QPDZ4y3G/eNyHEER7B53Fc=
> =awWm
> -----END PGP SIGNATURE-----

-- 
William E. Johnson
_____________________________

Gort - klatu, barada, nikto!
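The question in this thread is which ports portsentry actually watches under the two modes, and whether the syslog bind messages Devon describes match the config. The script below is an added example (not part of portsentry or of either poster's message) that parses a portsentry.conf fragment and a syslog excerpt, both constructed inline from the values quoted above. It assumes, following Bill's reading of the config comment, that advanced mode watches every port strictly below ADVANCED_PORTS_TCP/UDP and ignores the TCP_PORTS/UDP_PORTS lists; the ADVANCED_EXCLUDE_TCP/UDP variables and their values are assumed from the stock portsentry 1.x config and are not mentioned in the thread. The log check only knows the per-port "Going into listen mode" message format quoted by Devon, so it is meaningful for the classic (explicit port list) mode.

```python
"""Work out which ports a portsentry.conf asks portsentry to watch, and
compare the classic-mode list against the 'Going into listen mode' lines
portsentry writes to syslog. Added example for this thread, not portsentry code."""
import re

# Constructed sample config built from the values quoted in the thread.
# ADVANCED_EXCLUDE_* are an assumption (present in the stock 1.x config);
# they do not appear anywhere in the thread.
SAMPLE_CONF = """\
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"
"""

# Constructed syslog excerpt: the bind message Devon quoted (port 111),
# three more lines in the same format, and Bill's attackalert line as a
# distractor that mentions port 111 but is not a bind message.
SAMPLE_LOG = """\
Sep 19 00:01:02 roswell portsentry[14009]: adminalert: Going into listen mode on TCP port: 1
Sep 19 00:01:02 roswell portsentry[14009]: adminalert: Going into listen mode on TCP port: 11
Sep 19 00:01:02 roswell portsentry[14009]: adminalert: Going into listen mode on TCP port: 15
Sep 19 00:01:02 roswell portsentry[14009]: adminalert: Going into listen mode on TCP port: 111
Sep 19 00:01:02 roswell portsentry[14009]: adminalert: Going into listen mode on UDP port: 69
Sep 28 22:23:41 dhcp024-166-087-068 portsentry[784]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
"""

CONF_RE = re.compile(r'^\s*([A-Z_]+)\s*=\s*"([^"]*)"\s*$', re.M)
LISTEN_RE = re.compile(
    r'portsentry\[\d+\]: adminalert: Going into listen mode on (TCP|UDP) port: (\d+)'
)


def parse_conf(text):
    """Return {NAME: value} for every NAME="value" line; '#' comments are skipped."""
    return {m.group(1): m.group(2) for m in CONF_RE.finditer(text)}


def port_set(value):
    """'1,11,15' -> {1, 11, 15}; tolerates blanks and stray whitespace."""
    return {int(p) for p in value.replace(" ", "").split(",") if p}


def watched_ports(conf, proto, advanced):
    """Ports portsentry is configured to watch for proto ('TCP' or 'UDP').

    Classic mode: exactly the explicit <PROTO>_PORTS list.
    Advanced mode: every port *below* ADVANCED_PORTS_<PROTO> (as the thread
    reads the config), minus ADVANCED_EXCLUDE_<PROTO> (assumed variable);
    the <PROTO>_PORTS list is ignored, as the config comment states.
    """
    if not advanced:
        return port_set(conf[f"{proto}_PORTS"])
    ceiling = int(conf[f"ADVANCED_PORTS_{proto}"])
    excluded = port_set(conf.get(f"ADVANCED_EXCLUDE_{proto}", ""))
    return set(range(1, ceiling)) - excluded


def listen_ports_from_log(log_text):
    """{'TCP': {...}, 'UDP': {...}} collected from per-port bind messages only."""
    seen = {"TCP": set(), "UDP": set()}
    for m in LISTEN_RE.finditer(log_text):
        seen[m.group(1)].add(int(m.group(2)))
    return seen


def unbound_ports(conf, log_text, proto):
    """Classic-mode ports for proto that never produced a bind message."""
    expected = watched_ports(conf, proto, advanced=False)
    return expected - listen_ports_from_log(log_text)[proto]


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for mode in (False, True):
        label = "advanced" if mode else "classic"
        print(f"{label}: TCP 111 watched = {111 in watched_ports(conf, 'TCP', mode)}, "
              f"TCP 139 watched = {139 in watched_ports(conf, 'TCP', mode)}")
    print("classic-mode TCP ports with no bind message:",
          sorted(unbound_ports(conf, SAMPLE_LOG, "TCP")))
```

Run against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; the distractor line shows why the regex anchors on "adminalert: Going into listen mode" rather than on the port number alone, since attackalert lines also carry "TCP port: 111".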
