portsentry and netfilter

To: debian-user@lists.debian.org
Cc: Debian User List <debian-user@lists.debian.org>
Subject: portsentry and netfilter
From: Sarunas <sarunas@mail.saabnet.com>
Date: Tue, 17 Feb 2004 12:03:14 -0500
Message-id: <[🔎] 40324952.7070909@mail.saabnet.com>
References: <[🔎] 200402170932.42479.michael@weblore.com> <[🔎] 4032351D.2030500@zmemw16.demon.co.uk>

Hello,

During the last couple of weeks portsentry is producing a lot of alertson connects to ports 540 and 635:


<quote-syslog>

Feb 17 10:04:11 <hostname> portsentry[949]: attackalert: Connect fromhost: <fqdn>/<ip> to TCP port: 635

Feb 17 10:04:11 <hostname> portsentry[949]: attackalert: Host <ip> hasbeen blocked via wrappers with string: "ALL: <ip> : DENY"

Feb 17 10:04:11 <hostname> portsentry[949]: attackalert: Host <ip> hasbeen blocked via dropped route using command: "/sbin/iptables -I INPUT-s <ip> -j DROP && /sbin/iptables -I INPUT -s <ip> -m limit --limit3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix'Portsentry: dropping: '"

</quote-syslog>

The following rules were added to netfilter (iptables) to explicitlyblock those ports (iptables-save output format):

-A INPUT -i eth0 -p tcp -m tcp --dport 635 -j LOG --log-prefix "TEST:dport 635 drop." --log-level 7

-A INPUT -i eth0 -p tcp -m tcp --dport 635 -j DROP

However the rule doesn't seem to match (no TEST:... entries in the logs)even though portsentry continues to report the same attack alerts.

Any idea on what kind of connect attempts are being made as reported bythe portsentry? Can those connects be blocked by the netfilter?


I didn't try the '-m state' extension yet.

We are running woody/2.4.24/x86.

Thanks,
Sarunas Burdulis

Reply to:

References:
- DVD install
  - From: Michael Satterwhite <michael@weblore.com>
- Re: DVD install
  - From: stephen parkinson <stephen@zmemw16.demon.co.uk>

Prev by Date: Bonjour
Next by Date: dhcp on LAN
Previous by thread: Re: DVD install - SOLVED
Next by thread: Re: DVD install
Index(es):
- Date
- Thread