
Re: [cobalt-users] Portsentry/IPChains Log Entries



On Fri, 02 Feb 2001 22:17:29 -0500, "Craig Napier" <craignapier@xxxxxxxxxxx>
wrote:

:>Q: I've installed IPChains, Portsentry and Logcheck and have Portsentry 
:>dropping into IPChains on scans. I'm trying to figure out how to have 
:>Portsentry/IPChains ignore a certain IP range <the ignore files doesn't seem 
:>to work>... It seems that another system that shares our network connection 
:>keeps littering our logs with entries <from port 137/138>.. We've tried 
:>everything possible to stop this logging as the logs easily reach 50 megs a 
:>day... We're running portsentry on TCP in Stealth mode <-stcp>, and UDP in 
:>Classic mode <-udp>.. We've also placed the IP block in question inside the 
:>Portsentry "ignore" file, as well as told it to stop looking on port 137 for 
:>UDP/TCP connections... But these darn entries still persist... Should I be 
:>turning my attention towards IPChains, instead of focusing on Portsentry for 
:>this noise?
:>
:>Does anyone have any idea or suggestions? Any hint would be greatly 
:>appreciated..

I wrote a script for my Qube2 that uses ipfwadm (which is about the same as
ipchains) to turn off some ports before they ever get to portsentry. Hence, I
just don't allow 137/138. Here is my script (watch the line wrap), maybe it
will help? I adjust it as I see entries from portsentry. 

[admin@vanecek admin]$ less /home/local/portsentry/portsentry.init      
#!/bin/sh
#
# portsentry.init   Starts and stops portsentry

# Source function library.
. /etc/rc.d/init.d/functions

[ -f /home/local/portsentry/portsentry ] || exit 0

# ipfwadm definitions
EXTERNAL_INTERFACE="eth0"
IPADDR="nnn.nnn.26.245"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
BROADCAST_DEST="255.255.255.255"
BROADCAST_SRC="0.0.0.0"
LOOPBACK="127.0.0.0/8"

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Portsentry: "
        cd /home/local/portsentry/

        # Flush all existing state
        /sbin/ipfwadm -F -f
        /sbin/ipfwadm -I -f
        /sbin/ipfwadm -O -f

        # Set the default policy
        /sbin/ipfwadm -F -p deny
        /sbin/ipfwadm -I -p accept
        /sbin/ipfwadm -O -p accept

        # Filters only
        # Begin rules
        # Refuse spoofed packets
        /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $IPADDR

        # Refuse packets claiming to be private network
        /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_A
        /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_B
        /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_C
        /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_D_MULTICAST

        # Refuse loopback packets
        /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $LOOPBACK

        # Refuse malformed broadcast packets
        /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $BROADCAST_DEST
        /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -D $BROADCAST_SRC

        # Refuse udp 67/68 (DHCP) packets
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S nnn.nnn.0.0/16 -D 0.0.0.0/0 67
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S nnn.nnn.0.0/16 -D 0.0.0.0/0 68
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S 169.254.0.0/16 -D 0.0.0.0/0 67

        # Refuse udp 137/138 (NetBIOS) packets
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S nnn.nnn.26.0/24 -D 0.0.0.0/0 137
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S nnn.nnn.26.0/24 -D 0.0.0.0/0 138

        # Refuse tcp 113 (ident) packets
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P tcp -i deny -S nnn.nnn.48.55 -D 0.0.0.0/0 113
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P tcp -i deny -S nnn.nnn.220.1 -D 0.0.0.0/0 113

        # Refuse udp 177 (XDMCP) packets
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S nnn.nnn.0.0/16 -D 0.0.0.0/0 177

        # Refuse udp 520 (RIP) packets
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S nnn.nnn.16.245 -D 0.0.0.0/0 520
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S nnn.nnn.16.242 -D 0.0.0.0/0 520
        /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -P udp -i deny -S nnn.nnn.16.231 -D 0.0.0.0/0 520

        # Add the ping protection
        #/sbin/ipfwadm -I -a deny -P icmp -S 0/0 8 -W $EXTERNAL_INTERFACE

        # Remove history files (-f so a fresh start without them does not error)
        rm -f portsentry.blocked.atcp
        rm -f portsentry.blocked.audp
        rm -f portsentry.history

        ./portsentry -atcp
        ./portsentry -audp
        echo
        ;;
  stop)
        echo -n "Shutting down Portsentry: "
        killproc portsentry -9
        echo
        ;;
  *)
        echo "Usage: portsentry.init {start|stop}"
        exit 1
esac

exit 0
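As an added example (not from the original post or from portsentry itself): a small shell helper in the spirit of "I adjust it as I see entries from portsentry". It tallies attackalert log lines by protocol, port and source address, and prints candidate ipfwadm deny rules in the same form as the init script above for anything seen at least a threshold number of times, so the noisy 137/138 traffic can be spotted and filtered before it reaches portsentry. The log lines and addresses are constructed samples that only approximate portsentry's attackalert message format, and the rules are printed for review, never applied.

```shell
#!/bin/sh
# Added example: triage portsentry log noise before writing firewall rules.
# summarise_alerts reads syslog lines on stdin and prints
# "count PROTO port source", busiest first.
summarise_alerts() {
    grep 'attackalert:' | awk '{
        proto = port = src = ""
        for (i = 1; i <= NF; i++) {
            # "from host: name/ip" -> keep the ip half
            if ($i == "host:") { split($(i + 1), h, "/"); src = h[2] }
            # "to UDP port: 137" -> protocol is the word before "port:"
            if ($i == "port:") { port = $(i + 1); proto = $(i - 1) }
        }
        # lines without a port (e.g. "already blocked") are not scans
        if (port != "") count[proto " " port " " src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# suggest_rules THRESHOLD [IFACE]: for every source/port seen at least
# THRESHOLD times, print (do not apply) an ipfwadm rule in the same form
# as the init script above, so it can be reviewed and pasted in by hand.
suggest_rules() {
    summarise_alerts | awk -v t="$1" -v w="${2:-eth0}" '$1 >= t {
        printf "/sbin/ipfwadm -I -W %s -P %s -i deny -S %s -D 0.0.0.0/0 %s\n", w, tolower($2), $4, $3
    }'
}

# Constructed sample log (documentation addresses, not real hosts); the
# message text approximates portsentry's attackalert format.
SAMPLE_LOG='Feb  2 22:17:29 vanecek portsentry[412]: attackalert: UDP scan from host: 192.0.2.7/192.0.2.7 to UDP port: 137
Feb  2 22:17:31 vanecek portsentry[412]: attackalert: UDP scan from host: 192.0.2.7/192.0.2.7 to UDP port: 138
Feb  2 22:17:33 vanecek portsentry[412]: attackalert: UDP scan from host: 192.0.2.7/192.0.2.7 to UDP port: 137
Feb  2 22:18:02 vanecek portsentry[411]: attackalert: Connect from host: box.example/198.51.100.9 to TCP port: 113
Feb  2 22:18:40 vanecek portsentry[412]: attackalert: UDP scan from host: 192.0.2.7/192.0.2.7 to UDP port: 138
Feb  2 22:19:12 vanecek portsentry[412]: attackalert: UDP scan from host: 192.0.2.7/192.0.2.7 to UDP port: 137
Feb  2 22:19:13 vanecek portsentry[412]: attackalert: Host: 192.0.2.7/192.0.2.7 is already blocked Ignoring'

printf '%s\n' "$SAMPLE_LOG" | summarise_alerts
printf '%s\n' "$SAMPLE_LOG" | suggest_rules 2
```

Feed it the real log instead (`summarise_alerts < /var/log/messages`) and raise the threshold until only the persistent offenders remain.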