
Re: [cobalt-users] weird /local/local/portsentry ipchains happening



<snip>
On Thursday 21 November 2002 1:51 am, Jim Dory wrote:
> So an inhouse user was complaining that she could not connect to the
> server or email and I took a look at /var/log/messages
> Nov 20 16:01:42 raq portsentry[1290]: attackalert: ERROR: cannot open
> ignore file.
>  Blocking host anyway.
> Nov 20 16:01:42 raq portsentry[1290]: attackalert: Connect from host:
> xxx.xxx.xxx.243
> /xxx.xxx.xxx.243 to UDP port: 161
> Nov 20 16:01:42 raq portsentry[1290]: adminalert: ERROR: Cannot open
> blocked file:
>  /usr/local/psionic/portsentry/portsentry.blocked.udp for reading. Will
> create.
> I don't know anything yet about ipchains so I just wrote out that last
> line and inserted ACCEPT instead of DENY. Not sure the proper way to do
> it. Maybe there's a way to just delete the DENY statement.
</snip>

Okay, firstly, yep, sort out why /usr/local/local existed; it sounds like a mv 
done wrongly somewhere along the line. And yes, run chkrootkit and have a 
look at who's been logged in, from where and why. Usual stuff.

On to ipchains: yes, portsentry uses ipchains (if it can; portsentry can drop 
routes in other ways, but ipchains is the best way to do this), so you do have it 
up and running on the raq.
Do an:
# ipchains -L
and it will list all the rules and settings currently stored.
If you're just running portsentry, chances are there will be few lines, and 
all under the input chain.

To unblock somebody, find the rule you want to delete and type:
# ipchains -D input 1

Note: ipchains works from number 0 upwards, so the top rule is 0, the next 1, 
etc.
It's also worth checking /etc/hosts.deny, as portsentry writes a line in there 
too, to stop the IP using tcp-wrapped programs.


-- 
Regards,
Andy
andy@xxxxxxxxxx
http://www.raqpak.com
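As an added example (not from Andy's message, and not portsentry's own code), here is a small POSIX shell script that undoes both halves of a portsentry block: the ipchains rule and the /etc/hosts.deny entry. Instead of deleting the rule by its position in the "ipchains -L" listing, it hands "ipchains -D" the same rule specification portsentry inserted, which avoids reading the position off the listing at all. Two assumptions are baked in and flagged in the comments: that portsentry used its stock ipchains KILL_ROUTE ("ipchains -I input -s <ip> -j DENY -l"), and that the hosts.deny line it wrote is "ALL: <ip>" or "ALL: <ip> : DENY" (its KILL_HOSTS_DENY default). Check both against your portsentry.conf before relying on it. The UNBLOCK_DRY_RUN switch and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original message.  Assumptions (check them
# against your own portsentry.conf before use):
#  - portsentry inserted the block with its stock ipchains KILL_ROUTE,
#    "ipchains -I input -s <ip> -j DENY -l", so the identical rule
#    specification given to "ipchains -D" removes that rule again;
#  - the hosts.deny entry it wrote looks like "ALL: <ip>" or
#    "ALL: <ip> : DENY" (portsentry's KILL_HOSTS_DENY default).
#
# Usage: UNBLOCK_DRY_RUN=1 ./unblock.sh xxx.xxx.xxx.243    (print only)
#        ./unblock.sh xxx.xxx.xxx.243 [/etc/hosts.deny]    (apply, as root)

# Accept only a dotted-quad address: the value ends up on a root command
# line, so refuse anything else rather than pass it through.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The ipchains command that undoes portsentry's block.  Deleting by rule
# specification (-D chain <spec>) drops the first rule that matches the
# spec, so the rule's position in the "ipchains -L" output is not needed.
unblock_rule_cmd() {
    printf 'ipchains -D input -s %s -j DENY -l\n' "$1"
}

# Print $2 (a hosts.deny file) with portsentry's line for host $1 removed.
# Other hosts' entries, comments and blank lines pass through unchanged.
strip_hosts_deny() {
    awk -v ip="$1" '
        $1 == "ALL:" && $2 == ip { next }   # portsentry entry for this host
        { print }
    ' "$2"
}

# Remove the ipchains rule and the hosts.deny entry for $1.
# With UNBLOCK_DRY_RUN set, print what would be done and change nothing.
unblock_host() {
    ip=$1
    deny=${2:-/etc/hosts.deny}
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    cmd=$(unblock_rule_cmd "$ip")
    if [ -n "$UNBLOCK_DRY_RUN" ]; then
        echo "would run: $cmd"
        echo "would rewrite $deny without the ALL: $ip entry"
        return 0
    fi
    # word-splitting of $cmd is intended: ip was validated above
    $cmd || return 1
    tmp=$(mktemp) || return 1
    # rewrite through cat so the file keeps its owner, mode and inode
    strip_hosts_deny "$ip" "$deny" > "$tmp" && cat "$tmp" > "$deny"
    rm -f "$tmp"
}

if [ "$#" -ge 1 ]; then
    unblock_host "$@"
fi
```

Run it first with UNBLOCK_DRY_RUN=1 and compare the printed ipchains command with the rule shown by "ipchains -L": if portsentry's KILL_ROUTE on your box differs from the stock one (no -l, a different target), the delete-by-specification will not match and ipchains will report that no such rule exists, which is a safe failure rather than a wrong rule being removed.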