
Re: [cobalt-security] Why does PortSentry continue to log ports 137 and 138 even though I've told it not to?



----- Original Message -----
From: Dan <daniel@xxxxxxxxxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, May 01, 2001 4:40 PM
Subject: [cobalt-security] Why does PortSentry continue to log ports 137 and 138 even though I've told it not to?


> Can anyone help?
>
> I recently installed the UK2net firewall as a test to see if it would work
> on my Raq 3 (I'm not with UK2Net but the configuration of the firewall
> seemed fairly easy to adapt). Prior to this I had Portsentry and Logcheck
> running fine. Since installing the firewall and it seeming to work, I have
> been repeatedly swamped with logs relating to ports 137 and 138 from
> machines on the local network. Even if I turn the firewall off (as it is
> now) the logs keep coming through e.g.
>
> May  1 15:01:20 kernel: Packet log: input DENY eth0 PROTO=17 195.224.212.76:137 195.224.212.255:137 L=78 S=0x00 I=45852 F=0x0000 T=64 (#27)
> May  1 15:01:38 kernel: Packet log: input DENY eth0 PROTO=17 195.224.15.27:137 195.224.15.255:137 L=78 S=0x00 I=25559 F=0x0000 T=128 (#45)
>
> I've seen this "problem" discussed a number of times judging by the amount
> of posts I've read, but none of the solutions work.
>
> I'm using Portsentry in advanced stealth mode using IPchains which worked
> fine prior to the firewall script. I've tried "ignoring" ports 137 and 138
> in the portsentry.conf file (a common solution), after stopping the program,
> and then starting back up again, but it continues to do it. I've tried
> clearing out the portsentry blocked files and /etc/hosts.deny file etc.
>
> Before anyone asks, I've been through a couple of hundred posts on
> Google\Deja\Cobalt list Archives. Would re-installing portsentry work or
> could it have something to do with IPchains?
>
> Any pointers as to what to do next? I thought these "new" log entries were as
> a result of the firewall but disabling it does not have an effect!
>
> Thanks for any help - these logs are crippling me!
>
> Dan

If you really want to ignore the samba packets you might want to use these
rules... (To get them on, you'll have to disable the UK2 firewall script, or
whatever rule is causing the log entries to be made.)

ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:137 -p tcp -j DENY
ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:137 -p udp -j DENY
ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:138 -p tcp -j DENY
ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:138 -p udp -j DENY
ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:139 -p tcp -j DENY
ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:139 -p udp -j DENY

OR, if you want to block all samba protocol to your machine instead of from one raq,
try using "0.0.0.0/0.0.0.0" instead of the ip/255.255.255.255.

There's no "-l" in those lines, so they will be denied before they get to the
rule that is causing the log entries currently.
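Added example, not part of the thread or of the PortSentry/UK2 scripts: a small parser for the "Packet log:" lines Dan quoted, which confirms that every hit is a UDP NetBIOS broadcast (PROTO=17, port 137/138, destination ending in .255), counts them per source, and generates the ipchains commands that would silence exactly that traffic. The log lines are copied from the post plus one constructed unicast TCP/139 line (TEST-NET addresses) to show what is deliberately left alone. The generated rules are this example's own suggestion and differ from the reply above in two ways: they are inserted with -I rather than appended with -A, because -A puts a rule after any DENY -l rule already in the chain and it would never be reached; and they drop only UDP 137:138 to the observed broadcast addresses, so a unicast scan of your host's NetBIOS ports still reaches PortSentry's logging rule. The /24 broadcast assumption and the eth0 interface name are assumptions, since the log lines carry no netmask.

```python
"""Added example (not from the original post): parse the ipchains
"Packet log:" lines quoted in the thread, classify NetBIOS broadcast
noise, and emit ipchains commands that drop only that noise, unlogged."""
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample input: the two lines Dan posted (re-joined onto one line
# each) plus one made-up unicast TCP/139 probe using TEST-NET addresses, which
# must NOT be classified as broadcast noise.
SAMPLE_LOG = """\
May  1 15:01:20 kernel: Packet log: input DENY eth0 PROTO=17 195.224.212.76:137 195.224.212.255:137 L=78 S=0x00 I=45852 F=0x0000 T=64 (#27)
May  1 15:01:38 kernel: Packet log: input DENY eth0 PROTO=17 195.224.15.27:137 195.224.15.255:137 L=78 S=0x00 I=25559 F=0x0000 T=128 (#45)
May  1 15:02:01 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:1034 192.0.2.5:139 L=60 S=0x00 I=1 F=0x0000 T=64 (#27)
"""

# 2.2-era ipchains log format:
# "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#  L=<len> S=<tos> I=<id> F=<frag> T=<ttl> (#<rule>)"
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) .*?T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

UDP = 17
NETBIOS_UDP_PORTS = {137, 138}  # name service and datagram service


def parse_packet_log(text):
    """Return one dict per parseable 'Packet log:' line; numeric fields as ints."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        e = m.groupdict()
        for k in ("proto", "sport", "dport", "len", "ttl", "rule"):
            e[k] = int(e[k])
        entries.append(e)
    return entries


def is_netbios_broadcast(e):
    """UDP 137/138 to a directed broadcast address.
    Assumption: /24 subnets, so broadcast means last octet 255."""
    return (e["proto"] == UDP
            and e["dport"] in NETBIOS_UDP_PORTS
            and IPv4Address(e["dst"]).packed[-1] == 255)


def summarize(entries):
    """Per-source count of broadcast noise, and the list of everything else."""
    noise = Counter(e["src"] for e in entries if is_netbios_broadcast(e))
    other = [e for e in entries if not is_netbios_broadcast(e)]
    return noise, other


def drop_rules(entries, chain="input", iface="eth0"):
    """One ipchains command per observed broadcast destination.
    -I (insert at head) rather than -A so the silent DENY precedes any
    'DENY -l' rule that is producing the log lines; no -l, so nothing is logged.
    Unicast traffic to 137-139 is untouched and still reaches PortSentry."""
    dests = sorted({e["dst"] for e in entries if is_netbios_broadcast(e)},
                   key=IPv4Address)
    return [f"ipchains -I {chain} -i {iface} -p udp -s 0.0.0.0/0 "
            f"-d {d}/32 137:138 -j DENY" for d in dests]


if __name__ == "__main__":
    parsed = parse_packet_log(SAMPLE_LOG)
    noise, other = summarize(parsed)
    for src, n in noise.most_common():
        print(f"{n:4d} NetBIOS broadcast(s) from {src}")
    print(f"{len(other)} non-broadcast entries kept for review")
    print("\n".join(drop_rules(parsed)))
```

Run the printed commands only after checking `ipchains -L input -n -v` to see where the logging rule sits; the example never executes ipchains itself.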