
Re: [cobalt-security] Why does PortSentry continue to log ports 137 and 138 even though I've told it not to?



>
> ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
>
> I'd suggest you have a look at the script and see if that's the case.

Thanks,

I've actually knocked off the script now and would like in some way to
"reset" the logging to the way it was.
The only thing I can see in the script (which is short) that pertains to
logging anything (e.g. -l) is right at the bottom:

# Allow any outgoing connections
#
$IPC -A output -j ACCEPT
#
# Just say no...
#
$IPC -A input -j REJECT -l
#
# Show settings
#
$IPC -L -n
#

Individual rules for the firewall are set up like this:

# SSH - Secure shell access
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 22 -j ACCEPT

I tried adding a couple of lines to deal with ports 137 and 138, using the
method detailed in a reply to a post about this particular firewall, but it
did not work either! The following is with reference to Samba:

>Subject: Re: [uk2raq] How do kill this from logcheck?

> ...Any Hints on what you did to get rid of these (they're driving me
> crazy)???

1) Switch firewall off & open the "firewall-on" config script:

cd your_firewall_directory
./firewall-off
pico -w firewall-on


IN FIREWALL-ON, BELOW WHERE IT SAYS:

# POP3 server
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 110 -j ACCEPT
#

put

# Deny Samba, added 20/4/2001
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 137:139 -j DENY
$IPC -A input -p udp -s 0/0 -d $OUTERNET 137:139 -j DENY
#

leave the rest of the file unchanged.

Save the alterations using "Control o" (o for orange), then restart
firewall.

./firewall-on

Check your messages file to see if the warnings have stopped:

pico -w /var/log/messages



LF


Didn't "stop" for me!

Thanks

Dan
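
Added example, not part of the original messages or of the firewall script: a small Python model of how ipchains walks a chain (rules in order, the first match decides, and only a matching rule carrying -l logs the packet), applied to the input rules quoted above. The value used for $OUTERNET (assumed here to be a single host address) and the sample packets are constructed.

```python
import ipaddress

OUTERNET = "192.0.2.10"  # constructed stand-in for the script's $OUTERNET

# Input chain in the order the script appends its rules:
# (proto, destination, (low_port, high_port), target, logs_with_-l)
# None means "matches anything".
INPUT_CHAIN = [
    ("tcp", OUTERNET, (22, 22), "ACCEPT", False),    # SSH
    ("tcp", OUTERNET, (110, 110), "ACCEPT", False),  # POP3 server
    ("tcp", OUTERNET, (137, 139), "DENY", False),    # Deny Samba (added rules)
    ("udp", OUTERNET, (137, 139), "DENY", False),
    (None, None, None, "REJECT", True),              # final "-j REJECT -l"
]

def evaluate(chain, proto, dst, dport):
    """Return (target, logged, rule_index) for the first rule that matches."""
    addr = ipaddress.ip_address(dst)
    for i, (r_proto, r_dst, r_ports, target, log) in enumerate(chain):
        if r_proto is not None and r_proto != proto:
            continue
        if r_dst is not None and addr not in ipaddress.ip_network(r_dst):
            continue
        if r_ports is not None and not (r_ports[0] <= dport <= r_ports[1]):
            continue
        return target, log, i
    return "POLICY", False, None  # no rule matched; the chain policy decides

def logged_packets(chain, packets):
    """Packets whose deciding rule carries -l, i.e. those that reach the log."""
    return [p for p in packets if evaluate(chain, *p)[1]]

# Constructed sample traffic: (proto, destination address, destination port)
SAMPLE = [
    ("udp", "192.0.2.10", 137),   # addressed to $OUTERNET itself
    ("udp", "192.0.2.255", 137),  # addressed to another address on the subnet
    ("udp", "192.0.2.255", 138),
    ("tcp", "192.0.2.10", 22),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", evaluate(INPUT_CHAIN, *pkt))
    print("logged:", logged_packets(INPUT_CHAIN, SAMPLE))
```

In this model the added DENY rules silence only packets whose destination is $OUTERNET; anything on ports 137-139 sent to a different destination address skips them and is decided, and logged, by the final REJECT -l rule.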