
Re: [cobalt-security] Why does PortSentry continue to log ports 137 and 138 even though I've told it not to?



Thanks Stephen,

I have briefly read the ipchains manual page. I've turned off this firewall
now and PortSentry keeps logging it.

I've even flushed out the ipchains rules using ipchains -F, so I'm working
from a blank sheet, so to speak. I've been trying to shut PortSentry off
using (and I saw this posted) "/usr/local/psionic/portsentry/portsentry
off" - please don't laugh if this is wrong! If I wait a couple of
seconds/minutes, ipchains -L has more entries in it. This would lead me
to believe that PortSentry is not shutting down, and as I'm clearing
ipchains, it quickly fills up again!

I'm going to try Brian's suggestion:

ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:137 -p tcp -j DENY
ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:137 -p udp -j DENY
ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:138 -p tcp -j DENY
ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:138 -p udp -j DENY
ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:139 -p tcp -j DENY
ipchains -A input -s <IP of the broadcasting raq>/255.255.255.255 -d 0.0.0.0/0.0.0.0 137:139 -p udp -j DENY


OR, if you want to block all Samba traffic to your machine instead of a single raq,
try using "0.0.0.0/0.0.0.0" instead of the ip/255.255.255.255.

But he said to disable whatever is doing the logging. If the firewall is
turned off (which I am absolutely sure about), it must be PortSentry.

Any ideas?

Dan


----- Original Message -----
From: Stephen Rice <support@xxxxxxxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, May 01, 2001 6:39 PM
Subject: Re: [cobalt-security] Why does PortSentry continue to log ports 137 and 138 even though I've told it not to?


> Gerald wrote:
> > Dan wrote:
> > > Thanks, but where is this "route" table? I've tried to
> > > "locate" it but couldn't find it?
> > try "man route" or just enter the command "route" (as root)
>
>
> Gerald, your dedication to the cause of teaching Dan about the route command
> is admirable :o) Unfortunately the problem is not really to do with the
> routing; it's that the firewall he's using is setting up ipchains to log
> stuff it's denying.
>
> ipchains is a system for managing IP connections to your machine. It
> operates using a set (a chain) of rules you supply it with, and the firewall
> script sets up these rules. ipchains takes each incoming or outgoing packet
> and puts it through the rules in order, until it is denied or accepted or
> whatever.
>
> typing "ipchains -L" shows the ipchain rules that the firewall script has
> been given, looking a bit like this:
>
> target     prot opt     source                destination           ports
> DENY       all  ----l-  192.168.0.1           anywhere              n/a
>
> this ---------------^ indicates that if the rule triggers, it should record
> that action to the system log.
>
> ipchains rules are setup by commands like:
>
> ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
>
> where the -l on the end tells ipchains to log the rule triggering.
>
> Simply removing the -l from the appropriate rule stops this logging
> happening. Of course, you might want to read when the rule is triggering, in
> which case you could set up a more specific rule earlier in the chain that
> catches the connections to port 137 and 138 and denies them without
> logging, as others on here have suggested.
>
> For more information, try typing: man ipchains
> Of course, if you haven't already read the manual page for route, that's a
> useful thing to know about as well!
>
> Cheers
> Stephen
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
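As an added example (not code from Dan, Stephen or Brian), the script below does what Stephen describes: it keeps the logging catch-all rule in place and inserts a more specific, non-logging DENY for the NetBIOS ports ahead of it in the input chain, so the chatter is dropped before it ever reaches the rule carrying -l. It also reads a plain ipchains -L -n listing and reports which rule numbers still log. The peer address is a placeholder you supply; IPCHAINS can be overridden (IPCHAINS="echo ipchains") to preview the commands without root; and the listing embedded in the script is constructed in the layout Stephen's mail shows, not captured from a real box.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. It applies Stephen's
# advice: keep the logging catch-all, but put a more specific, non-logging
# DENY for the NetBIOS ports (137-139) *ahead of it* in the input chain, so
# the noisy traffic is dropped silently and never reaches the -l rule.
# Assumptions: the peer address is a placeholder you supply; IPCHAINS can be
# overridden (IPCHAINS="echo ipchains") to preview commands without root.

IPCHAINS="${IPCHAINS:-ipchains}"

# Print the rule arguments that silence 137-139 from the peer given in $1,
# one line per protocol. "-I input 1" inserts at the head of the chain;
# "-A" (as in the posted rules) would append *after* the logging rule and
# so never match first. UDP carries the NetBIOS name and datagram services,
# TCP the session service on 139.
netbios_quiet_rules() {
    peer="$1"
    for proto in udp tcp; do
        echo "-I input 1 -p $proto -s $peer/32 -d 0.0.0.0/0 137:139 -j DENY"
    done
}

# Run the rules above through $IPCHAINS.
apply_quiet_rules() {
    netbios_quiet_rules "$1" | while read -r args; do
        # word splitting of $IPCHAINS and $args is intended here
        $IPCHAINS $args
    done
}

# Read plain "ipchains -L -n" output on stdin and print the number of every
# rule whose opt column carries the 'l' (log) flag. Rules are counted from 1
# in chain order, the same numbering "ipchains -D input N" uses, so the
# output tells you which rule to strip -l from if you decide to do that.
logging_rule_numbers() {
    awk '$1 ~ /^(ACCEPT|DENY|REJECT|MASQ|REDIRECT|RETURN)$/ {
             n++
             if ($3 ~ /l/) print n
         }'
}

# Constructed sample listing (not captured from a real machine), in the
# layout Stephen's mail shows: rule 1 accepts silently, rules 2 and 3 log.
SAMPLE_LISTING='Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  10.0.0.0/8            anywhere              n/a
DENY       udp  ----l-  anywhere              anywhere              any -> 137:138
DENY       all  ----l-  192.168.0.1           anywhere              n/a'

# Usage: sh quiet-netbios.sh apply 192.168.0.1
# (as root, or with IPCHAINS="echo ipchains" to see the commands only)
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_quiet_rules "$2"
    echo "rules still logging after the insert:"
    $IPCHAINS -L -n | logging_rule_numbers
fi
```

Because the two quiet rules are both inserted at position 1, they end up as rules 1 and 2 and the original logging rules move down; the `logging_rule_numbers` output after applying is therefore offset by two from what it showed before, which is worth remembering before deleting anything by number.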