On 2007-03-28 at 06:26:55, Daniel Gubser wrote:
> Can you please send me the output of the following command:
> # psad -D --fw-dump
Sorry for the very long delay in getting back to you. I hadn't tried this for a while and now it looks like the problem is gone (in unstable at least). Here is the output of the command you asked for: [+] uname output: Linux hostname 2.6.20-1-amd64 #1 SMP Tue Apr 24 21:10:58 UTC 2007 x86_64 GNU/Linux [+] perl info: Summary of my perl5 (revision 5 version 8 subversion 8) configuration: Platform: osname=linux, osvers=2.6.18-1-amd64, archname=x86_64-linux-gnu-thread-multi uname='linux gkar 2.6.18-1-amd64 #1 smp sat oct 21 18:36:02 cest 2006 x86_64 gnulinux ' config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.8 -Darchlib=/usr/lib/perl/5.8 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.8.8 -Dsitearch=/usr/local/lib/perl/5.8.8 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Uusenm -Duseshrplib -Dlibperl=libperl.so.5.8.8 -Dd_dosuid -des' hint=recommended, useposix=true, d_sigaction=define usethreads=define use5005threads=undef useithreads=define usemultiplicity=define useperlio=define d_sfio=undef uselargefiles=define usesocks=undef use64bitint=define use64bitall=define uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64', m optimize='-O2', cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include' ccversion='', gccversion='4.1.2 20061115 (prerelease) (Debian 4.1.1-20)', gccosandvers='' intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 d_longlong=define, longlongsize=8, 
d_longdbl=define, longdblsize=16 ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=8, prototype=define Linker and Libraries: ld='cc', ldflags =' -L/usr/local/lib' libpth=/usr/local/lib /lib /usr/lib libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt perllibs=-ldl -lm -lpthread -lc -lcrypt libc=/lib/libc-2.3.6.so, so=so, useshrplib=true, libperl=libperl.so.5.8.8 gnulibc_version='2.3.6' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E' cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib' Characteristics of this binary (from libperl): Compile-time options: MULTIPLICITY PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP THREADS_HAVE_PIDS USE_64_BIT_ALL USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES USE_PERLIO USE_REENTRANT_API Built under linux Compiled at Dec 5 2006 22:43:26 @INC: /etc/perl /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl . [+] syslog processes: root 2604 0.0 0.0 5880 660 ? 
Ss 18:02 0:00 /sbin/syslogd [+] ifconfig output: eth0 Lien encap:UNSPEC HWaddr 00-E0-18-00-03-6B-CB-A7-00-00-00-00-00-00-00-00 BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 lg file transmission:1000 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) eth1 Lien encap:Ethernet HWaddr 00:18:F3:82:F6:61 inet adr:x.x.x.x Bcast:x.x.x.x Masque:x.x.x.x adr inet6: fe80::218:f3ff:fe82:f661/64 Scope:Lien UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:18945 errors:0 dropped:0 overruns:0 frame:0 TX packets:19292 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 lg file transmission:1000 RX bytes:13940002 (13.2 MiB) TX bytes:1874786 (1.7 MiB) Interruption:20 Adresse de base:0x2400 lo Lien encap:Boucle locale inet adr:x.x.x.x Masque:x.x.x.x adr inet6: ::1/128 Scope:Hôte UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:34247 errors:0 dropped:0 overruns:0 frame:0 TX packets:34247 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 lg file transmission:0 RX bytes:26596142 (25.3 MiB) TX bytes:26596142 (25.3 MiB) [+] psad v2.0.6 (file revision: 2015) [+] Dumping psad config from: /etc/psad/psad.conf AIM_SERVERS (removed) ALERTING_METHODS ALL ALERT_ALL Y ANALYSIS_MODE_DIR /var/log/psad/ipt_analysis ANALYSIS_OUTPUT_FILE /var/log/psad/analysis.out AUTO_BLOCK_IPT_FILE /var/log/psad/auto_blocked_iptables AUTO_BLOCK_REGEX ESTABLISHED AUTO_BLOCK_TCPWR_FILE /var/log/psad/auto_blocked_tcpwr AUTO_BLOCK_TIMEOUT 3600 AUTO_DL_FILE /etc/psad/auto_dl AUTO_IDS_DANGER_LEVEL 5 AUTO_IPT_SOCK /var/run/psad/auto_ipt.sock CHECK_INTERVAL 5 CONF_ARCHIVE_DIR /etc/psad/archive DANGER_LEVEL1 5 DANGER_LEVEL2 15 DANGER_LEVEL3 150 DANGER_LEVEL4 1500 DANGER_LEVEL5 10000 DISK_CHECK_INTERVAL 300 DISK_MAX_PERCENTAGE 95 DISK_MAX_RM_RETRIES 10 DNS_LOOKUP_THRESHOLD 20 DNS_SERVERS (removed) DSHIELD_ALERT_EMAIL [EMAIL PROTECTED] DSHIELD_ALERT_INTERVAL 6 DSHIELD_COUNTER_FILE /var/log/psad/dshield_ctr 
DSHIELD_DL_THRESHOLD 0 DSHIELD_EMAIL_FILE /var/log/psad/dshield.email DSHIELD_USER_EMAIL (removed) DSHIELD_USER_ID (removed) EMAIL_ADDRESSES (removed) EMAIL_ALERT_DANGER_LEVEL 4 EMAIL_LIMIT 0 EMAIL_LIMIT_STATUS_MSG Y ENABLE_AUTO_IDS N ENABLE_AUTO_IDS_EMAILS Y ENABLE_AUTO_IDS_REGEX N ENABLE_DSHIELD_ALERTS Y ENABLE_EXT_SCRIPT_EXEC N ENABLE_FW_LOGGING_CHECK Y ENABLE_INTF_LOCAL_NETS Y ENABLE_MAC_ADDR_REPORTING N ENABLE_PERSISTENCE Y ENABLE_RENEW_BLOCK_EMAILS N ENABLE_SCAN_ARCHIVE N ENABLE_SIG_MSG_SYSLOG Y ENABLE_SNORT_SIG_STRICT Y ETC_HOSTS_DENY_FILE /etc/hosts.deny ETC_METALOG_CONF /etc/metalog/metalog.conf ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf ETC_SYSLOG_CONF /etc/syslog.conf EXEC_EXT_SCRIPT_PER_ALERT N EXTERNAL_NET (removed) EXTERNAL_SCRIPT /bin/true FLUSH_IPT_AT_INIT Y FW_CHECK_FILE /var/log/psad/fw_check FW_DATA_FILE /var/log/psad/fwdata FW_ERROR_LOG /var/log/psad/errs/fwerrorlog FW_MSG_SEARCH DROP FW_SEARCH_ALL Y HOME_NET (removed) HOSTNAME (removed) HTTP_PORTS 80 HTTP_SERVERS (removed) ICMP_TYPES_FILE /etc/psad/icmp_types IGNORE_CONNTRACK_BUG_PKTS Y IGNORE_INTERFACES NONE IGNORE_KERNEL_TIMESTAMP Y IGNORE_LOG_PREFIXES NONE IGNORE_PORTS NONE IGNORE_PROTOCOLS NONE IMPORT_OLD_SCANS N INSTALL_LOG_FILE /var/log/psad/install.log IPTABLES_BLOCK_METHOD Y IPTABLES_PREREQ_CHECK 1 IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1 IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1 IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1 IPT_ERROR_FILE /var/log/psad/psad.ipterr IPT_OUTPUT_FILE /var/log/psad/psad.iptout IPT_PREFIX_COUNTER_FILE /var/log/psad/ipt_prefix_ctr IP_OPTS_FILE /etc/psad/ip_options KMSGSD_PID_FILE /var/run/psad/kmsgsd.pid MAIL_ALERT_PREFIX [psad-alert] MAIL_ERROR_PREFIX [psad-error] MAIL_FATAL_PREFIX [psad-fatal] MAIL_STATUS_PREFIX [psad-status] MAX_HOPS 20 MIN_ARCHIVE_DANGER_LEVEL 1 MIN_DANGER_LEVEL 1 ORACLE_PORTS 1521 P0F_FILE /etc/psad/pf.os PACKET_COUNTER_FILE /var/log/psad/packet_ctr 
PORT_RANGE_SCAN_THRESHOLD 1 POSF_FILE /etc/psad/posf PRINT_SCAN_HASH /var/log/psad/scan_hash PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward PSADWATCHD_CHECK_INTERVAL 5 PSADWATCHD_MAX_RETRIES 10 PSADWATCHD_PID_FILE /var/run/psad/psadwatchd.pid PSAD_CMDLINE_FILE /var/run/psad/psad.cmd PSAD_CONF_DIR /etc/psad PSAD_DIR /var/log/psad PSAD_ERR_DIR /var/log/psad/errs PSAD_FIFO_DIR /var/lib/psad PSAD_FIFO_FILE /var/lib/psad/psadfifo PSAD_LIBS_DIR /usr/lib/psad PSAD_PID_FILE /var/run/psad/psad.pid PSAD_RUN_DIR /var/run/psad SCAN_DATA_ARCHIVE_DIR /var/log/psad/scan_archive SCAN_TIMEOUT 3600 SHELLCODE_PORTS !80 SHOW_ALL_SIGNATURES N SIGS_FILE /etc/psad/signatures SIG_MSG_SYSLOG_THRESHOLD 10 SIG_SID_SYSLOG_THRESHOLD 10 SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures SMTP_SERVERS (removed) SNORT_RULES_DIR /etc/psad/snort_rules SNORT_RULE_DL_FILE /etc/psad/snort_rule_dl SNORT_SID_STR SID SQL_SERVERS (removed) STATUS_IP_THRESHOLD 25 STATUS_OUTPUT_FILE /var/log/psad/status.out STATUS_PORTS_THRESHOLD 20 STATUS_SIGS_THRESHOLD 50 SYSLOG_DAEMON syslogd TCPWRAPPERS_BLOCK_METHOD N TELNET_SERVERS (removed) TOP_ATTACKERS_FILE /var/log/psad/top_attackers TOP_IP_LOG_THRESHOLD 500 TOP_PORTS_LOG_THRESHOLD 500 TOP_SCANNED_PORTS_FILE /var/log/psad/top_ports TOP_SCANS_CTR_THRESHOLD 1 TOP_SIGS_FILE /var/log/psad/top_sigs TOP_SIGS_LOG_THRESHOLD 500 TRUNCATE_FWDATA Y ULOG_DATA_FILE /var/log/psad/ulogd.log WHOIS_LOOKUP_THRESHOLD 20 WHOIS_TIMEOUT 60 [+] Command paths: [+] df /bin/df [+] fwcheck_psad /usr/sbin/fwcheck_psad [+] gzip /bin/gzip [+] ifconfig /sbin/ifconfig [+] iptables /sbin/iptables [+] killall /usr/bin/killall [+] kmsgsd /usr/sbin/kmsgsd [+] mail /usr/bin/mail [+] mknod /bin/mknod [+] netstat /bin/netstat [+] ps /bin/ps [+] psad /usr/sbin/psad [+] psadwatchd /usr/sbin/psadwatchd [+] sendmail /usr/sbin/sendmail [+] sh /bin/sh [+] uname /bin/uname [+] wget /usr/bin/wget [+] whois /usr/bin/whois [+] iptables policy dump: iptables v1.3.6 Chain INPUT (policy DROP 0 packets, 0 
bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp flags:!0x17/0x02 3 836 ACCEPT udp -- * * x.x.x.x 0.0.0.0/0 0 0 ACCEPT tcp -- * * x.x.x.x 0.0.0.0/0 tcp flags:!0x17/0x02 0 0 ACCEPT udp -- * * x.x.x.x 0.0.0.0/0 0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 0 0 DROP 0 -- eth1 * 0.0.0.0/0 x.x.x.x 0 0 DROP 0 -- * * 0.0.0.0/0 x.x.x.x 0 0 DROP 0 -- * * x.x.x.x/x 0.0.0.0/0 0 0 DROP 0 -- * * 0.0.0.0/0 x.x.x.x/x 0 0 DROP 0 -- * * x.x.x.x 0.0.0.0/0 0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0 0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 0 0 LSI 0 -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 25 2389 INBOUND 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 LOG_FILTER 0 -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input' Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 0 0 LOG_FILTER 0 -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward' Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * x.x.x.x x.x.x.x tcp dpt:53 3 177 ACCEPT udp -- * * x.x.x.x x.x.x.x udp dpt:53 0 0 ACCEPT tcp -- * * x.x.x.x x.x.x.x tcp dpt:53 0 0 ACCEPT udp -- * * x.x.x.x x.x.x.x udp dpt:53 0 0 ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 DROP 0 -- * * x.x.x.x/x 0.0.0.0/0 0 0 DROP 0 -- * * 0.0.0.0/0 x.x.x.x/x 0 0 DROP 0 -- * * x.x.x.x 0.0.0.0/0 0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0 0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID 27 1980 OUTBOUND 0 -- * eth1 0.0.0.0/0 0.0.0.0/0 0 0 LOG_FILTER 0 -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output' Chain INBOUND (1 references) pkts bytes target prot opt in out source destination 25 2389 ACCEPT tcp -- * * 
0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 LSI 0 -- * * 0.0.0.0/0 0.0.0.0/0 Chain LOG_FILTER (5 references) pkts bytes target prot opt in out source destination Chain LSI (2 references) pkts bytes target prot opt in out source destination 0 0 LOG_FILTER 0 -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 Chain LSO (0 references) pkts bytes target prot opt in out source destination 0 0 LOG_FILTER 0 -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound ' 0 0 REJECT 0 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain OUTBOUND (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 22 1717 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 5 263 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0