Hi All,

I am having a problem with portsentry on kernel 2.4.5 machines. When using kernel 2.2.19 on the same machine, there is no problem (and it happens on two different compiles of 2.4.5).

The problem: portsentry is having false positive port scans. Nobody is scanning me on ports 79 or 111, but it is reporting that people are (I am running both portsentry AND snort, which is how I know scans are *not* happening; I have also watched traffic with ethereal and found nothing abnormal). This happens to the point that portsentry is taking up 40-70% CPU.

I searched on google and found a hit on a debian-laptop post, but all people said was "sounds like finger and RPC, what are you running", which is not the problem. Portsentry cannot tell me where the scans are coming from. Snort was reporting scans from our DNS' but I put those in the portsentry ignore. We are thinking it is misdiagnosing local (on-machine) traffic as not coming from localhost when it really is, but that doesn't explain how to *fix* it without breaking/removing portsentry.

Here is what the syslog entries look like:

Jun 15 15:10:01 tonto portsentry[3146]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Jun 15 15:10:31 tonto last message repeated 540822 times
Jun 15 15:11:32 tonto last message repeated 1106736 times
Jun 15 15:12:33 tonto last message repeated 1109614 times
Jun 15 15:13:34 tonto last message repeated 1104765 times
Jun 15 15:14:35 tonto last message repeated 1110612 times

It used to say the same thing but was for port 79. Somehow it switched from 79 to 111 after I nmapped myself (to see how it would respond).

With portsentry running, the following ports are open:

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on tonto (127.0.0.1):
(The 1509 ports scanned but not shown below are in state: closed)
Port       State       Service
1/tcp      open        tcpmux
9/tcp      open        discard
11/tcp     open        systat
13/tcp     open        daytime
15/tcp     open        netstat
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
119/tcp    open        nntp
139/tcp    open        netbios-ssn
143/tcp    open        imap2
540/tcp    open        uucp
631/tcp    open        cups
635/tcp    open        unknown
859/tcp    open        unknown
1080/tcp   open        socks
1524/tcp   open        ingreslock
2000/tcp   open        callbook
6000/tcp   open        X11
6667/tcp   open        irc
12345/tcp  open        NetBus
12346/tcp  open        NetBus
31337/tcp  open        Elite
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
54320/tcp  open        bo2k

Without portsentry running, the following ports are open:

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on tonto (127.0.0.1):
(The 1529 ports scanned but not shown below are in state: closed)
Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
139/tcp    open        netbios-ssn
631/tcp    open        cups
859/tcp    open        unknown
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

I am running:

tonto:/home/colby# uname -a
Linux tonto 2.4.5 #1 Thu Jun 14 13:47:38 PDT 2001 i686 unknown

on:

tonto:/home/colby# cat /etc/debian_version
testing/unstable

Kernel was made with kernel-package:

Package: kernel-image-2.4.5
Status: install ok installed
Priority: optional
Section: base
Installed-Size: 2824
Maintainer: Nicole <[EMAIL PROTECTED]>
Source: kernel-source-2.4.5
Version: Trigeo-0.1-3
Provides: kernel-image, kernel-image-2.4
Depends: fileutils (>= 4.0)
Suggests: lilo (>= 19.1), fdutils, kernel-doc-2.4.5
Description: <snipped>

Portsentry is:

Package: portsentry
Status: install ok installed
Priority: optional
Section: non-free/net
Installed-Size: 125
Maintainer: Guido Guenther <[EMAIL PROTECTED]>
Version: 1.0-1.8
Depends: libc6 (>= 2.2.3-1), net-tools, procps, debconf, debianutils (>= 1.7)
Recommends: tcpd
Suggests: logcheck
Conffiles: <snipped>
Description: <snipped>

Modules that are running:

tonto:/home/colby# lsmod
Module                  Size  Used by
i810_audio             13360   0 (unused)
3c59x                  24032   1
usb-storage            20352   0 (unused)

I can send a full kernel config if anyone is interested. Both machines having the problem are Dell Optiplex GX150s with the "equivalent" of a 3c905 (onboard, called a 3c920), on an Intel D815EEA motherboard.

The same exact thing happens on my home machine, an Asus A7V with a 3c905B, kernel 2.4.2 (not a kernel-package kernel), same version of portsentry, same ports open, same syslog entries on the same 2 ports, again snort reports NO scans or attack attempts. I can send a full kernel config for this one as well; I have not cross-examined them (yet) to see what they have in common/different. I know on my home machine the network card is not compiled as a module but is rather in the kernel, while here on the Dells they are modules.

Any help would REALLY be appreciated :o)

-nicole

_______________________________________________
techtalk mailing list
[EMAIL PROTECTED]
http://www.linux.org.uk/mailman/listinfo/techtalk
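As an added example (not from the post, and not portsentry's own code): a small Python log-watcher that expands syslog's "last message repeated N times" lines back into per-port alert counts and computes the peak alerts-per-second, so that a stream like the one above is flagged as a runaway daemon rather than a scan. The sshd line and the 192.0.2.5 address in the sample are constructed, and the 1000 alerts/second threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the portsentry/syslog lines from the post, plus a made-up sshd line
# (RFC 5737 address) followed by a repeat notice that must NOT be counted against portsentry.
SAMPLE_SYSLOG = """\
Jun 15 15:10:01 tonto portsentry[3146]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Jun 15 15:10:31 tonto last message repeated 540822 times
Jun 15 15:11:32 tonto last message repeated 1106736 times
Jun 15 15:12:33 tonto last message repeated 1109614 times
Jun 15 15:13:34 tonto last message repeated 1104765 times
Jun 15 15:14:35 tonto sshd[2211]: Accepted publickey for colby from 192.0.2.5 port 51234 ssh2
Jun 15 15:14:40 tonto last message repeated 2 times
Jun 15 15:15:02 tonto portsentry[3146]: attackalert: Possible stealth scan from unknown host to TCP port: 79 (accept failed)
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "  # "Jun 15 15:10:01 tonto "
ALERT_RE = re.compile(TS + r"portsentry\[\d+\]: attackalert: Possible stealth scan from (?P<src>.+?) to TCP port: (?P<port>\d+)")
REPEAT_RE = re.compile(TS + r"last message repeated (?P<n>\d+) times$")

def parse_ts(text, year):
    # Classic syslog stamps carry no year; the caller supplies it (2001 for the post).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def summarize(log_text, year=2001, runaway_rate=1000.0):
    # Per-port totals and peak alerts/second, expanding "last message repeated N times";
    # a port is "runaway" when every alert names "unknown host" and the rate exceeds runaway_rate.
    stats = {}
    last = None  # (port, timestamp) that a following "repeated" line refers to
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            port = int(m["port"])
            s = stats.setdefault(port, {"count": 0, "peak_rate": 0.0, "sources": set()})
            s["count"] += 1
            s["sources"].add(m["src"])
            last = (port, parse_ts(m["ts"], year))
            continue
        m = REPEAT_RE.match(line)
        if m and last is not None:
            port, prev = last
            now = parse_ts(m["ts"], year)
            seconds = max((now - prev).total_seconds(), 1.0)
            stats[port]["count"] += int(m["n"])
            stats[port]["peak_rate"] = max(stats[port]["peak_rate"], int(m["n"]) / seconds)
            last = (port, now)
            continue
        last = None  # any other message ends the chain; later repeats are not ours
    for s in stats.values():
        s["runaway"] = s["peak_rate"] > runaway_rate and s["sources"] == {"unknown host"}
    return stats
```

On the sample, port 111 works out to roughly 18,000 alerts per second with no source address, a rate no real remote scan against a single host produces, while port 79 shows one alert and is not flagged.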