[techtalk] portsentry + kernel 2.4.x
Nicole Zimmerman
colby at wsu.edu
Fri Jun 15 15:31:25 EST 2001
Hi All,

I am having a problem with portsentry on kernel 2.4.5 machines. When using
kernel 2.2.19 on the same machine, there is no problem (and it happens on
two different compiles of 2.4.5).

The problem: portsentry is having false positive port scans. Nobody is
scanning me on ports 79 or 111, but it is reporting that people are (I am
running both portsentry AND snort, which is how I know scans are *not*
happening; I have also watched traffic with ethereal and found nothing
abnormal). This happens to the point that portsentry is taking up 40-70%
CPU.

I searched on google and found a hit on a debian-laptop post, but all
people said was "sounds like finger and RPC, what are you running", which
is not the problem. Portsentry cannot tell me where the scans are coming
from. Snort was reporting scans from our DNS servers, but I put those in the
portsentry ignore. We are thinking it is misdiagnosing local (on-machine)
traffic as not coming from localhost when it really is, but that doesn't
explain how to *fix* it without breaking/removing portsentry.

Here is what the syslog entries look like:
Jun 15 15:10:01 tonto portsentry[3146]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Jun 15 15:10:31 tonto last message repeated 540822 times
Jun 15 15:11:32 tonto last message repeated 1106736 times
Jun 15 15:12:33 tonto last message repeated 1109614 times
Jun 15 15:13:34 tonto last message repeated 1104765 times
Jun 15 15:14:35 tonto last message repeated 1110612 times
It used to say the same thing but was for port 79. Somehow it switched
from 79 to 111 after I nmapped myself (to see how it would respond).
With portsentry running, the following ports are open:
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on tonto (127.0.0.1):
(The 1509 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
9/tcp open discard
11/tcp open systat
13/tcp open daytime
15/tcp open netstat
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
37/tcp open time
79/tcp open finger
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
119/tcp open nntp
139/tcp open netbios-ssn
143/tcp open imap2
540/tcp open uucp
631/tcp open cups
635/tcp open unknown
859/tcp open unknown
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
6000/tcp open X11
6667/tcp open irc
12345/tcp open NetBus
12346/tcp open NetBus
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k
Without portsentry running, the following ports are open:
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on tonto (127.0.0.1):
(The 1529 ports scanned but not shown below are in state: closed)
Port State Service
9/tcp open discard
13/tcp open daytime
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
37/tcp open time
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
139/tcp open netbios-ssn
631/tcp open cups
859/tcp open unknown
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
I am running:
tonto:/home/colby# uname -a
Linux tonto 2.4.5 #1 Thu Jun 14 13:47:38 PDT 2001 i686 unknown
on:
tonto:/home/colby# cat /etc/debian_version
testing/unstable
Kernel was made with kernel-package:
Package: kernel-image-2.4.5
Status: install ok installed
Priority: optional
Section: base
Installed-Size: 2824
Maintainer: Nicole <colby at trigeo.com>
Source: kernel-source-2.4.5
Version: Trigeo-0.1-3
Provides: kernel-image, kernel-image-2.4
Depends: fileutils (>= 4.0)
Suggests: lilo (>= 19.1), fdutils, kernel-doc-2.4.5
Description: <snipped>
Portsentry is:
Package: portsentry
Status: install ok installed
Priority: optional
Section: non-free/net
Installed-Size: 125
Maintainer: Guido Guenther <agx at debian.org>
Version: 1.0-1.8
Depends: libc6 (>= 2.2.3-1), net-tools, procps, debconf, debianutils (>= 1.7)
Recommends: tcpd
Suggests: logcheck
Conffiles: <snipped>
Description: <snipped>
Modules that are running:
tonto:/home/colby# lsmod
Module Size Used by
i810_audio 13360 0 (unused)
3c59x 24032 1
usb-storage 20352 0 (unused)
I can send a full kernel config if anyone is interested. Both machines
having the problem are Dell Optiplex GX150s with the "equivalent" of a
3c905 (onboard, called a 3c920), on an Intel D815EEA motherboard.
The same exact thing happens on my home machine, an Asus A7V with a
3c905B, kernel 2.4.2 (not a kernel-package kernel), same version of
portsentry, same ports open, same syslog entries on the same 2 ports;
again, snort reports NO scans or attack attempts. I can send a full kernel
config for this one as well; I have not cross-examined them (yet) to see
what they have in common/different. I know on my home machine the network
card is not compiled as a module but is rather in the kernel, while here on
the Dells they are modules.
Any help would REALLY be appreciated :o)
-nicole
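As an added example (not part of Nicole's post or of portsentry itself), a small Python triage script for the two kinds of evidence quoted above: it expands syslog's "last message repeated N times" lines into a per-second rate of portsentry "accept failed" alerts, so that an impossibly high rate can be separated from a real scan, and it diffs the two nmap listings to show which open ports exist only because portsentry bound them. The log lines and port lists are constructed excerpts of the ones in the post; the year (syslog timestamps carry none) and the 1000/s threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the syslog lines quoted in the post.
SAMPLE_LOG = """\
Jun 15 15:10:01 tonto portsentry[3146]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Jun 15 15:10:31 tonto last message repeated 540822 times
Jun 15 15:11:32 tonto last message repeated 1106736 times
"""
ALERT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: "
                      r".* TCP port: (\d+) \(accept failed\)")
REPEAT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ last message repeated (\d+) times")

def _ts(s, year=2001):  # syslog has no year field; 2001 is assumed from the post date
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def accept_failed_rates(log):
    """Expand 'last message repeated N times' into (port, count, seconds, per_sec)
    tuples, one per repeat line, covering the gap since the previous syslog line."""
    out, port, prev = [], None, None
    for line in log.splitlines():
        m = ALERT_RE.match(line)
        if m:
            port, prev = int(m.group(2)), _ts(m.group(1))
            continue
        m = REPEAT_RE.match(line)
        if m and port is not None:
            now, n = _ts(m.group(1)), int(m.group(2))
            secs = max((now - prev).total_seconds(), 1)
            out.append((port, n, secs, n / secs))
            prev = now
    return out

def looks_like_local_loop(rates, per_sec_limit=1000):
    """Thousands of accept() failures per second on one port, with nothing on the
    wire (snort/ethereal), point at the listener spinning, not at a remote scanner.
    The limit is an assumed triage threshold, not a portsentry setting."""
    return any(r[3] > per_sec_limit for r in rates)

def ports_from_nmap(text):
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open", text, re.M)}

def portsentry_bound_ports(with_ps, without_ps):
    """Ports open only while portsentry runs are its own decoy listeners."""
    return sorted(ports_from_nmap(with_ps) - ports_from_nmap(without_ps))

# Constructed excerpts of the two nmap listings in the post.
NMAP_WITH = "1/tcp open tcpmux\n9/tcp open discard\n79/tcp open finger\n111/tcp open sunrpc\n"
NMAP_WITHOUT = "9/tcp open discard\n111/tcp open sunrpc\n"
```

On the quoted lines this yields roughly 18,000 accept failures per second on port 111, and the port diff shows 79 is a portsentry decoy while 111 is a real listener (sunrpc) present either way.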