From http://groups.yahoo.com/group/raq/message/10985.

1) Switch firewall off & open the "firewall-on" config script:

cd your_firewall_directory
./firewall-off
pico -w firewall-on

IN FIREWALL-ON, BELOW WHERE IT SAYS:

# POP3 server
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 110 -j ACCEPT
#

ADD THE FOLLOWING TO KILL SAMBA LOG ENTRIES:

# Deny Samba, added 20/4/2001
#
$IPC -A input -p tcp -s 0/0 -d $OUTERNET 137:139 -j DENY
$IPC -A input -p udp -s 0/0 -d $OUTERNET 137:139 -j DENY
#

Make sure these lines are added above the logging line at the bottom of
firewall-on which ends with "-l"

Lawrence




----- Original Message -----
From: "Dan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 01, 2001 4:40 PM
Subject: [cobalt-security] Why does PortSentry continue to log ports 137 and
138 even though I've told it not to?


> Can anyone help?
>
> I recently installed the UK2net firewall as a test to see if it would work
> on my Raq 3 (I'm not with UK2Net but the configuration of the firewall
> seemed fairly easy to adapt). Prior to this I had Portsentry and Logcheck
> running fine. Since installing the firewall and it seeming to work, I have
> been repeatedly swamped with logs relating to ports 137 and 138 from
> machines on the local network. Even if I turn the firewall off (as it is
> now) the logs keep coming through e.g.
>
> May  1 15:01:20 kernel: Packet log: input DENY eth0 PROTO=17
> 195.224.212.76:137 195.224.212.255:137 L=78 S=0x00 I=45852 F=0x0000 T=64
> (#27)
> May  1 15:01:38 kernel: Packet log: input DENY eth0 PROTO=17
> 195.224.15.27:137 195.224.15.255:137 L=78 S=0x00 I=25559 F=0x0000 T=128
> (#45)
>
> I've seen this "problem" discussed a number of times judging by the amount
> of posts I've read, but none of the solutions work.
>
> I'm using Portsentry in advanced stealth mode using IPchains which worked
> fine prior to the firewall script. I've tried "ignoring" ports 137 and 138
> in the portsentry.conf file (a common solution), after stopping the
> program, and then starting back up again, but it continues to do it. I've
> tried clearing out the portsentry blocked files and etc/hosts.deny file etc
>
> Before anyone asks, I've been through a couple of hundred posts on
> Google\Deja\Cobalt list Archives. Would re-installing portsentry work or
> could it have something to do with IPchains?
>
> Any pointers as to what to do next? I thought these "new" log entries were
> as a result of the firewall but disabling it does not have an effect!
>
> Thanks for any help - these logs are crippling me!
>
> Dan
>
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
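
To see which logged packets the 137:139 DENY rules in the reply would silence, this added example (not part of the original messages) parses ipchains "Packet log:" lines and separates NetBIOS traffic from everything else, keeping the "(#N)" index of the rule that did the logging. The first two sample lines come from the quoted message and the third is constructed; the function names are illustrative. It matches on protocol and port only and assumes the logged destination addresses are covered by $OUTERNET.

```python
import re
from collections import Counter

# ipchains kernel log entry: chain, action, interface, IP protocol number,
# source ip:port, destination ip:port, packet fields, then the rule index.
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?\(#(?P<rule>\d+)\)"
)
NETBIOS_PORTS = range(137, 140)      # 137:139, as in the DENY rules
PROTO_NAMES = {6: "tcp", 17: "udp"}  # the two protocols those rules cover

# Lines 1-2: from the quoted message, unwrapped. Line 3: constructed sample.
SAMPLE = """\
May  1 15:01:20 kernel: Packet log: input DENY eth0 PROTO=17 195.224.212.76:137 195.224.212.255:137 L=78 S=0x00 I=45852 F=0x0000 T=64 (#27)
May  1 15:01:38 kernel: Packet log: input DENY eth0 PROTO=17 195.224.15.27:137 195.224.15.255:137 L=78 S=0x00 I=25559 F=0x0000 T=128 (#45)
May  1 15:02:05 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4021 192.0.2.1:23 L=44 S=0x00 I=1234 F=0x0000 T=50 SYN (#45)
"""

def parse(line):
    """Return the fields of one packet-log entry, or None for other lines."""
    m = PACKET_LOG.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        entry[key] = int(entry[key])
    return entry

def summarize(text):
    """Count entries per (protocol, dest port, logging rule index).

    Returns (noise, other): noise is what a non-logging DENY on tcp/udp
    137:139 placed above the logging rule would drop silently.
    """
    noise, other = Counter(), Counter()
    for line in text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        proto = PROTO_NAMES.get(entry["proto"], str(entry["proto"]))
        key = (proto, entry["dport"], entry["rule"])
        is_netbios = entry["proto"] in PROTO_NAMES and entry["dport"] in NETBIOS_PORTS
        (noise if is_netbios else other)[key] += 1
    return noise, other

if __name__ == "__main__":
    noise, other = summarize(SAMPLE)
    for label, counts in (("silenced", noise), ("still logged", other)):
        for (proto, port, rule), n in sorted(counts.items()):
            print(f"{label}: {n} x {proto}/{port} logged by rule #{rule}")
```

The rule index in each entry is the position of the logging rule in the chain, so a DENY that is meant to suppress these entries has to sit at a lower index than that.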