Your message dated Tue, 27 Sep 2005 23:32:11 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#319525: fixed in psad 1.4.3-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 22 Jul 2005 20:01:21 +0000
From: Richard A Nelson <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: psad: error in startup
X-Mailer: reportbug 3.15
Date: Fri, 22 Jul 2005 13:00:37 -0700
Package: psad
Version: 1.4.2-1
Severity: important
I really like the new psad, especially the new psad -S report:
Iptables auto-blocked IPs:
9.30.58.125 (7066 seconds remaining):
PSAD_BLOCK_INPUT(DROP)
PSAD_BLOCK_FORWARD(DROP)
After seeing a plethora of syslog entries like:
psad: added iptables auto-block against 9.30.58.125 for 7200 seconds
...
psad: could not add iptables block rule for: 9.30.58.125
I began to wonder if psad was indeed working... so I stopped it and
reloaded the firewall to its clean state and started psad again.
During startup I see the more expected logs:
psad: renewed iptables auto-block against 9.30.58.197 for 7200 seconds
...
psad: block rule for ip: 9.30.58.197 already exists
psad: block rule for ip: 9.30.58.197 already exists
...
psad: imported 184 scanning IP addresses from previous psad run
So it seems the test for existence is not being done all the time ?!?
But, more worrying is what showed up on the terminal doing the psad start:
# /etc/init.d/psad start
Starting Port Scan Attack Detector and associated daemons: psad.
bandit-hall:~# Use of uninitialized value in concatenation (.) or string
at /usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4584.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4584.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4584.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
4579:
push @lines, "$tmpsrc " . $auto_blocked_ips{$tmpsrc}{'time'};
4584:
push @lines, "$src " . $auto_blocked_ips{$src}{'time'};
And in the loop governing both lines:
if ($line =~ /^\s*(\S+)\s*$/) { ### old format; update to include time
Which makes me think the odd messages seen earlier are in fact likely caused
by this loop - both at startup and during subsequent IP blocks.
This also probably explains why I occasionally get a whole blast of
block messages for the same IP, when I used to get only a few before
the autoblock went into effect.
-- System Information:
Debian Release: testing/unstable
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'),
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages psad depends on:
ii ipchains 1.3.10-15 Network firewalling for Linux 2.2.
ii iptables 1.3.1-2 Linux kernel 2.4+ iptables adminis
ii libc6 2.3.5-1 GNU C Library: Shared libraries an
ii libcarp-clan-perl 5.3-3 Perl enhancement to Carp error log
ii libdate-calc-perl 5.4-3 Perl library for accessing dates
ii libnetwork-ipv4addr-perl 0.10-1.1 The Net::IPv4Addr perl module API
ii libunix-syslog-perl 0.100-4 Perl interface to the UNIX syslog(
ii perl 5.8.7-4 Larry Wall's Practical Extraction
ii psmisc 21.6-1 Utilities that use the proc filesy
ii sysklogd [syslogd] 1.4.1-17 System Logging Daemon
ii whois 4.7.5 the GNU whois client
Versions of packages psad recommends:
ii bastille 1:2.1.1-11 Security hardening tool
-- no debconf information
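
Added example, not part of the original report and not psad's code: a sketch of the failure the report describes, where an old-format (IP only) line is rewritten as "IP TIME" but the time lookup is undefined, next to a guarded form. The helper name upgrade_lines, the sample file lines, the in-memory state and the choice to fall back to the current time are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of an auto-block state file: two old-format lines
# (IP only) and one line that already carries a timestamp.
my @file_lines = ("9.30.58.125\n", "9.30.58.197\n", "192.0.2.10 1122062437\n");

# Constructed in-memory state: only one of the old-format IPs has a
# recorded block time, so the lookup for the other one yields undef.
my %auto_blocked_ips = ('9.30.58.125' => { 'time' => 1122062400 });

# Hypothetical helper: rewrite old-format lines as "IP TIME" without
# ever concatenating an undefined time into the output.
sub upgrade_lines {
    my ($lines, $blocked, $now) = @_;
    my (@out, @missing);
    for my $line (@$lines) {
        if ($line =~ /^\s*(\S+)\s*$/) {    # old format, same test as the report
            my $src = $1;
            # Checking exists() first avoids autovivifying $blocked->{$src}.
            my $t;
            $t = $blocked->{$src}{'time'} if exists $blocked->{$src};
            unless (defined $t) {
                push @missing, $src;       # collect for a single log message
                $t = $now;                 # assumption: start the timer now
            }
            push @out, "$src $t";
        }
        elsif ($line =~ /^\s*(\S+)\s+(\d+)\s*$/) {    # already "IP TIME"
            push @out, "$1 $2";
        }
    }
    return (\@out, \@missing);
}

my ($out, $missing) = upgrade_lines(\@file_lines, \%auto_blocked_ips, time());
print "$_\n" for @$out;
warn "no recorded block time for: @$missing\n" if @$missing;
```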
---------------------------------------
Received: (at 319525-close) by bugs.debian.org; 28 Sep 2005 06:48:03 +0000
From: Daniel Gubser <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#319525: fixed in psad 1.4.3-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 27 Sep 2005 23:32:11 -0700
Source: psad
Source-Version: 1.4.3-1
We believe that the bug you reported is fixed in the latest version of
psad, which is due to be installed in the Debian FTP archive:
psad_1.4.3-1.diff.gz
to pool/main/p/psad/psad_1.4.3-1.diff.gz
psad_1.4.3-1.dsc
to pool/main/p/psad/psad_1.4.3-1.dsc
psad_1.4.3-1_i386.deb
to pool/main/p/psad/psad_1.4.3-1_i386.deb
psad_1.4.3.orig.tar.gz
to pool/main/p/psad/psad_1.4.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Gubser <[EMAIL PROTECTED]> (supplier of updated psad package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 28 Sep 2005 07:46:18 +0200
Source: psad
Binary: psad
Architecture: source i386
Version: 1.4.3-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Gubser <[EMAIL PROTECTED]>
Changed-By: Daniel Gubser <[EMAIL PROTECTED]>
Description:
psad - The Port Scan Attack Detector
Closes: 306367 319525
Changes:
psad (1.4.3-1) unstable; urgency=low
.
* New upstream release
* added Depends for metalog (Closes: #306367) but support is shaky
* upstream fixed auto-blocking code (Closes: #319525)
* added README.SYSLOG in debian/docs
Files:
c6be12cface25315eaa404dc70767512 546 admin optional psad_1.4.3-1.dsc
569b3edcc89b5623a4f5199cbb8ac1fd 669333 admin optional psad_1.4.3.orig.tar.gz
1825a9f6b79df353ade1c1380405e2c3 41174 admin optional psad_1.4.3-1.diff.gz
dcbda598af6ad8dbd76dc172bd65368b 239040 admin optional psad_1.4.3-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDOjXBNgbFFFW/0CQRAmyFAJwKvUEbFTNUFoJ8EEEkRpuCVM1RPwCdElE7
EKp0BL586w/r7NeiSn/m1yY=
=WFrK
-----END PGP SIGNATURE-----