portsentry false positiv?

 
 
Olaf Petzold, 10-07-2006, 11:58 AM

Hi,

this time I checked my portsentry logfile and saw:

Oct 7 13:35:14 debian portsentry[5287]: attackalert: Host: 127.0.1.1 is already blocked. Ignoring
Oct 7 13:39:30 debian portsentry[5287]: attackalert: Connect from host: 127.0.1.1/127.0.1.1 to TCP port: 513
Oct 7 13:39:30 debian portsentry[5287]: attackalert: Host: 127.0.1.1 is already blocked. Ignoring

Following a Debian-specific thread, 127.0.1.1 seems to be OK for the host's
name resolution:

$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 debian.home.net debian

Yes, stupid name for a linux box :-) It's debian etch running

$ dpkg -l|grep portsentry
ii portsentry 1.2-10 Portscan detection daemon

and

$ cat /etc/hosts.deny |grep -v "#" | sed '/^$/d'
ALL: 127.0.1.1 : DENY
ALL: 127.0.1.1 : DENY
ALL: 127.0.1.1 : DENY
ALL: 127.0.1.1 : DENY
ALL: 127.0.1.1 : DENY
ALL: 127.0.1.1 : DENY
ALL: 127.0.1.1 : DENY

Mmh, once should be enough ... Anyway:

$ netstat --numeric-ports --programs --all |grep 513
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN 5287/portsentry
udp 0 0 0.0.0.0:513 0.0.0.0:* 5294/portsentry

It seems portsentry finds its own opened port??:

$ grep "Going into listen mode on TCP port: 513" portsentry.log
[...]
Oct 7 10:27:24 debian portsentry[5287]: adminalert: Going into listen mode on TCP port: 513

Something wrong with my configuration?

$ cat /etc/portsentry/portsentry.conf|grep -v "#"|sed '/^$/d'
TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/var/lib/portsentry/portsentry.history"
BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"
RESOLVE_HOST = "0"
BLOCK_UDP="1"
BLOCK_TCP="1"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
SCAN_TRIGGER="0"

$ cat /etc/portsentry/portsentry.ignore|grep -v "#"|sed '/^$/d'
127.0.0.1/32
0.0.0.0
192.168.1.2
127.0.0.1

It's confusing me. rkhunter doesn't find anything, only an unspecified hint:

[...]
Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ Warning! (possible trojan port) ]

[...]

---------------------------- Scan results ----------------------------

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 176 seconds

What's going on here?

Thanks
Olaf
 

Moe Trin, 10-07-2006, 10:02 PM

On Sat, 07 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <eg84ju$j03$(E-Mail Removed)>, Olaf Petzold wrote:

>Oct 7 13:35:14 debian portsentry[5287]: attackalert: Host: 127.0.1.1 is
>already blocked. Ignoring
>Oct 7 13:39:30 debian portsentry[5287]: attackalert: Connect from host:
>127.0.1.1/127.0.1.1 to TCP port: 513
>Oct 7 13:39:30 debian portsentry[5287]: attackalert: Host: 127.0.1.1 is
>already blocked. Ignoring


[compton ~]$ grep 513 /etc/services
login 513/tcp # BSD rlogind(8)
who 513/udp whod # BSD rwhod(8)
[compton ~]$

So find out why you have something trying to rlogin FROM YOUR SYSTEM. You've
got _something_ misconfigured - most probably portsentry.

>following a debian specific thread, 127.0.1.1 seems to be ok for host's
>name name resolution:
>
>$ cat /etc/hosts
>127.0.0.1 localhost
>127.0.1.1 debian.home.net debian


Technically, there should only be one line for '127.0.0.1' - you could put
all of those hostnames on the same line OR change the second line to 127.0.0.2
which is the same host (_everyone_ on 127.0.0.0/8 is "you").

>Yes, stupid name for a linux box :-) It's debian etch running


[compton ~]$ Whois home.net
whois.moniker.com

[...]

Domain Name: HOME.NET
Registrant [4031]:
DomainSystems Escrow Account
20 SW 27 Avenue
Suite 201
Pompano Beach
FL
33069
US
[...]
[compton ~]$ host home.net
home.net has address 206.207.85.33
[compton ~]$

Please don't grab domain names out of thin air.

>$ cat /etc/hosts.deny |grep -v "#" | sed '/^$/d'
>ALL: 127.0.1.1 : DENY
>ALL: 127.0.1.1 : DENY
>ALL: 127.0.1.1 : DENY
>ALL: 127.0.1.1 : DENY
>ALL: 127.0.1.1 : DENY
>ALL: 127.0.1.1 : DENY
>ALL: 127.0.1.1 : DENY
>
>Mmh, once should be enough ... Anyway:


Yeah - it's a rather stupid program - and you are using it as a denial of
service tool to shoot yourself.

>It'seems, portsentry find it's own opened port??:


What can I say.

>KILL_ROUTE="/sbin/route add -host $TARGET$ reject"


Gotta love it. Tell me what's going to happen when some jerk out on the
net nmap's the snot out of your box, using the -D option and the IP
addresses to that option being your gateway, your DNS servers...

>It's confusing me. rkhunter doesn't find something, only a unspecified hint:


Did you look at the 'rkhunter' executable and see what it's looking for? Most
of it is just a very poorly written shell script - relatively easy to read.

>Networking
>* Check: frequently used backdoors
> Port 2001: Scalper Rootkit [ Warning!
>(possible trojan port) ]


This extremely poorly coded windoze wannabe tool found something listening
to port 2001, and thinks you have a virus. In fact, it found your portsentry
tool - but it doesn't want to bother telling you that running that wannabe
could be a problem that might interfere. If you did a google search, you'd
find hundreds of postings describing similar incidents. The 'chkrootkit' tool
is just as bad, if not worse. It's funny - portsentry has been around for
years longer than chkrootkit or rkhunter, and is well known for causing false
alarms in either, yet the crappy program authors STILL haven't discovered
this fact and at least mentioned it in their "documentation".

>What's going on here?


You have two poorly designed tools running, neither of which should
be needed on a properly maintained/configured Linux box.

Old guy
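Two points from the thread so far can be checked mechanically: whether the posted portsentry.ignore actually covers the 127.0.1.1 alias that the attackalert lines name, and what the KILL_ROUTE/KILL_HOSTS_DENY reaction would do to a spoofed decoy address from an nmap -D scan. The script below is an added example in Python, not code from the thread or from portsentry. It assumes portsentry.ignore entries are bare addresses or a.b.c.d/nn networks (the posted file uses both), and the gateway address 192.168.1.1 is a hypothetical stand-in for the "gateway, DNS servers" Moe Trin mentions.

```python
"""Triage portsentry attackalert lines against the ignore list.

Added example: not the thread's own code and not portsentry's. Assumes
portsentry.ignore holds bare addresses or a.b.c.d/nn networks (the posted
file uses both); the gateway address below is a hypothetical stand-in.
"""
import ipaddress
import re

# Constructed sample: the three log lines quoted in the original post.
SAMPLE_LOG = """\
Oct 7 13:35:14 debian portsentry[5287]: attackalert: Host: 127.0.1.1 is already blocked. Ignoring
Oct 7 13:39:30 debian portsentry[5287]: attackalert: Connect from host: 127.0.1.1/127.0.1.1 to TCP port: 513
Oct 7 13:39:30 debian portsentry[5287]: attackalert: Host: 127.0.1.1 is already blocked. Ignoring
"""

# The posted portsentry.ignore and port lists, verbatim.
POSTED_IGNORE = ["127.0.0.1/32", "0.0.0.0", "192.168.1.2", "127.0.0.1"]
TCP_PORTS = {int(p) for p in (
    "1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,"
    "1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,"
    "30303,32771,32772,32773,32774,31337,40421,40425,49724,54320").split(",")}
UDP_PORTS = {int(p) for p in (
    "1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,"
    "32773,32774,31337,54321").split(",")}

# Hypothetical address an attacker could name as an nmap -D decoy (assumed).
GATEWAY = "192.168.1.1"

CONNECT_RE = re.compile(
    r"attackalert: Connect from host: (?P<name>\S+)/(?P<ip>\S+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)")


def parse_ignore(entries):
    """Ignore-file entries as networks; a bare address becomes a /32."""
    return [ipaddress.ip_network(s, strict=False)
            for s in (e.strip() for e in entries)
            if s and not s.startswith("#")]


def is_ignored(ip, networks):
    """True if portsentry would skip this source because of the ignore file."""
    return any(ipaddress.ip_address(ip) in net for net in networks)


def triage(log_text, ignore_entries, own_tcp=TCP_PORTS, own_udp=UDP_PORTS):
    """One finding per 'Connect from host' line, flagged for the usual causes."""
    nets = parse_ignore(ignore_entries)
    own = {"TCP": own_tcp, "UDP": own_udp}
    findings = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue  # 'already blocked' lines carry no new source/port
        ip, proto, port = m["ip"], m["proto"], int(m["port"])
        findings.append({
            "ip": ip, "proto": proto, "port": port,
            "ignored": is_ignored(ip, nets),
            # 127/8 is this host: a "scan" from there is local traffic
            "loopback": ipaddress.ip_address(ip).is_loopback,
            # the port is one portsentry itself binds, so a local connect
            # to the box's own name (127.0.1.1 in /etc/hosts) lands here
            "own_listener": port in own[proto],
        })
    return findings


def would_block(ip, ignore_entries):
    """What KILL_ROUTE/KILL_HOSTS_DENY would do to a source that trips a port."""
    return not is_ignored(ip, parse_ignore(ignore_entries))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, POSTED_IGNORE):
        print(f)
    print("127.0.1.1 ignored with posted file:",
          is_ignored("127.0.1.1", parse_ignore(POSTED_IGNORE)))
    print("127.0.1.1 ignored with 127.0.0.0/8:",
          is_ignored("127.0.1.1", parse_ignore(POSTED_IGNORE + ["127.0.0.0/8"])))
    print("gateway decoy would be blocked:", would_block(GATEWAY, POSTED_IGNORE))
```

Run against the posted log and ignore file, the single "Connect from host" finding comes back with loopback and own_listener set and ignored unset: the ignore file covers 127.0.0.1/32 only, so the box's own alias 127.0.1.1 is treated as an attacker, which is what the repeated hosts.deny lines record. An ignore entry of 127.0.0.0/8 makes is_ignored return True for it, and the same would_block check shows that a decoy address is blocked unless the gateway and resolvers are listed in portsentry.ignore as well.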
 

Olaf Petzold, 10-08-2006, 08:47 AM

>> Oct 7 13:35:14 debian portsentry[5287]: attackalert: Host: 127.0.1.1 is
>> already blocked. Ignoring
>> Oct 7 13:39:30 debian portsentry[5287]: attackalert: Connect from host:
>> 127.0.1.1/127.0.1.1 to TCP port: 513
>> Oct 7 13:39:30 debian portsentry[5287]: attackalert: Host: 127.0.1.1 is
>> already blocked. Ignoring

>
> [compton ~]$ grep 513 /etc/services
> login 513/tcp # BSD rlogind(8)
> who 513/udp whod # BSD rwhod(8)
> [compton ~]$
>
> So find out why you have something trying to rlogin FROM YOUR SYSTEM. You've
> got _something_ misconfigured - most probably portsentry.


Yep, this was confusing me too, no rlogind was/is running.
$ ps aux|grep login
root 693 0.0 0.0 3740 740 pts/3 S+ 10:34 0:00 grep login

>> following a debian specific thread, 127.0.1.1 seems to be ok for host's
>> name name resolution:
>>
>> $ cat /etc/hosts
>> 127.0.0.1 localhost
>> 127.0.1.1 debian.home.net debian

>
> Technically, there should only be one line for '127.0.0.1' - you could put
> all of those hostnames on the same line OR change the second line to 127.0.0.2
> which is the same host (_everyone_ on 127.0.0.0/8 is "you").


I was following
http://www.debian.org/doc/manuals/re...html#s-net-dns,
but I'm not deep into network configuration.

>> Yes, stupid name for a linux box :-) It's debian etch running

>
> [compton ~]$ Whois home.net
> whois.moniker.com
>
> [...]
>
> Domain Name: HOME.NET
> Registrant [4031]:
> DomainSystems Escrow Account
> 20 SW 27 Avenue
> Suite 201
> Pompano Beach
> FL
> 33069
> US
> [...]
> [compton ~]$ host home.net
> home.net has address 206.207.85.33
> [compton ~]$
>
> Please don't grab domain names out of thin air.


Oops, I have to change it.

>> KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

>
> Gotta love it. Tell me what's going to happen when some jerk out on the
> net nmap's the snot out of your box, using the -D option and the IP
> addresses to that option being your gateway, your DNS servers...


Denial of Service?

[...]
> You have two poorly designed tools running, neither of which should
> be needed on a properly maintained/configured Linux box.


removed.

Thanks
Olaf
 

Stephane CHAZELAS, 10-08-2006, 09:00 AM

2006-10-08, 10:47(+02), Olaf Petzold:
>>> Oct 7 13:35:14 debian portsentry[5287]: attackalert: Host: 127.0.1.1 is
>>> already blocked. Ignoring
>>> Oct 7 13:39:30 debian portsentry[5287]: attackalert: Connect from host:
>>> 127.0.1.1/127.0.1.1 to TCP port: 513
>>> Oct 7 13:39:30 debian portsentry[5287]: attackalert: Host: 127.0.1.1 is
>>> already blocked. Ignoring

>>
>> [compton ~]$ grep 513 /etc/services
>> login 513/tcp # BSD rlogind(8)
>> who 513/udp whod # BSD rwhod(8)
>> [compton ~]$
>>
>> So find out why you have something trying to rlogin FROM YOUR SYSTEM. You've
>> got _something_ misconfigured - most probably portsentry.

>
> Yep, this was confusing me too, no rlogind was/is running.
> $ ps aux|grep login
> root 693 0.0 0.0 3740 740 pts/3 S+ 10:34 0:00 grep login


the rlogin service is generally run by inetd/xinetd.

You can find out what listening TCP sockets there are and
what programs are listening (for which you need superuser
privileges) with:

$ sudo lsof -i tcp:login
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
inetd 3828 root 8u IPv4 10735 TCP *:login (LISTEN)
$ sudo netstat -tlp | grep :login
tcp 0 0 *:login *:* LISTEN 3828/inetd
$ sudo ss -tpl src :login
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 *:login *:* users("inetd",3828,8))

--
Stéphane
 

Stephane CHAZELAS, 10-08-2006, 09:09 AM

2006-10-8, 10:00(+01), Stephane CHAZELAS:
[....]
>> Yep, this was confusing me too, no rlogind was/is running.
>> $ ps aux|grep login
>> root 693 0.0 0.0 3740 740 pts/3 S+ 10:34 0:00 grep login

>
> the rlogin service is generally run by inetd/xinetd.


What I mean is that it's inetd that is listening for rlogin
connections. Of course, when there's an incoming one inetd
starts rlogind which does the stuff.

It's rlogind that performs the service, but no rlogind running
doesn't mean the service is not available, you need to look at
listening sockets to see whether the service is /potentially/
available (inetd could be listening on the login port and start
/bin/false instead of rlogind, so a socket listening on "login"
doesn't guarantee the service is available either).

--
Stéphane
 

Moe Trin, 10-08-2006, 08:01 PM

On Sun, 08 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <egadr0$onf$(E-Mail Removed)>, Olaf Petzold wrote:

>Yep, this was confusing me too, no rlogind was/is running.
>$ ps aux|grep login
>root 693 0.0 0.0 3740 740 pts/3 S+ 10:34 0:00 grep login


As Stephane points out, rlogind is normally run out of the super-server
(inetd or xinetd), but you correctly used 'netstat' to identify the
actual program using the port.

>> Technically, there should only be one line for '127.0.0.1' - you could put
>> all of those hostnames on the same line OR change the second line to
>> 127.0.0.2 which is the same host (_everyone_ on 127.0.0.0/8 is "you").

>
>following
>http://www.debian.org/doc/manuals/re...html#s-net-dns,


That document isn't perfect, but not all Linux, never mind all operating
systems allow multiple definitions in /etc/hosts. The least controversial
setting is that _a_name_ or _an_IP_address should appear once in the
/etc/hosts file. This also avoids confusion.

>> Please don't grab domain names out of thin air.

>
>Oops, I've to change it


Many people choose names, and fail to think that the name may have been
registered and in use. If you have not registered a domain name (really
not needed for a home network), you should choose a name that you are
sure will never be valid - RFC2606 gives a number of suggestions.

>> Gotta love it. Tell me what's going to happen when some jerk out on the
>> net nmap's the snot out of your box, using the -D option and the IP
>> addresses to that option being your gateway, your DNS servers...

>
>Denial of Service?


Absolutely. If you feel that portsentry is useful, you should set it to
block an "attacking" address for a few minutes, rather than "permanently".
Also be aware that only those applications that have been compiled with
libwrap, or are run via tcp_wrappers, even look at /etc/hosts.deny, and
those applications ONLY do so if they are not listed in /etc/hosts.allow.
The "sensible" way of using tcp_wrappers is to allow services and addresses
in /etc/hosts.allow, and set just one line in /etc/hosts.deny - "ALL: ALL".
Just remember that this only works for a limited number of applications.
This stuff is mentioned in the hosts_access(5) man page.

Old guy
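The evaluation order described in the reply above (hosts.allow first, then hosts.deny, then default allow) is easy to get wrong when reading a box like Olaf's, so here it is as an added example in Python. This is not code from the thread and not libwrap; it models only the rule order, the client patterns ALL, exact address, trailing-dot prefix and net/mask, and the allow/deny option in the third field from hosts_options(5). Hostname patterns, EXCEPT lists and shell commands are left out, and the sshd/192.168.1.0 rules used to illustrate the recommended layout are assumed, not from the post.

```python
"""Model of tcp_wrappers access decisions, as described in hosts_access(5).

Added example: not the thread's code and not libwrap. It models the rule
order only (hosts.allow first, then hosts.deny, then default allow), the
client patterns ALL, exact address, trailing-dot prefix and net/mask, and
the allow/deny option in the third field (hosts_options(5)). Hostname
patterns, EXCEPT lists and shell commands are left out. The sshd and
192.168.1.0 sample rules are assumed, not taken from the post.
"""
import ipaddress

# The posted hosts.deny: the same line written seven times by portsentry.
POSTED_HOSTS_DENY = "ALL: 127.0.1.1 : DENY\n" * 7

# The layout recommended in the reply above, with an assumed daemon/network.
RECOMMENDED_ALLOW = "sshd: 192.168.1.0/255.255.255.0\n"
RECOMMENDED_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Rules as (daemon patterns, client patterns, option-or-None)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in parts[0].split(",")]
        clients = [c.strip() for c in parts[1].split(",")]
        option = parts[2].lower() if len(parts) > 2 and parts[2] else None
        rules.append((daemons, clients, option))
    return rules


def dedupe(text):
    """Collapse repeated rule lines, keeping first-seen order."""
    seen, out = set(), []
    for line in text.splitlines():
        if line.strip() and line not in seen:
            seen.add(line)
            out.append(line)
    return "\n".join(out) + "\n"


def client_matches(pattern, ip):
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "192.168.1." style prefix
        return ip.startswith(pattern)
    if "/" in pattern:                        # net/mask or net/prefixlen
        return addr in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern                      # exact address


def first_match(rules, daemon, ip):
    """(matched?, option) for the first rule matching the daemon/client pair."""
    for daemons, clients, option in rules:
        if (any(d == "ALL" or d == daemon for d in daemons)
                and any(client_matches(c, ip) for c in clients)):
            return True, option
    return False, None


def hosts_access(daemon, ip, allow_text, deny_text):
    """True if the (daemon, client) pair would be granted access."""
    matched, option = first_match(parse_rules(allow_text), daemon, ip)
    if matched:
        return option != "deny"     # hosts.allow grants unless the line says deny
    matched, option = first_match(parse_rules(deny_text), daemon, ip)
    if matched:
        return option == "allow"    # hosts.deny refuses unless the line says allow
    return True                     # nothing matched anywhere: access granted


if __name__ == "__main__":
    print("posted deny, 127.0.1.1 ->", hosts_access("sshd", "127.0.1.1", "", POSTED_HOSTS_DENY))
    print("posted deny, 127.0.0.1 ->", hosts_access("sshd", "127.0.0.1", "", POSTED_HOSTS_DENY))
    print("deduped:", dedupe(POSTED_HOSTS_DENY).strip())
    print("recommended, sshd from LAN ->",
          hosts_access("sshd", "192.168.1.5", RECOMMENDED_ALLOW, RECOMMENDED_DENY))
    print("recommended, in.ftpd from LAN ->",
          hosts_access("in.ftpd", "192.168.1.5", RECOMMENDED_ALLOW, RECOMMENDED_DENY))
```

With the posted file, 127.0.1.1 is refused for every wrapped daemon and everything else is allowed by default, and the six duplicate lines change nothing because only the first match counts. With the "ALL: ALL" layout, only the pairs listed in hosts.allow get through. Either way the decision applies only to programs linked against libwrap or started through tcpd, as the reply notes.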
 

Moe Trin, 10-08-2006, 08:02 PM

On Sun, 8 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed)> , Stephane CHAZELAS wrote:

>It's rlogind that performs the service, but no rlogind running
>doesn't mean the service is not available, you need to look at
>listening sockets to see whether the service is /potentially/
>available (inetd could be listening on the login port and start
>/bin/false instead of rlogind, so a socket listening on "login"
>doesn't guarantee the service is available either).


inetd/xinetd listen only on the ports they have been told to listen
on, which includes "internal" services. The simple solution is to
not enable them if they are not desired. For the old 'inetd'

[spirit ~]$ grep -v '^#' /etc/inetd.conf
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
[spirit ~]$

For the more modern xinetd, the key is the 'disable=' line in the
individual service file

[compton ~]$ grep disable /etc/xinetd.d/* | grep -v yes
/etc/xinetd.d/rsync: disable = no
[compton ~]$

Old guy
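The two greps above are the whole check; the script below is an added example in Python, not the thread's code and not part of inetd or xinetd, that applies the same check to file contents and is worth having when there are many xinetd.d files. An inetd.conf line is live unless commented out, and an xinetd.d service is live unless its block says disable = yes (xinetd's default for a missing disable line is no). The xinetd defaults block and include directives are not modelled, and all file contents are constructed samples: the "login" line is there to show that a service can be reachable with no rlogind process in the process list, as Stephane explained.

```python
"""Report services a super-server would actually accept connections for.

Added example: not the thread's code, not inetd or xinetd. An inetd.conf
line is live unless commented out; an xinetd.d service is live unless its
block says 'disable = yes' (xinetd's default for a missing disable line is
'no'). The xinetd 'defaults' block and include directives are not modelled.
All file contents below are constructed samples.
"""
import re

SAMPLE_INETD_CONF = """\
# /etc/inetd.conf: see inetd(8) for further informations.
#:STANDARD: These are standard services.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#:INTERNAL: Internal services
#echo   stream  tcp     nowait  root    internal
"""

SAMPLE_XINETD_D = {
    "rsync": """\
service rsync
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
}
""",
    "telnet": """\
service telnet
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
}
""",
    "chargen": """\
service chargen
{
        type            = INTERNAL
        id              = chargen-stream
        socket_type     = stream
        wait            = no
}
""",
}

INETD_FIELDS = ("service", "socket_type", "proto", "wait", "user", "server", "args")


def inetd_enabled(text):
    """Active inetd.conf entries as dicts keyed by INETD_FIELDS."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # comments and blanks are inert
        fields = line.split(None, 6)          # args keep their internal spaces
        if len(fields) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        fields += [""] * (7 - len(fields))    # internal services have no args
        entries.append(dict(zip(INETD_FIELDS, fields)))
    return entries


_SERVICE_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
_DISABLE_RE = re.compile(r"^\s*disable\s*=\s*(\S+)", re.M)


def xinetd_enabled(files):
    """Names of services whose xinetd.d block does not say 'disable = yes'."""
    live = []
    for _name, text in sorted(files.items()):
        for m in _SERVICE_RE.finditer(text):
            svc, body = m.group(1), m.group(2)
            d = _DISABLE_RE.search(body)
            if d is None or d.group(1).lower() != "yes":
                live.append(svc)
    return live


if __name__ == "__main__":
    for e in inetd_enabled(SAMPLE_INETD_CONF):
        print("inetd :", e["service"], e["proto"], e["server"], e["args"])
    print("xinetd:", ", ".join(xinetd_enabled(SAMPLE_XINETD_D)))
```

The point of the missing-disable-line rule is that a service file dropped into /etc/xinetd.d with no disable line at all is active, which a grep for "disable" on its own will not show.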
 

Olaf Petzold, 10-10-2006, 09:05 AM

> Many people choose names, and fail to think that the name may have been
> registered and in use. If you have not registered a domain name (really
> not needed for a home network), you should choose a name that you are
> sure will never be valid - RFC2606 gives a number of suggestions.


So, e.g. debian.localhost.net conforms to RFC2606, did I understand the
RFC right?

Thanks for all comments/help!
Olaf
 

Stephane CHAZELAS, 10-10-2006, 11:12 AM

2006-10-10, 11:05(+02), Olaf Petzold:
>> Many people choose names, and fail to think that the name may have been
>> registered and in use. If you have not registered a domain name (really
>> not needed for a home network), you should choose a name that you are
>> sure will never be valid - RFC2606 gives a number of suggestions.

>
> So, e.g. debian.localhost.net is conform to RFC2606, did I right
> understood the RFC?

[...]

No, but debian.localhost would be.

Domain Name: LOCALHOST.NET
Registrar: GO DADDY SOFTWARE, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS3.DREAMHOST.COM
Name Server: NS2.DREAMHOST.COM
Name Server: NS1.DREAMHOST.COM
Status: ACTIVE
EPP Status: ok
Updated Date: 08-Sep-2006
Creation Date: 11-Jun-1996
Expiration Date: 10-Jun-2007

--
Stéphane
 