Package: psad
Version: 1.4.2-1
Severity: important

I really like the new psad, especially the new psad -S report:

  Iptables auto-blocked IPs:
    9.30.58.125 (7066 seconds remaining):
      PSAD_BLOCK_INPUT(DROP)
      PSAD_BLOCK_FORWARD(DROP)
After seeing a plethora of syslog entries like:

  psad: added iptables auto-block against 9.30.58.125 for 7200 seconds
  ...
  psad: could not add iptables block rule for: 9.30.58.125

I began to wonder if psad was indeed working... so I stopped it and reloaded the firewall to its clean state and started psad again. During startup I see the more expected logs:

  psad: renewed iptables auto-block against 9.30.58.197 for 7200 seconds
  ...
  psad: block rule for ip: 9.30.58.197 already exists
  psad: block rule for ip: 9.30.58.197 already exists
  ...
  psad: imported 184 scanning IP addresses from previous psad run

So it seems the test for existence is not being done all the time ?!?

But, more worrying is what showed up on the terminal doing the psad start:

  # /etc/init.d/psad start
  Starting Port Scan Attack Detector and associated daemons: psad.
  bandit-hall:~# Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4579.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4579.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4579.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4579.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4579.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4579.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4584.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4584.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4584.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4579.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4579.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4579.
  Use of uninitialized value in concatenation (.) or string at /usr/sbin/psad line 4579.
  4579: push @lines, "$tmpsrc " . $auto_blocked_ips{$tmpsrc}{'time'};
  4584: push @lines, "$src " . $auto_blocked_ips{$src}{'time'};

And in the loop governing both lines:

  if ($line =~ /^\s*(\S+)\s*$/) {
      ### old format; update to include time

Which makes me think the odd messages seen earlier are in fact likely caused by this loop - both at startup and during subsequent IP blocks. This also probably explains why I occasionally get a whole blast of block messages for the same IP, when I used to get only a few before the autoblock went into effect.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages psad depends on:
ii  ipchains                  1.3.10-15   Network firewalling for Linux 2.2.
ii  iptables                  1.3.1-2     Linux kernel 2.4+ iptables adminis
ii  libc6                     2.3.5-1     GNU C Library: Shared libraries an
ii  libcarp-clan-perl         5.3-3       Perl enhancement to Carp error log
ii  libdate-calc-perl         5.4-3       Perl library for accessing dates
ii  libnetwork-ipv4addr-perl  0.10-1.1    The Net::IPv4Addr perl module API
ii  libunix-syslog-perl       0.100-4     Perl interface to the UNIX syslog(
ii  perl                      5.8.7-4     Larry Wall's Practical Extraction
ii  psmisc                    21.6-1      Utilities that use the proc filesy
ii  sysklogd [syslogd]        1.4.1-17    System Logging Daemon
ii  whois                     4.7.5       the GNU whois client

Versions of packages psad recommends:
ii  bastille                  1:2.1.1-11  Security hardening tool

-- no debconf information
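The defect the report points at is a state file written by an older psad in a one-column format ("IP") being read back by code that expects two columns ("IP epoch"), so the 'time' slot is undef when it is concatenated. The following is an added example, not psad's own code, showing one way to read such a mixed-format file defensively: it assigns a defined timestamp to old-format entries, exposes the remaining block time as a value the caller must test rather than concatenate, and writes the file back in the two-column format only. The file format, the 7200-second timeout and the sample lines are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not psad's own code): parse an auto-block state file
# that may mix the old one-column format ("IP") with the newer
# two-column format ("IP <epoch>"), so that a missing timestamp never
# reaches string concatenation as undef.
use strict;
use warnings;

my $BLOCK_TIMEOUT = 7200;   # seconds; matches the 7200 s blocks in the report

# Constructed sample of a state file mixing both formats (not real data).
my @state_lines = (
    "9.30.58.125 1120000000",   # new format: ip + epoch when block was added
    "9.30.58.197",              # old format: no timestamp at all
    "   ",                      # blank line, should be skipped
);

# parse_auto_block_file(\@lines, $now) -> hashref { ip => { time => epoch } }
# An old-format line receives $now as its block time (assumption: treat it
# as freshly blocked instead of carrying an undefined value forward).
sub parse_auto_block_file {
    my ($lines, $now) = @_;
    my %blocked;
    for my $line (@$lines) {
        if ($line =~ /^\s*(\S+)\s+(\d+)\s*$/) {      # new format
            $blocked{$1}{'time'} = $2;
        } elsif ($line =~ /^\s*(\S+)\s*$/) {         # old format
            $blocked{$1}{'time'} = $now;
        }
        # anything else (blank or malformed) is ignored
    }
    return \%blocked;
}

# remaining_seconds(\%blocked, $ip, $now) -> seconds left, or undef when the
# ip is not in the table; callers check definedness before printing.
sub remaining_seconds {
    my ($blocked, $ip, $now) = @_;
    return undef unless exists $blocked->{$ip};
    my $left = $blocked->{$ip}{'time'} + $BLOCK_TIMEOUT - $now;
    return $left > 0 ? $left : 0;
}

my $now     = 1120000134;
my $blocked = parse_auto_block_file(\@state_lines, $now);
for my $ip (sort keys %$blocked) {
    my $left = remaining_seconds($blocked, $ip, $now);
    print "$ip ($left seconds remaining)\n" if defined $left;
}
# Writing the table back always emits the two-column format, so the old
# format disappears after one run instead of resurfacing at every start.
print "$_ $blocked->{$_}{'time'}\n" for sort keys %$blocked;
```

Run under `perl -w`; with the constructed input it emits no "uninitialized value" warnings because every entry has a defined 'time' before any concatenation happens.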