Package: psad
Version: 1.4.2-1
Severity: important
I really like the new psad, especially the new psad -S report:
Iptables auto-blocked IPs:
9.30.58.125 (7066 seconds remaining):
PSAD_BLOCK_INPUT(DROP)
PSAD_BLOCK_FORWARD(DROP)
After seeing a plethora of syslog entries like:
psad: added iptables auto-block against 9.30.58.125 for 7200 seconds
...
psad: could not add iptables block rule for: 9.30.58.125
I began to wonder if psad was indeed working... so I stopped it and
reloaded the firewall to its clean state and started psad again.
During startup I see the more expected logs:
psad: renewed iptables auto-block against 9.30.58.197 for 7200 seconds
...
psad: block rule for ip: 9.30.58.197 already exists
psad: block rule for ip: 9.30.58.197 already exists
...
psad: imported 184 scanning IP addresses from previous psad run
So it seems the test for existence is not being done all the time?!?
But, more worrying is what showed up on the terminal doing the psad start:
# /etc/init.d/psad start
Starting Port Scan Attack Detector and associated daemons: psad.
bandit-hall:~# Use of uninitialized value in concatenation (.) or string
at /usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4584.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4584.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4584.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/psad line 4579.
4579:
push @lines, "$tmpsrc " . $auto_blocked_ips{$tmpsrc}{'time'};
4584:
push @lines, "$src " . $auto_blocked_ips{$src}{'time'};
And in the loop governing both lines:
if ($line =~ /^\s*(\S+)\s*$/) { ### old format; update to include time
Which makes me think the odd messages seen earlier are in fact likely caused
by this loop, both at startup and during subsequent IP blocks.
This also probably explains why I occasionally get a whole blast of
block messages for the same IP, when I used to get only a few before
the autoblock went into effect.
-- System Information:
Debian Release: testing/unstable
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'),
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages psad depends on:
ii ipchains 1.3.10-15 Network firewalling for Linux 2.2.
ii iptables 1.3.1-2 Linux kernel 2.4+ iptables adminis
ii libc6 2.3.5-1 GNU C Library: Shared libraries an
ii libcarp-clan-perl 5.3-3 Perl enhancement to Carp error log
ii libdate-calc-perl 5.4-3 Perl library for accessing dates
ii libnetwork-ipv4addr-perl 0.10-1.1 The Net::IPv4Addr perl module API
ii libunix-syslog-perl 0.100-4 Perl interface to the UNIX syslog(
ii perl 5.8.7-4 Larry Wall's Practical Extraction
ii psmisc 21.6-1 Utilities that use the proc filesy
ii sysklogd [syslogd] 1.4.1-17 System Logging Daemon
ii whois 4.7.5 the GNU whois client
Versions of packages psad recommends:
ii bastille 1:2.1.1-11 Security hardening tool
-- no debconf information
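The warnings quoted above come from concatenating `$auto_blocked_ips{...}{'time'}` for entries read from the old, time-less auto-block file format. The following is an added illustration, not psad's own code and not part of the bug report: it parses a mixed-format block file (constructed sample lines), assigns an expiry to old-format entries instead of leaving `time` undefined, skips entries whose IP is already present, and refuses to write out an entry without an expiry. The function names, the sample lines and the `$default_timeout` value (taken from the 7200-second timeout shown in the syslog lines above) are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not psad's own code): tolerate both auto-block file formats
# without producing "Use of uninitialized value" warnings.
use strict;
use warnings;

# Constructed sample of an auto-block state file that mixes the old
# format ("IP" only) with the new format ("IP <expiry epoch>").
my @sample_lines = (
    "9.30.58.125 1234567890",   # new format: IP plus expiry time
    "9.30.58.197",              # old format: IP only, no time recorded
    "",                         # blank line, should be ignored
    "9.30.58.125 1234567890",   # duplicate of the first entry
);

# Assumed default block length in seconds (matches the 7200 in the report).
my $default_timeout = 7200;

# Parse lines into %auto_blocked_ips keyed by IP; 'time' is always defined.
sub parse_auto_block_lines {
    my ($now, @lines) = @_;
    my %auto_blocked_ips;
    for my $line (@lines) {
        my ($src, $time);
        if ($line =~ /^\s*(\S+)\s+(\d+)\s*$/) {
            # new format: IP followed by an absolute expiry timestamp
            ($src, $time) = ($1, $2);
        } elsif ($line =~ /^\s*(\S+)\s*$/) {
            # old format: no time on the line, so assign one now rather
            # than leaving $auto_blocked_ips{$src}{'time'} undefined
            ($src, $time) = ($1, $now + $default_timeout);
        } else {
            next;   # blank or unrecognised line
        }
        # existence check: keep the first entry for an IP, drop duplicates
        next if exists $auto_blocked_ips{$src};
        $auto_blocked_ips{$src}{'time'} = $time;
    }
    return \%auto_blocked_ips;
}

# Serialise back out in the new format; fail loudly instead of warning
# if an entry somehow still has no expiry.
sub format_auto_block_lines {
    my ($blocked) = @_;
    my @out;
    for my $src (sort keys %$blocked) {
        my $time = $blocked->{$src}{'time'};
        die "no expiry recorded for $src\n" unless defined $time;
        push @out, "$src $time";
    }
    return @out;
}

# Seconds remaining for each block relative to $now (negative means expired).
sub seconds_remaining {
    my ($blocked, $now) = @_;
    return map { $_ => $blocked->{$_}{'time'} - $now } keys %$blocked;
}

my $now     = 1234560000;   # constructed "current" epoch for the sample
my $blocked = parse_auto_block_lines($now, @sample_lines);
print "$_\n" for format_auto_block_lines($blocked);
my %left = seconds_remaining($blocked, $now);
printf "%s (%d seconds remaining)\n", $_, $left{$_} for sort keys %left;
```

Run under `perl -w`: with the sample input the duplicate 9.30.58.125 line is dropped, 9.30.58.197 gets an expiry of `$now + 7200`, and no uninitialized-value warning is emitted, because every entry carries a defined `time` before it is concatenated.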