dutchie
04-11-2002, 11:00 AM
A customer of mine was blocked by portsentry because of a scan on port 443 (just the SSL to the control panel!).
I removed his IP from
/usr/local/psionic/portsentry/portsentry.blocked.atcp
/usr/local/psionic/portsentry/portsentry.blocked.udp
and even added his IP to the ignore file.
But still he is not able to access the RaQ or even the website (or any other on that server).
I rebooted the server just to be sure, but still no luck.
Is there some other place where his IP is dropped?
Any other suggestions?
THANKS !
Mxhub
04-11-2002, 09:03 PM
Hi,
Solution
To completely remove your client's IP,
Pico the following files and remove any IP matching your client's IP.
/usr/local/psionic/portsentry/portsentry.history
/usr/local/psionic/portsentry/portsentry.blocked.atcp
/usr/local/psionic/portsentry/portsentry.blocked.udp
/etc/hosts.deny
After doing all these,
Restart inet,
Do "/etc/rc.d/init.d/inet restart"
Hopefully, your client should be able to access his site after 24 hours.
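The cleanup Mxhub lists, as a script, with the one place the thread does not name. This is an added example, not code from the thread or from PortSentry itself. Background it relies on: PortSentry 1.x blocks a host in two ways. KILL_HOSTS_DENY appends a line of the form `ALL: <ip>` to /etc/hosts.deny (tcp_wrappers reads that file on every connection attempt, so there is no 24-hour delay once the line is gone), and KILL_ROUTE runs a command that puts a reject route or an ipchains rule into the kernel. The kernel part disappears on reboot; the hosts.deny line does not, which is why it is the file to check when a reboot did not help. The file paths are the ones quoted in the thread, the sample contents and IP addresses are constructed, and the two kernel commands are the inverses of the Linux KILL_ROUTE defaults in PortSentry's sample portsentry.conf; a Cobalt RaQ build may ship a different one, so check your own conf before running them.

```shell
#!/bin/sh
# Added example, not code from the thread or from PortSentry.
# Removes one client IP from every file PortSentry 1.x writes when it blocks a host,
# and prints the kernel-side commands that undo KILL_ROUTE.

# Delete every line of file $1 that contains $2 as a whole dotted quad.
# Returns 0 if at least one line went away, 1 if the file is missing or nothing matched.
strip_ip_from_file() {
    file=$1
    [ -f "$file" ] || return 1
    # Escape the dots so 192.0.2.10 cannot also match 192.0.2.100 or 192x0x2x10.
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    before=$(wc -l < "$file" | tr -d ' ')
    tmp="$file.tmp.$$"
    # grep exits 1 when every line is removed; for us that is still success.
    grep -v -E "(^|[^0-9])$pat([^0-9]|$)" "$file" > "$tmp" || true
    cat "$tmp" > "$file"          # overwrite in place, keeping owner and mode
    rm -f "$tmp"
    after=$(wc -l < "$file" | tr -d ' ')
    [ "$after" -lt "$before" ]
}

# Remove IP $1 from PortSentry's state files in directory $2 and from the hosts.deny
# at $3 (defaults are the paths quoted in the thread). Prints how many files changed.
unblock_ip() {
    psdir=${2:-/usr/local/psionic/portsentry}
    deny=${3:-/etc/hosts.deny}
    removed=0
    for f in "$psdir/portsentry.history" \
             "$psdir/portsentry.blocked.tcp"  "$psdir/portsentry.blocked.udp" \
             "$psdir/portsentry.blocked.atcp" "$psdir/portsentry.blocked.audp" \
             "$deny"; do
        if strip_ip_from_file "$f" "$1"; then
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Inverses of two Linux KILL_ROUTE lines from PortSentry's sample conf (assumption:
# your conf uses one of them). Printed, not executed: they need root and a live kernel,
# and they are only needed if the box has not been rebooted since the block.
kernel_cleanup_commands() {
    echo "/sbin/route del -host $1 reject"
    echo "/sbin/ipchains -D input -s $1 -j DENY -l"
}

# Constructed sample state in the shape of PortSentry's files; not from a real system.
make_demo_files() {
    cat > "$1/portsentry.history" <<'EOF'
1018515600 - 04/11/2002 11:00:00 Host: 192.0.2.10/192.0.2.10 Port: 443 TCP Blocked
1018515700 - 04/11/2002 11:01:40 Host: 192.0.2.100/192.0.2.100 Port: 111 TCP Blocked
EOF
    cat > "$1/portsentry.blocked.atcp" <<'EOF'
Host: 192.0.2.10/192.0.2.10 Port: 443 TCP Blocked
Host: 192.0.2.100/192.0.2.100 Port: 111 TCP Blocked
EOF
    cat > "$1/portsentry.blocked.udp" <<'EOF'
Host: 203.0.113.7/203.0.113.7 Port: 161 UDP Blocked
EOF
    cat > "$1/hosts.deny" <<'EOF'
# constructed sample; entries come from KILL_HOSTS_DENY="ALL: $TARGET$"
ALL: 192.0.2.10
ALL: 192.0.2.100
ALL: 203.0.113.7 : DENY
EOF
}

# Stand-alone demo on a throwaway copy: unblock 192.0.2.10 but leave 192.0.2.100 alone.
demo=$(mktemp -d)
make_demo_files "$demo"
echo "files changed: $(unblock_ip 192.0.2.10 "$demo" "$demo/hosts.deny")"
echo "--- hosts.deny after ---"
cat "$demo/hosts.deny"
echo "--- kernel side, as root, only if not rebooted since the block ---"
kernel_cleanup_commands 192.0.2.10
rm -rf "$demo"
```

Run it as root against the real paths with `unblock_ip <ip>` after sourcing the functions, then re-test the client's connection straight away; a restart of inet is not needed for the hosts.deny change to take effect. The whole-quad match matters: a plain `grep -v 192.0.2.10` would also throw away the entry for 192.0.2.100 and unblock a host you meant to keep blocked.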
dutchie
04-12-2002, 06:21 AM
Why does it take 24 hrs?
And here's another one I never heard of before:
Forbidden
You were denied access because:
Access denied by access control list.
It's from someone who tries to access his siteadmin, which is secured by SSL.
Mxhub
04-12-2002, 06:26 AM
Hi,
Because I don't think the client can instantly access the server right away after the IP has been removed. It definitely needs some time to let the server do some update or some soft.
dutchie
04-12-2002, 06:48 AM
Weird, I thought I disabled scanning on port 443, because all IPs get blocked there, and my users need it.
In portsentry.conf i find however:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
So no 443.
Did I misunderstand the section in the .conf file? Are these ports that are excluded from scanning rather than the ports that ARE scanned?
Under "Advanced Stealth scan detect options" i find:
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
Should I add 443 to it?
I also find something about a hosts.deny file, which I indeed find in /etc.
There's a list of IPs in there, and on top of it is my own server IP.
Can anyone tell me what that file is about?
Thanks !!!
dutchie
04-17-2002, 09:23 AM
Don't try too hard.
Sorry, I have no idea what you mean.
Does anyone know how I uninstall portsentry? It keeps blocking some users although I removed their IPs from the mentioned files, and since I have a firewall installed I don't think I really need it anyway.
Thanks in advance.
StevenG
04-23-2002, 08:18 AM
You should set port sentry so that it does not drop the IP scanning immediately - you don't want to uninstall it.
Be very careful: if you scan the box yourself, you will find yourself locked out until you get onto another IP.
Find this section of /etc/portsentry/portsentry.conf
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP="0"
BLOCK_TCP="0"
Set it like that and you will solve the problem - portsentry will still block but not drop the scanning IP.
Don't forget to restart portsentry to apply the change.
Hope that helps.