Koozali.org: home of the SME Server

SME not letting through some web sites.

Wildkow

SME not letting through some web sites.
« on: September 17, 2003, 10:12:17 PM »
Hi

My problem is that my Windoze XP clients can't get to some websites when I access them through the SME box, but they have no problem when plugged directly into my Cable Modem. No errors are returned; it just times out after a while. When I traceroute I get timeouts to almost every site, even those I can reach such as Yahoo. Have these SysAdmins shut off all replies to pings? Other times I can reach the home page of a site but not access any other pages, which makes it hard to get support from Comcast, grrrrr. 8^/
Can anyone help or point me in the right direction?

I am using SME 5.6u4 with some other contribs . . .

User Panel
Spam Assassin
Twiggi
APC UPS
Services
Dynamic Clients (none configured)
Port Opening, Forwarding, Scanning
Adv. Backup/Restore
System Monitor
Printerqueue Admin
Update System
 
I also have Snort/Acid/Guardian, ntop and nPulse installed.

Wildkow

Warren Blackbeard

Re: SME not letting through some web sites.
« Reply #1 on: September 18, 2003, 01:26:57 AM »
Hi Wildkow ,

The Snort/Acid with the Guardian contrib will update the firewall rules to block IPs of sites as per the HowTo:
Guardian is an active defense system for snort. What it does is add in an ipchains (1.0-2) or iptables (2.0-1) rule that effectively denies all traffic from the offending IP address for 24 hours. If this presents a problem for you, please DO NOT install the Guardian add-on.

check in the snort and guardian logs:

/var/log/guardian.log
/var/log/snort/alert

An email should also be sent to admin along the lines below:
The Snort-Guardian service has updated your firewall rules by blocking the following IP address: 196.31.4.9.

This IP address will be blocked for 24 hours unless the server is rebooted.

For detailed information: /var/log/guardian.log
                          /var/log/snort/alert


If this is a major problem then I think you would have to uninstall the Guardian module.

Hope it sheds some light !

Warren

wildkow

Re: SME not letting through some web sites.
« Reply #2 on: September 18, 2003, 01:27:13 PM »
Arghhhh!  Doh!!!

Ok, well thanks very much Warren; my reaction is due to the fact that it was simple common sense to suspect SAG, except I have not had this problem in the past and I have been running SAG for some months now. The logs show . . .

Thu Sep 18 00:45:41 2003: 162.115.163.100   [117:1:1] (spp_portscan2) Portscan detected from 162.115.163.100: 1 targets 21 ports in 7 seconds
Running '/bin/guardian_block.sh 162.115.163.100 eth1'

when I browse. This happens to be verizonwireless.com but is the same for other sites I try to access that suddenly start timing out. I had been successfully browsing verizonwireless.com for some time this evening before I tried to access this particular part of their site.
    http://www.verizonwireless.com/b2c/businessSolutions/smallOfficeHomeOffice/index.jsp.
 
Now it seems that when I do so the site does a port scan back at me which trips a Snort rule and Guardian blocks the offending site???  I don't know if this is common behavior for a web site or not.

Do I have a bad rule? Are Sys Admins trying to respond to the Nachia / Welchia worms? Time to start sniffing the Snort forums I guess.

TIA   Wildkow
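As an added example (not part of this thread or of the Guardian contrib), a small Python script that reads guardian.log lines in the format quoted in Reply #2, pairs each Snort alert with the guardian_block.sh call that followed it, and reports which IPs are blocked and when each 24-hour block lapses, so an admin can check whether the address of a site that suddenly times out is on Guardian's list. The log-line format is assumed from the two lines in the post, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format quoted in the thread (not real log data).
SAMPLE_LOG = """\
Thu Sep 18 00:45:41 2003: 162.115.163.100   [117:1:1] (spp_portscan2) Portscan detected from 162.115.163.100: 1 targets 21 ports in 7 seconds
Running '/bin/guardian_block.sh 162.115.163.100 eth1'
Thu Sep 18 09:12:03 2003: 10.0.0.7   [117:1:1] (spp_portscan2) Portscan detected from 10.0.0.7: 1 targets 30 ports in 5 seconds
Running '/bin/guardian_block.sh 10.0.0.7 eth1'
"""

BLOCK_TTL = timedelta(hours=24)  # Guardian's block lifetime, per the HowTo quoted in Reply #1

# Alert line, assumed format: "<ctime timestamp>: <ip>   [gid:sid:rev] <message>"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\[(?P<sid>[\d:]+)\] (?P<msg>.*)$")
# Line written when Guardian runs its firewall script for that IP
BLOCK_RE = re.compile(
    r"^Running '/bin/guardian_block\.sh (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<iface>\S+)'$")

def parse_guardian_log(text):
    """Pair each alert with the 'Running' line that follows it; return a list of
    dicts (ip, blocked_at, expires_at, alert, iface). An alert with no matching
    'Running' line is skipped, since Guardian did not block anything for it."""
    blocks, pending = [], None
    for line in text.splitlines():
        a = ALERT_RE.match(line)
        if a:
            ts = datetime.strptime(a['ts'], "%a %b %d %H:%M:%S %Y")
            pending = (ts, a['ip'], a['msg'])
            continue
        b = BLOCK_RE.match(line)
        if b and pending and b['ip'] == pending[1]:
            ts, ip, msg = pending
            blocks.append({'ip': ip, 'blocked_at': ts, 'expires_at': ts + BLOCK_TTL,
                           'alert': msg, 'iface': b['iface']})
            pending = None
    return blocks

def active_blocks(blocks, now_iso):
    """Blocks still in force at now_iso (ISO 8601 string, e.g. '2003-09-18T12:00:00')."""
    now = datetime.fromisoformat(now_iso)
    return [b for b in blocks if b['blocked_at'] <= now < b['expires_at']]

def is_blocked(ip, blocks, now_iso):
    """True if Guardian is still dropping traffic for this IP at the given time."""
    return any(b['ip'] == ip for b in active_blocks(blocks, now_iso))
```

Resolve the unreachable site's address first (for example with `host`), then pass it to `is_blocked` together with the current time; a reboot clears the iptables rules earlier than the computed expiry, as the admin email notes.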