Resolved
Hi Everyone

I've had our ClearOS Professional 6.5.0 system running for just over a week, and as I am an absolute Newbie when it comes to Linux, I'm very happy that it is running smoothly. I have picked up a lot of information from the forums and am very grateful to have a community like this to learn from, and to which I hopefully will be able to contribute in some way.

So, obviously I need a bit of advice - Snortsam is very busy and I see a lot of IPs being blocked on a daily basis and appearing in the blocked list - which is great, and tells me it is working fine, but I picked up a few errors in the Snortsam log:

1) all references to clarkpoint.com servers in the ClearOS whitelist config file return as unresolvable.
/var/log/snortsam:2014/08/24, 09:37:04, -, 1, snortsam, Error: [/etc/snortsam.d/clearcenter-whitelist.conf: 41] Invalid or unresolvable host 'antivirus1.pointclark.com'.
/var/log/snortsam:2014/08/24, 09:37:06, -, 1, snortsam, Error: [/etc/snortsam.d/clearcenter-whitelist.conf: 42] Invalid or unresolvable host 'antivirus2.pointclark.com'.
/var/log/snortsam:2014/08/24, 09:37:06, -, 1, snortsam, Error: [/etc/snortsam.d/clearcenter-whitelist.conf: 43] Invalid or unresolvable host 'antivirus3.pointclark.com'.

etc.....

2) When Snortsam attempts to release the IPs after a day of blocking it is failing, and the blocked IPs remain blocked - so the IPtables block list is just growing longer by the day, if I understand correctly.

2014/08/26, 18:34:34, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth2 -d 222.214.247.238 -j DROP Failed
2014/08/26, 18:34:34, -, 1, iptables, Info: UnBlocking ip 222.214.247.238
2014/08/26, 18:34:34, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth1 -d 222.214.247.238 -j DROP Failed

Any advice would be greatly appreciated.

Many thanks, David
Tuesday, August 26 2014, 05:43 PM
Responses (3)
  • Accepted Answer

    Sunday, January 04 2015, 06:58 PM
    Any update on this one? I have a fresh reinstall of 6.5.0 Final Community with all updates and both problems are still present:

    1. references to unresolvable pointclark.com domains

    2015/01/04, 03:22:31, -, 1, snortsam, Error: [/etc/snortsam.d/clearcenter-whitelist.conf: 55] Invalid or unresolvable host 'app3-toronto.pointclark.com'.
    2015/01/04, 03:22:31, -, 1, snortsam, Error: [/etc/snortsam.d/clearcenter-whitelist.conf: 52] Invalid or unresolvable host 'lvs2-toronto.pointclark.com'.
    2015/01/04, 03:22:31, -, 1, snortsam, Error: [/etc/snortsam.d/clearcenter-whitelist.conf: 48] Invalid or unresolvable host 'antispam4.pointclark.com'.
    2015/01/04, 03:22:31, -, 1, snortsam, Error: [/etc/snortsam.d/clearcenter-whitelist.conf: 46] Invalid or unresolvable host 'antispam2.pointclark.com'.
    2015/01/04, 03:22:31, -, 1, snortsam, Error: [/etc/snortsam.d/clearcenter-whitelist.conf: 45] Invalid or unresolvable host 'antispam1.pointclark.com'.
    ...

    2. failure when dropping blocked IP table rules

    2015/01/04, 04:30:01, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -d 218.77.79.43 -j DROP Failed
    2015/01/04, 04:30:01, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -d 218.77.79.55 -j DROP Failed
    2015/01/04, 04:30:01, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -d 61.240.144.67 -j DROP Failed
    2015/01/04, 04:30:01, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -d 61.240.144.65 -j DROP Failed
    ...

    Thanks!

    Peter
  • Accepted Answer

    Tuesday, August 26 2014, 08:16 PM
    Hi Peter

    Thanks for your reply - it looks like this:

    Chain INPUT (policy DROP 58 packets, 3820 bytes)
    pkts bytes target prot opt in out source destination
    ........

    ;
    ;
    ;

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    etc, etc ...... lots of entries I know ...

    So if I do a search for the IP it tried to unblock at 18H34...222.214.247.238

    I've now got 4 entries:

    DROP all -- 0.0.0.0/0 222.214.247.238
    DROP all -- 0.0.0.0/0 222.214.247.238
    DROP all -- 0.0.0.0/0 222.214.247.238
    DROP all -- 0.0.0.0/0 222.214.247.238

    So they are increasing because they are not being released after the blocking time, and then the IP seems to be added again.

    Thanks, David
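
The cross-check done by hand in the post above, as an added example that is not part of the original thread and not ClearOS or Snortsam code: it pulls the IPs from failed `iptables -D` lines in the snortsam log and counts the DROP rules still loaded for each in `iptables -L INPUT -n -v` output. The function names, temporary file names and sample data (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: match failed snortsam unblocks against DROP rules still loaded.

# Unique IPs from "iptables -D ... Failed" errors in a snortsam log on stdin.
failed_unblocks() {
    awk '/iptables, Error: Command[0-9]* .*iptables -D / && / Failed *$/ {
             for (i = 1; i < NF; i++)
                 if ($i == "-d" || $i == "-s") print $(i + 1)
         }' | sort -u
}

# "count ip" per blocked address from `iptables -L <chain> -n -v` on stdin.
# Columns: pkts bytes target prot opt in out source destination
drop_rule_counts() {
    awk '$3 == "DROP" && NF >= 9 {
             ip = ($8 == "0.0.0.0/0") ? $9 : $8
             n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -k2,2
}

# stale_blocks LOGFILE LISTING: failed-unblock IPs that still have DROP rules.
stale_blocks() {
    counts=$(drop_rule_counts < "$2")
    failed_unblocks < "$1" | while read -r ip; do
        n=$(printf '%s\n' "$counts" | awk -v ip="$ip" '$2 == ip { print $1 }')
        if [ -n "$n" ]; then printf '%s still has %s DROP rule(s)\n' "$ip" "$n"; fi
    done
}

# Constructed sample data (documentation addresses, not taken from the thread).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/snortsam.log" <<'EOF'
2014/08/26, 18:34:34, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth2 -d 203.0.113.7 -j DROP Failed
2014/08/26, 18:34:34, -, 1, iptables, Info: UnBlocking ip 203.0.113.7
2014/08/26, 18:34:34, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth1 -d 203.0.113.7 -j DROP Failed
2014/08/26, 18:40:02, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth2 -d 198.51.100.9 -j DROP Failed
EOF
cat > "$tmp/input.txt" <<'EOF'
Chain INPUT (policy DROP 58 packets, 3820 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP all -- eth1 * 0.0.0.0/0 203.0.113.7
    0     0 DROP all -- eth1 * 203.0.113.7 0.0.0.0/0
    0     0 DROP all -- eth2 * 0.0.0.0/0 203.0.113.7
    2   120 DROP all -- eth2 * 203.0.113.7 0.0.0.0/0
    0     0 DROP all -- eth2 * 192.0.2.44 0.0.0.0/0
EOF
stale_blocks "$tmp/snortsam.log" "$tmp/input.txt"
```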
  • Accepted Answer

    Tuesday, August 26 2014, 07:09 PM
    David Smith wrote:
    1) all references to clarkpoint.com servers in the ClearOS whitelist config file return as unresolvable.

    Those are old DNS names that should be deleted from the whitelist. It's a non-fatal error, but we'll clean those up. Here's the tracker entry.

    When Snortsam attempts to release the IPs after a day of blocking it is failing, and the blocked IPs remain blocked - so the IPtables block list is just growing longer by the day, if I understand correctly.

    Hmmm. What does the output from the following command look like:

    iptables -L INPUT -n -v