Ubuntu 18.04.5 LTS update: psad+fwsnort rules block Canonical IP

I am trying to update and I get the following error from Synaptic:

W: Failed to get http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-5.4/linux-modules-extra-5.4.0-77-generic_5.4.0-77.86~18.04.1_amd64.deb Connection failed [IP: 2001:67c:1360:8001::23 80]

Checking my mail in mutt, I get psad crash alerts, configured with fwsnort:


Danger level: [2] (out of 5)

Scanned TCP ports: [42400: 1 packets]
        TCP flags: [ACK: 1 packets]
   iptables chain: FWSNORT_INPUT_ESTAB (prefix "[401] REJ SID1797 ESTAB"), 1 packets
     fwsnort rule: 401

           Source: 2001:067c:1360:8001:0000:0000:0000:0023
              DNS: [No reverse dns info available]

[+] TCP scan signatures:

"PORN BDSM" dst port: 42400 (no server bound to local port) flags: ACK content: "BDSM" sid: 1797 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn


And the same for IPv4:


Danger level: [2] (out of 5)

Scanned TCP ports: [51378: 1 packets]
        TCP flags: [ACK: 1 packets]
   iptables chain: FWSNORT_INPUT_ESTAB (prefix "[515] REJ SID1797 ESTAB"), 1 packets
     fwsnort rule: 515

           Source: 91.189.88.152
              DNS: [No reverse dns info available]

[+] TCP scan signatures:

"PORN BDSM" dst port: 51378 (no server bound to local port) flags: ACK content: "BDSM" sid: 1797 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn


I am trying to download the file http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-5.4/linux-modules-extra-5.4.0-77-generic_5.4.0-77.86~18.04.1_amd64.deb manually from the Brave browser, and the Malwarebytes extension blocks the download as a suspicious site. Could I be facing DNS hijacking? Or should I consider this a bug, disable psad-fwsnort, and update without risk of infecting my computer?

in flag
There is a lot of "porn" in your messages. `classtype: kickass-porn` is not a class type that I am familiar with. Rather than upgrade, scrub the partitions and start over with a fresh 20.04 or 21.04 installation.
cjfjavier:
The IPs are correct; they belong to Canonical according to a whois lookup: https://ipinfo.io/91.189.88.152
ru flag
I would torch your system and start over - unless you're running porn on your system, you should scrub your system and rebuild anew in Ubuntu. Keep in mind that you're going to get blocks if you have weird infrastructure setups. Note that a lot of browsers throw warnings when you're using http:// and not https://. However, the apt-get errors you're seeing suggest you can't connect to IPv6, so you need to force APT to use IPv4 specifically.
cjfjavier:
No pornography is run on the machine. The term `classtype: kickass-porn` refers to fwsnort rule 401, and the error occurs for both IPv6 and IPv4; that's why my query is whether this is a bug in the fwsnort rules and I should add the IP to the whitelist.
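
An added example, not part of the thread: a small Python check that ties the apt failure to the psad alerts by comparing the peer address in the apt warning with the alert sources. It normalizes the addresses first, because apt prints the IPv6 address compressed and psad prints it expanded. The input strings are copied from the post (trimmed to the lines the script reads); the function names are hypothetical.

```python
import ipaddress
import re

# Input copied from the post: the apt warning and the two psad alerts,
# trimmed to the lines this script reads.
APT_LOG = 'W: Failed to get http://archive.ubuntu.com/ubuntu/pool/main/l/linux-hwe-5.4/linux-modules-extra-5.4.0-77-generic_5.4.0-77.86~18.04.1_amd64.deb Connection failed [IP: 2001:67c:1360:8001::23 80]'
PSAD_MAIL = '''
   iptables chain: FWSNORT_INPUT_ESTAB (prefix "[401] REJ SID1797 ESTAB"), 1 packets
           Source: 2001:067c:1360:8001:0000:0000:0000:0023
   iptables chain: FWSNORT_INPUT_ESTAB (prefix "[515] REJ SID1797 ESTAB"), 1 packets
           Source: 91.189.88.152
'''

APT_RE = re.compile(r'Failed to get (\S+)\s.*\[IP: (\S+) (\d+)\]')
CHAIN_RE = re.compile(r'iptables chain: (\S+) \(prefix "\[(\d+)\] (\w+) SID(\d+) \w+"\)')
SRC_RE = re.compile(r'Source: (\S+)')


def psad_rejects(mail):
    """Map normalized source address -> (chain, fwsnort rule, action, sid)."""
    hits, current = {}, None
    for line in mail.splitlines():
        if m := CHAIN_RE.search(line):
            current = (m[1], int(m[2]), m[3], int(m[4]))
        elif (m := SRC_RE.search(line)) and current:
            # ip_address() makes 2001:067c:...:0023 and 2001:67c:...::23 compare equal
            hits[ipaddress.ip_address(m[1])] = current
            current = None
    return hits


def correlate(apt_log, mail):
    """Return apt failures whose peer address also appears as a psad alert source."""
    rejects = psad_rejects(mail)
    out = []
    for m in APT_RE.finditer(apt_log):
        peer = ipaddress.ip_address(m[2])
        if peer in rejects:
            chain, rule, action, sid = rejects[peer]
            out.append({"url": m[1], "peer": str(peer), "port": int(m[3]),
                        "chain": chain, "fwsnort_rule": rule,
                        "action": action, "sid": sid})
    return out


if __name__ == "__main__":
    for hit in correlate(APT_LOG, PSAD_MAIL):
        print(hit)
```

A match means the connection apt lost went to the same host whose packet hit the fwsnort chain with the `REJ` log prefix, which is the first thing to establish before deciding how to handle the rule.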