<solved>What is SentinalSRM, port 1947? How do I remove it?

MikeBerger
Posts: 19
Joined: 2019/01/02 23:28:04

<solved>What is SentinalSRM, port 1947? How do I remove it?

Post by MikeBerger » 2019/01/24 22:19:21

On my new CentOS 7, I just used iptables to implement my favorite security policy:

    If I don't know what it is, -j LOG-DROP

I am getting a large number of UDP port 1947. The web shows me "SentinelSRM", among other things, but it is not clear what it is. Something to do with license? Do I need it? Things seem ok with it blocked. If not needed, how can I get rid of it?
Thanks,
Mike.
Last edited by MikeBerger on 2019/01/25 02:16:51, edited 1 time in total.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: What is SentinalSRM, port 1947? How do I remove it?

Post by TrevorH » 2019/01/24 22:57:37

That's just what's listed in /etc/services for that port. It doesn't necessarily tell you if that's what it is or not.

Since you don't say if that's hitting your outside interface or something internal, it's not really possible to say much more. If you want to know for sure, install wireshark or tcpdump and capture the packets in question and see if they contain anything useful looking. Using e.g. ss -antup | grep 1947 should show you if anything is listening on that port on your own machine.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

MikeBerger
Posts: 19
Joined: 2019/01/02 23:28:04

Re: What is SentinalSRM, port 1947? How do I remove it?

Post by MikeBerger » 2019/01/25 00:10:17

Sorry I didn't mention that the target is internal: 192.168.1.255

I looked at a few packets with wireshark. The port 1974 is labeled "sentinelsrn". The data is 40 bytes long, and appears to contain a meaningless sequence of alphanumeric bytes. Could be base64, or could be a password. A very rough examination suggests they remain the same, at least for a few minutes.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: What is SentinalSRM, port 1947? How do I remove it?

Post by TrevorH » 2019/01/25 00:17:27

It's likely that if your LAN is a /24 then .255 is the broadcast address.

MikeBerger
Posts: 19
Joined: 2019/01/02 23:28:04

Re: What is SentinalSRM, port 1947? How do I remove it?

Post by MikeBerger » 2019/01/25 00:22:24

Yes, my LAN is /24.

MikeBerger
Posts: 19
Joined: 2019/01/02 23:28:04

<solved>Re: What is SentinalSRM, port 1947? How do I remove it?

Post by MikeBerger » 2019/01/25 00:52:09

I opened my eyes wider and saw that the packets were coming from my nearby win7 box. I disabled a service on that box, and the packets disappeared.

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: <solved>What is SentinalSRM, port 1947? How do I remove it?

Post by pjsr2 » 2019/01/27 23:22:22

SentinelSRM is a software license protection system. Older versions of it go by the name HASP, netHASP, Aladdin HASP, SafeNet. It is available on Linux, Windows, Mac and various Un*x. You can find it on sentinalcustomer.gemalto.com.
Software is protected by a USB dongle. It requires a driver package to be installed. That driver package installs a server on the local host that listens on port 1947. This server also provides an administrator web interface on http://localhost:1947/ that you can use to configure it through your web browser. (Client) software that requests a license uses localhost:1947 (UDP) to contact the local license server. If the local host has a dongle with a valid license, the server will provide a license to the client, otherwise the server will (in the default configuration) attempt to locate another license server in the network and see if that remote server can provide a license. By default, these remote license servers are searched through a UDP broadcast to port 1947. Through the web server interface you can configure host names or IP addresses of remote license servers and disable the broadcasts.
Old versions of this product use UDP port 475 and lack the administrator web interface.
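
Added example, not part of any post in this thread: a small Python triage of iptables LOG lines that answers the question the thread worked through, namely which LAN host is sending the UDP 1947 packets and whether they are broadcasts. The log prefix, interface name, addresses and MACs in the sample are constructed, and the 192.168.1.0/24 default is taken from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: kernel iptables LOG lines. The "LOG-DROP " prefix, the
# interface name and all addresses/MACs are assumptions made for this example.
SAMPLE_LOG = """\
Jan 24 22:10:01 c7 kernel: LOG-DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:00:00:00:17:08:00 SRC=192.168.1.23 DST=192.168.1.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=411 PROTO=UDP SPT=52311 DPT=1947 LEN=48
Jan 24 22:10:06 c7 kernel: LOG-DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:00:00:00:17:08:00 SRC=192.168.1.23 DST=192.168.1.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=412 PROTO=UDP SPT=52311 DPT=1947 LEN=48
Jan 24 22:10:07 c7 kernel: LOG-DROP IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:02:00:00:00:00:28:08:00 SRC=192.168.1.40 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=90 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 24 22:10:09 c7 kernel: LOG-DROP IN=eth0 OUT= MAC=02:00:00:00:00:0a:02:00:00:00:00:4d:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=40000 DPT=1947 LEN=48
"""

FIELD = re.compile(r"(\w+)=(\S*)")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_line(line):
    """Return the KEY=value fields of one iptables LOG line as a dict."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN= occurs twice; keep the IP length
    return fields


def source_mac(mac_field):
    """On Ethernet, MAC= is destination (6) + source (6) + ethertype (2)."""
    octets = mac_field.split(":")
    return ":".join(octets[6:12]) if len(octets) == 14 else None


def summarize(log_text, lan="192.168.1.0/24", port=1947):
    """Count logged UDP packets to `port` per (source IP, source MAC, kind)."""
    net = ipaddress.ip_network(lan)
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "UDP" or f.get("DPT") != str(port):
            continue
        try:
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # truncated or malformed line
        is_bcast = dst in (net.broadcast_address, LIMITED_BROADCAST)
        kind = "broadcast" if is_bcast else "unicast"
        hits[(f.get("SRC"), source_mac(f.get("MAC", "")), kind)] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (src, mac, kind), count in summarize(SAMPLE_LOG):
        print(f"{count:5d}  {src:15s}  {mac}  {kind}")
```

The source MAC identifies the sending machine even if its IP address changes through DHCP, which is usually enough to locate the host running the license manager service.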
