This tutorial is written for Red Hat 9 Linux users, but should be of general Linux use. It covers some of the basics of portsentry.

What is portsentry?

To help us understand this I'll quote Georges Tarbouriech writing in Linux Focus:
Today, most networking relies on TCP/IP and TCP/IP relies on ports. To make it short, ports are attached to programs (clients or servers). The server listens till a client contacts it to establish a connection. The services (the programs above mentioned) are mapped to a specific port. On Unix systems, this mapping scheme is found in the /etc/services file. That is, everyone knows which port is dedicated to which service. If everyone knows, crackers know even better! If we consider a port as a door, when a port is open (listening), it's like an unlocked door. And how do you get into a house? Usually through the door (unless you prefer the window, it's up to you!). So do the black hats to get into your computer...
portsentry monitors your ports and allows actions to be taken, such as blocking the IP address that is trying to connect to a port.

Where do I get it ?

psionic portsentry website
RPMs are also available via apt: apt-get install portsentry

How do I use it ?

portsentry works in two modes, basic and advanced. This tutorial describes the advanced settings, which are used by default in the RH9 RPM install. Advanced mode monitors all ports except those you tell it not to.

Once installed, check Start > System Setting > Server Settings > Settings and make sure the service is enabled at boot; do not start the service yet.

Run su - first so that you have the root access you need.

Check that the /etc/portsentry/portsentry.modes looks like this:
Code:
# This is the modes file for Portsentry. Uncomment the modes you want
# to run portsentry to run in. For information about each mode, please
# see the Portsentry documentation.
#tcp
#udp
#stcp
#sudp
atcp
audp
This ensures advanced mode.

Next you need to work out which ports you do not want to trigger portsentry. If you run a mail server you will probably want to ignore TCP port 25 (SMTP) and TCP port 110 (POP3); if you run a web server, TCP port 80.

Now edit /etc/portsentry/portsentry.conf and find this section:
Code:
###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1024.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have have a problem because I'll only tell
# you to RTFM and don't run above the first 1024 ports.
#
#
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="25,80,110"
# Default UDP route (RIP)
ADVANCED_EXCLUDE_UDP="993,520,517,518,513,123,68,67,53"
Edit the above lines to ignore those ports you have open and want the rest of the world to be able to reach.
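Rather than typing the exclude list by hand, you can derive it from what is actually listening. The following script is an added example, not part of the original post or of portsentry itself: it takes netstat -tln style output on stdin and prints the distinct listening TCP ports below the ADVANCED_PORTS_TCP limit as a comma-separated list ready to paste into ADVANCED_EXCLUDE_TCP. The netstat output embedded below is constructed sample data, not captured from a real host. Listing these ports explicitly matters even though portsentry skips ports that already have a daemon bound, because a service started after portsentry would otherwise find its port already taken.

```shell
#!/bin/sh
# Added example: build an ADVANCED_EXCLUDE_TCP value from a "netstat -tln"
# style listing. Ports at or above the limit are dropped because PortSentry
# in advanced mode does not watch them anyway.
set -e

# Constructed sample of "netstat -tln" output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:80          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN'

# exclude_list LIMIT  (reads netstat output on stdin)
# Prints a comma-separated, ascending list of distinct TCP ports below LIMIT.
exclude_list() {
    awk -v limit="$1" '
        # only TCP sockets in LISTEN state; the local address is host:port
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":")
            port = a[n] + 0
            if (port < limit) print port
        }' | sort -n -u | paste -s -d, -
}

# On a real host:  netstat -tln | exclude_list 1024
tcp_list=$(printf '%s\n' "$SAMPLE_NETSTAT" | exclude_list 1024)
echo "ADVANCED_EXCLUDE_TCP=\"$tcp_list\""
```

With the sample data this prints ADVANCED_EXCLUDE_TCP="22,25,80,110": port 80 appears once although two sockets listen on it, and 3306 is dropped because it is above the 1024 limit. Review the list before pasting it; anything in it is a port portsentry will never react to, so it should only contain services you really mean to expose. UDP sockets have no LISTEN state in netstat output, so the UDP list still needs to be checked by hand.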

If you wish to allow access from your internal network or other networks without tripping portsentry, you can edit this file: /etc/portsentry/portsentry.ignore
Code:
192.168.1.0/24
#########################################
# Do NOT edit below this line, if you   #
# do, your changes will be lost when    #
# portsentry is restarted via the       #
# initscript. Make all changes above    #
# this box.                             #
#########################################
Now back to modifying /etc/portsentry/portsentry.conf

Decide upon the number of port probes you will allow. I set this to 0 for an instant reaction:
Code:
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used
# below your specified range, you have the opportunity to really
# break things. (i.e someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#
SCAN_TRIGGER="0"
Then verify that the action (drop) is set correctly for your flavour of Linux:
Code:
##
# Using a packet filter is the PREFERRED. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##
                                                                                
# ipfwadm support for Linux
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# ipfwadm support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# ipchain support for Linux 
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# ipchain support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
#
# iptables support for Linux
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
Finally, start portsentry: service portsentry start

Note that portsentry adds an entry to cron.daily that flushes all the denied routes once per day.

Other KILL_ROUTE entries can be used to run custom scripts; an example can be found here:

http://www.antionline.com/showthread...172#post685172

Note that the MIRROR target in iptables is unsupported and experimental. Using MIRROR can leave you vulnerable to a DoS attack:

http://www.netfilter.org/security/20...22-mirror.html

Note: portsentry does not protect any ports you have open, so it is still important to remember all the basics for those ports: strong passwords, keeping patched and up to date, etc.