Portsentry

Contents

1. Introduction

2. Useful resources

3. Packages and installation

4. Configuration

5. Initscript

6. Advanced stealth mode





1. Introduction

Portsentry is an easy-to-install application that is designed to assist a GNU/Linux user in their attempts to stop crackers from breaching their fortress. Specifically, PortSentry runs as a daemon on the protected host. When running, it listens on TCP/UDP ports and will block scanning hosts from connecting to your machine.

2. Useful resources

http://www.psionic.com/products/index.html
It seems like Cisco has acquired Psionic : http://newsroom.cisco.com/dlls/corp_102202.html. The new project can be found at http://sourceforge.net/projects/sentrytools/.

3. Packages and installation

You can either download the RPM or the source files. Although RPMs are easy when you're working with RedHat, I prefer the source distribution for PortSentry. The latest stable version I found was PortSentry 1.1.

After you have downloaded the tar.gz file, unpack it and navigate to the directory.

Installation itself is straightforward : no configure or other options, just make (be sure to become 'root').
tar zxvf portsentry-1.1.tar.gz
cd portsentry-1.1

make linux
make install

4. Configuration

By default, PortSentry will place all files in /usr/local/psionic/portsentry. This directory will have the necessary, restrictive, permissions.

Become root and open the config-file portsentry.conf in your favorite editor.

The first section gives you the possibility to choose one of three options :
 # Un-comment these if you are really anal:
 #TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,[..]
 #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,[..]
 #
 # Use these if you just want to be aware:
 TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,[..]
 UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
 #
 # Use these for just bare-bones
 #TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
 #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
The first set is really restrictive, the second one 'good' and the third is (IMHO) of no use. One note: the list of TCP ports still contains port number 143 (IMAP). If you're running this service, remove it from the list, otherwise every legitimate IMAP client gets blocked as a scanner.
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
The first directive, IGNORE_FILE, tells PortSentry which hosts should NEVER be blocked. The other two, HISTORY_FILE and BLOCKED_FILE, hold the denied hosts, split into those denied for the current session only and those denied permanently.


These first options tell PortSentry how it should work. The next section defines what it should do with 'enemy' hosts.


There's one variable, KILL_ROUTE, that is executed when a scan is detected ($TARGET$ is replaced by the address of the scanning host). You can give it any value you want, but you probably want something like this :
KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
Besides blocking with iptables, you can also block the host with tcp_wrappers using the option :
KILL_HOSTS_DENY="ALL: $TARGET$ # Portsentry blocked"

5. Initscript

By default, there's no initscript supplied with PortSentry. I constructed one from the original RPM.
#!/bin/bash
#
# portsentry Start the portsentry portscan detector
# Authors: Craig Rowland , Tim Powers
# and Matthias Saou
# configfile: /usr/local/psionic/portsentry/portsentry.conf
# pidfile: /var/run/portsentry.pid

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# For this script to work on non english systems
export LANG=C

RETVAL=0

start () {
  # Set up the ignore file
  SENTRYDIR=/usr/local/psionic/portsentry
  FINALIGNORE=$SENTRYDIR/portsentry.ignore
  TMPFILE=/usr/local/psionic/portsentry/portsentry.ignore.tmp
  # Testline is used to see if the initscript has already been run
  if [ -f $FINALIGNORE ] ; then
   cp -f $FINALIGNORE $TMPFILE
   testline=`grep -n "Do NOT edit below this" $TMPFILE | cut --delimiter=":" -f1`
   if [ -z "$testline" ] ; then
    echo > /dev/null # Do nothing
   else
    let headline=$testline-2
    head -$headline $FINALIGNORE > $TMPFILE
   fi
  fi
  echo '#########################################' >> $TMPFILE
  echo '# Do NOT edit below this line, if you #' >> $TMPFILE
  echo '# do, your changes will be lost when #' >> $TMPFILE
  echo '# portsentry is restarted via the #' >> $TMPFILE
  echo '# initscript. Make all changes above #' >> $TMPFILE
  echo '# this box. #' >> $TMPFILE
  echo '#########################################' >> $TMPFILE

  echo '' >> $TMPFILE
  echo '# Exclude all local interfaces' >> $TMPFILE
  for i in `/sbin/ifconfig -a | grep inet | awk '{print $2}' | sed 's/addr://'` ; do
    echo $i >> $TMPFILE
  done

  echo '' >> $TMPFILE
  echo '# Exclude the default gateway(s)' >> $TMPFILE
  for i in `/sbin/route -n | grep ^0.0.0.0 | awk '{print $2}'` ; do
    echo $i >> $TMPFILE
  done

  echo '' >> $TMPFILE
  echo '# Exclude the nameservers' >> $TMPFILE
  for i in `/bin/cat /etc/resolv.conf | grep ^nameserver | awk '{print $2}'` ; do
   echo $i >> $TMPFILE
  done

  echo '' >> $TMPFILE
  echo '# And last but not least...' >> $TMPFILE
  echo '0.0.0.0' >> $TMPFILE
  echo '' >> $TMPFILE

  cp -f $TMPFILE $SENTRYDIR/portsentry.ignore
  rm -f $TMPFILE

  # Check for modes defined in the config file
  if [ -s $SENTRYDIR/portsentry.modes ] ; then
   modes=`cut -d "#" -f 1 $SENTRYDIR/portsentry.modes`
  else
   modes="tcp udp"
  fi
  for i in $modes ; do
   action $"Starting portsentry -$i: " /usr/local/psionic/portsentry/portsentry -$i
   RETVAL=$?
  done
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/portsentry
  return $RETVAL
 }

stop() {
  echo -n $"Stopping portsentry: "
  killproc portsentry
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/portsentry
  return $RETVAL
 }

# See how we were called.
case $1 in
  start)
   start
   ;;
  stop)
   stop
   ;;
  status)
   status portsentry
   RETVAL=$?
   ;;
  restart)
   stop
   start
   RETVAL=$?
   ;;
  condrestart)
    if [ -f /var/lock/subsys/portsentry ]; then
     stop
     start
     RETVAL=$?
    fi
    ;;
  *)
  echo $"Usage: portsentry {start|stop|restart|condrestart|status}"
  exit 1
 esac

exit $RETVAL
Starting and stopping is easy (as always): /etc/init.d/portsentry start|stop

This init-script looks for a file portsentry.modes in the directory /usr/local/psionic/portsentry. The 'modes' file contains the startup switches for PortSentry (-tcp -udp -stcp -atcp -sudp -audp); if it is absent, the script starts the tcp and udp modes.
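The most useful part of the initscript above is how it rebuilds portsentry.ignore on every start: whatever the administrator wrote above the marker box is kept, everything below it is thrown away and regenerated from the host's own addresses, so a local interface or the gateway can never end up in KILL_ROUTE. The script below is an added example (not PortSentry's code and not the initscript from this page) that isolates that logic into functions, collects the addresses with iproute2 instead of ifconfig/route, and guards the one edge the original does not (a marker box on the first line). The sample ignore file and the address lists it is run on are constructed inputs; the three collector functions at the end are what you would pass on a live system.

```shell
#!/bin/sh
# Added example, not part of PortSentry or of this page's initscript:
# rebuild portsentry.ignore, keeping the administrator's entries above the
# marker box and regenerating the generated block below it.

MARKER='# Do NOT edit below this line, if you #'

# Everything the administrator wrote: the lines above the marker box.
# A file without the box is returned whole; a missing file yields nothing.
user_section() {
    file=$1
    [ -f "$file" ] || return 0
    n=$(grep -n -F "$MARKER" "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$n" ]; then
        cat "$file"
    elif [ "$n" -gt 2 ]; then
        head -n $((n - 2)) "$file"   # line n-1 is the top border of the box
    fi                               # box at the very top: nothing to keep
}

# The generated block. Arguments are newline-separated address lists.
auto_section() {
    addrs=$1; gws=$2; ns=$3
    cat <<EOF
#########################################
$MARKER
# do, your changes will be lost when #
# portsentry is restarted via the #
# initscript. Make all changes above #
# this box. #
#########################################

# Exclude all local interfaces
$addrs

# Exclude the default gateway(s)
$gws

# Exclude the nameservers
$ns

# And last but not least...
0.0.0.0
EOF
}

# Write user section + fresh generated block atomically over the old file.
rebuild_ignore() {
    file=$1; addrs=$2; gws=$3; ns=$4
    tmp=$(mktemp "${file}.XXXXXX")
    { user_section "$file"; auto_section "$addrs" "$gws" "$ns"; } > "$tmp"
    mv -f "$tmp" "$file"
}

# Live collectors for a real host (iproute2 instead of ifconfig/route).
local_addresses()  { ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'; }
default_gateways() { ip -4 route show default | awk '{ print $3 }'; }
nameservers()      { awk '/^nameserver/ { print $2 }' /etc/resolv.conf; }

# Constructed demo: an ignore file with two admin entries and a stale
# generated block, rebuilt with constructed "current" addresses (RFC 5737
# documentation ranges) rather than the output of the live collectors.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_IGNORE=$SAMPLE_DIR/portsentry.ignore
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '127.0.0.1' '# my trusted host' '10.0.0.5' > "$SAMPLE_IGNORE"
auto_section '192.0.2.9' '192.0.2.1' '192.0.2.53' >> "$SAMPLE_IGNORE"
rebuild_ignore "$SAMPLE_IGNORE" "$(printf '127.0.0.1\n192.0.2.10')" '192.0.2.1' '192.0.2.53'
cat "$SAMPLE_IGNORE"   # admin lines intact, 192.0.2.9 gone, 192.0.2.10 present
```

On a live host the call is rebuild_ignore /usr/local/psionic/portsentry/portsentry.ignore "$(local_addresses)" "$(default_gateways)" "$(nameservers)", run as root before PortSentry starts. Rebuilding twice yields the same file, which is the property the "testline" check in the initscript exists to provide.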

6. Advanced stealth mode

Although PortSentry works fine with the default set of TCP ports, you can also run it in 'stealth' mode so that it watches all ports below a certain number. This gives you more security, but at the cost of higher CPU usage.
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"

ADVANCED_PORTS_TCP and ADVANCED_PORTS_UDP are straightforward: every port below that number is monitored.
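Both the port lists from section 4 and the advanced mode above share the same practical check: any monitored port that the host also serves (the IMAP/143 remark earlier) turns ordinary clients into "scanners" that KILL_ROUTE then drops. The script below is an added example (not PortSentry's code and not from this page) that reads the active settings out of a portsentry.conf, computes the effective TCP port set for basic and for advanced mode, and intersects it with the listening ports parsed from saved ss -ltn output. The config and the ss capture it runs on are constructed samples modelled on the excerpts on this page; the assumption that ADVANCED_PORTS_TCP is an inclusive upper bound is marked in the code.

```shell
#!/bin/sh
# Added example, not part of PortSentry or of this page's configuration:
# which TCP ports will a given portsentry.conf make PortSentry watch, and
# which of those does this host really listen on?

# Value of the last active (uncommented) VAR="..." line in the config file.
conf_get() {
    sed -n "s/^[[:space:]]*$1=\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Effective TCP port set, one port per line, ascending.
#   basic    -> the TCP_PORTS list
#   advanced -> 1 up to ADVANCED_PORTS_TCP minus ADVANCED_EXCLUDE_TCP
# Assumption: the advanced limit is treated as inclusive here; confirm the
# exact boundary against the README of your PortSentry version.
monitored_tcp() {
    case $1 in
    basic)
        conf_get TCP_PORTS "$2" | tr ',' '\n' | sort -un ;;
    advanced)
        awk -v limit="$(conf_get ADVANCED_PORTS_TCP "$2")" \
            -v excl="$(conf_get ADVANCED_EXCLUDE_TCP "$2")" 'BEGIN {
                n = split(excl, a, ","); for (i = 1; i <= n; i++) skip[a[i]] = 1
                for (p = 1; p <= limit; p++) if (!(p in skip)) print p }' ;;
    *)  echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Listening TCP ports parsed from saved "ss -ltn" output: skip the header,
# take whatever follows the last colon of the Local Address:Port column.
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' "$1" | sort -un
}

# Ports in both sets: real clients of these would be blocked by KILL_ROUTE.
conflicts() {
    { monitored_tcp "$1" "$2"; listening_ports "$3"; } | sort -n | uniq -d
}

# Constructed sample inputs modelled on the excerpts on this page
# (not a real configuration and not a real capture).
SAMPLE_CONF=$(mktemp)
SAMPLE_SS=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_SS"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# strict list, commented out:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110"
# the 'aware' list, active:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700"
ADVANCED_PORTS_TCP="1024"
ADVANCED_EXCLUDE_TCP="113,139"
KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
EOF
cat > "$SAMPLE_SS" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      100    0.0.0.0:143        0.0.0.0:*
LISTEN 0      128    [::]:80            [::]:*
EOF

echo "basic mode, monitored ports that are also served here:"
conflicts basic "$SAMPLE_CONF" "$SAMPLE_SS"      # 143
echo "advanced mode, monitored ports that are also served here:"
conflicts advanced "$SAMPLE_CONF" "$SAMPLE_SS"   # 22, 80 and 143, one per line
```

To run it against a real host, save ss -ltn to a file and call conflicts basic /usr/local/psionic/portsentry/portsentry.conf that-file (or conflicts advanced ...). Every port it prints should either leave TCP_PORTS or go into ADVANCED_EXCLUDE_TCP before PortSentry is started, and the same check is worth repeating whenever a new service is deployed on the machine.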

Copyleft 2002-2007 - cudeso.be - webmaster@cudeso.be