Setting up Portsentry
Written By: vvx
Okay, before I start to tell you how great Portsentry is and how you too can
install and use it, I'm going to give two pieces of advice. First,
read this all the way through prior to doing ANYTHING! This is especially
true for my fellow Debian users. There is a special treat near the end for
you, but this is advice everyone should follow. Second, while Portsentry
is an excellent security application, having it is not an excuse to be
lazy on security. You can't put Portsentry on an entirely insecure box
with everyone's worst security holes and expect it to be secure. It isn't
happening. That said, I will continue.
So what exactly does this Portsentry do and why do you need it? Well,
Portsentry is this very very cool security application. Not good enough?
Alright, that's fair. What Portsentry does is it listens on the ports you
are not using for port scans. When it detects a scan, depending on how you
set it up, it will then add them to your hosts.deny file and drop them
through either ipchains or the route command. What this does is as soon as
the person scanning you trips Portsentry, your computer stops responding
to them. Even if you have services open, your computer will not respond
when they scan those ports. Repeat after me, even if you have services
open, your computer will not respond when they scan those ports. That is
very cool. So, why do you need it? Well, I just like the fact that when
someone scans me my computer seems to disappear, as if I disconnected from
the internet. You can also set up "logcheck" to email you when someone
scans you, and there are more settings you can play with at that. So you
can decide if you need this or not. It is after all, your computer.
Okay, so you're still with me? I guess you probably want to install it. Or
possibly, you're following my advice and reading the whole thing before
you screw up your computer. At any rate, I should probably tell you where
to get this Portsentry. Well, I'm going to tell you two, that's right boys
and girls, not one, but two methods to get this. One is to download the
source as a .tar.gz tarball, the other is to use Debian package management. If
you're not using Debian, forget the second idea. It's not an option for you! There is a
paragraph near the end dedicated to differences using the apt-get installed Portsentry,
if you're using Debian check it out. As for the tarball, you will need a compiler and
the usual compiling tools installed. Continuing on, the homepage for Portsentry is
at http://www.psionic.com/abacus/portsentry/
and the file you want to grab as of the time I'm writing this is at http://www.psionic.com/tools/portsentry-1.0.tar.gz.
While you're there, you might want to also grab logcheck. The homepage for
that is at http://www.psionic.com/abacus/logcheck/
and real briefly what it does is mails any anomalies in your log files to
a certain email address or user. That includes Portsentry's "ACTIVE SYSTEM
ATTACK" log entries, so you can be emailed when someone trips Portsentry.
Now that we have the file, it's time to unpack it. I personally saved it
to /home/vvx/portsentry-1.0.tar.gz. So what I would type to unpack it
would be
tar -zxvf portsentry-1.0.tar.gz
Or, if that for some reason failed to work I would try it with full path,
tar -zxvf /home/vvx/portsentry-1.0.tar.gz
That will unpack portsentry to a directory "portsentry-1.0" in whatever directory you
were in when you did the unpacking. For me that unpacked it to
/home/vvx/portsentry-1.0. Now we need to change directories into that directory. So,
cd portsentry-1.0
Now if you do an ls you will see several files. I suggest installing from within
X Windows with two terminal windows open, you can have the README.install open in one
and the file you're editing open in the other (and possibly netscape off to the side or
something. :)) Use whatever text editor you feel comfortable with. If you don't have
one, try pico, it's arguably the easiest to learn. So to use that you would just type
"pico README.install" to open up the README.install file in pico.
Now we get to the fun part, the actual editing of the files. This is the important
stuff. First, open up portsentry_config.h in the second window. Here you do not need
to change anything, and I wouldn't unless you have a need to. If you haven't a clue what
anything in this file is, ignore the file and close it. If you do want to change
something, don't forget to save it! If you do have a clue here, then you should know if
you want to change anything or not. It's not a big issue. One thing, if you do change
anything in this file such as the location to keep certain Portsentry files, the
changes must also be done in our next file to edit, the portsentry.conf file.
The portsentry.conf file contains everything you need to edit to get Portsentry
installed. This file can also be edited after you install if you need to. Its location,
if you didn't change anything in the portsentry_config.h file, will then be
/usr/local/psionic/portsentry/portsentry.conf. You may wish to note that
somewhere. In this file there is a lot of stuff you can edit, however you only really
need to edit one thing. I'll tell you when we get to that.
#######################
# Port Configurations #
#######################
Okay, this is the first section. Here you are going to tell Portsentry
what ports to listen on. The first important part looks like this.
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
These are the ports that Portsentry will listen to in the classic and
stealth modes. Notice how there are UDP and TCP, Portsentry will listen on
both. I suggest setting them up even if you don't plan on using one of
those modes just in case you ever change your mind. You do not have to
change anything here. If you want portsentry to listen to more or less
ports however, you can uncomment (to uncomment something, remove the # at
the beginning of the line. To comment out something, put a # at the
beginning of the line) one of the lists (make sure to comment out the old
one if you do this) and you can also add/remove ports to these lists. So,
if you offer a service on TCP port 5742 and want to use the "anal"
settings, you should remove that port number from the list. If you're
running X, do not set Portsentry to listen on port 6000 or you'll have
problems. Also, it's probably a wise idea to not have it listen on port
113 even if you don't run identd. It kind of sucks when you go to ftp a
file when the ftp server checks ident and trips Portsentry. As long as you
have 1, and 1 alone uncommented for TCP and 1 and 1 alone uncommented for
UDP you should be fine.
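As an added example (not from the original article or from the Portsentry project), here is a small shell script that applies the advice in this section to a portsentry.conf: it checks that exactly one TCP_PORTS and one UDP_PORTS line is uncommented, and flags any listed port that a service on the box already uses, such as the X server on 6000 or a service on 5742. The config fragment and the listening-port list are constructed for the example; on a real system you would point it at the real file and feed it the output of netstat -an or ss -ltn.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the
# TCP_PORTS/UDP_PORTS lists in portsentry.conf before installing.
# SAMPLE_CONF is a constructed fragment of the file, not the real one.
SAMPLE_CONF='# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143"
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,5742,6000,12345,31337"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,31337,54321"'

# Constructed list of TCP ports this box already listens on (on a real
# system take it from "netstat -an" or "ss -ltn"); 6000 is the X server.
LISTENING_TCP='22
5742
6000'

# Number of uncommented assignments of $1 (TCP_PORTS or UDP_PORTS);
# the rule from the article is exactly one for each.
count_active() {
  printf '%s\n' "$SAMPLE_CONF" | grep -cE "^[[:space:]]*$1="
}

# Port numbers of the uncommented $1 list, one per line.
active_ports() {
  printf '%s\n' "$SAMPLE_CONF" | grep -E "^[[:space:]]*$1=" \
    | sed -e 's/^[^"]*"//' -e 's/".*$//' | tr ',' '\n'
}

# Ports in the $1 list that also appear in $2 (newline-separated listening
# ports): Portsentry would collide with a real service on each of these.
conflicts() {
  for p in $(active_ports "$1"); do
    for l in $2; do
      [ "$p" = "$l" ] && printf '%s\n' "$p"
    done
  done
}

# Overall verdict: returns 0 if the lists are safe to install, 1 otherwise.
check_config() {
  ok=0
  [ "$(count_active TCP_PORTS)" = 1 ] || { echo "need one TCP_PORTS"; ok=1; }
  [ "$(count_active UDP_PORTS)" = 1 ] || { echo "need one UDP_PORTS"; ok=1; }
  for p in $(conflicts TCP_PORTS "$LISTENING_TCP"); do
    echo "remove TCP port $p from TCP_PORTS: a service already listens there"
    ok=1
  done
  return $ok
}

check_config || echo "fix portsentry.conf before installing"
```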
Our next section:
###########################################
# Advanced Stealth Scan Detection Options #
###########################################
is for setting what ports Portsentry listens on in the advanced mode. Even
if you're not using advanced mode, you should be aware of this in case you
ever change your mind. The first important part here looks like this:
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
Portsentry will listen on every port down from that number in the advanced
mode, with the exception of ports you are using. It is "smart" in that
matter. If you increase the number Portsentry will be on more ports and
will be tripped faster, however at the same time if you increase the
number Portsentry will be on more ports and will be tripped faster.
Confused? Good. What I mean is that while it may seem like a good idea it
will take more resources and you will quite possibly be SWAMPED with false
alarms. I agree with the commentary in the file here, you don't want to
increase the number. Also, notice that there is a line for TCP and a line
for UDP here. Just what it sounds like. The second important part here is
this:
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
These are the ports that the advanced mode will not react on. If
you're having problems with Portsentry monitoring a port you don't want it
to in the advanced mode, you can add that port to these ignore lists to
fix it. Another reason for having these is that they cut down tremendously on false
alarms. If you are getting a lot of false alarms on one particular port
while running in advanced mode, you can add that port to the list (just
make sure you add it to the corresponding list depending if it's TCP or
UDP.) If you remove TCP port 113, you'll run into that FTP problem I
mentioned earlier, so don't do it. Moving on, our next section
is
######################
# Configuration Files #
######################
You don't need to change anything here, unless you want to. If you want
to, okay. If you don't, well okay. It doesn't really matter. Done with
that section, we're moving on to