Setting up Portsentry
Written By: vvx
###################
# Response Options#
###################
This section is fairly important. You tell Portsentry how to respond when
it detects a scan here, so listen up! Our first subsection here is
##################
# Ignore Options #
##################
This tells Portsentry what you want it to do. As you can see below, you
can set individual settings for both UDP and TCP. Your choices are 0:
don't block the scan, 1: block scans, or 2: run external command only. I
suggest 1 as that will block the scan and run the external command if you
decide to have one. 0 would be useful if you just want to know when people
scan you, and 2 would be useful if you wanted to use a pager or email to
warn the person scanning (find your own apps.)
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP="1"
BLOCK_TCP="1"
Moving on once again
###################
# Dropping Routes:#
###################
You need to tell Portsentry how you want it to drop the person scanning.
This is the one setting I mentioned earlier: change this alone and you are
set, but you should at least look at the other settings. You have a lot of
choices, as shown here
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# This version does not log denied packets after activation
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# New ipchain support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
Uh, try not to panic.. In reality, there are probably only 2 choices here
you need to consider, unless you're running an old kernel. The two choices
are
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
or
# New ipchain support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
The second method here using ipchains would be the preferred method,
however it does require ipchains support. It may already be set up, or it
may require as much as a kernel recompile. See the ipchains NHF for
details on that. The first method would be good to use if the second, for
any reason, doesn't work out and you don't feel like setting up ipchains.
And finally, if you are running an older version of linux
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
would be the method for you. Just change the 333.444.555.666 to either a
dead host on the network, or 127.0.0.1 would probably work as well. The
important thing here is to uncomment one method and one alone. You are
almost done here, moving on...
###############
# TCP Wrappers#
###############
You probably won't need to change anything here, but if you are using an
older Linux, (just so you all know, when I say older, I mean..
Considerably older) comment out the uncommented choice and uncomment the
commented out choice. (Just switch which is uncommented.) You do need TCP
wrappers installed for this, but odds are very likely it was installed
when you installed Linux. This brings me up to the...
###################
# External Command#
###################
What you do here is up to you. You could set it up to retaliate, but you
would probably just be encouraging them and half the script kiddies out
there wouldn't even notice anything. I use this feature to play a .wav
file when I'm scanned and I think that's a nice use. Here is what the
important line looks like by default
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
If you want to have it play a wav sound you would uncomment it and
probably use the play command (although you could have it do practically
anything, play an mp3, turn on red and blue strobe lights with your
computer x10 interface, do an instant email to yourself, etc.) If you
wanted to play /usr/share/sounds/alarm.wav I would change it to this
KILL_RUN_CMD="play /usr/share/sounds/alarm.wav"
with whatever .wav file. This does require play be installed, but it
usually is. On Debian you could apt-get install either wavtools or bplay,
in which the command to play a .wav file would be wavp or bplay. On to a
bit more serious setting..
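As an added example of a defender-side KILL_RUN_CMD script (this is not from the original NHF or from Portsentry itself): it validates the two values Portsentry substitutes for $TARGET$ and $PORT$, records the event to a local file and to syslog, and never contacts the scanning host. The log path is an assumption.

```shell
#!/bin/sh
# Constructed example: external command for Portsentry's KILL_RUN_CMD.
# Portsentry substitutes the scanner's IP for $TARGET$ and the port for
# $PORT$, so Portsentry runs this as:  portsentry-alert.sh <ip> <port>
#   KILL_RUN_CMD="/usr/local/sbin/portsentry-alert.sh $TARGET$ $PORT$"

ALERT_LOG="${ALERT_LOG:-/tmp/portsentry-alerts.log}"   # assumed log path

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a port number in 1..65535, 1 otherwise.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Record one Portsentry trigger: append a timestamped line to ALERT_LOG,
# copy it to syslog when logger exists, and print it. Returns 2 on bad input
# so that nothing unexpected ever reaches a shell or a log.
record_alert() {
    target=$1; port=$2
    is_ipv4 "$target" || { echo "rejected target: $target" >&2; return 2; }
    is_port "$port"   || { echo "rejected port: $port" >&2; return 2; }
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) portsentry block target=$target port=$port"
    printf '%s\n' "$line" >> "$ALERT_LOG"
    if command -v logger >/dev/null 2>&1; then
        logger -t portsentry "$line" 2>/dev/null || :
    fi
    printf '%s\n' "$line"
}

# When invoked by Portsentry with two arguments, record the event.
if [ $# -ge 2 ]; then
    record_alert "$1" "$2"
fi
```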
#####################
# Scan trigger value#
#####################
This setting gives the scanner a bit of slack: Portsentry won't react as
quickly. The person scanning you would have to hit more ports before
Portsentry reacts. Your options are 0, 1, 2, and so on. A setting of 0
makes Portsentry react immediately; a larger setting means more ports must
be hit before it reacts. Raising it may lower false alarms if you're having
a problem with them. If not, I would leave this at 0.
SCAN_TRIGGER="0"
We have one final setting in this file..
######################
# Port Banner Section#
######################
What this does is when someone scans you while you are running in classic
mode you will display whatever text you specify. The important thing to
remember is to not encourage whoever is scanning you. You don't want to
encourage anyone to hack into your box, it's just not wise. If you decide
to use this feature, uncomment it and change the text to whatever you'd
like. The important line looks like this..
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
Okay, you are done editing the portsentry.conf file. So save that and
let's move on!
To start compiling this, while in the portsentry-1.0 directory, type:
make linux
This shouldn't take very long at all. You do need to be root for this step
however, so type:
su
Enter your root password,
And now type:
make install
Now about those modes. Portsentry can be run in classic mode (the -tcp and
-udp flags), stealth mode (the -stcp and -sudp flags), and finally in
advanced mode (the -atcp and -audp flags.) There are reasons for using all
the modes, however what you want will be the ultimate factor. You can only
run one instance of Portsentry for TCP and one instance of Portsentry for
UDP. So here is some info on the different modes you can run.
Classic Mode
These are the -tcp and -udp flags. If you want to use the banner feature
to display text to whomever is scanning you, you would have to use the
-tcp mode for TCP. It's the only one that feature works on. In this mode,
Portsentry listens to all the ports on the list of ports you selected and
possibly edited. This mode will not however detect stealth scans, which
are very common. False alarms are the least common in this mode though,
which is good.
Stealth Mode
These are the -stcp and -sudp flags. Like in classic mode, Portsentry
listens on the lists of ports in the portsentry.conf file. This mode will
detect most stealth scans, which is rather handy. You probably will have
more false alarms as a result of that, but probably nothing significant.
Advanced Mode
These are the -atcp and -audp flags. Unlike the other modes, this one
listens to the port you specified in portsentry.conf downward. It is smart
and won't react on ports you are using for services or ports you told it
to not listen on in the portsentry.conf file. This mode detects the same
scans as the stealth mode, but reacts faster. Unfortunately, this mode is
the most prone to false alarms, so if you run into problems with false
alarms in this mode you might consider one of the other modes.
When deciding what modes you want to run for TCP and UDP it is important
to remember they don't both have to be the same. You could run the
advanced TCP mode and the classic UDP mode. There's no rule against it. So
decide what modes you want to run.
Good, now we can run it! To run it type
/usr/local/psionic/portsentry/portsentry
with the flag for the mode you want. You will need to run two separate
processes of Portsentry to do both UDP and TCP. So if I chose the advanced
TCP mode and the classic UDP mode I would run it as follows
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -udp
Seem like a mouthful to you too? Well, we can simplify this a bit more. By
adding two lines to your /etc/rc.d/rc.local file you can have Portsentry
start on bootup. That makes it that much easier and you don't have to
remember to run Portsentry when you go online. If you don't have an
rc.local, you can have it startup from another startup script. So, if I
were to add it to my rc.local file I would add two lines that look like
this for my example mode selections to the end of my rc.local file:
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -udp
Got it? Good. Now it's time to test it to see if it's really working.
There are a number of free online scanners on the internet. The two I know
of are at http://www.grc.com and http://www.hackerwhacker.com. I
suggest using the grc one, explained in a second. So with Portsentry
running you would want to head to http://www.grc.com, go to their "Shields
Up" page and select the "Probe my Ports" option. The other option is more
targeted towards Windows users. What the ideal results would be is grc
would trip Portsentry and after doing so everything would be stealthed.
This might mean it scans port 21, tells you it is open (in the classic and
stealth modes portsentry opens ports to listen on them, don't be alarmed)
or closed (or even possibly stealthed) and after that everything else
shows up stealthed. Then if you took the test again everything would show
up stealthed. The test at http://www.hackerwhacker.com isn't the best for
testing Portsentry for one reason. It scans from the same IP the website
is hosted at. Without thinking about this for a second you probably won't
get it. That means that if they trip Portsentry your computer will ignore
everything that comes from their server and the results page will cease to
load. It will stall indefinitely. However, using that you can test to see
if it's working. If the page stalls, you probably have Portsentry set up
right. After these tests you should notice a few new IP's in your
/usr/local/psionic/portsentry/portsentry.history file,
/usr/local/psionic/portsentry/portsentry.blocked files and in
/etc/hosts.deny file. If for some reason it didn't work like it should,
you might try changing the dropping route and the TCP wrappers setting.
Debian. I promised some details on using apt to install Portsentry. All
you really need to do is "apt-get install portsentry." That will install
Portsentry, and set it up to start on bootup. This does require that you
have apt pointed at a working package source; if not, you can install from
the tarball. You still need to edit the portsentry.conf file. Using apt to
install Portsentry, your config files will be stored in /etc/portsentry.
Portsentry itself will install to /usr/sbin/portsentry. One more file to
edit contains the modes you wish to use. That file is called startup.conf
and is with the other Portsentry config files. Also, on a Debian apt
install the default ignore setting is set so Portsentry will not block
scans. So, keep this in mind when you edit your
/etc/portsentry/portsentry.conf file in Debian.
RPM's. Yes, Portsentry is available on RPM's. You can find it at
http://www.rpmfind.net/linux/RPM/portsentry.html. If you decide to install
an RPM, the files will be located in different locations. The modes you
want to run Portsentry in are specified in a
/etc/portsentry/portsentry.modes. Your config files would be located in
the /etc/portsentry directory and it will start on boot up without you
adding it to your rc.local file. There is one reported problem however.
The logrotate script for rotating logs for Portsentry is located at
/etc/logrotate.d/portsentry and it will not work right using the stealth
or advanced modes. The fix is to download this file, uncompress it, and
copy the portsentry.after file to /etc/logrotate.d/portsentry. This may
have been fixed, no guarantees one way or the other. You can thank
AlphaGeek for the fix. Other than that, edit the
/etc/portsentry/portsentry.conf file just like you would normally.
Any feedback to this NHF on portsentry should be sent to me, Brian Clark
A.K.A. vvx on LNO.
Okay, now that you've read the whole thing like suggested in my first tip,
get on to installation. Oh, if this is your second time through disregard
that last sentence.