Re: [cobalt-users] Need help installing PortSentry
- Subject: Re: [cobalt-users] Need help installing PortSentry
- From: jramer <wormbutt@xxxxxxxxxxxxx>
- Date: Wed Jan 24 17:01:04 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
tob@xxxxxxxxxxxx wrote:
>
> Does anyone have detailed instructions for installing PortSentry ? I
> searched the archives and found a great set of instructions (written by
> Brent Sims) for installing "logcheck" . I was wondering if there was
> such a document for installing portsentry.
> Thanks,
> --
http://www.linuxnewbie.org/nhf/intel/security/portsentry1.html
Setting up Portsentry
Written By: vvx
Okay, before I start to tell you how great Portsentry is and how you too can install and use it, I'm going to give two pieces of advice. First, read this all the way through prior to doing ANYTHING! This is especially true for my fellow Debian users. There is a special treat near the end for you, but this is advice everyone should follow. Second, while Portsentry is an excellent security application, having it is not an excuse to be lazy on security. You can't put Portsentry on an entirely insecure box with everyone's worst security holes and expect it to be secure. It isn't happening. That said, I will continue.
So what exactly does this Portsentry do and why do you need it? Well, Portsentry is this very very cool security application.. Not good enough? Alright, that's fair. What Portsentry does is it listens on the ports you are not using for port scans. When it detects a scan, depending on how you set it up, it will then add them to your hosts.deny file and drop them through either ipchains or the route command. What this does is as soon as the person scanning you trips Portsentry, your computer stops responding to them. Even if you have services open, your computer will not respond when they scan those ports. Repeat after me, even if you have services open, your computer will not respond when they scan those ports. That is very cool.
So, why do you need it? Well, I just like the fact that when someone scans me my computer seems to disappear, as if I disconnected from the internet. You can also set up "logcheck" to email you when someone scans you, and there are more settings you can play with at that. So you can decide if you need this or not. It is after all, your computer.
Okay, so you're still with me? I guess you probably want to install it. Or possibly, you're following my advice and reading the whole thing before you screw up your computer. At any rate, I should probably tell you where to get this Portsentry. Well, I'm going to tell you two, that's right boys and girls, not one, but two methods to get this. One is to download the source in a .tar.gz source file, the other is to use Debian package management. If you're not using Debian, forget the second idea. It's not an option for you! There is a paragraph near the end dedicated to differences using the apt-get installed Portsentry, if you're using Debian check it out. As for the tarball, you will need a compiler and the usual compiling tools installed. Continuing on, the homepage for Portsentry is at http://www.psionic.com/abacus/portsentry/ and the file you want to grab as of the time I'm writing this is at http://www.psionic.com/tools/portsentry-1.0.tar.gz. While you're there, you might want to also grab logcheck. The homepage for that is at http://www.psionic.com/abacus/logcheck/ and real briefly what it does is mails any anomalies in your log files to a certain email address or user. That includes Portsentry's "ACTIVE SYSTEM ATTACK" log entries, so you can be emailed when someone trips Portsentry.
Now that we have the file, it's time to unpack it. I personally saved it to /home/vvx/portsentry-1.0.tar.gz. So what I would type to unpack it would be
tar -zxvf portsentry-1.0.tar.gz
Or, if that for some reason failed to work I would try it with full path,
tar -zxvf /home/vvx/portsentry-1.0.tar.gz
That will unpack portsentry to a directory "portsentry-1.0" in whatever directory you were in when you did the unpacking. For me that unpacked it to /home/vvx/portsentry-1.0. Now we need to change directories into that directory. So,
cd portsentry-1.0
Now if you do an ls you will see several files.. I suggest installing from within Xwindows with two terminal windows open, you can have the README.install open in one and the file you're editing open in the other (and possibly netscape off to the side or something. :)) Use whatever text editor you feel comfortable with. If you don't have one, try pico, it's arguably the easiest to learn. So to use that you would just type "pico README.install" to open up the README.install file in pico.
Now we get to the fun part, the actual editing of the files. This is the important stuff.. First, open up portsentry_config.h in the second window. Here you do not need to change anything, I wouldn't unless you have need. If you haven't a clue what anything in this file is, ignore the file and close it. If you do want to change something, don't forget to save it! If you do have a clue here, then you should know if you want to change anything or not. It's not a big issue. One thing, if you do change anything in this file such as the location to keep certain Portsentry files, the changes must also be done in our next file to edit, the portsentry.conf file.
The portsentry.conf file contains everything you need to edit to get Portsentry installed. This file can also be edited after you install if you need to. Its location, if you didn't change anything in the portsentry_config.h file, would be /usr/local/psionic/portsentry/portsentry.conf. You may wish to note that somewhere. In this file there is a lot of stuff you can edit, however you only really need to edit one thing. I'll tell you when we get to that.
#######################
# Port Configurations #
#######################
Okay, this is the first section. Here you are going to tell Portsentry what ports to listen on. The first important part looks like this.
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
These are the ports that Portsentry will listen to in the classic and stealth modes. Notice how there are UDP and TCP, Portsentry will listen on both. I suggest setting them up even if you don't plan on using one of those modes just in case you ever change your mind. You do not have to change anything here. If you want portsentry to listen to more or less ports however, you can uncomment (to uncomment something, remove the # at the beginning of the line. To comment out something, put a # at the beginning of the line) one of the lists (make sure to comment out the old one if you do this) and you can also add/remove ports to these lists. So, if you offer a service on TCP port 5742 and want to use the "anal" settings, you should remove that port number from the list. If you're running X, do not set Portsentry to listen on port 6000 or you'll have problems. Also, it's probably a wise idea to not have it listen on port 113 even if you don't run identd. It kind of sucks when you go to ftp a file when the ftp server checks ident and trips Portsentry. As long as you have 1, and 1 alone uncommented for TCP and 1 and 1 alone uncommented for UDP you should be fine.
Our next section:
###########################################
# Advanced Stealth Scan Detection Options #
###########################################
is for setting what ports Portsentry listens on in the advanced mode. Even if you're not using advanced mode, you should be aware of this in case you ever change your mind.. The first important part here looks like this:
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
Portsentry will listen on every port down from that number in the advanced mode, with the exception of ports you are using. It is "smart" in that matter. If you increase the number Portsentry will be on more ports and will be tripped faster, however at the same time if you increase the number Portsentry will be on more ports and will be tripped faster. Confused? Good. What I mean is that while it may seem like a good idea it will take more resources and you will quite possibly be SWAMPED with false alarms. I agree with the commentary in the file here, you don't want to increase the number. Also, notice that there is a line for TCP and a line for UDP here. Just what it sounds like. The second important part here is this:
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
These include the ports that the advanced mode will not react on. If you're having problems with Portsentry monitoring a port you don't want it to in the advanced mode, you can add that port to these ignore lists to fix it. Another reason for having so is it cuts down tremendously on false alarms. If you are getting a lot of false alarms on one particular port while running in advanced mode, you can add that port to the list (just make sure you add it to the corresponding list depending if it's TCP or UDP.) If you remove port 113 TCP, you'll find that problem with getting FTP stuff I mentioned earlier, so don't do it. Moving on, our next section is
######################
# Configuration Files#
######################
You don't need to change anything here, unless you want to. If you want to, okay.. If you don't, well okay. It doesn't really matter. Done with that section, we're moving on to...
###################
# Response Options#
###################
This section is fairly important. You tell Portsentry how to respond when it detects a scan here, so listen up! Our first subsection here is
##################
# Ignore Options #
##################
This tells Portsentry what you want it to do. As you can see below, you can set individual settings for both UDP and TCP. Your choices are 0: don't block the scan, 1: block scans, or 2: run external command only. I suggest 1 as that will block the scan and run the external command if you decide to have one. 0 would be useful if you just want to know when people scan you, and 2 would be useful if you wanted to use a pager or email to warn the person scanning (find your own apps.)
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP="1"
BLOCK_TCP="1"
Moving on once again
###################
# Dropping Routes:#
###################
You need to tell Portsentry how you want it to drop the person scanning. This is the one thing I mentioned: change this alone and you are set, but you should at least look at the other settings. You have a lot of choices, as shown here
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# This version does not log denied packets after activation
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# New ipchain support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
Uh, try not to panic.. In reality, there are probably only 2 choices here you need to consider, unless you're running an old kernel. The two choices are
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
or
# New ipchain support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
The second method here using ipchains would be the preferred method, however it does require ipchains support. It may already be set up, or it may require as much as a kernel recompile. See the ipchains NHF for details on that. The first method would be good to use if the second, for any reason, doesn't work out and you don't feel like setting up ipchains. And finally, if you are running an older version of linux
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
would be the method for you. Just change the 333.444.555.666 to either a dead host on the network, or 127.0.0.1 would probably work as well. The important thing here is to uncomment one method and one alone. You are almost done here, moving on...
###############
# TCP Wrappers#
###############
You probably won't need to change anything here, but if you are using an older Linux, (just so you all know, when I say older, I mean.. Considerably older) comment out the uncommented choice and uncomment the commented out choice. (Just switch which is uncommented.) You do need TCP wrappers installed for this, but odds are very likely it was installed when you installed Linux. This brings me up to the...
###################
# External Command#
###################
What you do here is up to you. You could set it up to retaliate, but you would probably just be encouraging them and half the script kiddies out there wouldn't even notice anything. I use this feature to play a .wav file when I'm scanned and I think that's a nice use. Here is what the important line looks like by default
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
If you want to have it play a wav sound you would uncomment it and probably use the play command (although you could have it do practically anything, play an mp3, turn on red and blue strobe lights with your computer x10 interface, do an instant email to yourself, etc.) If you wanted to play /usr/share/sounds/alarm.wav I would change it to this
KILL_RUN_CMD="play /usr/share/sounds/alarm.wav"
with whatever .wav file. This does require play be installed, but it usually is. On Debian you could apt-get install either wavtools or bplay, in which the command to play a .wav file would be wavp or bplay. On to a bit more serious setting..
#####################
# Scan trigger value#
#####################
This setting gives people a bit of flack, Portsentry won't react as quickly. The person scanning you would have to scan more ports for Portsentry to react. Your options are 0, 1, 2, and so on. A setting of 0 will cause Portsentry to react immediately, a larger setting will take more time for Portsentry to react. Changing this to a larger setting may lower false alarms if you're having a problem with them. If not, I would leave this at 0.
SCAN_TRIGGER="0"
We have one final setting in this file..
######################
# Port Banner Section#
######################
What this does is when someone scans you while you are running in classic mode you will display whatever text you specify. The important thing to remember is to not encourage whoever is scanning you. You don't want to encourage anyone to hack into your box, it's just not wise. If you decide to use this feature, uncomment it and change the text to whatever you'd like. The important line looks like this..
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
Okay, you are done editing the portsentry.conf file. So save that and let's move on!
To start compiling this, while in the portsentry-1.0 directory, type:
make linux
This shouldn't take very long at all. You do need to be root for this step however, so type:
su
Enter your root password, and now type:
make install
Now about those modes. Portsentry can be run in classic mode (the -tcp and -udp flags), stealth mode (the -stcp and -sudp flags), and finally in advanced mode (the -atcp and -audp flags.) There are reasons for using all the modes, however what you want will be the ultimate factor. You can only run one instance of Portsentry for TCP and one instance of Portsentry for UDP. So here is some info on the different modes you can run.
Classic Mode
These are the -tcp and -udp flags. If you want to use the banner feature to display text to whomever is scanning you, you would have to use the -tcp mode for TCP. It's the only one that feature works on. In this mode, Portsentry listens to all the ports on the list of ports you selected and possibly edited. This mode will not however detect stealth scans, which are very common. False alarms are the least common in this mode though, which is good.
Stealth Mode
These are the -stcp and -sudp flags. Like in classic mode, Portsentry listens on the lists of ports in the portsentry.conf file. This mode will detect most stealth scans, which is rather handy. You probably will have more false alarms as a result of that, but probably nothing significant.
Advanced Mode
These are the -atcp and -audp flags. Unlike the other modes, this one listens to the port you specified in portsentry.conf downward. It is smart and won't react on ports you are using for services or ports you told it to not listen on in the portsentry.conf file. This mode detects the same scans as the stealth mode, but reacts faster. Unfortunately, this mode is the most prone to false alarms, so if you run into problems with false alarms in this mode you might consider one of the other modes.
When deciding what modes you want to run for TCP and UDP it is important to remember they don't both have to be the same. You could run the advanced TCP mode and the classic UDP mode. There's no rule against it. So decide what modes you want to run.
Good, now we can run it! To run it type
/usr/local/psionic/portsentry/portsentry
with the flag for the mode you want. You will need to run two separate processes of Portsentry to do both UDP and TCP. So if I chose the advanced TCP mode and the classic UDP mode I would run it as follows
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -udp
Seem like a mouthful to you too? Well, we can simplify this a bit more. By adding two lines to your /etc/rc.d/rc.local file you can have Portsentry start on bootup. That makes it that much easier and you don't have to remember to run Portsentry when you go online. If you don't have an rc.local, you can have it startup from another startup script. So, if I were to add it to my rc.local file I would add two lines that look like this for my example mode selections to the end of my rc.local file:
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -udp
Got it? Good. Now it's time to test it to see if it's really working.
There are a number of free online scanners on the internet. The two I know of are at http://www.grc.com and http://www.hackerwhacker.com. I suggest using the grc one, explained in a second. So with Portsentry running you would want to head to http://www.grc.com, go to their "Shield's Up" page and select the "Probe my Ports" option. The other option is more targeted towards Windows users. What the ideal results would be is grc would trip Portsentry and after doing so everything would be stealthed. This might mean it scans port 21, tells you it is open (in the classic and stealth modes portsentry opens ports to listen on them, don't be alarmed) or closed (or even possibly stealthed) and after that everything else shows up stealthed. Then if you took the test again everything would show up stealthed. The test at http://www.hackerwhacker.com isn't the best for testing Portsentry for one reason. It scans from the same IP the website is hosted at. Without thinking about this for a second you probably won't get it. That means that if they trip Portsentry your computer will ignore everything that comes from their server and the results page will cease to load. It will stall indefinitely. However, using that you can test to see if it's working. If the page stalls, you probably have Portsentry set up right. After these tests you should notice a few new IPs in your /usr/local/psionic/portsentry/portsentry.history and /usr/local/psionic/portsentry/portsentry.blocked files and in your /etc/hosts.deny file. If for some reason it didn't work like it should, you might try changing the dropping route and the TCP wrappers setting.
Debian. I promised some details on using apt to install Portsentry. All you really need to do is "apt-get install portsentry." That will install Portsentry, and set it up to start on bootup. This does require you to have apt pointed at something intelligible, if not you can install from the tarball. You still need to edit the portsentry.conf file. Using apt to install Portsentry, your config files will be stored in /etc/portsentry. Portsentry itself will install to /usr/sbin/portsentry. One more file to edit contains the modes you wish to use. That file is called startup.conf and is with the other Portsentry config files. Also, on a Debian apt install the default ignore setting is set so Portsentry will not block scans. So, keep this in mind when you edit your /etc/portsentry/portsentry.conf file in Debian.
RPMs. Yes, Portsentry is available as RPMs. You can find it at http://www.rpmfind.net/linux/RPM/portsentry.html. If you decide to install an RPM, the files will be located in different locations. The modes you want to run Portsentry in are specified in /etc/portsentry/portsentry.modes. Your config files would be located in the /etc/portsentry directory and it will start on boot up without you adding it to your rc.local file. There is one reported problem however. The logrotate script for rotating logs for Portsentry is located at /etc/logrotate.d/portsentry and it will not work right using the stealth or advanced modes. The fix is to download this file, uncompress it, and copy the portsentry.after file to /etc/logrotate.d/portsentry. This may have been fixed, no guarantees one way or the other. You can thank AlphaGeek for the fix. Other than that, edit the /etc/portsentry/portsentry.conf file just like you would normally.
Any feedback to this NHF on portsentry should be sent to me, Brian Clark A.K.A. vvx on LNO.
Okay, now that you've read the whole thing like suggested in my first tip, get on to installation. Oh, if this is your second time through disregard that last sentence.
--
joann
http://seikasrealm.com
HTML e-mail is to Plain Text email what Sulfur Dioxide is to Oxygen.
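The rules the quoted tutorial spells out for portsentry.conf (exactly one uncommented TCP_PORTS and UDP_PORTS list, one KILL_ROUTE, no 113 or 6000 in the TCP list, the 333.444.555.666 gateway placeholder replaced, BLOCK_TCP/BLOCK_UDP not left at 0 as the Debian package does) can be checked mechanically before starting the daemon. This is an added example, not code from the original post or from PortSentry; check_conf, the constructed sample config and the x_running/services_tcp parameters are assumptions of this example.

```python
import re

# Constructed sample portsentry.conf, not a file from the page; the port
# lists are the tutorial's "just want to be aware" lists, joined back onto
# one line each as they are in the real file.
SAMPLE_CONF = """\
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
ADVANCED_EXCLUDE_TCP="113,139"
BLOCK_UDP="1"
BLOCK_TCP="1"
# Newer versions of Linux support the reject flag now.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# New ipchain support for Linux kernel version 2.102+
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
"""

# A setting line: optional leading '#', then KEY="value". Plain comment
# lines carry no assignment, so they do not match and are skipped.
ASSIGN = re.compile(r'^(#?)\s*([A-Z_]+)="([^"]*)"\s*$')


def parse_conf(text):
    """Return {key: [values]} for uncommented assignments only."""
    active = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.strip())
        if m and not m.group(1):
            active.setdefault(m.group(2), []).append(m.group(3))
    return active


def port_set(value):
    return {int(p) for p in value.split(",") if p.strip()}


def check_conf(text, x_running=False, services_tcp=()):
    """Lint a portsentry.conf against the tutorial's advice; returns findings.
    services_tcp: TCP ports you serve, which must not appear in TCP_PORTS."""
    conf = parse_conf(text)
    findings = []
    # One uncommented list per protocol and one KILL_ROUTE, no more, no less.
    for key in ("TCP_PORTS", "UDP_PORTS", "KILL_ROUTE"):
        n = len(conf.get(key, []))
        if n != 1:
            findings.append(f"{key}: expected exactly 1 uncommented line, found {n}")
    tcp = port_set(conf["TCP_PORTS"][0]) if len(conf.get("TCP_PORTS", [])) == 1 else set()
    if 113 in tcp:
        findings.append("TCP_PORTS: 113 (ident) listed; ftp servers that check ident will trip PortSentry")
    if x_running and 6000 in tcp:
        findings.append("TCP_PORTS: 6000 listed while X is running")
    for port in sorted(tcp & set(services_tcp)):
        findings.append(f"TCP_PORTS: {port} is a service you offer; remove it")
    # The sample gateway must be replaced before a route-based method is used.
    for route in conf.get("KILL_ROUTE", []):
        if "333.444.555.666" in route:
            findings.append("KILL_ROUTE: placeholder 333.444.555.666 still present")
    # Debian's packaged default is 0, which logs scans but never blocks them.
    for key in ("BLOCK_TCP", "BLOCK_UDP"):
        for v in conf.get(key, []):
            if v not in ("0", "1", "2"):
                findings.append(f"{key}: {v!r} is not 0, 1 or 2")
            elif v == "0":
                findings.append(f"{key}=0: scans are logged but not blocked")
    # Raising the advanced-mode ceiling costs resources and invites false alarms.
    for key in ("ADVANCED_PORTS_TCP", "ADVANCED_PORTS_UDP"):
        for v in conf.get(key, []):
            if not v.isdigit() or int(v) > 1023:
                findings.append(f"{key}: {v!r} is not a number at or below 1023")
    return findings
```

Run check_conf on the text of your own portsentry.conf; an empty list means the file follows every rule the tutorial gives.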