Install and configure PortSentry in Linux

How to install and configure PortSentry in Linux-Linux Enterprise Application-Linux server application information. Overview
The firewall can protect our networks from attacks. We can choose which ports to open and which ports to close. However, some attackers can use port scanning programs to scan all the ports on the server to collect useful information (which ports are opened and disabled ).

The following is an introduction to PortSentry:

L server port scanning is a precursor to intrusion. PortSentry is designed to detect port scans in real time and respond to port scans. PortSentry responds to port scanning:

L a log message is provided through the syslog () function.

L automatically add the host for port scanning on the server to the "/etc/hosts. deny" file of TCP-Wrappers

L the local host will automatically redirect all information flows from to a non-existent host.

L the local host uses the packet filtering program to filter out all data packets (from the host that performs port scanning on it.

Notes
All the following commands are Unix-compatible commands.

The Source Path is "/var/tmp" (other paths can also be used in actual situations ).

Installed in RedHat Linux 6.1 and 6.2.

Use the "root" user for installation.

The PortSentry version is 1.0.

Package Source
PortSentry homepage: http://www.psionic.com/abacus/portsentry /.

Download: portsentry-1.0.tar.gz.

Precautions for installing software packages
It is best to create a list of all the files in the system before and after compilation, and then compare them with the "diff" command to find out the difference and know where to install the software. Just run the "find/*> PortSentry1" command before compilation, and run the "find/*> PortSentry2" command after the software is compiled and installed ", finally, run the "diff PortSentry1 PortSentry2> PortSentry-Installed" command to find the change.

Decompress the package
Decompress the software package (tar.gz:

[Root @ deep/] # cp portsentry-version.tar.gz/var/tmp/
[Root @ deep/] # cd/var/tmp
[Root @ deep tmp] # tar xzpf portsentry-version.tar.gz

Compilation and Optimization
You must modify the "Makefile" file, set the installation path and compilation mark of PortSentry, and optimize it based on your system. The "Makefile" file must be modified according to the RedHat file system structure.

Step 1

Go to the new PortSentry directory.

Edit the "Makefile" file (vi Makefile) and change the following lines:

CC = cc

Changed:

CC = egcs

CFLAGS =-O-Wall

Changed:

CFLAGS =-O9-funroll-loops-ffast-math-malign-double-mcpu = pentiumpro-march = pentiumpro-fomit-frame-pointer-fno-exceptions? Wall

INSTALLDIR =/usr/local/psionic

Changed:

INSTALLDIR =/usr/psionic

The above changes are made to configure "Makefile" to use the "egcs" compiler, use the compilation optimization tag adapted to our system, and install PortSentry to our selected directory.

Step 2

Because we do not need the "/usr/local/psionic" directory, We must configure PortSentry in the "portsentry_config.h" header file.

Edit the "portsentry_config.h" file (vi portsentry_config.h) and change the following line:

# Define CONFIG_FILE "/usr/local/psionic/portsentry. conf"

Changed:

# Define CONFIG_FILE "/usr/psionic/portsentry. conf"

Step 3

Install PortSentry in the system.

[Root @ deep portsentry-1.0] # make linux
[Root @ deep portsentry-1.0] # make install

Step 3

The above command configures the software, compiles the software, and finally installs it in the appropriate directory.

Clear unnecessary files
Run the following command to delete unnecessary files:

[Root @ deep/] # cd/var/tmp
[Root @ deep tmp] # rm-rf portsentry-version/portsentry-version_tar.gz

The "rm" command deletes all source programs required to compile and install PortSentry, and deletes the zip package of PortSentry.

Configure the "/usr/psionic/portsentry. conf" File
"/Usr/psionic/portsentry. conf" is the main configuration file of PortSentry. You can set the port to be monitored, the IP address to be disabled, monitored, and so on. You can view the "README. install" file in PortSentry to obtain more information.

Edit the "portsentry. conf" file (vi/usr/psionic/portsentry. conf) and make changes as needed:

# PortSentry Configuration
#
# $ Id: portsentry. conf, v 1.13 02:45:42 crowland Exp crowland $
#
# Important note: You can not put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.
#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# These ports are not in use (I. e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# You are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users ).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are * ignored * for Advanced Stealth Scan Detection Mode.
#
# Un-comment these if you are really anal:
# TCP_PORTS = "109,110,111,119,138,139,143,512,513,514,515,540,635,108, 2
, 4
0421,40425, 49724,54320"
# UDP_PORTS = "69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,204
54321"
#
# Use these if you just want to be aware:
TCP_PORTS = "111,119,143,540,635,108, 32
771,32772, 32773,32774, 40421,49724, 54320"
UDP_PORTS = "161,162,513,635,640,641,700,327, 54321"
#
# Use these for just bare-bones
# TCP_PORTS = "15,110,111,143,540,635,108, 32773,327
54320"
# UDP_PORTS = "161,162,513,640,700,327, 54321"
######################################## ###
# Advanced Stealth Scan Detection Options #
######################################## ###
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port * below * this number will be monitored. Right now it watches
# Everything below 1023.
#
# On Alibaba Linux systems you cannot bind above port 61000. This is because
# These ports are used as part of IP masquerading. I dont recommend you
# Bind over this number of ports. Realistically: I DONT RECOMMEND YOU MONITOR
# OVER 1023 ports as your false alarm rate will almost certainly rise. Youve been
# Warned! Dont write me if you have a problem because Ill only tell
# You to RTFM and dont run the first 1023 ports.
#
#
ADVANCED_PORTS_TCP = "1023"
ADVANCED_PORTS_UDP = "1023"
#
# This field tells PortSentry what ports (besides listening daemons)
# Ignore. This is helpful for services like ident that services such
# As FTP, SMTP, and wrappers look for but you may not run (and probably
# * Shouldnt * IMHO ).
#
# By specifying ports here PortSentry will simply not respond
# Incoming requests, in effect PortSentry treats them as if they are
# Actual bound daemons. The default ports are ones reported
# Problematic false alarms and shoshould probably be left alone
# All but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP = "113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP = "520,138,137, 67"
######################
# Configuration Files #
######################
#
# Hosts to ignore
IGNORE_FILE = "/usr/psionic/portsentry. ignore"
# Hosts that have been denied (running history)
HISTORY_FILE = "/usr/psionic/portsentry. history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE = "/usr/psionic/portsentry. blocked"
###################
# Response Options #
###################
# Options to dispose of attacker. Each is an action that will
# Be run if an attack is detected. If you dont want a participant
# Option then comment it out and it will be skipped.
#
# The variable $ TARGET $ will be substituted with the target attacking
# Host when an attack is detected. The variable $ PORT $ will be substituted
# With the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# Options for UDP/TCP. This is useful if you just want
# Warnings for connections, but dont want to react
# A participant protocol (I. e. you want to block TCP,
# Not UDP). To prevent a possible Denial of service attack
# Against UDP and stealth scan detection for TCP, you may
# Want to disable blocking, but leave the warning enabled.
# I personally wowould wait for this to become a problem before
# Doing though as most attackers really arent doing this.
# The third option allows you to run just the external command
# In case of a scan to have a pager script or such execute
# But not drop the route. This may be useful for some admins
# Who want to block TCP, but only want pager/e-mail warnings
# On UDP, etc.
#
#
#0 = Do not block UDP/TCP scans.
#1 = Block UDP/TCP scans.
#2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP = "1"
BLOCK_TCP = "1"
###################
# Dropping Routes :#
###################
# This command is used to drop the route or add the host
# A local filter table.
#
# The gateway (333.444.555.666) shocould ideally be a dead host on
# The * local * subnet. On some hosts you can also point this
# Localhost (127.0.0.1) and get the same effect. NOTE THAT
#333.444.555.66 WILL ** NOT * WORK. you need to change it !!
#
# All kill route options are commented out initially. Make sure you
# Uncomment the correct line for your OS. If you OS is not listed
# Here and you have a route drop command that works then please
# Mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# Can be used at a time so dont uncomment multiple lines.
#
# NOTE: The route commands are the least optimal way of blocking
# And do not provide complete protection against UDP attacks and
# Will still generate alarms for both UDP and stealth scans. I
# Always recommend you use a packet filter because they are made
# For this purpose.
#
# Generic
# KILL_ROUTE = "/sbin/route add $ TARGET $333.444.555.666"
# Generic Linux
# KILL_ROUTE = "/sbin/route add-host $ TARGET $ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# Is cleaner than the above option.
KILL_ROUTE = "/sbin/route add-host $ TARGET $ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
# KILL_ROUTE = "/sbin/route add $ TARGET $333.444.555.666"
# Generic Sun
# KILL_ROUTE = "/usr/sbin/route add $ TARGET $333.444.555.666 1"
# NEXTSTEP
# KILL_ROUTE = "/usr/etc/route add $ TARGET $127.0.0.1 1"
# FreeBSD (Not well tested .)
# KILL_ROUTE = "route add-net $ TARGET $-netmask 255.255.255.255 127.0.0.1-blackhole"
# Digital UNIX 4.0D (OSF/1/Compaq Tru64 UNIX)
# KILL_ROUTE = "/sbin/route add-host-blackhole $ TARGET $127.0.0.1"
# Generic HP-UX
# KILL_ROUTE = "/usr/sbin/route add net $ TARGET $ netmask 255.255.255.0 127.0.0.1"
##
# Using a packet filter is the preferred method. The below lines
# Work well on your OSs. Remember, you can only uncomment * one *
# KILL_ROUTE option.
##
###############
# TCP Wrappers #
###############
# This text will be dropped into the hosts. deny file for wrappers
# To use. There are two formats for TCP wrappers:
#
# Format One: Old Style-The default when extended host processing
# Options are not enabled.
#
KILL_HOSTS_DENY = "ALL: $ TARGET $"
#
# Format Two: New Style-The format used when extended option
# Processing is enabled. You can drop in extended processing
# Options, but be sure you escape all % symbols with a backslash
# To prevent problems writing out (I. e. \ % c \ % h)
#
# KILL_HOSTS_DENY = "ALL: $ TARGET $: DENY"
###################
# External Command #
###################
# This is a command that is run when a host connects, it can be whatever
# You want it to be (pager, etc.). This command is executed before
# Route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
# Against the host scanning you. TCP/IP is an * unauthenticated protocol *
# And people can make scans appear out of thin air. The only time it
# Is reasonably safe (and I * never * think it is reasonable) to run
# Reverse probe scripts is when using the "classic"-tcp mode. This
# Mode requires a full connect and is very hard to spoof.
#
# KILL_RUN_CMD = "/some/path/here/script $ TARGET $ PORT $"
#####################
# Scan trigger value #
#####################
# Enter in the number of port connects you will allow before
# Alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# Probably not necessary. This value must always be specified,
# Generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need
# Be careful that you dont make a hair trigger situation. Because
# Advanced mode will react for * any * host connecting to a non-used
# Below your specified range, you have the opportunity to really
# Break things. (I. e someone innocently tries to connect to you
# SSL [TCP port 443] and you immediately block them). Some of you
# May even want this though. Just be careful.
#
SCAN_TRIGGER = "0"
######################
# Port Banner Section #
######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I * dont * recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes dont use this feature
#
PORT_BANNER = "** unauthorized access prohibited *** YOUR CONNECTION ATTEMPT HAS
Been logged. go away ."
# EOF

Now, for security reasons, we must check and change the file permissions:

[Root @ deep/] # chmod 600/usr/psionic/portsentry. conf

Configure the "/usr/psionic/portsentry. ignore" File
Set the host to be ignored by portsentry in the/usr/psionic/portsentry/PortSentry. ignore file. This file must contain at least the IP addresses of localhost (127.0.0.1) and Local interface (lo. Do not put the IP addresses of all files in the network in this file.

Edit the "portsentry. ignore" file (vi/usr/psionic/portsentry. ignore) to add any host that you want PortSentry to ignore.

# Put hosts in here you never want blocked. This includes des the IP addresses
# Of all local interfaces on the protected host (I. e virtual host, mult-home)
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
127.0.0.1
0.0.0.0

Now, we change the default file permissions:

[Root @ deep/] # chmod 600/usr/psionic/portsentry. ignore

Start PortSentry
The PortSentry program can be configured to run in six different modes, but it can only run in one mode at a time. These different modes are:

L portsentry-tcp (basic port binding TCP Mode)

L portsentry-udp (basic port binding to UDP Mode)

L portsentry-stcp (secret TCP scan detection)

L portsentry-atcp (Advanced TCP Secret scan detection)

L portsentry-sudp (secret UDP scan detection)

L portsentry-audp (Advanced Security UDP scan detection)

I prefer the "advanced TCP Security Scan detection" and "Advanced Security UDP scan detection" modes. For more information, see the "README. install" and "README. stealth" files.

Select TCP mode:

-Atcp-Advanced TCP stealth scan detection mode

With "-atcp" (Advanced TCP Security Scan), PortSentry first checks which ports are running on the server, and then moves these ports to only monitor the remaining ports. In this way, the response speed to port scanning is very fast and the CPU time is very small.

UDP mode:

-Sudp-"Stealth" UDP scan detection mode

With "-sudp" (Advanced Security UDP scan Detection), UDP ports are listed and monitored.

Run the following command to start PortSentry in two modes:

[Root @ deep/] #/usr/psionic/portsentry? Atcp
[Root @ deep/] #/usr/psionic/portsentry-sudp

Note: You can add the above rows to the "/etc/rc. d/rc. local" script file. PortSentry runs automatically when the computer is restarted.

Files installed in the system
>/Usr/psionic
>/Usr/psionic/portsentry
>/Usr/psionic/portsentry. conf
>/Usr/psionic/portsentry. ignore
>/Usr/psionic/portsentry

Copyright description
This article is translated and adapted from Gerhard Mourani's Securing and Optimizing Linux: RedHat Edition. For the original article and its copyright agreement, see www.openna.com.

The copyright of the Chinese version belongs to the authors brimmer and www.linuxaid.com.cn.