Originally Published: Thursday, 4 October 2001 Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles

Installing and Configuring Portsentry: Intrusion Detection Systems for the Uninitiated.

Linux.com enjoys providing information we suspect you, dear reader, will particularly value. In this Linux.com security article correspondent Shashank Pandey shows us how to set up and configure the Intrusion Detection System (IDS) PortSentry. We hope you find this useful.

Intrusion Detection Systems for the Uninitiated!

So perhaps you have been following all those defacement mirrors and are worried about whether your machine is going to be the next entry in the archives? This article is intended to act as a health supplement for your existing security needs and policies.

Now, like I just said, this article is like a health supplement, but you have to consume it along with your basic food intake. In other words have a basic security policy in place, otherwise you'll be wasting your time here.

In this article (and the one that will follow), we will discuss what an Intrusion Detection System actually is, what software you can use to detect intrusions, and how to install not one protection package but two.

What is an IDS?

An IDS is expected to detect attacks (like someone port scanning you), log the attacker's traffic, help trace the origin of the attack and possibly even stop the attack midstream.

To achieve this an IDS has to do a lot of things: analyze the captured packets for an attack, compare them with a database of attack signatures, perform integrity checks on the file system (e.g. whether somebody has tampered with your /etc/shadow file), watch processes, etc.

There are vendor-defined IDS models like network IDS, host IDS and procedure-based IDS. Basically, enough options to confuse us!

In this article we will leave all that junk aside and focus on the principles: installation, configuration and a bit about bypassing IDSs.

We will learn about all this in a series on IDSs comprising two articles/parts/whatevers:

Part 1: Installing and Configuring Portsentry (a simple an' sweet IDS)

Part 2: Installing and Configuring Snort (a relatively advanced IDS with more functionality)

PART 1 Installing and Configuring Portsentry

Platform: Linux (configuration is similar on other OSs like BSD/Sun/*nix)

Installation

There are two ways in which you can install Portsentry:

a) get an RPM from rpmfind.net

and do: rpm -ivh <name-of-portsentry-rpm>

b) get a tarball:

copy it to any directory, say /tmp, and unpack it:

$] tar -zxvf portsentry-1.0.tar.gz

That will unpack portsentry to a directory "portsentry-1.0" in /tmp or whatever directory you were in when you did the unpacking. Now,

cd portsentry-1.0

If you do an ls you will see several files. Now we get to the fun part, the actual editing of the files. First, open up portsentry_config.h in a text editor (vi/pico/emacs etc). See if you can make sense of all those lines and make any changes you need (provided you know what you are doing). Normally, you can skip this altogether.

The main configuration file for portsentry is portsentry.conf. It's very customizable and you can edit it before or after installation, as you like. Here, we will go my way and install it before editing portsentry.conf.

Go to the folder where you have extracted Portsentry and do (as root):

./configure
make
make install

Generally, you shouldn't get any errors.

To check whether Portsentry has been installed properly do:

whereis portsentry

In my case, I got this:

/etc/portsentry /usr/local/portsentry

Don't fret if the path is different in your case.

Ok. Cute. Great going. Now that we have installed portsentry, we can happily configure it:

Configuration

Like I said earlier, the main configuration file for Portsentry is portsentry.conf.

In my case it was : /etc/portsentry/portsentry.conf

Now before we start configuring Portsentry, let's take a few moments to clear up a few fundamentals about Portsentry:

Portsentry can work in three modes:

  1. Classic mode
    In classic mode portsentry :
    • Is less prone to false alarms
    • Cannot detect stealth scans

  2. Stealth mode
    In Stealth mode portsentry :
    • Is relatively more prone to false alarms
    • Can detect stealth scans

  3. Advanced mode
    In Advanced mode portsentry:
    • Is most prone to false alarms
    • Detects stealth scans

Remember that portsentry can work in one mode only for TCP and one mode only for UDP at the same time. In other words, you cannot run two modes of TCP at the same time, or two modes of UDP at the same time.

So, now we move onwards to editing the portsentry.conf file which looks something like this:

Port Configurations

This part involves the ports you want Portsentry to listen on for suspected intrusion attempts. Specify ports here for Classic and Stealth modes.

-------START-------snip----------portsentry.conf--------------

# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#

# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

---------END-------------------snip------portsentry.conf-----------------

As you might have noted, ports have been specified for both UDP (the connectionless transport layer protocol) and TCP (the connection-oriented transport layer protocol), because the interaction we are watching for happens at the transport layer and can arrive over either. Put a '#' (hash) at the beginning of a line to comment out (disable) an option. Advice to the newbies: don't go for the 'anal' settings, as they really are for the anal.

You can always take the middle path and use the lines that say "Use these if you just want to be aware" (they are the ones left uncommented in the snippet above).

Also, avoid configuring Portsentry to listen on port 6000, as this is the port on which the X server listens for client connections, and X might get "constipated in its head" (confused) if it finds Portsentry there! Also, it's probably a wise idea not to have Portsentry listen on port 113 (identd) even if you don't run identd.

For the uninitiated, identd is a daemon that implements a user identification protocol called Ident. If installed, identd typically comes into the picture in the case of an FTP or telnet connection. Whenever you FTP to a host, that FTP server may connect back to identd on port 113 of your machine and ask it for the identity (login name) of the user who owns the connection. Now, if Portsentry is sitting there, it will get tripped when the FTP server does its identd check.

I guess that's not worth the trouble... so leave ports 113 and 6000 out of Portsentry's port list.

Also, take care to choose ONLY ONE OPTION for TCP and ONE for UDP per section of portsentry.conf, as I will keep on repeating throughout this document (actually, as long as I can!).

Ok, so we now move on to the next part. We configure Portsentry to listen on a range of ports in Advanced mode. (In Advanced mode, Portsentry cannot be configured to listen on specific ports, only on a range of ports.)

---------START-------------snip----portsentry.conf---------------

###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches 
# everything below 1023. 
# 
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR 
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. 
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such 
# as FTP, SMTP, and wrappers look for but you may not run (and probably 
# *shouldn't* IMHO). 
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as 
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="111,113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"

---------END----------snip---------------portsentry.conf-------------


As the last four lines of this section say, exclude these:

TCP ports: 111, 113, 139 for TCP ident and NetBIOS service (Windows file sharing)

UDP ports: 520, 138, 137, 67 for route/RIP (a protocol used by routers!), NetBIOS and bootp (used for UDP-based remote booting of an OS and also as a rudimentary DHCP server).

Now, we move further. I hope you are not feeling sleepy! If you are, go take a dose of extra caffeine and come back.

Configuration Files

Here you can specify the paths to the files in which Portsentry records the hosts it ignores and the hosts it has blocked (leave the paths at the defaults; it doesn't hurt, so just let them be).

---------START---------snip-----------portsentry.conf--------------

# Hosts to ignore
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
# Hosts that have been denied access to your machine as a result of
# past (suspected) intrusion attempts (running history)
HISTORY_FILE="/var/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next
# restart)
BLOCKED_FILE="/var/portsentry/portsentry.blocked"

------END----------------snip----portsentry.conf------------------------

Ignore Options

As the comments in this section say, you can set Portsentry to respond in a particular manner when it detects a TCP/UDP port scan.

---------START------snip------portsentry.conf---------------

# These options allow you to enable automatic response
# options for UDP/TCP. The options are:
#
# 0 = Do not block UDP/TCP scans, just log them.
# 1 = Block UDP/TCP scans.
# 2 = Execute external command.

BLOCK_TCP="1"
BLOCK_UDP="1"

--------END------snip------------portsentry.conf--------------------

As we can see, like always, there are options for both TCP and UDP:

choose '0': to just know when a scan occurred; no scan blocking.
choose '1': to block all scans of your machine.
choose '2': to run an external command (KILL_RUN_CMD) in response to TCP/UDP scans of your machine.

Option '2' is more like a retaliatory action and is not recommended, as you might end up damaging a spoofed host used by the cracker, or just piss him off so that he returns more determined and prepared! Also, if you select this option, Portsentry will not drop the route to (or filter) the scanning host, as we will see below.

You will also find the option to specify this command (KILL_RUN_CMD) further down in this article. So don't worry.

Rogue Hosts

We will filter further connection attempts from a rogue host. Portsentry gives us two options:

  1. dropping the route to the rogue host (its TCP/IP packets then get no replies), or
  2. handing the rogue host's packets to the packet filter (ipfwadm or ipchains).

Both methods are discussed here. Make sure you choose ONLY ONE OPTION.

The variable $TARGET$ will be substituted with the attacking host when an attack is detected. The variable $PORT$ will be substituted with the port that was scanned and tripped Portsentry.

---------START------snip------portsentry.conf---------------

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"

# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"

# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"

# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"

# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# This version does not log denied packets after activation
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# New ipchain support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"

---------END------snip------portsentry.conf---------------

OK, there are only a couple of choices we need to consider here. They are:

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

or

# New ipchain support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

If you have ipchains installed (do: whereis ipchains), then the second option is the best. Use the first option in case you have any problems with the ipchains option, like you don't have any idea about configuring ipchains and have decided to postpone learning about ipchains till I decide to write an article on it! Whichever you pick, remove the leading '#' from that one KILL_ROUTE line only.

Anyway, if you suddenly realise that you have an old kernel, then chuck the two options mentioned above and go for this:

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

In case you are wondering what a dead host is, and what it has to do with the IPs 127.0.0.1 and 333.444.555.666: a dead host is a host to which there is no route. In other words, if you send a packet to a dead host it will not reach anywhere; instead it will be discarded when its time-to-live runs out!

With that, lets move forward.

TCP Wrappers

TCP wrappers are basically meant for access control and use the files /etc/hosts.allow and /etc/hosts.deny. Portsentry can 'drop' the hosts from which unauthorized connections came into the file:

/etc/hosts.deny

so that the 'rogue' IP cannot reconnect.

The process is not reliable, because IPs can easily be spoofed, but again, this should take care of most of the script kiddies in the wild!

If you are using an ancient Linux kernel that is possibly older than you, then comment out the uncommented choice and uncomment the commented out choice. (Switch the thing around). Otherwise use the default selection.

---------START------snip------PORTSENTRY.conf---------------

# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"

# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

---------END------snip------PORTSENTRY.conf---------------

External Command

---------START------snip------PORTSENTRY.conf---------------

#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"

---------END------snip------PORTSENTRY.conf---------------

This is the command (KILL_RUN_CMD) that is run when a host trips Portsentry. How about playing an alarm bell to a person who is doing a port scan on you?

You can also execute a command to send a mail to yourself on any suspected intrusion attempt, or anything else.

To play an audio file (say an alarm sound), point KILL_RUN_CMD at a small script of yours that invokes your sound player on the file (a .wav file is data, not an executable, so it cannot be named directly):

KILL_RUN_CMD="/path/to/play_alarm.sh $TARGET$ $PORT$"
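Here is an added example of such a handler script, written for this article and not part of PortSentry or the original text. It assumes PortSentry invokes it with the attacking host as the first argument and the tripped port as the second (the $TARGET$ and $PORT$ substitution described above), validates both before doing anything with them, and then records the event through logger(1) and mail(1) when those are installed. The path /usr/local/sbin/portsentry_alert.sh and the recipient in ALERT_MAILTO are assumptions; a sound player can be added in handle_alert in the same guarded way.

```shell
#!/bin/sh
# Hypothetical KILL_RUN_CMD handler (added example, not PortSentry's own code).
# Install as, say, /usr/local/sbin/portsentry_alert.sh and set in portsentry.conf:
#   KILL_RUN_CMD="/usr/local/sbin/portsentry_alert.sh $TARGET$ $PORT$"
# PortSentry substitutes the attacking host and the tripped port, so the
# script receives them as $1 and $2.

ALERT_MAILTO="${ALERT_MAILTO:-root}"   # assumed recipient; override via environment

# is_ipv4 ADDR: succeed only if ADDR is four dotted decimal octets, each 0-255.
# Anything else is refused so a malformed argument never reaches logger or mail.
is_ipv4() {
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_port NUM: succeed only if NUM is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# alert_message HOST PORT: the one-line text sent to syslog and by mail.
alert_message() {
    printf 'portsentry: host %s probed port %s and has been blocked\n' "$1" "$2"
}

# handle_alert HOST PORT: validate the arguments, then notify through whatever
# tools are installed. Returns 2 on bad input so the failure is visible in
# PortSentry's own log of the external command.
handle_alert() {
    is_ipv4 "$1" || return 2
    is_port "$2" || return 2
    msg=$(alert_message "$1" "$2")
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.warning -t portsentry_alert "$msg"
    fi
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$msg" | mail -s "portsentry alert from $1" "$ALERT_MAILTO"
    fi
    return 0
}

# Run only when both arguments were supplied (by PortSentry or by hand).
if [ $# -ge 2 ]; then
    handle_alert "$1" "$2"
fi
```

Because KILL_RUN_CMD is executed by the PortSentry daemon as root, the script keeps the untrusted values (the host and port strings) out of any shell expansion until they have been checked, and it never passes them to a command that interprets its arguments further.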

Scan Trigger Value

---------START------snip------PORTSENTRY.conf---------------

SCAN_TRIGGER="0"

---------END------snip------PORTSENTRY.conf---------------

Here, you can specify the number of ports (monitored by Portsentry) that may be scanned/connected to before Portsentry gets triggered.

The default is 0, which will make it react immediately.

A value of 1 or 2 will reduce false alarms. Anything higher is probably not necessary. This value must always be specified, but generally can be left at 0.

Note: if you are going for the Advanced detection option, it is advisable to go for a trigger value > 0, to avoid a 'hair trigger' effect. This is because Advanced mode listens on a whole range of ports (in our case: below 1023) and therefore will react to *any* host connecting to an unused port within that range. This could lead to a DoS (Denial of Service), as even a valid/authorized connection attempt could be blocked.
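To make the trade-off concrete, here is an added simulation (written for this article, not PortSentry code) of how SCAN_TRIGGER interacts with Advanced mode's port range, the ADVANCED_EXCLUDE_TCP list and the ignore file. The probe log, the ignore list and the limits are all constructed for the example; the one behaviour assumed from the configuration comments above is that a host gets SCAN_TRIGGER grace hits and is blocked on the next one, so SCAN_TRIGGER=0 blocks on the very first probe.

```shell
#!/bin/sh
# Added example (not PortSentry code): simulate which hosts Advanced TCP mode
# would block for a given SCAN_TRIGGER value. All input is constructed.

# Limits taken from the Advanced section of portsentry.conf shown above.
ADVANCED_PORTS_TCP=1023
ADVANCED_EXCLUDE_TCP="111,113,139"

# Constructed probe log, one "host port" pair per line in arrival order:
# 192.0.2.10 sweeps four monitored ports, 192.0.2.20 hits one port above the
# limit, one excluded port (ident) and one monitored port, and 198.51.100.5
# (which we put in the ignore file) touches three monitored ports.
PROBES='192.0.2.10 1
192.0.2.20 1524
192.0.2.10 11
198.51.100.5 1
192.0.2.20 113
192.0.2.10 15
198.51.100.5 11
192.0.2.20 23
192.0.2.10 143
198.51.100.5 15'

# Hosts as they would appear in portsentry.ignore (space separated for awk).
IGNORED='127.0.0.1 198.51.100.5'

# hosts_to_block TRIGGER: print, in the order they trip, every host whose
# count of probes to monitored ports exceeds TRIGGER. Probes above the port
# limit, to excluded ports, or from ignored hosts are not counted at all.
hosts_to_block() {
    printf '%s\n' "$PROBES" | awk -v trigger="$1" -v limit="$ADVANCED_PORTS_TCP" \
        -v excluded="$ADVANCED_EXCLUDE_TCP" -v ignored="$IGNORED" '
        BEGIN {
            n = split(ignored, list, " ")
            for (i = 1; i <= n; i++) skip[list[i]] = 1
            n = split(excluded, list, ",")
            for (i = 1; i <= n; i++) excl[list[i]] = 1
        }
        NF == 2 {
            host = $1; port = $2
            if (host in skip) next            # ignore-file hosts never trip
            if (port + 0 > limit) next        # outside the Advanced range
            if (port in excl) next            # ADVANCED_EXCLUDE_TCP port
            hits[host]++
            if (hits[host] == trigger + 1) print host   # fires once per host
        }'
}

# Show the effect of raising the trigger on the same traffic.
for t in 0 1 3; do
    printf 'SCAN_TRIGGER=%s would block: %s\n' "$t" "$(hosts_to_block "$t" | tr '\n' ' ')"
done
```

With SCAN_TRIGGER=0 the single legitimate-looking connection from 192.0.2.20 to port 23 is enough to block that host, while with 1 or more only the sweeping host 192.0.2.10 is blocked; the ignored host never is, however many ports it touches.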

Port Banner Section

This option lets you specify the text that is displayed to the person tripping Portsentry in Classic mode. The default is commented out in the configuration file. We do not recommend taunting the person, as this will only aggravate them.

Keep in mind that the stealth scan detection modes don't use this feature.

This is one sample message :

PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** IP LOGGED "

Ok. So finally we are done with the installation and configuration. Now do a quick whereis portsentry and run Portsentry as follows, depending on the mode you want to run it in. Also, do man portsentry to get more help.

Usage:

Classic mode  - /path/to/portsentry -tcp   and   /path/to/portsentry -udp

Stealth mode  - /path/to/portsentry -stcp  and   /path/to/portsentry -sudp

Advanced mode - /path/to/portsentry -atcp  and   /path/to/portsentry -audp

Each invocation takes exactly one mode flag and stays resident, so start one copy for TCP and one for UDP.

In Part Two

In the second article on IDSs, we shall learn to install and configure SNORT which is another cute Intrusion Detection System and also a bit on bypassing these IDS systems. ALOHA !

Author : Shashank Pandey a.k.a ~AcE~ E-mail : reach_shash@linuxmail.org

CopyLeftRightandCenter 2001. Shashank Pandey All Rights reserved. Unauthorized copying or duplication of this document is strictly prohibited.