Originally Published: Thursday, 4 October 2001
Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles
Installing and Configuring Portsentry: Intrusion Detection Systems for the Uninitiated.
Linux.com enjoys providing information we suspect you, dear reader, will particularly value. In this Linux.com security article correspondent Shashank Pandey shows us how to set up and configure the Intrusion Detection Software (IDS) PortSentry. We hope you find this useful.
Now, like I just said, this article is like a health supplement, but you have to consume it along with your basic food intake. In other words have a basic security policy in place, otherwise you'll be wasting your time here.
In this article (and the one that will follow), we will discuss what intrusion detection actually is, what software you can use to combat intrusions, and how to install not one protection package, but a couple of them.
To achieve this an IDS has to do a lot of things, like analyzing the captured packets for an attack, comparing them with a database of attack signatures, performing integrity checks on the file system (like if somebody has tampered with your /etc/shadow file), watching processes etc.
There are vendor defined IDS models like network ids, host ids, procedure based ids. Basically, enough options to confuse us!
In this article we will leave all that junk aside and focus on the principles: installation, configuration and a bit about bypassing IDSs.
We will learn about all this in a series on IDSs comprising two articles/parts/whatevers:
Part 1: Installing and Configuring Portsentry (a simple an' sweet IDS)
Part 2: Installing and Configuring Snort (a relatively advanced IDS with more functionality)
a) Get an rpm from rpmfind.net.
rpm -ivh <name-of-portsentry-rpm>
b) Get a tar ball:
Copy it and unpack it in any directory, say /tmp:
$] tar -zxvf portsentry-1.0.tar.gz
That will unpack portsentry to a directory "portsentry-1.0" in /tmp or whatever directory you were in when you did the unpacking. Now,
If you do an ls you will see several files. Now we get to the fun part, the actual editing of the files. First, open up portsentry_config.h in a text-editor (vi/pico/emacs etc). See if you can make out anything from all those lines and make any changes (provided you know what you are doing). Normally, you can skip this altogether.
The main configuration file for portsentry is portsentry.conf. It's very customizable and you can edit it before or after installation, as you may like. Here, we will go my way and install it before editing portsentry.conf .
Go to the folder where you have extracted portsentry and do (as root):
./configure
make
make install
Generally, you shouldn't get any errors.
To check whether Portsentry has been installed properly do:
in my case, I got this:
Don't fret if the path is different in your case.
Ok. Cute. Great going. Now that we have installed portsentry, we can happily configure it:
In my case it was :
Now before we start configuring Portsentry, let's take a few moments to clear up a few fundamentals about Portsentry:
Portsentry can work in three modes:
So, now we move onwards to editing the portsentry.conf file which looks something like this:
-------START-------snip----------portsentry.conf--------------
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
---------END-------------------snip------portsentry.conf-----------------
As you might have noted, ports have been specified for both UDP (connectionless transport layer protocol) and TCP (connection oriented transport protocol) as both specify the kind of interaction we're searching for at the transport layer. Put a '#' (hash) at the beginning of a line to comment out (disable) an option. Advice to the newbies: Don't go for the 'anal' settings as they really are for the anal.
You can always take the middle path and uncomment the option that says :"use this if you just want to be aware".
Also, avoid configuring Portsentry to listen to port 6000 specifically, as this is the port on which X-server listens for client connections, and it might make you get "constipated in your head" (confused) if it finds Portsentry there! Also, it's probably a wise idea to not have Portsentry listen on port 113 (identd) even if you don't run identd.
For the uninitiated, Identd is a daemon that implements a User Identification Protocol called Ident. If installed, Identd typically comes into the picture in the case of an FTP or telnet connection. That may lead to a situation where whenever you try to FTP to a host, the FTP server will check the Identd running at 113 and ask it for the user identity (login name) of the user who owns the connection. Now, if Portsentry is sitting there, it will get tripped when the FTP server does its identd check.
I guess that's not worth the trouble... so leave ports 113 and 6000 out of Portsentry's port lists.
Also, take care to choose ONLY ONE OPTION for TCP and UDP each, per section of portsentry.conf, as I will keep on repeating throughout this document (actually, as long as I can!)
Ok, so we now move on to the next part. We configure Portsentry to listen to a specific range of ports in Advanced mode. (In advanced mode, Portsentry cannot be configured to listen to specific ports but only a range of ports)
---------START-------------snip----portsentry.conf---------------
###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1023.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE.
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="111,113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
---------END----------snip---------------portsentry.conf-------------
As the last four lines of this section say, exclude these:
UDP ports: 520,138,137,67 for route/RIP (protocol used by routers!), netbios, bootp (used in UDP based remote booting of an OS and also as a rudimentary DHCP server)
TCP ports: 111,113,139 for TCP ident and netbios service (windows file sharing)
Now, we move further. I hope you are not feeling sleepy! If you are, go take a dose of extra caffeine and come back.
---------START---------snip-----------portsentry.conf--------------
# Logs Hosts to ignore
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
# Logs Hosts that have been denied access to your machines as a result of past (suspected) intrusion attempts (running history)
HISTORY_FILE="/var/portsentry/portsentry.history"
# Logs Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/var/portsentry/portsentry.blocked"
------END----------------snip----portsentry.conf------------------------
---------START------snip------PORTSENTRY.conf---------------
# These options allow you to enable automatic response
# options for UDP/TCP. the options are :
#
#
# 0 = Do not block UDP/TCP scans just log them.
# 1 = Block UDP/TCP scans.
# 2 = execute external command
BLOCK_TCP="1"
BLOCK_UDP="1"
--------END------SNIP------------Portsentry.conf--------------------
As we can see, like always, there are options for both TCP and UDP:
choose '0' : to just know when a scan occurred, with no scan blocking.
choose '1' : to block all scans to your machine.
choose '2' : to run any external command (KILL_RUN_CMD) in response to TCP/UDP scans on your machine.
This option is more like a retaliatory action and not recommended as you might end up damaging a spoofed host used by the cracker or just piss him off, so that he returns, more determined and prepared! Also, if you select this option, then you won't be able to drop routes of the packets, as we will find below.
Also you will find an option to specify this command (KILL_RUN_CMD) as you go down reading this article. So don't worry.
Both methods are discussed here. Make sure you choose ONLY ONE OPTION.
$TARGET$ will be substituted with the attacking host when an attack is detected. The variable $PORT$ will be substituted with the port that was scanned and tripped Portsentry.
---------START------snip------PORTSENTRY.conf---------------
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# This version does not log denied packets after activation
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# New ipchain support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
---------END------snip------PORTSENTRY.conf---------------
OK, there are only a couple of choices we need to consider here. They are:
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# New ipchain support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
If you have Ipchains installed (do: whereis ipchains ), then the second option is the best. Use the first option in case you have any problems with the ipchains option, like you don't have any idea about configuring ipchains and have decided to postpone learning about ipchains till I decide to write an article on it!
Anyways, if you suddenly realise that you have an old kernel then chuck the two above mentioned options and go for this:
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
In case you are wondering what a dead host is, and what it has got to do with the IPs 127.0.0.1 and 333.444.555.666, let me tell you that a dead host is a host to which there is no route. In other words, if you send a packet to a dead host it will not reach anywhere, instead it will die when its life is over!
With that, let's move forward.
Portsentry can 'drop' the hosts from which unauthorized connections came to the file /etc/hosts.deny, so that the 'rogue' IP cannot reconnect.
The process is not reliable because IPs can easily be spoofed but again, this should take care of most of the script kiddies in the wild!
If you are using an ancient Linux kernel that is possibly older than you, then comment out the uncommented choice and uncomment the commented out choice. (Switch the thing around). Otherwise use the default selection.
---------START------snip------PORTSENTRY.conf---------------
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
---------END------snip------PORTSENTRY.conf---------------
---------START------snip------PORTSENTRY.conf---------------
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
---------END------snip------PORTSENTRY.conf---------------
This is the command(KILL_RUN_CMD) that is run when a host connects. How about playing an alarm bell to a person who is doing a port scan on you?
You can also execute a command to send a mail to yourself on any suspected intrusion attempts or anything else.
To play an audio(say an alarm sound) file, you can do this :
KILL_RUN_CMD="/path/to/alarm.wav $TARGET$ $PORT$"
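A notification-only handler for KILL_RUN_CMD, as an added example that is not from the original article or from Portsentry: it checks the substituted $TARGET$ and $PORT$ values before logging them, and flags a trip attributed to a host you depend on, since source addresses can be spoofed. The log path, the CRITICAL list and the assumption that $TARGET$ arrives as an IP address are illustrative.

```python
# Hypothetical handler; it would be configured as:
#   KILL_RUN_CMD="/path/to/handler.py $TARGET$ $PORT$"
import ipaddress
import sys
import time

# Hypothetical hosts this machine depends on (gateway, DNS resolver).
CRITICAL = {"192.0.2.1", "192.0.2.53"}

def build_alert(target, port, now=None):
    """Validate the substituted $TARGET$ and $PORT$ and return one log line."""
    addr = ipaddress.ip_address(target)   # raises ValueError if malformed
    port = int(port)                      # raises ValueError if not a number
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now))
    note = ""
    if addr.is_loopback or str(addr) in CRITICAL:
        # A scan "from" a host we rely on is more likely a spoofed source.
        note = " POSSIBLE-SPOOF review before leaving this host blocked"
    return f"{stamp} portsentry trip host={addr} port={port}{note}"

def main(argv, log_path="/var/log/portsentry-alerts.log"):
    """Append one alert (or one rejection record) to the log file."""
    if len(argv) != 3:
        return 2
    try:
        line = build_alert(argv[1], argv[2])
    except ValueError as err:
        line = f"rejected arguments {argv[1:]!r}: {err}"
    with open(log_path, "a") as log:
        log.write(line + "\n")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```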
---------START------snip------PORTSENTRY.conf---------------
SCAN_TRIGGER="0"
---------END------snip------PORTSENTRY.conf---------------
Here, you can specify the number of ports(monitored by Portsentry) that are scanned/connected to before Portsentry gets triggered.
The default is 0 which will make it react immediately.
A value of 1 or 2 will reduce false alarms. Anything higher is probably not necessary. This value must always be specified, but generally can be left at 0.
Note: if you are going for the advanced detection option, it is advisable to go for a trigger value > 0 , to avoid a 'hair trigger' effect. This is because Advanced mode is set to listen to a range of ports (in our case : <1023) and therefore, will react to *any* host connecting to a non-used port below our specified range. This could lead to a DoS (Denial of Service) as even a valid/authorized connection attempt could be blocked.
Keep in mind that the stealth scan detection modes don't use this feature.
This is one sample message :
PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** IP LOGGED "
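The rules this article gives for portsentry.conf can be checked mechanically: only one active TCP_PORTS, UDP_PORTS, KILL_ROUTE and KILL_HOSTS_DENY line, ports 113 and 6000 kept out of TCP_PORTS, a KILL_RUN_CMD present when blocking is set to 2, and in advanced mode a non-zero SCAN_TRIGGER with port 113 excluded. The linter below is an added example, not part of the original article or of Portsentry; its function names and the sample configuration are constructed for illustration.

```python
import re

# Keys for which the article says to leave exactly one line uncommented.
SINGLE = ("TCP_PORTS", "UDP_PORTS", "KILL_ROUTE", "KILL_HOSTS_DENY")
AVOID_TCP = {113, 6000}  # identd and X11, which the article says not to bind
ACTIVE = re.compile(r'^\s*([A-Z_]+)\s*=\s*"([^"]*)"\s*$')

def parse(text):
    """Map each key to the values of its uncommented KEY="value" lines."""
    cfg = {}
    for line in text.splitlines():
        m = ACTIVE.match(line)  # a line starting with '#' never matches
        if m:
            cfg.setdefault(m.group(1), []).append(m.group(2))
    return cfg

def ports(values):
    """Turn a list of "1,11,15" strings into a set of port numbers."""
    return {int(p) for v in values for p in v.split(",") if p.strip().isdigit()}

def lint(text, advanced=False):
    """Return findings; advanced=True means -atcp/-audp mode will be used."""
    cfg, out = parse(text), []
    for key in SINGLE:
        if len(cfg.get(key, [])) > 1:
            out.append(f"{key}: more than one active line")
    for p in sorted(ports(cfg.get("TCP_PORTS", [])) & AVOID_TCP):
        out.append(f"TCP_PORTS: remove port {p}")
    for key in ("BLOCK_TCP", "BLOCK_UDP"):
        if "2" in cfg.get(key, []) and "KILL_RUN_CMD" not in cfg:
            out.append(f"{key}: set to 2 but KILL_RUN_CMD is not set")
    if advanced and cfg.get("SCAN_TRIGGER") == ["0"]:
        out.append("SCAN_TRIGGER: 0 is a hair trigger in advanced mode")
    if advanced and 113 not in ports(cfg.get("ADVANCED_EXCLUDE_TCP", [])):
        out.append("ADVANCED_EXCLUDE_TCP: port 113 is not excluded")
    return out

# Constructed sample, not a real configuration file.
SAMPLE = '''
TCP_PORTS="1,11,15,113,143"
TCP_PORTS="1,11,15,110,111"
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
BLOCK_UDP="2"
SCAN_TRIGGER="0"
'''

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, advanced=True)))
```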
Ok. So finally we are done with the installation and configuration. Now do whereis portsentry and run Portsentry as follows, depending on the mode you want to run it in. Also, do man portsentry to get
Stealth mode - /path/to/portsentry -stcp -sudp
Advanced mode - /path/to/portsentry -atcp -audp
Classic mode - /path/to/portsentry -tcp -udp
Author : Shashank Pandey a.k.a ~AcE~ E-mail : firstname.lastname@example.org
CopyLeftRightandCenter 2001. Shashank Pandey All Rights reserved. Unauthorized copying or duplication of this document is strictly prohibited.