Linux.com Article DB: Installing and Configuring Portsentry: Intrusion Detection Systems for the Uninitiated.

PART 1 Installing and Configuring Portsentry

Platform : Linux (configuration is similar on other OSs like BSD /sun/*nix )

Installation

There are two ways in which you can install Portsentry :

a)get an rpm from rpmfind.net.

and do: rpm -ivh <name-of-portsenty-rpm->

b)get a tar ball :

copy it and unpack it in any directory, say /tmp:

$] tar -zxvf portsentry-1.0.tar.gz

That will unpack portsentry to a directory "portsentry-1.0" in /tmp or whatever directory you were in when you did the unpacking. Now,

cd portsentry-1.0

If you do an ls you will see several files. Now we get to the fun part, the actual editing of the files. First, open up portsentry_config.h in a text-editor (vi/pico/emacs etc). See if you can make out anything from all those lines and make any changes (provided you know what you are doing). Normally, you can skip this altogether.

The main configuration file for portsentry is portsentry.conf. It's very customizable and you can edit it before or after installation, as you may like. Here, we will go my way and install it before editing portsentry.conf .

Goto the folder where you have extracted portsentry and do (as root) :

./configure make make install

Generally, you shouldn't get any errors.

To check whether Portsentry has been installed properly do:

whereis portsentry

in my case, I got this:

/etc/portsentry /usr/local/portsentry

Dont fret if the path is different in your case.

Ok. Cute. Great going. Now that we have installed portsentry, we can happily configure it:

Configuration

Like I said earlier, the main configuration file for Portsentry is portsentry.conf.

In my case it was : /etc/portsentry/portsentry.conf

Now before we start configuring Portsentry, lets take a few moments to clear up a few fundamentals about Portsentry :

Portsentry can work in three modes:

Classic mode
In classic mode portsentry :
- Is less prone to false alarms
- Cannot detect stealth scans
Stealth mode
In Stealth mode portsentry :
- Is relatively more prone to false alarms
- Can detect stealth scans
Advanced mode
In Advanced mode portsentry:
- Is most prone to false alarms
- Detects stealth scans

Remember that portsentry can work in one mode only for TCP and one mode only for UDP at the same time. In other words, you cannot run two modes of TCP at the same time, or two modes of UDP at the same time.

So, now we move onwards to editing the portsentry.conf file which looks something like this:

Originally Published: Thursday, 4 October 2001	Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles	Page: 2/5 - [Printable]
Installing and Configuring Portsentry: Intrusion Detection Systems for the Uninitiated. Linux.com enjoys providing information we suspect you, dear reader, will particulary value. In this Linux.com security article correspondent Shashank Pandey shows us how to set up and configure the Intrusion Detection Software (IDS) PortSentry. We hope you find this useful.

	<< Page 2 of 5 >>
PART 1 Installing and Configuring Portsentry Platform : Linux (configuration is similar on other OSs like BSD /sun/nix ) Installation There are two ways in which you can install Portsentry : a)get an rpm from rpmfind.net. and do: `rpm -ivh <name-of-portsenty-rpm->` b)get a tar ball : copy it and unpack it in any directory, say /tmp: `$] tar -zxvf portsentry-1.0.tar.gz` That will unpack portsentry to a directory "portsentry-1.0" in /tmp or whatever directory you were in when you did the unpacking. Now, `cd portsentry-1.0` If you do an ls you will see several files. Now we get to the fun part, the actual editing of the files. First, open up portsentry_config.h in a text-editor (vi/pico/emacs etc). See if you can make out anything from all those lines and make any changes (provided you know what you are doing). Normally, you can skip this altogether. The main configuration file for portsentry is portsentry.conf. It's very customizable and you can edit it before or after installation, as you may like. Here, we will go my way and install it before editing portsentry.conf . Goto the folder where you have extracted portsentry and do (as root) : `./configure make make install` Generally, you shouldn't get any errors. To check whether Portsentry has been installed properly do: `whereis portsentry` in my case, I got this: `/etc/portsentry /usr/local/portsentry` Dont fret if the path is different in your case. Ok. Cute. Great going. Now that we have installed portsentry, we can happily configure it: Configuration Like I said earlier, the main configuration file for Portsentry is portsentry.conf. In my case it was : `/etc/portsentry/portsentry.conf` Now before we start configuring Portsentry, lets take a few moments to clear up a few fundamentals about Portsentry : Portsentry can work in three modes: Classic mode* In classic mode portsentry : Is less prone to false alarms Cannot detect stealth scans Stealth mode In Stealth mode portsentry : Is relatively more prone to false alarms Can detect stealth scans Advanced mode In Advanced mode portsentry: Is most prone to false alarms Detects stealth scans Remember that portsentry can work in one mode only for TCP and one mode only for UDP at the same time. In other words, you cannot run two modes of TCP at the same time, or two modes of UDP at the same time. So, now we move onwards to editing the portsentry.conf file which looks something like this:
	<< Page 2 of 5 >>