Originally Published: Thursday, 4 October 2001 Author: Shashank Pandey

Installing and Configuring Portsentry: Intrusion Detection Systems for the Uninitiated.

Linux.com enjoys providing information we suspect you, dear reader, will particularly value. In this Linux.com security article correspondent Shashank Pandey shows us how to set up and configure the Intrusion Detection Software (IDS) PortSentry. We hope you find this useful.

  << Page 3 of 5  >>

Port Configurations

This part covers the ports you want Portsentry to listen on for suspected intrusion attempts. Specify the ports here for Classic and Stealth modes.

-------START-------snip----------portsentry.conf--------------

# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#

# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"


---------END-------------------snip------portsentry.conf-----------------

As you might have noted, ports have been specified for both UDP (the connectionless transport-layer protocol) and TCP (the connection-oriented transport protocol), because both carry the kind of interaction we're watching for at the transport layer. Put a '#' (hash) at the beginning of a line to comment out (disable) an option. Advice to the newbies: don't go for the 'anal' settings, as they really are for the anal.

You can always take the middle path and uncomment the option that says: "Use these if you just want to be aware".

Also, avoid configuring Portsentry to listen on port 6000 specifically, as this is the port on which the X server listens for client connections, and it might make you "constipated in your head" (confused) if it finds Portsentry there! It is also probably a wise idea not to have Portsentry listen on port 113 (identd), even if you don't run identd.

For the uninitiated, identd is a daemon that implements the User Identification Protocol, called Ident. If installed, identd typically comes into the picture with FTP or telnet connections: whenever you FTP to a host, the FTP server may connect back to the identd on your machine at port 113 and ask it for the identity (login name) of the user who owns the connection. Now, if Portsentry is sitting on that port, it will get tripped when the FTP server does its identd check.

I guess that's not worth the trouble, so leave ports 113 and 6000 out of Portsentry's port list.

Also, take care to choose ONLY ONE OPTION each for TCP and UDP per section of portsentry.conf, as I will keep repeating throughout this document (for as long as I can!).

OK, so we now move on to the next part: configuring Portsentry to listen on a range of ports in Advanced mode. (In Advanced mode, Portsentry cannot be configured to listen on specific ports, only on a range of ports.)

---------START-------------snip----portsentry.conf---------------

###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches 
# everything below 1023. 
# 
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR 
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. 
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such 
# as FTP, SMTP, and wrappers look for but you may not run (and probably 
# *shouldn't* IMHO). 
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as 
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="111,113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"

---------END----------snip---------------portsentry.conf-------------


As the last four lines of this section say, exclude these:

TCP ports: 111, 113, 139 for TCP ident and the NetBIOS service (Windows file sharing)

UDP ports: 520, 138, 137, 67 for route/RIP (a protocol used by routers!), NetBIOS and bootp (used for UDP-based remote booting of an OS and also as a rudimentary DHCP server)
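The following shell script is an added example, not code from the article or from PortSentry itself: it checks a portsentry.conf against the advice from both port sections above (exactly one active TCP_PORTS and UDP_PORTS line, ports 113 and 6000 kept out of the TCP list, and ADVANCED_PORTS_TCP/UDP not above 1023). The check_portsentry_conf function and the sample configuration file it runs on are constructed here.

```shell
#!/bin/sh
# Added example: sanity-check a portsentry.conf against the advice on this page.
# Not part of PortSentry; the checks and the sample file below are constructed here.
#   1. exactly one active TCP_PORTS and one active UDP_PORTS line
#   2. ports 113 (identd) and 6000 (X11) not in the Classic/Stealth TCP list
#   3. ADVANCED_PORTS_TCP / ADVANCED_PORTS_UDP not above 1023
# Exit status = number of problems found (0 means clean).

# Values of the active (uncommented) assignments of KEY in FILE, quotes stripped.
active_values() {   # $1 = key, $2 = file
    grep -E "^[[:space:]]*$1=" "$2" | sed -e 's/^[^=]*=//' -e 's/"//g'
}

check_portsentry_conf() {
    conf=$1; problems=0
    # Rule 1: one option per list per section, as the article keeps repeating.
    for key in TCP_PORTS UDP_PORTS; do
        n=$(grep -cE "^[[:space:]]*$key=" "$conf" || true)
        if [ "$n" -ne 1 ]; then
            echo "$key: expected exactly one active line, found $n"
            problems=$((problems + 1))
        fi
    done
    # Rule 2: identd checks and the X server would trip PortSentry on these ports.
    for bad in 113 6000; do
        if active_values TCP_PORTS "$conf" | tr ',' '\n' | grep -qx "$bad"; then
            echo "TCP_PORTS: port $bad is listed; leave it out"
            problems=$((problems + 1))
        fi
    done
    # Rule 3: the shipped comments recommend watching no more than 1023 ports.
    for key in ADVANCED_PORTS_TCP ADVANCED_PORTS_UDP; do
        v=$(active_values "$key" "$conf" | head -n 1)
        if [ -n "$v" ] && [ "$v" -gt 1023 ]; then
            echo "$key=$v: monitoring above 1023 raises the false-alarm rate"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed sample: a second TCP_PORTS left uncommented and identd's port listed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540"
TCP_PORTS="1,11,15,113,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337"
TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771"
UDP_PORTS="1,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
EOF
check_portsentry_conf "$sample" || echo "found $? problem(s)"
rm -f "$sample"
```

Run it against your own file with `check_portsentry_conf /etc/portsentry/portsentry.conf` after sourcing the script; a non-zero exit status tells you how many of the three rules were broken.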
