Originally Published: Thursday, 4 October 2001 Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles, page 4/5

Installing and Configuring Portsentry: Intrusion Detection Systems for the Uninitiated.

Linux.com enjoys providing information we suspect you, dear reader, will particularly value. In this Linux.com security article, correspondent Shashank Pandey shows us how to set up and configure the Intrusion Detection Software (IDS) PortSentry. We hope you find this useful.


Now, we move further. I hope you are not feeling sleepy! If you are, go take a dose of extra caffeine and come back.

Configuration Files

Here you can specify the paths to the files where Portsentry records the hosts it has caught 'misbehaving' (leave the paths at their defaults; it doesn't hurt, so just let them be).
---------START---------snip-----------portsentry.conf--------------

# Hosts to ignore (never blocked)
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
# Logs hosts that have been denied access to your machines as a result of
# past (suspected) intrusion attempts (running history)
HISTORY_FILE="/var/portsentry/portsentry.history"
# Logs hosts that have been denied this session only (temporary until next
# restart)
BLOCKED_FILE="/var/portsentry/portsentry.blocked"

------END----------------snip----portsentry.conf------------------------

Ignore Options

As the comments in this section say, you can set Portsentry to respond in a particular manner when it detects a TCP/UDP portscan.

---------START------snip------PORTSENTRY.conf---------------

# These options allow you to enable automatic response
# options for UDP/TCP. The options are:
#
# 0 = Do not block UDP/TCP scans, just log them.
# 1 = Block UDP/TCP scans.
# 2 = Execute external command (KILL_RUN_CMD).

BLOCK_TCP="1"
BLOCK_UDP="1"

--------END------SNIP------------Portsentry.conf--------------------


As we can see, like always, there are options for both TCP and UDP:

choose '0' : to just know when a scan occurred; no scan blocking.
choose '1' : to block all scans to your machine.
choose '2' : to run an external command (KILL_RUN_CMD) in response to TCP/UDP scans on your machine.

Option '2' is more like a retaliatory action and is not recommended, as you might end up damaging a spoofed host used by the cracker, or just piss him off so that he returns more determined and prepared! Also, if you select this option, you won't be able to drop routes for the packets, as we will see below.

You will also find the option to specify this command (KILL_RUN_CMD) further down in this article, so don't worry.

Rogue Hosts

We will filter 'further' connection attempts by a rogue host. Portsentry gives us two options:

  1. dropping the route (for the rogue host's TCP/IP packets), or
  2. dropping the rogue host's packets with a packet filter (ipfwadm or ipchains).

Both methods are discussed here. Make sure you choose ONLY ONE OPTION.

The variable $TARGET$ will be substituted with the attacking host when an attack is detected. The variable $PORT$ will be substituted with the port that was scanned and tripped Portsentry off.

---------START------snip------PORTSENTRY.conf---------------

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"

# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"

# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"

# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"

# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# This version does not log denied packets after activation
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# New ipchain support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"

---------END------snip------PORTSENTRY.conf---------------

OK, there are only a couple of choices we need to consider here. They are:

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

or

# New ipchain support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

If you have ipchains installed (do: whereis ipchains), then the second option is the best. Use the first option in case you have any problems with the ipchains option, like you don't have any idea about configuring ipchains and have decided to postpone learning about it till I decide to write an article on it! Whichever you pick, remember that every KILL_ROUTE line ships commented out: remove the leading '#' from the one line you choose, and from that line only.

Anyway, if you suddenly realise that you have an old kernel, then chuck the two above-mentioned options and go for this:

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

In case you are wondering what a dead host is, and what it has to do with the IPs 127.0.0.1 and 333.444.555.666, let me tell you that a dead host is a host to which there is no route. In other words, if you send a packet to a dead host it will not reach anywhere; instead it will die when its time-to-live runs out! (333.444.555.666 is only a placeholder in the sample file, not a valid address; put the address of a dead host on your own network there before enabling that line.)

With that, let's move forward.
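As an added example (not part of the original article or of PortSentry itself), a small Python checker that applies the rules above to a portsentry.conf fragment: it flags comment lines that were wrapped and lost their leading '#', rejects BLOCK_TCP/BLOCK_UDP values outside 0/1/2, warns when option 2 is chosen, insists on exactly one active KILL_ROUTE, and shows how $TARGET$ and $PORT$ are expanded for a detected scanner. The configuration text inside it is constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample (not the article's): BLOCK_UDP=2, two live KILL_ROUTEs,
# and a comment wrapped onto a second line that lost its '#'.
SAMPLE_CONF = """\
# Logs Hosts that have been denied access to your machines as a result of
past(suspected) intrusion attempts (running history)
BLOCK_TCP="1"
BLOCK_UDP="2"
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
"""

ASSIGN = re.compile(r'^([A-Z_]+)="(.*)"$')

def parse_conf(text):
    """Return ({KEY: [values in file order]}, [syntax problems])."""
    values, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            values.setdefault(m.group(1), []).append(m.group(2))
        else:
            problems.append(f'line {lineno}: not KEY="value" (wrapped comment?)')
    return values, problems

def lint(values):
    """The article's rules: BLOCK_* must be 0/1/2, exactly one KILL_ROUTE."""
    problems = []
    for key in ("BLOCK_TCP", "BLOCK_UDP"):
        last = values.get(key, [None])[-1]
        if last not in ("0", "1", "2"):
            problems.append(f"{key} must be 0, 1 or 2")
        elif last == "2":
            problems.append(f"{key}=2 runs KILL_RUN_CMD instead of dropping a route")
    routes = values.get("KILL_ROUTE", [])
    if len(routes) != 1:
        problems.append(f"exactly one active KILL_ROUTE needed, found {len(routes)}")
    if routes and "$TARGET$" not in routes[0]:
        problems.append("KILL_ROUTE never uses $TARGET$")
    return problems

def expand_kill_route(template, target, port):
    """Substitute $TARGET$/$PORT$ as PortSentry does; the target must parse as an IP."""
    target = str(ipaddress.ip_address(target))
    return template.replace("$TARGET$", target).replace("$PORT$", str(port))
```

Running parse_conf and lint over SAMPLE_CONF reports the wrapped comment on line 2, the BLOCK_UDP=2 retaliation setting, and the two simultaneously active KILL_ROUTE lines.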
