Originally Published: Thursday, 4 October 2001 | Author: Shashank Pandey | Category: Advanced Security Articles
Installing and Configuring Portsentry: Intrusion Detection Systems for the Uninitiated.
Linux.com enjoys providing information we suspect you, dear reader, will particularly value. In this Linux.com security article, correspondent Shashank Pandey shows us how to set up and configure the Intrusion Detection System (IDS) PortSentry. We hope you find this useful.
TCP Wrappers
TCP Wrappers (libwrap) are basically meant for host-based access control and use the files /etc/hosts.allow and /etc/hosts.deny. PortSentry can 'drop' the host an unauthorized connection came from into /etc/hosts.deny so that the 'rogue' IP cannot reconnect to any wrapped service. The entry it writes is set by KILL_HOSTS_DENY in portsentry.conf, with $TARGET$ replaced by the offending address, and the file ships two versions of it: the new-style entry (ending in ": DENY", for current libwrap versions) is active, and the old-style entry for ancient libwrap versions is commented out. If you are using an ancient Linux system that is possibly older than you, comment out the uncommented choice and uncomment the commented-out choice (switch the thing around). Otherwise use the default selection.

Automatic blocking is not reliable as a defence because source addresses are easy to forge: a single spoofed packet is enough to trip the stealth modes (classic connect mode at least requires a completed TCP handshake), and an attacker who forges the address of your gateway, name server or a partner site gets that host locked out, turning PortSentry into a denial of service against you. Put addresses that must never be blocked in the portsentry.ignore file. That said, this should take care of most of the script kiddies in the wild!
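As an added example that is not part of the original article, the script below puts the portsentry.conf options discussed in this section and in the External Command, Scan Trigger Value and Port Banner sections that follow (KILL_HOSTS_DENY, KILL_RUN_CMD, SCAN_TRIGGER and PORT_BANNER) into a constructed configuration fragment and checks it the way a reviewer would: it confirms that exactly one KILL_HOSTS_DENY variant is active, renders the /etc/hosts.deny entry PortSentry would write for a given attacker address, expands the external command, and warns when advanced mode is combined with the default trigger of 0. The option names and the $TARGET$ and $PORT$ placeholders are PortSentry's own; the values, the 192.0.2.10 address and the /usr/local/bin/alarm.sh path are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: a constructed portsentry.conf
# fragment plus a small sanity checker for the options discussed on this page.
# Option names and the $TARGET$/$PORT$ placeholders are PortSentry's own;
# the values and the alarm.sh path are illustrative.

SAMPLE_CONF='
# New-style libwrap (TCP Wrappers) entry, active by default
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
# Old-style entry for ancient systems; swap the comment markers to use it
#KILL_HOSTS_DENY="ALL: $TARGET$"
# External command, run as root with the attacker address and port substituted
KILL_RUN_CMD="/usr/local/bin/alarm.sh $TARGET$ $PORT$"
# 0 = react to the very first connection (the default)
SCAN_TRIGGER="0"
# Banner is commented out by default and only used in classic TCP mode
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED ** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
'

# conf_get CONF NAME: value of the active (uncommented) option NAME, quotes stripped.
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\(.*\)\"\$/\1/p"
}

# conf_count CONF NAME: number of active definitions of NAME. Exactly one is
# expected; two means both KILL_HOSTS_DENY variants were left uncommented.
conf_count() {
    printf '%s\n' "$1" | grep -c "^$2=" || true
}

# expand TEMPLATE IP PORT: substitute PortSentry's placeholders the way the
# daemon does before appending to hosts.deny or running KILL_RUN_CMD.
expand() {
    printf '%s\n' "$1" | sed 's/\$TARGET\$/'"$2"'/g; s/\$PORT\$/'"$3"'/g'
}

# set_trigger CONF N: return CONF with SCAN_TRIGGER set to N.
set_trigger() {
    printf '%s\n' "$1" | sed 's/^SCAN_TRIGGER=.*/SCAN_TRIGGER="'"$2"'"/'
}

# check_trigger CONF MODE: fail when advanced mode (-atcp/-audp) is combined
# with SCAN_TRIGGER=0, the "hair trigger" that blocks any host touching an
# unused low port. Other modes are accepted with any trigger value.
check_trigger() {
    trigger=$(conf_get "$1" SCAN_TRIGGER)
    trigger=${trigger:-0}
    case "$2" in
        -atcp|-audp)
            if [ "$trigger" -eq 0 ]; then
                echo "WARN: $2 with SCAN_TRIGGER=0 is a hair trigger; use 1 or 2"
                return 1
            fi ;;
    esac
    echo "OK: SCAN_TRIGGER=$trigger is fine for mode $2"
}

# Demonstration with a constructed attacker address (RFC 5737 documentation range).
echo "active KILL_HOSTS_DENY lines: $(conf_count "$SAMPLE_CONF" KILL_HOSTS_DENY)"
echo "hosts.deny entry : $(expand "$(conf_get "$SAMPLE_CONF" KILL_HOSTS_DENY)" 192.0.2.10 23)"
echo "external command : $(expand "$(conf_get "$SAMPLE_CONF" KILL_RUN_CMD)" 192.0.2.10 23)"
check_trigger "$SAMPLE_CONF" -stcp
check_trigger "$SAMPLE_CONF" -atcp || :
check_trigger "$(set_trigger "$SAMPLE_CONF" 2)" -atcp
```

Run it against your real portsentry.conf by replacing SAMPLE_CONF with `$(cat /path/to/portsentry.conf)`; the expansion step is also a quick way to see exactly what an attacker-controlled address would be passed to your KILL_RUN_CMD before you trust that command with root privileges.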
External Command
KILL_RUN_CMD is the command PortSentry runs when a host trips it. How about playing an alarm bell at the person who is port-scanning you? You can also have it send you mail about the suspected intrusion attempt, or do anything else you like; PortSentry substitutes the attacker's address for $TARGET$ and the probed port for $PORT$ in the command before running it. To play an alarm sound, point KILL_RUN_CMD at the command that plays your audio file. Keep in mind that the command runs as root, once for every host that trips the sensor, so keep it simple and quote its arguments.

Scan Trigger Value
SCAN_TRIGGER is the number of monitored ports a host may connect to before PortSentry reacts. The default is 0, which makes it react to the first connection. A value of 1 or 2 reduces false alarms; anything higher is probably not necessary. The value must always be specified, but in classic or stealth mode it can generally be left at 0. Note: if you are going for the advanced detection option, set a trigger value greater than 0 to avoid a 'hair trigger' effect. Advanced mode watches every port in a range (in our case the privileged ports below 1024) that nothing is listening on, so it reacts to *any* host touching an unused low port, including legitimate ones such as a Windows client probing NetBIOS on 139 or a mail server doing an ident lookup on 113 (the default ADVANCED_EXCLUDE_TCP list leaves those two out for exactly this reason). Blocking such hosts amounts to a self-inflicted Denial of Service, since even a valid, authorized connection attempt could get the host banned.

Port Banner Section
PORT_BANNER lets you specify the text displayed to the person tripping PortSentry in classic mode. It is commented out by default in the configuration file. We do not recommend taunting the person, as this will only aggravate them; a plain notice that the connection attempt has been logged is enough. Keep in mind that the stealth scan detection modes (including advanced mode) don't use this feature, because no connection is accepted over which the text could be sent.

Ok. So finally we are done with the installation and configuration. Now do
a quick test run. PortSentry takes one mode switch per process, so start one instance for TCP and one for UDP:

Stealth mode - /path/to/portsentry -stcp and /path/to/portsentry -sudp
Advanced mode - /path/to/portsentry -atcp and /path/to/portsentry -audp

Then port-scan the box from another machine and confirm that the scanner's address shows up in /etc/hosts.deny and in the system log.

In Part Two
In the second article on IDSs, we shall learn to install and configure SNORT, another cute Intrusion Detection System, and also a bit about bypassing these IDS systems. ALOHA!

Author: Shashank Pandey a.k.a. ~AcE~
E-mail: reach_shash@linuxmail.org
CopyLeftRightandCenter 2001. Shashank Pandey. All Rights reserved. Unauthorized copying or duplication of this document is strictly prohibited.