Now, we move further. I hope you are not feeling sleepy!
If you are, go take a
dose of extra caffeine and come back.
Configuration Files
Here you specify the paths of the three files Portsentry keeps: the hosts it must never block, the hosts it has blocked over its whole history, and the hosts it has blocked in the current session. Leaving these paths at the defaults does no harm, so just let them be.
---------START------snip------portsentry.conf---------------
# Hosts to ignore: never blocked, whatever they send (put your own
# addresses, your gateway and your nameservers here)
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
# Hosts that have been denied access to your machine as a result of
# past (suspected) intrusion attempts (running history)
HISTORY_FILE="/var/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next
# restart)
BLOCKED_FILE="/var/portsentry/portsentry.blocked"
---------END------snip------portsentry.conf---------------
Ignore Options
As the comments in this section say, here you set how Portsentry responds
when it detects a TCP or UDP portscan.
---------START------snip------PORTSENTRY.conf---------------
# These options allow you to enable automatic response
# options for UDP/TCP. the options are :
#
#
# 0 = Do not block UDP/TCP scans just log them.
# 1 = Block UDP/TCP scans.
# 2 = execute external command
BLOCK_TCP="1"
BLOCK_UDP="1"
--------END------SNIP------------Portsentry.conf--------------------
As always, there are separate options for TCP and UDP:
choose '0' : to only be told that a scan occurred; no scan blocking.
choose '1' : to block the scanning host (using the KILL_ROUTE you pick below).
choose '2' : to run only an external command (KILL_RUN_CMD) in response to
TCP/UDP scans on your machine, without dropping the route.
Option '2' is fine for notification (a pager script, say), but using it to hit
back at the scanner is not recommended: the source address of a scan can be
spoofed, so you might end up damaging an innocent host the cracker is hiding
behind, or just piss him off so that he returns more determined and better
prepared! Also, with '2' the route to the scanning host is not dropped, as we
will see below.
You will find the option to specify this command (KILL_RUN_CMD) as you go down
reading this article. So don't worry.
Rogue Hosts
We will filter 'further' connection attempts by a rogue host. Portsentry gives
us two options:
- dropping the route: a route for the rogue host's address is added that leads
  nowhere, so your machine can no longer send anything back to it. Its packets
  still arrive, but no connection can complete.
- dropping the rogue host's packets in the packet filter (ipfwadm or ipchains):
  a rule is inserted that denies everything from that address on arrival.
Both methods are discussed here. Make sure you choose ONLY ONE OPTION: exactly
one KILL_ROUTE line may be uncommented.
Remember that whatever a scanner can spoof, it can get you to block. If your
gateway or nameservers are not listed in the IGNORE_FILE, a handful of spoofed
packets is enough to cut you off from them.
The variable $TARGET$ will be substituted with the address of the attacking
host when an attack is detected. The variable $PORT$ will be substituted with
the port that was scanned and tripped Portsentry off.
---------START------snip------PORTSENTRY.conf---------------
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# This version does not log denied packets after activation
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# New ipchains support for Linux kernel version 2.1.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
---------END------snip------PORTSENTRY.conf---------------
OK, there are only a couple of choices we need to consider here. They are:
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
or
# New ipchains support for Linux kernel version 2.1.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
If you have ipchains installed (do: whereis ipchains), then the second option
is the best: the rule denies the rogue host's packets on arrival and, thanks to
-l, logs them. Use the first option in case you have any problems with the
ipchains option, like you don't have any idea about configuring ipchains and
have decided to postpone learning about ipchains till I decide to write an
article on it!
Anyway, if you suddenly realise that you have an old kernel, chuck the two
above mentioned options and go for this:
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
Here 333.444.555.666 is only a placeholder (it is not even a valid IP
address): replace it with the address of a dead host on your network.
Whichever line you pick, remove the leading '#' so that it is actually active.
In case you are wondering what a dead host is, and what it has got to do with
the IPs 127.0.0.1 and 333.444.555.666, let me tell you that a dead host is an
address on your network that no machine answers to. A packet routed via such a
host is handed to a gateway that does not exist, so it never reaches anywhere;
it is simply thrown away, at the latest when its TTL runs out. Routing the
rogue host via 127.0.0.1 does the same job: the replies are sent into your own
loopback interface and never leave the machine.
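To make the 'only one KILL_ROUTE' rule and the $TARGET$/$PORT$ substitution concrete, here is a small dry-run checker. It is an added example written for this article, not part of Portsentry or its documentation. It reads a portsentry.conf, rejects a config with zero or several active KILL_ROUTE lines, a BLOCK_TCP/BLOCK_UDP value other than 0, 1 or 2, or the 333.444.555.666 placeholder still in place, and prints (without executing) the command Portsentry would run for a given attacker address and port. The two sample configs, the attacker address 10.0.0.5 and the port 23 are constructed for the demonstration, and the substitution is this script's own sed, assumed to behave like Portsentry's.

```sh
#!/bin/sh
# Added example, not Portsentry code: dry-run checker for the KILL_ROUTE and
# BLOCK_* settings in a portsentry.conf.  Nothing here touches routes or
# firewall rules; it only reads the file and prints what would be run.

# Print the value of the last uncommented KEY="value" line in FILE.
conf_value() {   # usage: conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Count the active (uncommented) KILL_ROUTE lines; Portsentry allows exactly one.
active_kill_routes() {   # usage: active_kill_routes FILE
    grep -c '^[[:space:]]*KILL_ROUTE=' "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# Substitute $TARGET$ and $PORT$ in a KILL_ROUTE/KILL_RUN_CMD template, the way
# Portsentry does before running it (our own sed, assumed equivalent).
render_kill_route() {   # usage: render_kill_route TEMPLATE TARGET PORT
    printf '%s\n' "$1" | sed -e 's/\$TARGET\$/'"$2"'/g' -e 's/\$PORT\$/'"$3"'/g'
}

# Sanity checks: one KILL_ROUTE, BLOCK_* in {0,1,2}, no leftover placeholder.
# Returns 0 when the config is acceptable, 1 otherwise (reasons on stderr).
check_conf() {   # usage: check_conf FILE
    status=0
    n=$(active_kill_routes "$1")
    if [ "$n" -ne 1 ]; then
        echo "ERROR: $n active KILL_ROUTE lines, need exactly one" >&2; status=1
    fi
    for key in BLOCK_TCP BLOCK_UDP; do
        v=$(conf_value "$1" "$key")
        case "$v" in
            0|1|2) ;;
            *) echo "ERROR: $key=\"$v\" is not 0, 1 or 2" >&2; status=1 ;;
        esac
    done
    if grep -q '^[[:space:]]*KILL_ROUTE=.*333\.444\.555\.666' "$1"; then
        echo "ERROR: KILL_ROUTE still has the 333.444.555.666 placeholder" >&2; status=1
    fi
    return $status
}

# Two constructed sample configs (not real files from any system).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
BLOCK_TCP="1"
BLOCK_UDP="1"
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
EOF

BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
BLOCK_TCP="1"
BLOCK_UDP="yes"
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
EOF

# Dry run against both samples with a made-up scanner 10.0.0.5 hitting port 23.
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_conf "$f"; then
        echo "OK: $f would run: $(render_kill_route "$(conf_value "$f" KILL_ROUTE)" 10.0.0.5 23)"
    else
        echo "REJECTED: $f"
    fi
done
```

Run it with plain sh; no root is needed because nothing is executed. Point check_conf at your real portsentry.conf before restarting Portsentry, and use render_kill_route to eyeball the exact route or ipchains command a block would produce.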
With that, lets move forward.