Monitor offensive IP connections with PortSentry

Monitoring incoming port scans is not a task anyone would willingly do 24/7. Fortunately, you can find tools to do the job for you. Jack Wallen, Jr. shows you how to get one such tool, PortSentry, up and running in no time.

For network administrators, one of the most difficult jobs is that of monitoring incoming packets and IP addresses. In an ideal world, we would hire someone to sit in front of a screen 24/7 and watch as the log churns through the incoming (and often outgoing) hits. This, of course, isn’t an ideal world, and very few organizations have the resources for such a menial task.

You can find tools out there, though, that can aid you in reaching that utopian networked world. One is PortSentry, developed for Linux by Psionic. This handy utility can certainly ease the burden of logging incoming traffic and blocking offending traffic for any network administrator with a Linux box available.

What PortSentry does
PortSentry actually can pull off a number of tricks. When PortSentry detects a port scan, it can react by:
  • Creating a log of the scan.
  • Adding an entry in /etc/hosts.deny for the offending host.
  • Reconfiguring the host to redirect traffic of the scan target to a dead host.
  • Dropping all packets from the offending scan.

PortSentry can also do stealth scan detection in two ways. The first method relies on a list of ports to watch that is predefined by the administrator. From this list, PortSentry knows to watch for scans to those ports. If an offending scan to one of the predefined ports is detected, PortSentry activates. Another method of stealth scan detection is inverse port binding, in which a larger range of ports is watched, excluding those ports the system has bound for network daemons (daemons started either by PortSentry or manually).

Getting and installing
Part of a bigger whole
The PortSentry utility is part of a larger group of tools, the Abacus Project, a suite of very low-maintenance tools, released by Psionic, that aids in host-based intrusion detection.

The PortSentry tool is available only in source form, so you’ll have to untar and compile it yourself. Download the PortSentry application from the Psionic download site. Then, su to root and run the following commands (in this example, we’re working with portsentry-1.1.tar.gz):
tar xvzf portsentry-1.1.tar.gz

Once the file is unpacked, cd into the newly created directory (in this example, it’s portsentry-1.1), open the file portsentry_config.h, and make sure the following entries are correct:
  • CONFIG_FILE—The path to the PortSentry configuration file
  • WRAPPER_HOSTS_DENY—The path to the hosts.deny file
  • SYSLOG_FACILITY—The logging facility PortSentry is to use
  • SYSLOG_LEVEL—At which level syslog is to send messages (Seven is the default for syslog, which will output all but debugging information.)

More than likely, the above entries will be correct. I advise you not to change any of these values unless you know what you’re doing. If you do edit this file, make sure you don’t delete the # symbols. In the case of the portsentry_config.h file, they’re not comments.

The next step is to edit the portsentry.conf file. Within this file, you’ll want to look at the following entries:
  • TCP_PORTS—This is a listing of TCP ports you want PortSentry to watch. Notice that there are no spaces in this list. Do not add any!
  • UDP_PORTS—This is the same as above, only in UDP fashion.
  • ADVANCED_PORTS_TCP—This number tells PortSentry the highest port it is to watch in advanced mode; PortSentry then watches all the ports below it. For instance, if you configure the ADVANCED_PORTS_TCP entry with 1024, PortSentry will start at port 1024 and watch all ports below that number. 1024 is the default entry.
  • ADVANCED_PORTS_UDP—This is the same as above, only in UDP fashion.
  • ADVANCED_EXCLUDE_TCP—This is a listing of ports to be excluded from PortSentry's advanced mode.
  • ADVANCED_EXCLUDE_UDP—This is the same as above, only in UDP fashion.
  • IGNORE_FILE—This is the path to the file that contains a listing of addresses for PortSentry to ignore.
  • BLOCKED_FILE—This is the path to the file that contains a listing of blocked hosts.
  • RESOLVE_HOST—This turns off DNS resolution.
  • BLOCK_TCP—This disables automatic responses to TCP probes. A setting of 0 blocks all TCP probes.
  • BLOCK_UDP—This is the same as above, only in UDP fashion.
  • PORT_BANNER—This is the path to the text banner you'd like to display to the offending scanner if PortSentry is activated.

The third step in the installation process involves yet another file, portsentry.ignore. Open this file and add any host addresses you want PortSentry to ignore. If you don’t add any addresses, the file should at least contain the localhost (127.0.0.1) entry. The format of these entries is:
IP Address/Netmask

or something like this, for example:
192.168.1.100/16

Use the above with much caution because it can add some particularly nasty loopholes to your system.
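
Two details above are easy to get wrong: a port list that contains spaces, and an ignore entry whose netmask exempts far more hosts than intended. Both can be checked before PortSentry is started. The script below is an added example, not part of PortSentry or the original article; the function names, the 256-address threshold, and the sample file contents are assumptions, and it reads the netmask as a bit count, as in the /16 example.

```sh
#!/bin/sh
# Added example: lint PortSentry port lists and portsentry.ignore entries.

# ports_ok LIST: succeed only if LIST is comma-separated ports 1-65535
# with no spaces, as TCP_PORTS and UDP_PORTS require.
ports_ok() {
    case "$1" in
        ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    for p in $1; do
        if [ "${#p}" -gt 5 ] || [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs; return 1
        fi
    done
    IFS=$old_ifs
}

# ignore_span ENTRY: print how many IPv4 addresses an "IP/bits" entry
# exempts from blocking; a bare IP counts as one host. Only the bit
# count is validated here, not the address part.
ignore_span() {
    case "$1" in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    case "$bits" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    echo $(( 1 << (32 - $bits) ))
}

# audit_ignore FILE MAX: print every entry that is malformed or exempts
# more than MAX addresses; return non-zero if any such entry is found.
# Assumes '#' starts a comment in the ignore file.
audit_ignore() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        n=$(ignore_span "$entry") && [ "$n" -le "$2" ] && continue
        echo "review: $entry exempts ${n:-?} addresses"
        bad=1
    done < "$1"
    return "$bad"
}

# Constructed sample: the localhost entry next to the article's /16 example.
sample=$(mktemp)
printf '%s\n' '# hosts never to block' '127.0.0.1/32' '192.168.1.100/16' > "$sample"
audit_ignore "$sample" 256 || echo "portsentry.ignore needs review"
ports_ok "1, 11, 15" || echo "port list has spaces or invalid ports"
rm -f "$sample"
```

Any host inside a range reported here can scan the machine without ever being blocked, so keep each ignore entry as narrow as the hosts you actually trust.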

Now you're ready to compile the application. As root (you should already be su'd to root), run the following, where <system type> is the type of system you will be installing onto:
make <system type>

For example, if I were installing PortSentry onto a Linux machine, I would type:
make linux
make install


The installer will create a new directory, psionic, within /usr/local. Within the newly created psionic directory will be yet another directory, portsentry, which will contain the portsentry executable binary, the portsentry.conf file, and the portsentry.ignore file. With these files in place, you’re now ready to set PortSentry up to run.

Running PortSentry
You can run PortSentry in one of six modes:
  • portsentry -tcp (the basic TCP mode)
  • portsentry -udp (the basic UDP mode)
  • portsentry -stcp (TCP stealth mode)
  • portsentry -atcp (advanced TCP stealth mode)
  • portsentry -sudp (UDP stealth mode)
  • portsentry -audp (advanced UDP stealth mode)

Let's say you want to run PortSentry in basic TCP mode. From the command line, enter (as root, of course):
/usr/local/psionic/portsentry/portsentry -tcp

and PortSentry will begin watching incoming connections.

You’ll notice that when you run the command above, a new file called portsentry.blocked.tcp will be created in the /usr/local/psionic/portsentry directory. This file will show you the addresses PortSentry has captured and configured to block from sending TCP traffic.

More than likely, you’ll want PortSentry to begin running at startup. The simplest way to accomplish this is to add the following lines in your /etc/rc.d/rc.local file, which will cause PortSentry to start at boot:
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -audp


Once PortSentry is up and running, it will begin logging in the /usr/local/psionic/portsentry/portsentry.blocked files as well as adding entries to the host’s /etc/hosts.deny file.

Conclusion
With malicious-minded traffic booming on the Internet, it’s critical that you have as much security as possible. Linux offers a vast array of security options, and it's best not to leave any stone unturned. By using PortSentry, you’re ensuring that your host will log any incoming traffic and automatically place one more barrier up to block offending traffic. I put PortSentry on all my Linux boxes.
