How to stop crackers with PortSentry

You can forget about port scans on your Linux computer quickly with one little software package.

(LinuxWorld) -- My last SysAdmin column was a modest attempt to bring some basic awareness of Linux 2.4 firewalling. This week we will continue on the security-focused path, bringing forth a plethora of knowledge for the uninitiated. The topic: PortSentry from Psionic Software.

PortSentry is an easy-to-install application that is designed to assist a Linux user in their attempts to stop those cold-hearted crackers from breaching the mighty fortress that is your Linux machine. Specifically, PortSentry runs as a daemon on the protected host. When running, it listens to TCP/UDP ports that you specify. If it detects a port scan, it will block the scanning IP from connecting to your machine.

Don't log in as root
You should only log in as root when absolutely required. If you can use the su command with the -c flag to achieve your result, do so. If you are unsure of the syntax for the su command, please see the man page.

PortSentry has proven so effective at what it does, it is included in many of the newer Linux distributions. These include Turbo Linux, Red Hat, and Debian. You can download PortSentry free of charge from any number of places. As we are going to install PortSentry from scratch, we are going to download the source from Psionic Software. We will not be performing an especially exhaustive overview of PortSentry. If you are interested in more details than this article provides, I suggest you visit Psionic Software's Web site (see resources below).

After you have downloaded the 45 kilobyte software package, you will want to unpack it in an appropriate place on your machine. As usual, assumptions are made that you understand the basics of Linux and its associated commands such as tar.

When you have unpacked the source, enter the source directory and type make linux. Yes, it is really that simple! PortSentry should compile cleanly on any modern Linux platform. Yes, Red Hat 6.2 is modern (although I have my suspicions about 7.1). After PortSentry has compiled, use the following command to install the application into its directory structure (/usr/local/psionic): su -c "make install". You will need the root password to execute this command.

Now that we have installed PortSentry, we will run through the basic configuration. The configuration file for PortSentry is called portsentry.conf, and it is located in /usr/local/psionic/portsentry/. You will either have to make use of su -c or be the root user to edit the portsentry.conf file.

The configuration file for PortSentry is large, but it is not complicated. The first section in the file we discuss looks like this:

# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,[...]"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,[...]"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,[...]"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,[...]"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,[...]"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,[...]"

As in shell scripts and some programming languages, lines in the configuration file are commented out with the # symbol. If you were to run PortSentry as it sits now, it would monitor the ports identified by the "Use these if you just want to be aware" comment. This is the setting that most people will probably want to use. The first set is extremely restrictive, and the third is lackluster from a security perspective.

If you choose to use the default port settings, I suggest you remove port 143 from the listing. Port 143 is used for IMAP.

The next part of the configuration file we explore looks like this:

######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"

This area of the file is used to specify where you would like the configuration files to reside. If you use the default settings, the configuration files will remain in the /usr/local/psionic directory tree. However, you may want to move these to another location; several Linux distributions use /etc/portsentry.

As we continue our non-stop trip to port scanning detection euphoria, we should address what our protected host should do if it detects a scan. This is done in the Dropping Routes section, which looks like this:

# ipfwadm support for Linux
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# ipfwadm support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# ipchain support for Linux
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# ipchain support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
#
# iptables support for Linux
#KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
#

If you are using a version of Linux that still makes use of the ipfwadm command, you are in need of an upgrade. Otherwise, if you are running a 2.2 kernel, choose the following:

# ipchain support for Linux
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

Finally, if you are running a 2.4 kernel, use the following instead:

# iptables support for Linux
#KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"

Remember that you must uncomment (remove the #) the line in order for it to be active. Be sure to only uncomment the KILL_ROUTE command, and not the preceding comment.

The KILL_ROUTE command is (IMHO) the most powerful part of PortSentry. The way KILL_ROUTE works is this: if PortSentry detects a scan, the KILL_ROUTE command is executed. With the default configuration of PortSentry, this means that all future TCP/IP packets from the scanning host will be dropped, or denied. In other words, all your potential hacker hears on the other line is, "I'm sorry, all circuits are busy! Please try your call again later." Fortunately for the protected host, it won't matter if the attacker tries again later. The circuits will always be busy for him.
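To make the port-list and KILL_ROUTE sections above concrete, here is an added example (not code from the article or from PortSentry itself) that reads the active, uncommented settings out of a portsentry.conf, flags monitored ports that collide with a service you actually run (the IMAP port 143 case), and reproduces the block decision: a hit on a monitored port from a host that is neither in the ignore list nor already blocked produces the KILL_ROUTE command with $TARGET$ filled in. The configuration excerpt and the addresses are constructed for the demonstration.

```python
import re

# Constructed excerpt in the format the article shows; not the shipped file.
SAMPLE_CONF = """\
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119"
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444"
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
# ipchain support for Linux
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
# iptables support for Linux
KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
"""

ASSIGN = re.compile(r'^\s*([A-Z_]+)="([^"]*)"\s*$')


def parse_conf(text):
    """Return the active KEY="value" settings; '#' lines are alternatives
    that are switched off, and a later active line overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def port_set(value):
    return {int(p) for p in value.split(",") if p.strip()}


def conflicts(conf, local_services):
    """Monitored TCP ports that a real local service also needs. PortSentry
    listens on the monitored ports itself, so such a port must be removed
    from TCP_PORTS (the article's advice for IMAP on 143)."""
    return sorted(port_set(conf.get("TCP_PORTS", "")) & set(local_services))


def block_decision(conf, src_ip, port, ignored, blocked):
    """Mimic the KILL_ROUTE step. Hosts in IGNORE_FILE (assumed to hold your
    own addresses) are never blocked; a host is blocked only once."""
    if port not in port_set(conf.get("TCP_PORTS", "")):
        return None
    if src_ip in ignored or src_ip in blocked:
        return None
    blocked.add(src_ip)
    return conf["KILL_ROUTE"].replace("$TARGET$", src_ip)
```

Run conflicts() against the ports of the services you really expose before starting the daemon; block_decision() is a dry run of what the daemon would execute, so it is safe to call on a workstation.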

The last thing to talk about is how to actually run PortSentry. PortSentry should be part of the normal system start-up, and the easiest way to make PortSentry start up automatically is to put it in your rc.local file. If you are running a newer version of RedHat or Mandrake, they may have a service script you can use instead. If you are using the rc.local file to start PortSentry, you can add to it the following lines:

echo "Starting PortSentry"
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -audp
echo "Done"

There are other options available to PortSentry, but they are outside the scope of this article. Fortunately, most of the defaults for the PortSentry configuration file will suffice on a Linux machine. However, I strongly suggest that you review the included documentation. The documentation is reasonably thorough, and can give you some hints about what NOT to do.

More Stories By Joshua Drake

Joshua Drake is the co-founder of Command Prompt, Inc., a PostgreSQL and Linux custom development company. He is also the current author of the Linux Networking HOWTO, Linux PPP HOWTO, and Linux Consultants HOWTO. His most demanding project at this time is a new PostgreSQL book for O'Reilly, 'Practical PostgreSQL'
