A cracker will usually first look to see what services a target is running, then go from there to attempt to break into the target server. In a port scan, crackers go through all the common ports on a system looking for possible flaws in the configuration or for a service with a known vulnerability.
PortSentry is a program designed to detect and respond to port scans against a target host in real-time. It can run on multiple TCP and UDP sockets at once, detect stealth scans, report scan attempts to a local or remote logging facility, and take defensive actions against the attacker.
First, download PortSentry from here.
Then, run:
tar xvzf portsentry-1.0.tar.gz
cd portsentry-1.0
make linux
make install
If you have any problems with this, read the portsentry-1.0/README.install file.
The PortSentry configuration file is located at /usr/local/psionic/portsentry/portsentry.conf. Change the configuration where necessary to suit the needs of the system. Blocking scans is recommended, but if ipchains is used, the -l (packet logging) option should be used with care, because an attacker can turn it into a denial of service attack by filling up your /var partition with log entries.
Once finished editing the configuration file, add any addresses that shouldn't be reported for scanning to the /usr/local/psionic/portsentry/portsentry.ignore file. At the very least, all local interfaces should be listed in the file along with 0.0.0.0. Here is an example portsentry.ignore file.
127.0.0.1
0.0.0.0
192.168.1.6

Using PortSentry
portsentry -udp
portsentry -tcp
portsentry -audp
portsentry -sudp
portsentry -atcp
portsentry -stcp
With the -udp or -tcp option, normal scan detection is done. With -sudp or -stcp, normal stealth scan detection is done. With -audp or -atcp, advanced stealth scan detection is done. It is recommended that two instances of PortSentry be run:
/usr/local/psionic/portsentry/portsentry -sudp
and
/usr/local/psionic/portsentry/portsentry -atcp
Adding the above two commands to /etc/rc.d/rc.local will start PortSentry automatically at boot.
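As an added example (not part of the original article and not code from the PortSentry project), the following POSIX shell script automates the portsentry.ignore step above: it builds the file from the host's IPv4 interface addresses plus 0.0.0.0, and provides a check that an existing ignore file already lists all of them, so a forgotten interface does not end up being treated as a scanning host. The `ip -4 -o addr` sample output, the addresses in it and the function names are constructed for illustration; on a real host you pipe the live `ip -4 -o addr` output in instead.

```shell
#!/bin/sh
# Added example, not from the original article or the PortSentry project.
# Builds the portsentry.ignore list from the host's IPv4 interface addresses.

# gen_ignore: read `ip -4 -o addr` output on stdin and print one address per
# line: 127.0.0.1 and 0.0.0.0 first, then every interface address with its
# /PREFIX stripped, with duplicates removed.
gen_ignore() {
    {
        printf '127.0.0.1\n0.0.0.0\n'
        # field 4 of `ip -4 -o addr` is "ADDR/PREFIX"; keep only ADDR
        awk '{ split($4, a, "/"); print a[1] }'
    } | awk '!seen[$0]++'
}

# check_ignore: verify that an existing ignore file ($1) contains 0.0.0.0 and
# every local IPv4 address found in the `ip -4 -o addr` output on stdin.
# Prints each missing address and returns 1 if any is missing, 0 otherwise.
check_ignore() {
    missing=0
    for addr in $(gen_ignore); do
        if ! grep -qx "$addr" "$1"; then
            echo "missing from $1: $addr"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of `ip -4 -o addr` output for a hypothetical host with a
# loopback interface and one Ethernet interface (matches the article's example).
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.6/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Demonstration on the constructed sample (prints 127.0.0.1, 0.0.0.0, 192.168.1.6).
printf '%s\n' "$SAMPLE_IP_ADDR" | gen_ignore

# On a live host (not run here) you would write the real file with:
#   ip -4 -o addr | gen_ignore > /usr/local/psionic/portsentry/portsentry.ignore
# and later confirm nothing is missing after an interface is added with:
#   ip -4 -o addr | check_ignore /usr/local/psionic/portsentry/portsentry.ignore
```

Re-running check_ignore after every network change is the practical point: PortSentry only consults portsentry.ignore for the addresses listed there, so an interface added after installation is not covered until the file is regenerated.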
Check out this article. Also, here is an article about setting up PortSentry to log to a separate file. At DEFCON 7, the author of PortSentry gave a presentation; the slides are shown here.