
Stay Ahead With Linux Security HOWTOs


Using PortSentry For Real-Time Attack Detection Against Scans

The first step to an attack is to see what services a server is running, which is done with a port scan of the server. A cracker will usually first look to see what services a target is running and go from there to attempt to break into the target server. Doing a port scan, crackers go through all the common ports on a system looking for possible flaws in the configuration or for a service with a known vulnerability.

PortSentry is a program designed to detect and respond to port scans against a target host in real-time. It can run on multiple TCP and UDP sockets at once, detect stealth scans, report scan attempts to a local or remote logging facility, and take defensive actions against the attacker.

Installation

First, download PortSentry from here. Then, run:

    tar xvzf portsentry-1.0.tar.gz
    cd portsentry-1.0
    make linux
    make install

If you have any problems with this, read the portsentry-1.0/README.install file.

Configuration

The PortSentry configuration file is located at /usr/local/psionic/portsentry/portsentry.conf. Change the configuration where necessary to suit the needs of the system. Blocking scans is recommended, but if ipchains is used, the -l option should be used with care: it logs every matching packet, so it can be used in a denial of service attack that fills up your /var partition.

Once finished editing the configuration file, add any addresses that shouldn't be reported for scanning to the /usr/local/psionic/portsentry/portsentry.ignore file. At the very least, all local interfaces should be listed in the file along with 0.0.0.0. Here is an example portsentry.ignore file:

    127.0.0.1
    0.0.0.0
    192.168.1.6

Using PortSentry

The different options for running PortSentry are:

    portsentry -udp
    portsentry -tcp
    portsentry -audp
    portsentry -sudp
    portsentry -atcp
    portsentry -stcp

With either the -udp or the -tcp options, normal scan detection is done. With -sudp and -stcp, normal stealth scan detection is done. With -audp or -atcp, advanced stealth scan detection is done.

Running two instances of PortSentry is recommended:

    /usr/local/psionic/portsentry/portsentry -sudp
    /usr/local/psionic/portsentry/portsentry -atcp

Adding the above two commands to /etc/rc.d/rc.local will have PortSentry automatically started at boot up.

More Information

Check out this article. Also, here is an article about setting up PortSentry to log to a separate file. At DEFCON 7, the author of PortSentry made a presentation with the slides that are shown here.
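The Configuration section's advice on portsentry.ignore (list every local interface plus 0.0.0.0) can be checked before PortSentry is started. The script below is an added example, not part of the original HOWTO or of PortSentry; the function names, the 10.0.0.5 address and the sample file contents are constructed, and it assumes one address per line with `#` comment lines.

```shell
#!/bin/sh
# Added example: verify that a portsentry.ignore file lists every address
# the HOWTO says it must (0.0.0.0 plus all local interface addresses).
# Assumed file format: one address per line, '#' starts a comment.

# missing_ignore_entries FILE ADDR...
# Prints each ADDR with no exact line match in FILE; returns 1 if any is missing.
missing_ignore_entries() {
    file=$1; shift
    rc=0
    for addr in "$@"; do
        # Drop comments and whitespace, then require a whole-line literal match
        # so that "192.168.1" does not pass because "192.168.1.6" is listed.
        if ! sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" | grep -Fxq -- "$addr"; then
            printf '%s\n' "$addr"
            rc=1
        fi
    done
    return $rc
}

# local_ipv4_addrs: IPv4 addresses configured on this host (needs iproute2).
# Real use: missing_ignore_entries FILE 0.0.0.0 $(local_ipv4_addrs)
local_ipv4_addrs() {
    ip -o -4 addr show | awk '{ split($4, a, "/"); print a[1] }'
}

# demo: the HOWTO's sample ignore file checked against a constructed host
# that has 127.0.0.1, 192.168.1.6 and 10.0.0.5 configured.
demo() {
    tmp=$(mktemp) || return 1
    printf '# constructed sample\n127.0.0.1\n0.0.0.0\n192.168.1.6\n' > "$tmp"
    missing_ignore_entries "$tmp" 0.0.0.0 127.0.0.1 192.168.1.6 10.0.0.5 || :
    rm -f "$tmp"
}

demo
```

The demo prints 10.0.0.5, the one local address the sample file does not list; with blocking enabled, that is an address PortSentry would be free to act against.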

Aug 22, 2000 | Anthony Pell | How to Learn Tips and Tricks