PortSentry

As any administrator knows, a successful network rollout begins and ends with security. No matter how much money is spent on a system with the latest and greatest hardware and software, the system can be rendered worthless if its security is compromised.
Unfortunately, keeping up with system security can be tedious. Administrators must stay aware of software updates as well as the latest system compromise techniques. Because this task is so demanding, system security is often not maintained and is lacking in many areas, as the growing number of reported system compromises illustrates. This dilemma changed for me when I discovered the freeware tools offered by Psionic Software, Inc. called PortSentry and Logcheck. Within minutes, these tools can be installed and configured to improve system security dramatically.

The Anatomy of PortSentry

Once a host is targeted by an attacker, a port scan is almost always performed. The port scan is done to expose all services available on the target host and to provide a starting point for break-in attempts. PortSentry detects such scans by monitoring the unused ports on the host. Upon a connection attempt to one of the unused ports, PortSentry is alerted and has the ability to issue a number of commands in response to the scan. The commands issued are configured by the administrator within a configuration file. Although any command may be used, the most helpful is one in which the IP address of the attacker's host is essentially “black holed” by issuing a routing command that denies all traffic from that address. The violation and corresponding action taken by PortSentry are recorded in the system log. Using another Psionic utility, Logcheck, these security alerts are e-mailed to an administrator at designated intervals. Thus, the host is now capable not only of retaliating against a potential break-in attempt automatically, but also of notifying the administrator of the occurrence.
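To make the mechanism concrete, here is a small watcher in the PortSentry style, added as an illustration and not code from PortSentry itself. It binds a set of otherwise unused ports, treats any connection as a scan, writes a syslog-style line of the kind Logcheck would mail, and builds the black-hole route command rather than executing it. The route template, the log wording and the use of ephemeral localhost ports (so it runs unprivileged) are assumptions of this example.

```python
import socket
import selectors
from datetime import datetime, timezone

# Assumed template for the "black hole" action; the real tool takes the
# command from its configuration file and actually runs it.
ROUTE_TEMPLATE = "/sbin/route add -host {ip} reject"


class Sentry:
    def __init__(self, ports, host="127.0.0.1"):
        self.sel = selectors.DefaultSelector()
        self.blocked = set()   # source hosts already black-holed
        self.log = []          # syslog-style lines for Logcheck to mail
        self.ports = []
        for port in ports:
            s = socket.socket()
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))   # port 0 asks the OS for a free port
            s.listen(5)
            s.setblocking(False)
            self.sel.register(s, selectors.EVENT_READ)
            self.ports.append(s.getsockname()[1])

    def respond(self, ip, port):
        """Return (log line, action command or None) for one attempt."""
        ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
        if ip in self.blocked:   # do not re-run the action for a known host
            return f"{ts} portsentry: host {ip} already blocked, ignoring", None
        self.blocked.add(ip)
        cmd = ROUTE_TEMPLATE.format(ip=ip)
        line = (f"{ts} portsentry: attackalert: connect from {ip} "
                f"to TCP port {port}; running: {cmd}")
        return line, cmd

    def poll(self, timeout=0.5):
        """Accept pending connections; log each; return actions to run."""
        actions = []
        for key, _ in self.sel.select(timeout):
            conn, (ip, _) = key.fileobj.accept()
            port = conn.getsockname()[1]
            conn.close()   # the scanner gets nothing but a closed socket
            line, cmd = self.respond(ip, port)
            self.log.append(line)
            if cmd:
                actions.append(cmd)
        return actions


def demo():
    """Constructed scan: touch two watched ports from localhost."""
    sentry = Sentry([0, 0])
    for port in sentry.ports:
        socket.create_connection(("127.0.0.1", port)).close()
    return sentry.log, sentry.poll()
```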

Installation and Configuration

Installation and configuration of these freeware utilities is simple and straightforward. They compile on most operating systems, including Linux, Solaris and FreeBSD. The system used for the following install is an x86-based web server using Red Hat Linux 7.0. The tools can be downloaded from Psionic's web site (www.psionic.com/tools/).

The latest versions of the tarballs as of this writing are Logcheck 1.1.1 and PortSentry 1.0. First, we will install and configure PortSentry. Untar the archive and enter the PortSentry-version directory. Read the README.install file for all configuration options available, if desired. Type make <systype> (where systype is one of: linux, bsd, solaris, hpux, hpux-gcc, freebsd, openbsd, netbsd, bsdi, aix, osf or generic). Then use make install (the installation directory can be changed by editing the Makefile).

Next, we will install Logcheck. First, untar the archive and enter the Logcheck-version directory. Then read the INSTALL file for all configuration options available, if desired. Type make <systype> (where systype is one of: linux, bsdos, freebsd, sun, generic, hpux or digital). Lastly, type make install (the installation directory can be changed by editing the Makefile).
