PortSentry - Page 2


We will now edit the /usr/local/psionic/portsentry/portsentry.conf file to enable route dropping. Find and uncomment the KILL_ROUTE option that corresponds to your operating system. For our example, we will use the ipchains utility found in Linux kernel version 2.102+:

KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

This will drop all packets originating from an attacker's IP address and log future connection attempts. Individual ports must now be specified for monitoring within the configuration file. Commonly used ports are already given and can simply be uncommented, depending upon how secure the system needs to be:

TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"

On our example Linux system, however, we will be using PortSentry's advanced stealth scan detection mode, which by default automatically monitors every unused port below 1024. This limit can be altered, but doing so is not recommended. When using this advanced mode, individual ports can also be excluded manually:

# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
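As an added example (not from the article and not Psionic's own code), the following Python script parses a portsentry.conf excerpt of the kind shown above and runs the sanity checks a practitioner would want before starting the daemon: that every quoted value is closed (the sample deliberately contains a KILL_ROUTE line with its closing quote missing, an easy typo in this file), that each port list is numeric and free of duplicates, that advanced-mode exclusions actually fall below the monitored limit, and that KILL_ROUTE still carries the $TARGET$ placeholder. The configuration text is constructed from the options shown in the article; the option names ADVANCED_PORTS_TCP and ADVANCED_PORTS_UDP for the 1024 limit are taken from PortSentry 1.x as I remember it and should be treated as an assumption.

```python
import re

# Constructed portsentry.conf excerpt: the port options shown in the
# article, plus a KILL_ROUTE line whose closing quote is missing so the
# checker has a real defect to catch.
SAMPLE_CONF = '''\
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l
'''

ASSIGNMENT = re.compile(r'^\s*([A-Z_]+)\s*=\s*(.*?)\s*$')
PORT_KEYS = ('TCP_PORTS', 'UDP_PORTS', 'ADVANCED_EXCLUDE_TCP', 'ADVANCED_EXCLUDE_UDP')


def parse_conf(text):
    """Parse KEY="value" lines into a dict, skipping comments and blanks.
    A value that opens a double quote but never closes it is kept (minus
    the opening quote) and reported in the returned problem list."""
    conf, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        match = ASSIGNMENT.match(line)
        if not match:
            problems.append(f'line {lineno}: not a KEY=value assignment')
            continue
        key, raw = match.groups()
        if raw.startswith('"'):
            if len(raw) >= 2 and raw.endswith('"'):
                raw = raw[1:-1]
            else:
                problems.append(f'line {lineno}: {key} value has no closing quote')
                raw = raw[1:]
        conf[key] = raw
    return conf, problems


def port_list(value):
    """Turn "1,11,15" into [1, 11, 15]; raises ValueError on junk."""
    return [int(p) for p in value.split(',') if p.strip()]


def check_conf(conf):
    """Sanity checks worth running before the daemon is started."""
    problems = []
    for key in PORT_KEYS:
        if key not in conf:
            continue
        try:
            ports = port_list(conf[key])
        except ValueError:
            problems.append(f'{key}: contains a non-numeric port')
            continue
        out_of_range = [p for p in ports if not 1 <= p <= 65535]
        if out_of_range:
            problems.append(f'{key}: out-of-range ports {out_of_range}')
        if len(ports) != len(set(ports)):
            problems.append(f'{key}: duplicate ports')
    # Advanced mode only watches unused ports below a limit (1024 by default;
    # the option name ADVANCED_PORTS_TCP/UDP is assumed from PortSentry 1.x),
    # so an exclusion at or above that limit does nothing and is likely a typo.
    for proto in ('TCP', 'UDP'):
        limit = int(conf.get(f'ADVANCED_PORTS_{proto}', 1024))
        try:
            excluded = port_list(conf.get(f'ADVANCED_EXCLUDE_{proto}', ''))
        except ValueError:
            continue  # already reported above
        useless = [p for p in excluded if p >= limit]
        if useless:
            problems.append(f'ADVANCED_EXCLUDE_{proto}: {useless} are not below the {limit} limit')
    # The route-drop command is only useful if PortSentry can substitute the
    # offending address into it.
    if 'KILL_ROUTE' in conf and '$TARGET$' not in conf['KILL_ROUTE']:
        problems.append('KILL_ROUTE: missing the $TARGET$ placeholder')
    return problems


def audit(text):
    """Parse and check a configuration; returns (conf, problems)."""
    conf, problems = parse_conf(text)
    return conf, problems + check_conf(conf)


if __name__ == '__main__':
    conf, problems = audit(SAMPLE_CONF)
    for problem in problems:
        print('problem:', problem)
    print('classic-mode TCP ports:', len(port_list(conf['TCP_PORTS'])))
```

Run against the real file with `audit(open('/usr/local/psionic/portsentry/portsentry.conf').read())`; an empty problem list is what you want to see before adding the daemon to rc.local.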

Once all services for our host have been started, PortSentry can now be enabled. First, we start up the TCP port monitor (leaving out the -atcp switch for non-Linux systems):

/usr/local/psionic/portsentry/portsentry -atcp

Tailing our system log will give the following output:

Dec 1 14:23:20 hostname portsentry[18821]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 80
Dec 4 14:23:20 hostname portsentry[18821]: adminalert: PortSentry is now active and listening.

A list of ignored TCP ports will be displayed, followed by confirmation of PortSentry's activation. Then, if desired, we start up the UDP port monitor (again, leaving out the -audp switch for non-Linux systems):

/usr/local/psionic/portsentry/portsentry -audp

Tailing our system log once more will give the following output:

Dec 1 14:23:20 hostname portsentry[18821]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 137
Dec 4 14:23:20 hostname portsentry[18821]: adminalert: PortSentry is now active and listening.

A list of ignored UDP ports will be displayed, followed by confirmation of PortSentry's activation. The command(s) can be placed in a startup script but must always run after all other services are active. In this example we will add the above command lines to /etc/rc.d/rc.local. All actions taken by PortSentry will be recorded in the system log.

With PortSentry now running, we will configure Logcheck to e-mail an administrator about any suspicious network activity seen by the host. Edit /usr/local/etc/logcheck.sh to include the e-mail address of the administrator:

SYSADMIN=<administrator e-mail address>

Finally, place the Logcheck command into a cron script to parse the system log at an interval best suited for your operations. We will set our interval for this example at one hour. Open the crontab for editing by typing crontab -e, and place the following line into the crontab:

0 * * * * /usr/local/etc/logcheck.sh > /dev/null

The host is now configured to detect and react to intrusion attempts and to notify the administrator of such attempts, all fully automated (see Listing 1).

Listing 1. An E-mailed Intrusion Attempt Detected by PortSentry and Parsed by Logcheck
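The following added Python example (not the article's listing, and not Logcheck's or PortSentry's own code) does in miniature what Logcheck does with the system log: it picks out the PortSentry entries, groups probes by source address, records whether each source was actually blocked and by which mechanism, and renders a plain-text summary of the kind that ends up in the administrator's mailbox. A probed address with no block entry is flagged separately, because that is the symptom of a KILL_ROUTE or blocking option that is switched off or mistyped. The log excerpt is constructed: its two adminalert lines are the ones shown above, while the attackalert wording is modelled on PortSentry 1.x messages as I remember them (an assumption, so adjust the patterns to what your own log shows), and the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt. The two adminalert lines are the ones the
# article shows; the attackalert wording is modelled on PortSentry 1.x
# messages as I remember them (an assumption). Addresses are documentation
# ranges. The last PortSentry line is a probe with no matching block entry.
SAMPLE_LOG = '''\
Dec  1 14:23:20 hostname portsentry[18821]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 80
Dec  1 14:23:20 hostname portsentry[18821]: adminalert: PortSentry is now active and listening.
Dec  1 16:02:11 hostname portsentry[18821]: attackalert: TCP SYN/Normal scan from host: 192.0.2.45/192.0.2.45 to TCP port: 111
Dec  1 16:02:11 hostname portsentry[18821]: attackalert: Host 192.0.2.45 has been blocked via wrappers with string: "ALL: 192.0.2.45"
Dec  1 16:02:11 hostname portsentry[18821]: attackalert: Host 192.0.2.45 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.0.2.45 -j DENY -l"
Dec  1 16:02:12 hostname portsentry[18821]: attackalert: TCP SYN/Normal scan from host: 192.0.2.45/192.0.2.45 to TCP port: 143
Dec  1 16:02:12 hostname portsentry[18821]: attackalert: Host: 192.0.2.45 is already blocked. Ignoring
Dec  1 16:05:40 hostname sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 51022
Dec  1 16:40:03 hostname portsentry[18822]: attackalert: UDP scan from host: 203.0.113.9/203.0.113.9 to UDP port: 161
'''

SYSLOG = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                    r'portsentry\[(?P<pid>\d+)\]: (?P<level>\w+): (?P<msg>.*)$')
SCAN = re.compile(r'from host: (?P<ip>[\d.]+)/\S+ to (?P<proto>TCP|UDP) port: (?P<port>\d+)')
BLOCKED = re.compile(r'Host (?P<ip>[\d.]+) has been blocked via (?P<how>wrappers|dropped route)')


def parse_line(line):
    """Return a dict for a PortSentry syslog entry, or None for anything else."""
    match = SYSLOG.match(line)
    if not match:
        return None
    event = match.groupdict()
    event['kind'] = 'other'
    scan = SCAN.search(event['msg'])
    if scan:
        event.update(kind='probe', ip=scan['ip'], proto=scan['proto'], port=int(scan['port']))
        return event
    blocked = BLOCKED.search(event['msg'])
    if blocked:
        event.update(kind='block', ip=blocked['ip'], how=blocked['how'])
    return event


def summarize(log_text):
    """Group probes and blocks by source address; keep adminalert messages."""
    probes = defaultdict(list)   # ip -> [(proto, port), ...]
    blocks = defaultdict(set)    # ip -> {'wrappers', 'dropped route'}
    admin = []
    for event in filter(None, map(parse_line, log_text.splitlines())):
        if event['kind'] == 'probe':
            probes[event['ip']].append((event['proto'], event['port']))
        elif event['kind'] == 'block':
            blocks[event['ip']].add(event['how'])
        elif event['level'] == 'adminalert':
            admin.append(event['msg'])
    return {'probes': dict(probes),
            'blocks': {ip: sorted(how) for ip, how in blocks.items()},
            'admin': admin}


def report(log_text):
    """Render a Logcheck-style plain-text summary suitable for e-mailing."""
    summary = summarize(log_text)
    lines = ['PortSentry activity summary']
    for ip, hits in sorted(summary['probes'].items()):
        ports = ', '.join(f'{proto}/{port}' for proto, port in hits)
        if ip in summary['blocks']:
            action = 'blocked via ' + ' and '.join(summary['blocks'][ip])
        else:
            # A probe with no block entry usually means the route-drop or
            # blocking options are misconfigured; surface it loudly.
            action = 'no block recorded'
        lines.append(f'  {ip}: {len(hits)} probe(s) to {ports}; {action}')
    for msg in summary['admin']:
        lines.append(f'  admin: {msg}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

Feeding `report()` the output of `tail` on the system log from an hourly cron job, and mailing the result only when a probe line is present, gives the same effect as the Logcheck configuration above while making the "no block recorded" case impossible to overlook.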

Conclusion

Using this freeware from Psionic Software, Inc., system security is no longer a chore. My systems have been using these freeware security utilities for nine months, and they have performed flawlessly. Upon our initial use of the utilities, I was amazed to see how many intrusion attempts were made in a 24-hour interval. The configuration is extremely comprehensive and allows flexibility in constructing your own network security policies. I have set up dozens of gateway/firewall systems for enterprises and have incorporated these utilities within our standard installation. Thanks to Psionic, administrators now have two more tools for strong system security.



 

Copyright @ 2010 | Tutorialsforu.info | Developed by Open Source Coders | Add your link.