General:

Portsentry 1.2

md5:
	3ebd3618ba9abfea2525e236bd44cebd

http://sourceforge.net/projects/sentrytools/

Project Admins: craigrowland
Operating System: All POSIX (Linux/BSD/UNIX-like OSes), OS X

The Sentry tools provide host-level security services for the Unix
platform. PortSentry, Logcheck/LogSentry, and HostSentry protect
against portscans, automate log file auditing, and detect suspicious
login activity on a continuous basis.

This is the new home for the Sentry Tools (PortSentry, Logcheck,
HostSentry). After the Psionic acquisition by Cisco Systems, the
tools were put on hold while licensing issues were being worked
out. The tools (PortSentry, HostSentry) are to be re-released
under a much more liberal Common Public License instead of the
more restricted Psionic license previously used. This software is
being released to the open source community and is supported in
my spare time and is not supported by either Psionic or Cisco
Systems so don't bother them with your questions please.

--------------------------------------------------------------------------------

Tested and found to work on:

Linux 1.x/2.x
BSDI 2.x/3.x
OpenBSD 2.x
FreeBSD 3.x
HPUX 10.20
Solaris 2.6+
AIX
SCO
Digital Unix
NetBSD
OSX

--------------------------------------------------------------------------------

PortSentry does not block anything by default.
Please note that by default PortSentry takes no action against potential
attackers; it only writes messages to /var/log/syslog. To change this,
edit /etc/portsentry/portsentry.conf.

You may also want to check:
	/etc/default/portsentry (daemon startup options) and
	/etc/portsentry/portsentry.ignore.static (hosts/interfaces to ignore)

For further details see the portsentry(8) and portsentry.conf(5) man pages.

--------------------------------------------------------------------------------

/etc/portsentry/portsentry.conf

IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/var/lib/portsentry/portsentry.history"
BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"

--------------------------------------------------------------------------------

Permission for Portsentry Directory Structure:

	INSTALLDIR = /usr/local/psionic
	CHILDDIR=/portsentry
	chmod 700 $(INSTALLDIR)
	chmod 700 $(INSTALLDIR)$(CHILDDIR)
	chmod 600 $(INSTALLDIR)$(CHILDDIR)/portsentry.ignore
	chmod 600 $(INSTALLDIR)$(CHILDDIR)/portsentry.conf
	chmod 700 $(INSTALLDIR)$(CHILDDIR)/portsentry

--------------------------------------------------------------------------------

Installation

Debian:
	apt-get install portsentry

Source:
	tar zxvf portsentry-1.1.tar.gz
	cd portsentry-1.1
	make linux
	make install

--------------------------------------------------------------------------------

Pre-Install Configuration

The default directory is /usr/local/psionic/portsentry. If you prefer another
directory, edit the Makefile and make sure your portsentry.conf and
portsentry_config.h files reflect the new path.

Pull the portsentry_config.h file into your editor and make sure the following
are to your liking:
	CONFIG_FILE        - The path to the PortSentry configuration file.
	WRAPPER_HOSTS_DENY - The path and name of TCP wrapper hosts.deny file.
	SYSLOG_FACILITY    - The syslog facility for PortSentry to use.
	SYSLOG_LEVEL       - The syslog level to send messages.

For advanced users: you may wish to change SYSLOG_FACILITY from LOG_DAEMON
to LOG_LOCAL0 (or one of the other LOCAL reporting facilities; any facility
from syslog.h can be used). This lets you edit syslog.conf and send PortSentry
messages directly to their own file on the system for separate monitoring.

DO NOT DELETE THE "#" SIGNS FROM THIS FILE. They are NOT comments, they are
required by the C compiler to pre-process the headers. If you delete the "#"
signs you will get compile errors.

Makefile Paths:
	# variable usage is chained: $(INSTALLDIR)$(CHILDDIR)
	INSTALLDIR = /usr/local/psionic
	CHILDDIR=/portsentry

--------------------------------------------------------------------------------

Post-Install Configuration

By default, PortSentry will place all files in /usr/local/psionic/portsentry.
This directory will have the necessary, restrictive, permissions.

Become root and open the config-file portsentry.conf in your favorite editor.

The first section gives you the choice of one of three port lists:
 # Un-comment these if you are really anal:
 #TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,[..]
 #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,[..]
 #
 # Use these if you just want to be aware:
 TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,[..]
 UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
 #
 # Use these for just bare-bones
 #TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
 #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

The first set is very restrictive, the second one 'good', and the third is
(IMHO) of no use. Note that the TCP port list still contains port 143 (IMAP).
If you're using this service, remove it from the list.

IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"

The first directive, IGNORE_FILE, tells PortSentry which hosts should NEVER be
blocked. The other two, HISTORY_FILE and BLOCKED_FILE, hold the denied hosts:
one list for the current session, one permanent list.

These first options tell PortSentry how it should work. The next section
is what it should do to 'enemy' hosts.

One variable, KILL_ROUTE, holds the command that is run when a scan is
detected ($TARGET$ is replaced with the address of the scanning host). You
can give it any value you want, but you probably want something like this:
	KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
Besides blocking with iptables, you can also block the host with tcp_wrappers
using the option:
	KILL_HOSTS_DENY="ALL: $TARGET$ # Portsentry blocked"

--------------------------------------------------------------------------------

Initscript

No initscript is supplied with PortSentry by default; I constructed one from
the original RPM.

#!/bin/bash
#
# portsentry Start the portsentry portscan detector
# Authors: Craig Rowland , Tim Powers
# and Matthias Saou
# configfile: /usr/local/psionic/portsentry/portsentry.conf
# pidfile: /var/run/portsentry.pid

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# For this script to work on non english systems
export LANG=C

RETVAL=0

start () {
  # Set up the ignore file
  SENTRYDIR=/usr/local/psionic/portsentry
  FINALIGNORE=$SENTRYDIR/portsentry.ignore
  TMPFILE=/usr/local/psionic/portsentry/portsentry.ignore.tmp
  # Testline is used to see if the initscript has already been run
  if [ -f $FINALIGNORE ] ; then
   cp -f $FINALIGNORE $TMPFILE
   testline=`grep -n "Do NOT edit below this" $TMPFILE | cut --delimiter=":" -f1`
   if [ -z "$testline" ] ; then
    echo > /dev/null # Do nothing
   else
    let headline=$testline-2
    head -$headline $FINALIGNORE > $TMPFILE
   fi
  fi
  echo '#########################################' >> $TMPFILE
  echo '# Do NOT edit below this line, if you #' >> $TMPFILE
  echo '# do, your changes will be lost when #' >> $TMPFILE
  echo '# portsentry is restarted via the #' >> $TMPFILE
  echo '# initscript. Make all changes above #' >> $TMPFILE
  echo '# this box. #' >> $TMPFILE
  echo '#########################################' >> $TMPFILE

  echo '' >> $TMPFILE
  echo '# Exclude all local interfaces' >> $TMPFILE
  for i in `/sbin/ifconfig -a | grep inet | awk '{print $2}' | sed 's/addr://'` ; do
    echo $i >> $TMPFILE
  done

  echo '' >> $TMPFILE
  echo '# Exclude the default gateway(s)' >> $TMPFILE
  for i in `/sbin/route -n | grep ^0.0.0.0 | awk '{print $2}'` ; do
    echo $i >> $TMPFILE
  done

  echo '' >> $TMPFILE
  echo '# Exclude the nameservers' >> $TMPFILE
  for i in `/bin/cat /etc/resolv.conf | grep ^nameserver | awk '{print $2}'` ; do
   echo $i >> $TMPFILE
  done

  echo '' >> $TMPFILE
  echo '# And last but not least...' >> $TMPFILE
  echo '0.0.0.0' >> $TMPFILE
  echo '' >> $TMPFILE

  cp -f $TMPFILE $SENTRYDIR/portsentry.ignore
  rm -f $TMPFILE

  # Check for modes defined in the config file
  if [ -s $SENTRYDIR/portsentry.modes ] ; then
   modes=`cut -d "#" -f 1 $SENTRYDIR/portsentry.modes`
  else
   modes="tcp udp"
  fi
  for i in $modes ; do
   action $"Starting portsentry -$i: " /usr/local/psionic/portsentry/portsentry -$i
   RETVAL=$?
  done
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/portsentry
  return $RETVAL
 }

stop() {
  echo -n $"Stopping portsentry: "
  killproc portsentry
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/portsentry
  return $RETVAL
  }

# See how we were called.
case $1 in
  start)
   start
   ;;
  stop)
   stop
   ;;
  status)
   status portsentry
   RETVAL=$?
   ;;
  restart)
   stop
   start
   RETVAL=$?
   ;;
  condrestart)
    if [ -f /var/lock/subsys/portsentry ]; then
     stop
     start
     RETVAL=$?
    fi
    ;;
  *)
  echo $"Usage: portsentry {start|stop|restart|condrestart|status}"
  exit 1
 esac

exit $RETVAL

Starting and stopping works as usual: /etc/init.d/portsentry start|stop

This init-script searches for a portsentry.modes in the directory
/usr/local/psionic/portsentry. The 'mode' file contains the startup switches
for PortSentry (-tcp -udp -stcp -atcp -sudp -audp).
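The initscript above rebuilds portsentry.ignore from the local interfaces,
gateways and nameservers, but anything you add by hand (an admin workstation,
a monitoring host) has to be there too before KILL_ROUTE goes live, or
PortSentry can lock you out. The following script is an added example, not
part of PortSentry or of the initscript: it checks whether given addresses
are matched by an ignore file, handling both plain IPv4 entries and
address/bits netmask entries (the form PortSentry 1.1 and later accept). The
sample ignore file and the host 203.0.113.5 are constructed for the example.

```sh
#!/bin/sh
# Added example, not PortSentry's own code: verify that hosts which must never
# be blocked are actually covered by portsentry.ignore before enabling
# KILL_ROUTE. Entries may be "a.b.c.d" or "a.b.c.d/bits"; blank lines and
# lines starting with '#' are skipped, as PortSentry itself does.

# Dotted-quad IPv4 address -> 32-bit integer. Runs in a subshell so the
# temporary IFS change does not leak into the caller.
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Exit 0 when address $1 lies inside entry $2 ("a.b.c.d" or "a.b.c.d/bits").
ip_in_entry() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0          # /0 matches everything; avoids an undefined 32-bit shift
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    addr=$(ip_to_int "$1")
    base=$(ip_to_int "$net")
    [ $(( addr & mask )) -eq $(( base & mask )) ]
}

# Exit 0 when address $1 is matched by at least one entry of ignore file $2.
ip_is_ignored() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | tr -d ' \t\r')
        case $entry in
            ''|\#*) continue ;;          # blank or comment line
        esac
        ip_in_entry "$1" "$entry" && return 0
    done < "$2"
    return 1
}

# Print the hosts (arguments after the file name) that are NOT covered and
# return their count: a non-zero status means "do not enable KILL_ROUTE yet".
uncovered_hosts() {
    file=$1; shift
    n=0
    for h in "$@"; do
        if ip_is_ignored "$h" "$file"; then
            echo "ok       $h is covered by $file" >&2
        else
            echo "WARNING  $h is not in $file and could be blocked" >&2
            echo "$h"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Constructed sample ignore file, in the layout the initscript writes.
SAMPLE_IGNORE=${TMPDIR:-/tmp}/portsentry.ignore.example.$$
trap 'rm -f "$SAMPLE_IGNORE"' EXIT
cat > "$SAMPLE_IGNORE" <<'EOF'
# hand-maintained entries go above the box
10.20.30.0/24
#########################################
# Do NOT edit below this line ...
# Exclude all local interfaces
192.168.1.10
127.0.0.1
# Exclude the default gateway(s)
192.168.1.1
0.0.0.0
EOF

# 203.0.113.5 stands in for an admin workstation nobody added to the file.
uncovered_hosts "$SAMPLE_IGNORE" 192.168.1.10 10.20.30.77 203.0.113.5 >/dev/null \
    || echo "at least one host is unprotected; fix portsentry.ignore first" >&2
```

On a real host, point uncovered_hosts at /usr/local/psionic/portsentry/portsentry.ignore
and list every address you reach the machine from.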

--------------------------------------------------------------------------------

Advanced stealth mode

Although PortSentry works fine with the default set of TCP ports, you can also
run it in 'stealth' mode so that it watches every port below a certain number.
This gives you more security, at the cost of higher CPU usage.
	ADVANCED_PORTS_TCP="1024"
	ADVANCED_PORTS_UDP="1024"
	ADVANCED_EXCLUDE_TCP="113,139"
	ADVANCED_EXCLUDE_UDP="520,138,137,67" 

ADVANCED_PORTS_TCP and ADVANCED_PORTS_UDP are straightforward. Every port
below the number is monitored.
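The port-143 remark in the configuration section and the advanced-mode
settings here raise the same practical question: which ports will PortSentry
claim for a given startup switch, and do any of them belong to a service that
is really listening? The script below is an added example, not PortSentry's
own code, that answers it for both the list-based modes and the advanced
modes. It assumes that -tcp/-stcp and -udp/-sudp use TCP_PORTS/UDP_PORTS,
and that -atcp/-audp take every port below ADVANCED_PORTS_* except the
ADVANCED_EXCLUDE_* entries, following the page's "every port below the
number" wording. The portsentry.conf excerpt and the listener list are
constructed for the example.

```sh
#!/bin/sh
# Added example, not PortSentry's own code: compute the ports PortSentry will
# watch for a startup switch and report those a real service already uses.

# Print the value of KEY="value" from a portsentry.conf (first match wins).
conf_value() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print, one per line, the ports PortSentry monitors for conf $1 in mode $2
# (tcp, stcp, atcp, udp, sudp, audp).
monitored_ports() {
    proto=$(printf '%s' "$2" | sed 's/^[as]//' | tr 'a-z' 'A-Z')   # TCP or UDP
    case $2 in
        atcp|audp)
            limit=$(conf_value "$1" "ADVANCED_PORTS_$proto")
            exclude=$(conf_value "$1" "ADVANCED_EXCLUDE_$proto")
            [ -n "$limit" ] || { echo "ADVANCED_PORTS_$proto not set" >&2; return 1; }
            port=1
            while [ "$port" -lt "$limit" ]; do
                case ",$exclude," in
                    *,"$port",*) ;;          # listed in ADVANCED_EXCLUDE_*
                    *) echo "$port" ;;
                esac
                port=$((port + 1))
            done
            ;;
        tcp|stcp|udp|sudp)
            conf_value "$1" "${proto}_PORTS" | tr ',' '\n'
            ;;
        *)
            echo "unknown mode: $2" >&2
            return 1
            ;;
    esac
}

# Print the listening ports from listing $3 (lines "proto port name") that
# PortSentry in mode $2 would also try to bind.
conflicting_ports() {
    proto=$(printf '%s' "$2" | sed 's/^[as]//')
    monitored=$(monitored_ports "$1" "$2") || return 1
    awk -v p="$proto" '!/^#/ && $1 == p { print $2 }' "$3" |
    while read -r port; do
        printf '%s\n' "$monitored" | grep -qx "$port" && echo "$port"
    done
}

# Constructed inputs: a shortened portsentry.conf and a listener list. On a
# real host build the listener list from netstat -tuln or ss -tuln.
CONF=${TMPDIR:-/tmp}/portsentry.conf.example.$$
LISTEN=${TMPDIR:-/tmp}/listening.example.$$
trap 'rm -f "$CONF" "$LISTEN"' EXIT
cat > "$CONF" <<'EOF'
# constructed excerpt: the "just want to be aware" lists, shortened
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700"
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"
EOF
cat > "$LISTEN" <<'EOF'
# constructed listener list: proto port service
tcp 22 sshd
tcp 25 smtpd
tcp 143 imapd
tcp 8080 proxy
udp 53 named
udp 123 ntpd
EOF

for mode in tcp udp atcp audp; do
    hits=$(conflicting_ports "$CONF" "$mode" "$LISTEN" | tr '\n' ' ')
    echo "portsentry -$mode collides with listening ports: ${hits:-none}"
done
```

A port reported here must be removed from the relevant list (or added to
ADVANCED_EXCLUDE_*), exactly as the guide says for IMAP: PortSentry cannot
bind a port a real service holds, and legitimate clients of that service are
not scanners.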