2005-07-10, 07:45 PM
Well, it's another one of my security articles :) Before I start I would like to thank the man znx ;)
for getting PortSentry working despite a little programming error.
The piece of software you will need to install is "PortSentry" which can be downloaded from here.
Once you have downloaded the source file you can decompress it by issuing the following command:
Code:
tar zvxf portsentry-1.2.tar.gz
Once this has been decompressed you should see a directory called "portsentry_beta". Change
into that directory by issuing the cd command as shown below:
Code:
cd portsentry_beta
Once you are in this directory you should see a file called portsentry.c. Open it with
your favourite editor (mine is vim as it counts the lines) and scroll down to line 1584; it will look
like:
Code:
printf ("PortSentry - Port Scan Detector.\n");
printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot
sourceforget dot net>\n");
printf ("Licensing restrictions apply. Please see documentation\n");
printf ("Version: %s\n\n", VERSION);
You need to join the line that wraps (a C string literal cannot be split across two lines, which is why the build fails), so the above should now look like:
Code:
printf ("PortSentry - Port Scan Detector.\n");
printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");
printf ("Licensing restrictions apply. Please see documentation\n");
printf ("Version: %s\n\n", VERSION);
Now that the file is fixed, issue the following commands:
Code:
make linux
make install
Now portsentry is installed :) You can edit the configuration file portsentry.conf; this file is well
commented so I won't go into detail. Once you have edited the config file, open the portsentry.ignore
file and you should see the following:
Code:
# Put hosts in here you never want blocked. This includes the IP addresses
# of all local interfaces on the protected host (i.e virtual host, mult-home)
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
#
# PortSentry can support full netmasks for networks as well. Format is:
#
# <IP Address>/<Netmask>
#
# Example:
#
# 192.168.2.0/24
# 192.168.0.0/16
# 192.168.2.1/32
# Etc.
#
# If you don't supply a netmask it is assumed to be 32 bits.
#
#
127.0.0.1/32
0.0.0.0
Because we are going to test portsentry by scanning the local machine (and hosts in this file are never blocked), comment out 127.0.0.1/32 with a hash (#) so it will look like:
Code:
# Put hosts in here you never want blocked. This includes the IP addresses
# of all local interfaces on the protected host (i.e virtual host, mult-home)
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
#
# PortSentry can support full netmasks for networks as well. Format is:
#
# <IP Address>/<Netmask>
#
# Example:
#
# 192.168.2.0/24
# 192.168.0.0/16
# 192.168.2.1/32
# Etc.
#
# If you don't supply a netmask it is assumed to be 32 bits.
#
#
#127.0.0.1/32
0.0.0.0
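To make the exemption rules of portsentry.ignore concrete, here is a small checker I have added (it is not part of PortSentry and not the post's own code). It reads the file format shown above, applies the "no netmask means /32" rule from the file's comments, and answers whether a given source address would be exempt from blocking. The two file contents below are constructed samples: one in the normal state and one with the loopback entry commented out as the test step above requires.

```python
import ipaddress

# Constructed sample: portsentry.ignore in its normal state (loopback exempt).
IGNORE_NORMAL = """\
# Put hosts in here you never want blocked.
#
# <IP Address>/<Netmask>
#
127.0.0.1/32
0.0.0.0
192.168.2.0/24
"""

# Constructed sample: the same file with the loopback entry commented out,
# which is the state the post puts it in before running the nmap test.
IGNORE_FOR_TEST = """\
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
#127.0.0.1/32
0.0.0.0
192.168.2.0/24
"""


def parse_ignore(text):
    """Return the networks a portsentry.ignore file exempts from blocking.

    Lines starting with '#' (and anything after a '#') are ignored, as are
    blank lines. An entry without a netmask is a single host, i.e. /32,
    matching the file's own comment. Malformed entries raise with the
    offending line number so a typo is caught before the daemon is started.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if "/" not in entry:
            entry += "/32"
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"portsentry.ignore line {lineno}: {raw!r}: {exc}") from None
    return networks


def is_ignored(addr, networks):
    """True if addr falls inside any exempted network (so PortSentry would
    log the scan but never block the host)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    for label, text in (("normal", IGNORE_NORMAL), ("test", IGNORE_FOR_TEST)):
        nets = parse_ignore(text)
        print(label, "exempts 127.0.0.1:", is_ignored("127.0.0.1", nets))
```

Running it shows why the post has you comment out the loopback entry: with the normal file, a scan from 127.0.0.1 is exempt and would never make it into /etc/hosts.deny, so the test would appear to fail.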
Once that is done it's time to start portsentry. PortSentry can be started with -tcp or -udp, which
are for basic stealth scans, but you can also use -atcp and -audp, which mean advanced monitoring.
To start portsentry issue the following:
Code:
./portsentry -atcp
./portsentry -audp
Once these two have started, check they are running fine by issuing the following command:
Code:
tail /var/log/messages
You should have output similar to mine, as shown below:
Code:
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: Advanced mode will manually exclude port: 520
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: Advanced mode will manually exclude port: 138
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: Advanced mode will manually exclude port: 137
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: Advanced mode will manually exclude port: 67
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 68
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 520
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 138
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 137
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 67
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: PortSentry is now active and listening.
Now to run the test, issue the following nmap command:
Code:
nmap -sS -O 127.0.0.1
If you check /var/log/messages again you should see the following or similar:
Code:
Jul 10 20:02:20 localhost portsentry[9667]: attackalert: Host: localhost.localdomain/127.0.0.1 is already blocked Ignoring
Jul 10 20:02:20 localhost portsentry[9667]: attackalert: TCP SYN/Normal scan from host: localhost.localdomain/127.0.0.1 to TCP port: 487
Jul 10 20:02:20 localhost portsentry[9667]: attackalert: Host: localhost.localdomain/127.0.0.1 is already blocked Ignoring
Jul 10 20:02:20 localhost portsentry[9667]: attackalert: TCP SYN/Normal scan from host: localhost.localdomain/127.0.0.1 to TCP port: 617
:) portsentry works. Now if you check /etc/hosts.deny you will notice a new entry in there,
127.0.0.1, which portsentry blacklisted. Finally, delete the entry from /etc/hosts.deny,
uncomment 127.0.0.1/32 in portsentry.ignore, and you are ready to go.
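Reading attackalert lines by hand gets old once PortSentry has been running for a while, so here is a log summariser I have added for this post (not part of PortSentry). It parses the attackalert format shown in the /var/log/messages excerpt above, groups the probed ports by source address, and cross-checks the result against /etc/hosts.deny so you can see which scanning hosts actually ended up blocked. The log excerpt and the hosts.deny content are constructed samples; the UDP line and the "ALL: ... : DENY" entry are assumed to follow the same shapes as the TCP line and the 127.0.0.1 entry the post describes, and may differ slightly on your system.

```python
import re
from collections import defaultdict

# Constructed excerpt of /var/log/messages in the format the post shows.
SAMPLE_LOG = """\
Jul 10 20:02:20 localhost portsentry[9667]: attackalert: TCP SYN/Normal scan from host: localhost.localdomain/127.0.0.1 to TCP port: 487
Jul 10 20:02:20 localhost portsentry[9667]: attackalert: Host: localhost.localdomain/127.0.0.1 is already blocked Ignoring
Jul 10 20:02:20 localhost portsentry[9667]: attackalert: TCP SYN/Normal scan from host: localhost.localdomain/127.0.0.1 to TCP port: 617
Jul 10 20:23:13 localhost portsentry[9918]: adminalert: PortSentry is now active and listening.
Jul 10 21:05:41 localhost portsentry[9918]: attackalert: UDP scan from host: 192.0.2.10/192.0.2.10 to UDP port: 161
"""

# Constructed /etc/hosts.deny; the entry shape is an assumption modelled on
# the single 127.0.0.1 entry the post says PortSentry writes.
SAMPLE_HOSTS_DENY = """\
# /etc/hosts.deny
ALL: 127.0.0.1 : DENY
"""

# One probe: "<kind> from host: <name>/<ip> to <proto> port: <port>"
PROBE_RE = re.compile(
    r"portsentry\[(?P<pid>\d+)\]: attackalert: "
    r"(?P<kind>.+?) from host: (?P<name>[^/]+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)


def parse_attackalerts(text):
    """Return one dict per scan probe. 'already blocked' notices and
    adminalert lines carry no port, so they are skipped."""
    events = []
    for line in text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["pid"] = int(ev["pid"])
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def summarize(events):
    """Map source IP -> sorted list of (proto, port) it probed."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["ip"]].add((ev["proto"], ev["port"]))
    return {ip: sorted(ports) for ip, ports in per_host.items()}


def blocked_hosts(hosts_deny_text):
    """Addresses that appear in non-comment lines of hosts.deny."""
    found = set()
    for line in hosts_deny_text.splitlines():
        line = line.split("#", 1)[0]
        found.update(re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", line))
    return found


def unblocked_scanners(summary, hosts_deny_text):
    """Scanning hosts from the log that never made it into hosts.deny,
    e.g. because they are listed in portsentry.ignore."""
    blocked = blocked_hosts(hosts_deny_text)
    return sorted(ip for ip in summary if ip not in blocked)


if __name__ == "__main__":
    summary = summarize(parse_attackalerts(SAMPLE_LOG))
    for ip, ports in summary.items():
        print(ip, "probed", ", ".join(f"{p}/{n}" for p, n in ports))
    print("scanners not in hosts.deny:", unblocked_scanners(summary, SAMPLE_HOSTS_DENY))
```

A scanner that shows up in the log but never in hosts.deny is exactly what you would expect for an address listed in portsentry.ignore, so the last line is a quick way to confirm the ignore list is doing what you intended after you restore the 127.0.0.1/32 entry.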
Well, that's it, another tutorial finished :)