<HTML
><HEAD
><TITLE
>Configure and Optimise Portsentry</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.60"><LINK
REL="HOME"
TITLE="Securing and Optimizing Linux"
HREF="index.html"><LINK
REL="UP"
TITLE="Software -Security/Monitoring"
HREF="soft-secmonitor.html"><LINK
REL="PREVIOUS"
TITLE="PortSentry"
HREF="chap14sec116.html"><LINK
REL="NEXT"
TITLE="Test fire your PortSentry"
HREF="chap14sec118.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Securing and Optimizing Linux: RedHat Edition -A Hands on Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="chap14sec116.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 14. Software -Security/Monitoring</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="chap14sec118.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="AEN7748"
>14.6. Configure and Optimise Portsentry</A
></H1
><P
> You have to configure the <TT
CLASS="filename"
>/usr/psionic/portsentry/portsentry.conf</TT
> file, which is the main configuration file for the PortSentry software; in it you specify which ports to listen on, which <SPAN
CLASS="acronym"
>IP</SPAN
> addresses are denied, monitored or ignored, whether automatic responses are disabled, and so on. For more information read the <TT
CLASS="filename"
>README.install</TT
> file under the PortSentry source directory.
Edit the <TT
CLASS="filename"
>portsentry.conf</TT
> file, <B
CLASS="command"
>vi</B
> <TT
CLASS="filename"
>/usr/psionic/portsentry/portsentry.conf</TT
>, and check/change the following options to fit your needs:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
> # PortSentry Configuration
#
# $Id: portsentry.conf,v 1.13 1999/11/09 02:45:42 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.


#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#

# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1023.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have a problem because I'll only tell
# you to RTFM and don't run above the first 1023 ports.
#
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"


######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/psionic/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/psionic/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/psionic/portsentry/portsentry.blocked"

###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing so though, as most attackers really aren't doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.666 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# All KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If your OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"

# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"

# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"

# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"

##
# Using a packet filter is the preferred method. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##

###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
#
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
# AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
# and people can make scans appear out of thin air. The only time it
# is reasonably safe (and I *never* think it is reasonable) to run
# reverse probe scripts is when using the "classic" -tcp mode. This
# mode requires a full connect and is very hard to spoof.
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"


#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used port
# below your specified range, you have the opportunity to really
# break things. (i.e. someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#

SCAN_TRIGGER="0"

######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."

# EOF
</PRE
></TD
></TR
></TABLE
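><P
> Before restarting PortSentry with a hand-edited file, it is worth checking it against the rules the file's own comments state: every entry quoted, no spaces inside the port lists, a single active <TT
CLASS="literal"
>KILL_ROUTE</TT
> with the <TT
CLASS="literal"
>333.444.555.666</TT
> placeholder replaced, the advanced range kept at or below 1023, port 6000 not bound on a host that runs X, and every <TT
CLASS="literal"
>%</TT
> escaped in a new-style <TT
CLASS="literal"
>KILL_HOSTS_DENY</TT
>. The script below is an added example written for this page, not part of PortSentry; the function names and the two sample configurations it writes are constructed for the example.
</P
>
```shell
#!/bin/sh
# Added example (not PortSentry code): pre-flight checks for portsentry.conf
# enforcing what the file's own comments demand. Names and samples are constructed.
# Value of the last active (uncommented) KEY="value" line, without the quotes.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}
# Number of active assignments of KEY (prints 0 when there are none).
conf_count() {
    grep -c "^[[:space:]]*$2=" "$1" || true
}
# Print every problem found; exit status 0 when clean, 1 otherwise.
check_portsentry_conf() {
    pc_conf=$1
    pc_problems=0

    # "All entries must be in quotes."
    if grep -qE '^[[:space:]]*[A-Z_]+=[^"]' "$pc_conf"; then
        echo "unquoted value: $(grep -nE '^[[:space:]]*[A-Z_]+=[^"]' "$pc_conf" | head -n 1)"
        pc_problems=$((pc_problems + 1))
    fi

    # "You CAN NOT put spaces between your port arguments."
    for pc_key in TCP_PORTS UDP_PORTS ADVANCED_EXCLUDE_TCP ADVANCED_EXCLUDE_UDP; do
        case "$(conf_value "$pc_conf" "$pc_key")" in
            *' '*) echo "spaces inside $pc_key"; pc_problems=$((pc_problems + 1)) ;;
        esac
    done

    # "ONLY ONE KILL_ROUTE OPTION CAN BE USED AT A TIME."
    pc_routes=$(conf_count "$pc_conf" KILL_ROUTE)
    if [ "$pc_routes" -gt 1 ]; then
        echo "$pc_routes KILL_ROUTE lines are active; keep exactly one"
        pc_problems=$((pc_problems + 1))
    fi

    # "333.444.555.666 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!"
    if grep -qE '^[[:space:]]*KILL_ROUTE=.*333\.444\.555\.666' "$pc_conf"; then
        echo "KILL_ROUTE still uses the 333.444.555.666 placeholder gateway"
        pc_problems=$((pc_problems + 1))
    fi

    # "I DON'T RECOMMEND YOU MONITOR OVER 1023 PORTS."
    for pc_key in ADVANCED_PORTS_TCP ADVANCED_PORTS_UDP; do
        pc_n=$(conf_value "$pc_conf" "$pc_key")
        case "$pc_n" in
            ''|*[!0-9]*) ;;   # unset or not a number: nothing to compare
            *) if [ "$pc_n" -gt 1023 ]; then
                   echo "$pc_key=$pc_n watches ports above 1023 (false-alarm risk)"
                   pc_problems=$((pc_problems + 1))
               fi ;;
        esac
    done

    # "X-Windows Users: ... you are not binding PortSentry to port 6000."
    case ",$(conf_value "$pc_conf" TCP_PORTS)," in
        *,6000,*) echo "TCP_PORTS binds 6000; X clients will fail on this host"
                  pc_problems=$((pc_problems + 1)) ;;
    esac

    # New-style hosts.deny entries: "escape all '%' symbols with a backslash".
    if printf '%s\n' "$(conf_value "$pc_conf" KILL_HOSTS_DENY)" | grep -qE '(^|[^\\])%'; then
        echo "KILL_HOSTS_DENY has an unescaped %; prefix each % with a backslash"
        pc_problems=$((pc_problems + 1))
    fi

    echo "$pc_problems problem(s) found"
    [ "$pc_problems" -eq 0 ]
}
# Constructed sample that breaks every rule above (seven problems).
sample_bad_conf() {
    printf '%s\n' \
        'TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6000,6667"' \
        'UDP_PORTS="1,7,9,69,161,162, 513,635"' \
        'ADVANCED_PORTS_UDP="65000"' \
        'KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"' \
        'KILL_ROUTE="/sbin/route add -host $TARGET$ reject"' \
        'KILL_HOSTS_DENY="ALL: $TARGET$ : spawn (/bin/echo %h) : DENY"' \
        'SCAN_TRIGGER=0' > "$1"
}
# Constructed sample: a trimmed copy of the listing above, reject route active.
sample_good_conf() {
    printf '%s\n' \
        'TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,31337"' \
        'UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,31337,54321"' \
        'ADVANCED_PORTS_TCP="1023"' \
        'ADVANCED_PORTS_UDP="1023"' \
        'KILL_ROUTE="/sbin/route add -host $TARGET$ reject"' \
        'KILL_HOSTS_DENY="ALL: $TARGET$"' \
        'SCAN_TRIGGER="0"' > "$1"
}
# Usage: sh check-portsentry-conf.sh /usr/psionic/portsentry/portsentry.conf
if [ "$#" -eq 1 ]; then
    check_portsentry_conf "$1"
fi
```
<P
> The sample that breaks the rules reports seven problems and exits non-zero; the trimmed copy of the listing above reports none. Run the check against the real file after every edit, before PortSentry is restarted, since a bad <TT
CLASS="literal"
>KILL_ROUTE</TT
> is only discovered the first time a host trips a port.
</P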
><P
> Now, we must check/change its default permissions so that only root can read or modify it:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
> [root@deep] /#<B
CLASS="command"
>chmod</B
> 600 /usr/psionic/portsentry/portsentry.conf
</PRE
></TD
></TR
></TABLE
>
</P
><P
> You need to configure the <TT
CLASS="filename"
>/usr/psionic/portsentry/portsentry.ignore</TT
> file, where you add any host you want ignored if it connects to a tripwired port. This should always contain at least the
localhost address <TT
CLASS="literal"
>127.0.0.1</TT
> (interface <TT
CLASS="literal"
>lo</TT
>) and the <SPAN
CLASS="acronym"
>IP</SPAN
> addresses of all the local interfaces of the protected host. It is not recommended that you put in every <SPAN
CLASS="acronym"
>IP</SPAN
> on your network, since any host listed here can probe you without ever being blocked.

Edit the <TT
CLASS="filename"
>portsentry.ignore</TT
> file, <B
CLASS="command"
>vi</B
> <TT
CLASS="filename"
>/usr/psionic/portsentry/portsentry.ignore</TT
>, and add any host you want ignored if it connects to a tripwired port:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
> # Put hosts in here you never want blocked. This includes the IP addresses
# of all local interfaces on the protected host (i.e. virtual hosts, multi-homed)
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.

127.0.0.1
0.0.0.0
</PRE
></TD
></TR
></TABLE
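><P
> The rule above (list the host's own addresses, not the whole network) can be applied mechanically instead of by hand. The script below is an added example written for this page, not part of PortSentry: it generates the ignore file from the output of <B
CLASS="command"
>ip -4 -o addr show</B
> (assumed as a modern replacement for reading <B
CLASS="command"
>ifconfig</B
> output by eye; the sample output embedded in it is constructed) and audits an existing file for entries that cover more than one host.
</P
>
```shell
#!/bin/sh
# Added example (not PortSentry code): generate portsentry.ignore from this
# host's own IPv4 addresses, which is what the text asks for (127.0.0.1,
# 0.0.0.0 and every local interface, nothing else), and audit an existing
# file for entries wider than one host. It parses the output of
# `ip -4 -o addr show`; the sample below is constructed for this example.

# Read `ip -4 -o addr show` lines on stdin and print the bare addresses.
# Field 3 is "inet", field 4 is "addr/prefix"; the prefix length is stripped.
local_ipv4_addrs() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# Emit a complete ignore file on stdout from `ip` output read on stdin:
# header comments, the two fixed entries, then each interface address once.
build_portsentry_ignore() {
    printf '%s\n' \
        '# Hosts never blocked: this host only (generated; do not add the LAN).' \
        '# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.'
    { printf '%s\n' 127.0.0.1 0.0.0.0; local_ipv4_addrs; } | awk '!seen[$0]++'
}

# Print every non-comment entry of an ignore file that is not a single
# dotted-quad address (networks, prefixes, names, wildcards) for review.
audit_portsentry_ignore() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | grep -vE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Constructed sample of `ip -4 -o addr show` on a two-NIC host with a
# secondary address on eth0 (the real command prints one line per address).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.11/24 brd 192.168.1.255 scope global secondary eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 10.0.0.5/8 brd 10.255.255.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Usage: sh portsentry-ignore.sh --generate > /usr/psionic/portsentry/portsentry.ignore
#        sh portsentry-ignore.sh --audit /usr/psionic/portsentry/portsentry.ignore
case "${1:-}" in
    --generate) ip -4 -o addr show | build_portsentry_ignore ;;
    --audit)    audit_portsentry_ignore "$2" ;;
esac
```
<P
> Run it with <TT
CLASS="literal"
>--generate</TT
> on the protected host and compare the result with your hand-written file; anything the <TT
CLASS="literal"
>--audit</TT
> pass prints is a name or network that can probe you without ever being blocked.
</P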
><P
> Now, we must check/change its default permissions so that only root can read or modify it:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
> [root@deep] /#<B
CLASS="command"
>chmod</B
> 600 /usr/psionic/portsentry/portsentry.ignore
</PRE
></TD
></TR
></TABLE
>
</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="chap14sec116.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="chap14sec118.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>PortSentry</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="soft-secmonitor.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Test fire your PortSentry</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>