Portsentry on Debian notes

The main configuration file, /etc/portsentry.conf, does a good job of being self-explanatory.

You may choose whether or not to block scanners with the BLOCK_TCP and BLOCK_UDP directives:
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

Scan Response
The response(s) are defined by the KILL_ROUTE, KILL_HOSTS_DENY and KILL_RUN_CMD directives.
You may:
  • route the scanner's traffic to a host that does not exist (the dead host's address goes after gw)
     KILL_ROUTE="/sbin/route add -host $TARGET$ gw"
  • reject traffic from the scanner, eg:
     KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
    (enabled by default in the Debian package)
  • drop traffic from the scanner using a packet filter, eg:
     KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
  • add the scanner's IP address to /etc/hosts.deny with the KILL_HOSTS_DENY directive
  • run a command, eg:
      KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"
    either before or after blocking (the KILL_RUN_CMD_FIRST directive chooses which)

Every IP address that trips a monitored port is appended to portsentry.history.
Debian puts portsentry.history at /var/lib/portsentry/portsentry.history.

A scanner could choose to avoid the TCP_PORTS and UDP_PORTS listed in the default portsentry configuration. To mitigate this, add a few more unused ports in the (1024,61000) range.

An attacker may use forged packets to fool portsentry into blocking legitimate networks.

I usually add a few friendly networks to the ignore list (instructing portsentry to ignore scans from them). I recommend it to everyone who has the BLOCK_TCP directive set to true and KILL_ directives enabled that change the routing table, drop packets, or populate the hosts.deny list.

To permanently whitelist hosts and networks you never want blocked, put them in /etc/portsentry/portsentry.ignore.static.

Trusted hosts and networks used for administration along with and are good candidates. does not mean you trust the whole IPv4 Internet It means you never reroute to a blackhole the route or drop everything from

Portsentry adds the host's own network interfaces to portsentry.ignore on startup, so you do not need to add them yourself. /etc/portsentry.ignore contains all the IP networks currently exempt from KILL_ROUTE. To add a CIDR, edit /etc/portsentry.ignore.static and restart portsentry.

A short script that turns the portsentry.history log into HTML:

#!/bin/sh
# g0 2013
# portsentry.history to html
#
# PORTSENTRY_HISTORY defaults to the Debian location given above.
# HTML is a placeholder: point it at a file in an HTTP-accessible directory.
PORTSENTRY_HISTORY="${PORTSENTRY_HISTORY:-/var/lib/portsentry/portsentry.history}"
HTML="${HTML:-/path/to/htdocs/portsentry.html}"

# History line layout: epoch - date time Host: name/ip Port: port proto action
# The header and link prefixes are set up once in BEGIN; each record becomes a table row.
# Note: fields are written into the HTML unescaped, and systime() needs gawk or mawk.
awk '
BEGIN {
print "<!doctype html><html><head><title>portsentry.history</title><style>"
print "a.lnk:link { color:#0000FF; text-decoration:none; } a.lnk:visited { color:#0000FF; text-decoration:none; }"
print "a.lnk:hover { color:#00FF00; text-decoration:none; } a.lnk:active { color:#00FF00; text-decoration:none; }"
print "</style></head><body><table border=0 cellspacing=8>"
DEL=" </td><td> "; APRO="<a target=_blank class=lnk href=http://ipduh.com/apropos/?" ; P=">" ; OS="</a>" ;
EPOC="<a class=lnk target=_blank href=http://ipduh.com/epoch/?";
}
# $6 is name/ip; a[1] is the resolved name, a[2] the address
{ split($6,a,"/") }
{ print "<tr><td>" EPOC $1 P $1 OS DEL $3 DEL $4 DEL APRO a[1] P a[1] OS DEL }
{ if (a[1] != a[2] ) {  print APRO a[2] P a[2] OS } }
{ print DEL $8 DEL $9 "</td></tr>" }
END { EPOCH=systime();
print "</table><br /><br />Produced from portsentry.history on " EPOC EPOCH P EPOCH OS "</body></html>" }
' "${PORTSENTRY_HISTORY}" 2>/dev/null 1>"${HTML}"


You just need to set HTML to a file in an HTTP-accessible directory and create a cron job that runs the script.

To get portsentry_history2html:
$ wget kod.ipduh.com/lib/portsentry_history2html
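As an added example (not from these notes and not the portsentry_history2html script), the Python below does the same job as the awk script with every field passed through html.escape, and it also checks the history against a list in the portsentry.ignore.static format described above, so you can see which trusted hosts were already blocked before you whitelisted them. The history field layout is inferred from the awk script, the ignore-file syntax (one address or CIDR per line, # comments, bare address taken as /32) is an assumption, and every sample line is constructed.

```python
"""Parse portsentry.history, audit sources against an ignore list, render escaped HTML.
Added example; the sample data below is constructed, not a real capture."""
import html
import ipaddress

# Constructed portsentry.history lines. Field layout (assumed from the awk script):
#   epoch - mm/dd/yyyy hh:mm:ss Host: name/ip Port: N PROTO action
# Addresses come from the documentation ranges; the second name shows why escaping matters.
SAMPLE_HISTORY = """\
1372857600 - 07/03/2013 12:00:00 Host: 198.51.100.7/198.51.100.7 Port: 111 TCP Blocked
1372858000 - 07/03/2013 12:06:40 Host: <i>fake</i>/203.0.113.9 Port: 1 UDP Blocked
1372858500 - 07/03/2013 12:15:00 Host: admin.example/192.0.2.10 Port: 139 TCP Blocked
"""

# Constructed portsentry.ignore.static: one host or CIDR per line, '#' comments (format assumed).
SAMPLE_IGNORE_STATIC = """\
# loopback and the admin network
127.0.0.1/32
192.0.2.0/24
"""


def parse_ignore(text):
    """Return the networks listed in an ignore file, skipping blanks and comments.
    A bare address becomes a /32 (or /128) network."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_ignored(ip, nets):
    """True if ip falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_history(text):
    """Parse history lines into dicts. Malformed lines are skipped, never guessed at."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[1] != "-" or f[4] != "Host:" or f[6] != "Port:":
            continue
        # The resolved name may itself contain '/', so split on the last one.
        name, _, ip = f[5].rpartition("/")
        try:
            ipaddress.ip_address(ip)
            epoch, port = int(f[0]), int(f[7])
        except ValueError:
            continue
        entries.append({"epoch": epoch, "date": f[2], "time": f[3], "host": name,
                        "ip": ip, "port": port, "proto": f[8], "action": f[9]})
    return entries


def blocked_trusted(entries, nets):
    """Sources in the history that lie inside trusted networks: hosts blocked before
    the network was whitelisted, or forged packets carrying a trusted address.
    Either way their KILL_ROUTE / hosts.deny entries need cleaning up."""
    return sorted({e["ip"] for e in entries if is_ignored(e["ip"], nets)})


def render_html(entries, produced_at):
    """Same columns as the awk script, but every cell is escaped, so a hostile
    reverse-DNS name cannot inject markup into the report."""
    rows = []
    for e in entries:
        cells = [e["epoch"], e["date"], e["time"], e["host"], e["ip"], e["port"], e["proto"]]
        rows.append("<tr><td>" + "</td><td>".join(html.escape(str(c)) for c in cells) + "</td></tr>")
    return ('<!doctype html><html><head><meta charset="utf-8">'
            "<title>portsentry.history</title></head><body><table>"
            + "".join(rows)
            + f"</table><p>Produced from portsentry.history at {int(produced_at)}</p></body></html>")


if __name__ == "__main__":
    import time
    entries = parse_history(SAMPLE_HISTORY)
    nets = parse_ignore(SAMPLE_IGNORE_STATIC)
    for ip in blocked_trusted(entries, nets):
        print("trusted source found in history:", ip)
    print(render_html(entries, time.time()))
```

The escaping is the point of the rewrite: the name half of the Host: field is whatever portsentry recorded for the source, which is reverse DNS when resolution is enabled, and the awk version writes it into a page served from your web directory as-is. Point parse_history at the real /var/lib/portsentry/portsentry.history and parse_ignore at your ignore.static to run it against live data.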

URI: http://alog.ipduh.com/2013/07/portsentry.html