portsentry

Portsentry on Debian notes

The main configuration file, /etc/portsentry/portsentry.conf on Debian, does a really good job of being self-explanatory.


You may choose whether or not to block scanners with
BLOCK_UDP="0"
BLOCK_TCP="0"
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)


Scan Response
The response(s) are defined by the KILL_ROUTE, KILL_HOSTS_DENY and KILL_RUN_CMD directives.
You may:
  • route the scanner's traffic to a gateway that does not exist (a black hole), eg:
     KILL_ROUTE="/sbin/route add -host $TARGET$ gw 3.4.5.6"
     
  • reject traffic from the scanner, eg:
     KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
     
    (enabled by default in the Debian package)
  • drop traffic from the scanner with a packet filter, eg:
     KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
     
  • add the scanner's IP address to /etc/hosts.deny, eg:
      KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
     
  • run a command, eg:
      KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"
     
    either before or after the blocking step (1 = run the command first, 0 = run it after):
     KILL_RUN_CMD_FIRST = "0"
     
Note that the two route-based responses only affect the replies the host sends back (they are host routes in the local routing table); the scanner's packets still arrive. The packet filter rule is the one that actually stops inbound traffic.


All 'scanning' IP addresses are appended to portsentry.history.
Debian puts portsentry.history at /var/lib/portsentry/portsentry.history

A scanner can simply avoid the ports listed in TCP_PORTS and UDP_PORTS in the default portsentry configuration. To make that harder, add a few more ports that nothing on the host listens on, for example from the 1024-61000 range. In the classic tcp/udp modes portsentry binds every port in those lists, so a port that is already in use will fail to bind; check before you add one.
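The check described above, as an added example that is not part of the original page or of portsentry: given an `ss -Hltn` style listing of what the host already listens on, keep only the candidate ports that are free and print them as a TCP_PORTS line. The listing is passed in as a file so the logic can be exercised offline with constructed input; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the page or from portsentry): choose trip-wire
# ports for TCP_PORTS that nothing on this host listens on.  The listening
# table is passed in as a file so the logic can be run offline; on a live
# box generate it with:  ss -Hltn > /tmp/listen.txt
# In classic tcp mode portsentry binds every port in TCP_PORTS, so a port
# that is already in use fails to bind.

# Local ports from an `ss -Hltn` style listing, numerically sorted, one per
# line.  The local address is column 4 (0.0.0.0:22, [::]:25, *:1524); the
# port is whatever follows the last colon.
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# usage: unused_ports LISTING_FILE PORT...   -> the candidates not in use
unused_ports() {
    listing=$1
    shift
    printf '%s\n' "$@" | awk -v used="$(listening_ports < "$listing" | tr '\n' ' ')" '
        BEGIN { n = split(used, u, " "); for (i = 1; i <= n; i++) inuse[u[i]] = 1 }
        !($1 in inuse) { print $1 }'
}

# usage: tcp_ports_line LISTING_FILE PORT...  -> a TCP_PORTS= line for portsentry.conf
tcp_ports_line() {
    printf 'TCP_PORTS="%s"\n' "$(unused_ports "$@" | tr '\n' ',' | sed 's/,$//')"
}

# Command line use: tcp_ports_line /tmp/listen.txt 1524 2000 5742 31337 ...
if [ "$#" -gt 1 ]; then
    tcp_ports_line "$@"
fi
```

Run it against a fresh `ss -Hltn` capture each time you revise the port list; a port that shows up in the listing is skipped rather than handed to portsentry.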

An attacker may send packets with a forged source address to fool portsentry into blocking a legitimate network (your DNS servers, your upstream gateway, the hosts you administer from).

I usually add a few friendly networks to the ignore list, i.e. instruct portsentry to ignore scans coming from them. I recommend this to everyone who has BLOCK_TCP or BLOCK_UDP set to "1" and KILL_ directives enabled that alter the routing table, drop packets, or populate hosts.deny.

To permanently whitelist hosts and networks you never want blocked, put them in /etc/portsentry/portsentry.ignore.static, one address or CIDR per line (an address without a mask is treated as /32).

Trusted hosts and networks used for administration are good candidates, together with the loopback network 127.0.0.0/8 and the single address 0.0.0.0. The entries are matched against the source address of the scan, so 0.0.0.0 here means packets forged with an all-zeros source, nothing to do with the default route. Do not write it as 0.0.0.0/0: by CIDR arithmetic a /0 mask covers every IPv4 address, which would make portsentry ignore every scanner.

The addresses of the host's own network interfaces are added on startup (the Debian init script regenerates /etc/portsentry/portsentry.ignore from portsentry.ignore.static plus the local interface addresses), so you do not need to list them yourself. /etc/portsentry/portsentry.ignore therefore holds all the addresses and networks the KILL_ directives will never act on. To add a CIDR, edit /etc/portsentry/portsentry.ignore.static and restart portsentry.
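A KILL_RUN_CMD script for the "run a command" response above that re-checks the ignore list before it blocks anything, as an added example that is not from the original page or from portsentry. It validates $TARGET$ as a plain dotted quad (so nothing odd ever reaches the firewall command line), matches it against the entries of portsentry.ignore with the same /32-default and CIDR semantics described in the preceding paragraphs, and only then inserts an iptables DROP rule. The script path, the function names, the IGNORE_FILE default and the choice of iptables are assumptions; the test data is constructed.

```shell
#!/bin/sh
# Added example, not part of the page or of portsentry: a KILL_RUN_CMD
# helper that re-checks the ignore list before blocking.  Hook it up with
#   KILL_RUN_CMD="/usr/local/sbin/portsentry-block $TARGET$ $PORT$ $MODE$"
# The script path, the IGNORE_FILE default and the use of iptables are
# assumptions; adjust them to your setup.

IGNORE_FILE="${IGNORE_FILE:-/etc/portsentry/portsentry.ignore}"

# Accept only a plain dotted-quad IPv4 address.  Anything else (hostnames,
# shell metacharacters, octets > 255, leading zeros that inet_aton would read
# as octal) is refused so a malformed $TARGET$ never reaches iptables.
is_ipv4() (
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
)

# Dotted quad -> unsigned 32-bit integer (input must already be validated).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Does IP lie inside NETWORK[/BITS]?  A bare address means /32, as in
# portsentry.ignore.  /0 matches every address, which is why 0.0.0.0/0
# must never appear in the ignore file.
ip_in_cidr() {
    ip=$1
    net=${2%%/*}
    case "$2" in
        */*) bits=${2#*/} ;;
        *)   bits=32 ;;
    esac
    is_ipv4 "$ip" || return 1
    is_ipv4 "$net" || return 1
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ] && return 0
    return 1
}

# Is TARGET covered by any entry in the ignore file?  Blank lines and
# '#' comments are skipped; the first word of a line is the entry.
never_block() {
    target=$1
    file=$2
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line
        [ -n "${1:-}" ] || continue
        ip_in_cidr "$target" "$1" && return 0
    done < "$file"
    return 1
}

# usage: decide_action TARGET IGNORE_FILE  -> malformed | ignore | block
decide_action() {
    if ! is_ipv4 "$1"; then
        echo malformed
    elif never_block "$1" "$2"; then
        echo ignore
    else
        echo block
    fi
}

# The action portsentry triggers: log the decision, drop only when warranted.
block_scanner() {
    target=$1; port=$2; mode=$3
    action=$(decide_action "$target" "$IGNORE_FILE")
    logger -t portsentry-block "$action $target ($mode scan, port $port)"
    if [ "$action" = block ]; then
        iptables -I INPUT -s "$target" -j DROP
    fi
}

# portsentry calls this as:  script TARGET PORT MODE
if [ "$#" -eq 3 ]; then
    block_scanner "$1" "$2" "$3"
fi
```

Pair it with BLOCK_TCP="2" / BLOCK_UDP="2" if you want this script to be the only response, or keep KILL_ROUTE and let it run first with KILL_RUN_CMD_FIRST = "1". Because portsentry.ignore is re-read on every call, a network added to portsentry.ignore.static takes effect at the next restart without touching the script.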

A short script that HTMLfies the portsentry.history log. The name half of the Host field may come from a reverse DNS lookup (RESOLVE_HOST), i.e. from a PTR record that whoever is scanning you controls, so the script HTML-escapes every field before writing it into the page rather than trusting the log.

#!/bin/sh
#g0 2013
#portsentry.history to html
#http://alog.ipduh.com/2013/07/portsentry.html
#
# Field layout of a portsentry.history line as used below:
#   $1 epoch   $3 date   $4 time   $6 name/ip   $8 port   $9 protocol
# Every field is passed through esc() before it lands in the HTML.

PORTSENTRY_HISTORY="/var/lib/portsentry/portsentry.history"
HTML="/var/www/sites/adm.ipduh/www/in/portsentry.history.html"

awk -v EPOCH="$(date +%s)" '
# HTML-escape a string: & first, then < > and the attribute quote.
function esc(s) {
    gsub(/&/, "\\&amp;", s); gsub(/</, "\\&lt;", s); gsub(/>/, "\\&gt;", s); gsub(/"/, "\\&quot;", s)
    return s
}
BEGIN {
    print "<!doctype html><html><head><title>portsentry.history</title><style>"
    print "a.lnk:link { color:#0000FF; text-decoration:none; } a.lnk:visited { color:#0000FF; text-decoration:none; }"
    print "a.lnk:hover { color:#00FF00; text-decoration:none; } a.lnk:active { color:#00FF00; text-decoration:none; }"
    print "</style></head><body><table border=0 cellspacing=8>"
    DEL = " </td><td> "
    APRO = "<a target=\"_blank\" class=\"lnk\" href=\"http://ipduh.com/apropos/?"
    EPOC = "<a target=\"_blank\" class=\"lnk\" href=\"http://ipduh.com/epoch/?"
    P = "\">"; OS = "</a>"
}
{
    split($6, a, "/")
    name = esc(a[1]); ip = esc(a[2]); ts = esc($1)
    row = "<tr><td>" EPOC ts P ts OS DEL esc($3) DEL esc($4) DEL APRO name P name OS DEL
    # the next cell gets a second link only when the resolved name differs from the address
    if (a[1] != a[2]) row = row APRO ip P ip OS
    print row DEL esc($8) DEL esc($9) "</td></tr>"
}
END {
    print "</table><br /><br />Produced from portsentry.history on " EPOC EPOCH P EPOCH OS "</body></html>"
}
' "${PORTSENTRY_HISTORY}" 2>/dev/null 1>"${HTML}"

You just need to set HTML to a file in a directory the web server serves and run the script from a cronjob. The timestamp of the run is taken from date +%s so the script works with mawk as well as gawk.

To get portsentry_history2html
$ wget kod.ipduh.com/lib/portsentry_history2html



URI: http://alog.ipduh.com/2013/07/portsentry.html