This chapter is from the book

Exercise 5: PortSentry

Description

Psionic's PortSentry is another example of host-based intrusion detection software. PortSentry monitors the TCP and UDP ports on the system in an attempt to determine if someone is scanning the system in anticipation of an attack. The Linux version of PortSentry is also capable of detecting stealth scans, such as SYN/half-open, FIN, NULL, XMAS, and out-of-band packets.
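The scan names above (NULL, FIN, XMAS, SYN/half-open) each correspond to a particular combination of TCP flag bits. The following added example, written for this page and not taken from PortSentry or the book, parses raw 20-byte TCP headers and names the probe type from those bits; the headers it feeds in are constructed with the helper `build_tcp_header`, not captured traffic, and the function and constant names are this example's own.

```python
"""Classify TCP probe segments by their flag combination.

Added example for the stealth-scan description; not PortSentry code and not
part of the book exercise. Headers follow the RFC 793 layout; the sample
segments below are constructed here rather than captured.
"""
import struct

# TCP flag bits: the low 6 bits of the 16-bit data-offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Construct a minimal 20-byte TCP header carrying the given flags (test data only)."""
    data_offset = 5 << 12  # five 32-bit words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset | (flags & 0x3F), 65535, 0, 0)


def tcp_flags(segment):
    """Return the 6-bit flag field from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", segment[12:14])[0]
    return off_flags & 0x3F


def classify_probe(flags):
    """Name the probe type that a single segment's flags indicate.

    A lone SYN is also how every legitimate connection begins; a monitor such
    as PortSentry treats it as a probe only because it arrives on a port that
    nothing listens on. Whether it was a half-open scan or a full connect is
    known only once the handshake does or does not complete, which a single
    segment cannot show.
    """
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == SYN:
        return "SYN"
    if flags & RST:
        return "RST"  # a response, not a probe
    return "other"


def probe_report(segments):
    """Return [(destination_port, probe_type)] for the segments that look like probes."""
    report = []
    for seg in segments:
        dport = struct.unpack("!H", seg[2:4])[0]
        kind = classify_probe(tcp_flags(seg))
        if kind not in ("RST", "other"):
            report.append((dport, kind))
    return report


# Constructed sample: four probes to low ports plus one ordinary mid-connection segment.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 1, SYN),
    build_tcp_header(40001, 11, FIN),
    build_tcp_header(40002, 15, 0),
    build_tcp_header(40003, 79, FIN | PSH | URG),
    build_tcp_header(40004, 22, ACK | PSH),  # data on an established connection
]

if __name__ == "__main__":
    for port, kind in probe_report(SAMPLE_SEGMENTS):
        print(f"probe to TCP port {port}: {kind}")
```

The ACK|PSH segment is dropped from the report on purpose: on a real host it would belong to an established connection, and a detector that flagged it would drown the administrator in false alerts. A NULL probe (no flags at all) and an XMAS probe (FIN, PSH and URG together) never occur in normal TCP traffic, which is what makes them reliable to classify from one packet.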

PortSentry logs scan violations to local and remote logging syslog systems. When used in conjunction with Psionic's LogCheck function, it can email alerts to a designated administrator.

Another unique aspect of PortSentry is that it will also initiate protective action automatically. It does this by either placing the remote IP address into TCP Wrappers' /etc/hosts.deny or by creating a bogus route in the system's routing table, which effectively black holes any response to the remote system's probes. Black holing a response means that the system essentially drops it.

The automatic response can be a source of trouble if not properly configured. By spoofing the IP address of a trusted partner, such as a customer or vendor, it is possible for an attacker to effectively create a denial of service situation for the trusted partner.

Objective

The objective of this exercise is to demonstrate the installation, configuration, and operation of PortSentry. An attack will be simulated, and PortSentry's response will be examined.

Requirements

Challenge Procedure

The following are the steps that you will perform for this exercise:

  1. Install PortSentry.
  2. Configure PortSentry.
  3. Test PortSentry.
  4. Kill PortSentry.

Challenge Procedure Step-by-Step

The following are the detailed steps you will perform to install and run PortSentry:

  1. Install PortSentry. To do this, log in as root. Then, download or copy the PortSentry source file to /usr/local/exercises. Unpack the source file:

       tar zxf portsentry-1.1.tar.gz

     Figure 3.72

  2. Change the directory to the PortSentry source directory by typing cd portsentry-1.1.

     Figure 3.73

  3. Compile PortSentry using the following:

       make linux

     Figure 3.74

  4. Copy the binaries to the default directory:

       make install

     Figure 3.75

  5. Now, configure PortSentry. Do this by editing /usr/local/psionic/portsentry/portsentry.ignore.

     Figure 3.76

  6. Then, position your cursor at the beginning of the line that reads 127.0.0.1/0. Comment out the entry that instructs PortSentry to ignore scans from the localhost: press i and insert a number (#) symbol at the beginning of the line, then press Esc to exit insert mode.

     Figure 3.77

  7. Press ZZ to save the changes and exit vi.

  8. Next, test PortSentry. Start a TCP PortSentry monitor:

       /usr/local/psionic/portsentry/portsentry -tcp

     Figure 3.78

  9. Then, start a UDP PortSentry monitor:

       /usr/local/psionic/portsentry/portsentry -udp

     Figure 3.79

  10. Verify that the PortSentry monitors started successfully:

       tail /var/log/messages

     Figure 3.80

  11. Run a port scan to trigger some alerts:

       nmap -p 1-100 127.0.0.1

     Figure 3.81

  12. Check to see if the alerts were logged:

       tail /var/log/messages

     Figure 3.82

  13. Check the protective action that PortSentry has taken by typing the following command:

       cat /etc/hosts.deny

     Figure 3.83

  14. Try to start a Telnet session:

       telnet 127.0.0.1

     Figure 3.84

  15. Remove the protective measures by editing /etc/hosts.deny.

     Figure 3.85

  16. Position the cursor at the line that reads ALL: 127.0.0.1.

     Figure 3.86

  17. Press dd to delete the entry. Press ZZ to save the changes and exit vi.

  18. Finally, kill PortSentry. Do this by killing the PortSentry monitors using the following command:

       killall portsentry

     Figure 3.87
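The exercise inspects the alerts in /var/log/messages and the block that PortSentry wrote to /etc/hosts.deny by hand, and the Description warns that the same automatic block can be turned into a denial of service against a trusted partner whose address appears in a scan. The following added example, written for this page and not part of PortSentry or the book, automates both checks: it summarises which source probed which ports from syslog lines, lists the hosts PortSentry reports having blocked, and audits hosts.deny against the portsentry.ignore trust list so that any blocked address inside a trusted network is identified and removed. It assumes the attackalert line formats shown in its docstring and that portsentry.ignore holds one IP or IP/prefix per line; the log lines, ignore file and hosts.deny content are all constructed sample data.

```python
"""Audit PortSentry's automatic blocking against the trusted-host list.

Added example for this exercise; it is not PortSentry code or the book's.
Assumed syslog formats (the regexes below depend on them):
    portsentry[PID]: attackalert: Connect from host: NAME/IP to TCP port: N
    portsentry[PID]: attackalert: Host IP has been blocked via wrappers with string: "ALL: IP"
Assumed file formats: portsentry.ignore holds one IP or IP/prefix per line
('#' starts a comment); hosts.deny entries written by PortSentry read 'ALL: IP'.
All sample data below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

CONNECT_RE = re.compile(r"attackalert: Connect from host: \S+?/(\S+) to (TCP|UDP) port: (\d+)")
BLOCKED_RE = re.compile(r"attackalert: Host (\S+) has been blocked via (\w+)")
DENY_RE = re.compile(r"^\s*ALL:\s*(\S+)")

# Constructed sample log: a localhost scan (as in the exercise), a scan that
# appears to come from a partner network, and a UDP probe from elsewhere.
SAMPLE_LOG = """\
Mar  4 10:15:01 lab portsentry[812]: adminalert: PortSentry 1.1 is starting.
Mar  4 10:16:22 lab portsentry[812]: attackalert: Connect from host: 127.0.0.1/127.0.0.1 to TCP port: 1
Mar  4 10:16:22 lab portsentry[812]: attackalert: Host 127.0.0.1 has been blocked via wrappers with string: "ALL: 127.0.0.1"
Mar  4 10:16:22 lab portsentry[812]: attackalert: Connect from host: 127.0.0.1/127.0.0.1 to TCP port: 11
Mar  4 10:20:05 lab portsentry[812]: attackalert: Connect from host: 192.0.2.55/192.0.2.55 to TCP port: 111
Mar  4 10:20:05 lab portsentry[812]: attackalert: Host 192.0.2.55 has been blocked via wrappers with string: "ALL: 192.0.2.55"
Mar  4 10:25:40 lab portsentry[813]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to UDP port: 69
"""

# Constructed portsentry.ignore: the localhost entry is commented out, as the
# exercise does, so 127.0.0.1 is NOT trusted; 192.0.2.0/24 is a trusted partner.
SAMPLE_IGNORE = """\
# 127.0.0.1/32
0.0.0.0
# partner network that must never be blocked, even if its addresses appear in a scan
192.0.2.0/24
"""

# Constructed hosts.deny content as PortSentry would have left it after the scans above.
SAMPLE_HOSTS_DENY = """\
ALL: 127.0.0.1
ALL: 192.0.2.55
"""


def parse_ignore(text):
    """Return the trusted networks listed in portsentry.ignore-style text."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_trusted(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def summarize_scans(log_text):
    """Map each probing source to the sorted (proto, port) pairs it touched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            hits[m.group(1)].add((m.group(2), int(m.group(3))))
    return {src: sorted(ports) for src, ports in hits.items()}


def blocked_hosts(log_text):
    """Sources that PortSentry reports having blocked, by any method."""
    return {m.group(1) for m in map(BLOCKED_RE.search, log_text.splitlines()) if m}


def audit_hosts_deny(hosts_deny_text, ignore_text):
    """Split PortSentry's hosts.deny entries into (keep, release): 'release' holds
    blocked addresses inside a trusted network, the spoofed-partner denial-of-service case."""
    nets = parse_ignore(ignore_text)
    keep, release = [], []
    for line in hosts_deny_text.splitlines():
        m = DENY_RE.match(line)
        if m:
            (release if is_trusted(m.group(1), nets) else keep).append(m.group(1))
    return keep, release


def cleaned_hosts_deny(hosts_deny_text, ignore_text):
    """hosts.deny content with trusted-network blocks removed; all other lines untouched."""
    nets = parse_ignore(ignore_text)
    kept = []
    for line in hosts_deny_text.splitlines():
        m = DENY_RE.match(line)
        if m and is_trusted(m.group(1), nets):
            continue
        kept.append(line)
    return "".join(l + "\n" for l in kept)


if __name__ == "__main__":
    for src, ports in summarize_scans(SAMPLE_LOG).items():
        print(f"{src}: probed {', '.join(f'{p}/{n}' for p, n in ports)}")
    print("blocked:", sorted(blocked_hosts(SAMPLE_LOG)))
    keep, release = audit_hosts_deny(SAMPLE_HOSTS_DENY, SAMPLE_IGNORE)
    print("keep blocked:", keep, " release (trusted):", release)
    print("cleaned hosts.deny:\n" + cleaned_hosts_deny(SAMPLE_HOSTS_DENY, SAMPLE_IGNORE), end="")
```

Run against the sample data, the audit keeps the localhost block (the ignore entry for it was commented out, exactly as the exercise instructs) and releases 192.0.2.55, because a block on a trusted partner's address is more likely the result of a spoofed scan than of a real attack. Keeping the trust list in portsentry.ignore complete, and auditing hosts.deny against it, is the practical mitigation for the denial-of-service risk the Description describes; the same kind of check applies to the black-hole routes and ipchains entries PortSentry can add instead.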

Additional Reading

"How to Stop Crackers with PortSentry," LinuxWorld, http://www.linuxworld.com/site-stories/2001/1002.portsentry.html.

Smith, Clifford. "Deploying Portsentry," BSD Today, July, 2000, http://www.bsdtoday.com/2000/July/Features233.html.

Summary

PortSentry is host-based intrusion detection software. It is able to detect a wide variety of scan types. Scans can be logged to local or remote syslog systems.

PortSentry has the additional capability of protecting a system from hostile port scans. It does this by adding the scanning system's IP address to the hosts.deny file, adding entries to the ipchains ACL list, or black holing return traffic to the scanning host. Care should be taken if this capability is used because it can also be used to cause a type of denial of service attack.
