Exercise 5: PortSentry
Psionic's PortSentry is another example of host-based intrusion detection software. PortSentry monitors the TCP and UDP ports on the system in an attempt to determine if someone is scanning the system in anticipation of an attack. The Linux version of PortSentry is also capable of detecting stealth scans, such as SYN/half-open, FIN, NULL, XMAS, and out-of-band packets.
PortSentry logs scan violations to local and remote logging syslog systems. When used in conjunction with Psionic's LogCheck function, it can email alerts to a designated administrator.
Another unique aspect of PortSentry is that it will also initiate protective action automatically. It does this by either placing the remote IP address into TCP Wrappers's /etc/hosts.deny or by creating a bogus route in the system's routing table, which effectively black holes any response to the remote system's probes. Black holing a response means that it is essentially being dropped by the system.
The automatic response can be a source of trouble if not properly configured. By spoofing the IP address of a trusted partner, such as a customer or vendor, it is possible for an attacker to effectively create a denial of service situation for the trusted partner.
The objective of this exercise is to demonstrate the installation, configuration, and operation of PortSentry. An attack will be simulated, and PortSentry's response will be examined.
Intel-based PC running Red Hat Linux 7.2
Psionic PortSentry 1.1, available at http://www.psionic.com/products/portsentry.html
The following are the steps that you will perform for this exercise:
- Install PortSentry.
- Configure PortSentry.
- Test PortSentry.
- Kill PortSentry.
Challenge Procedure Step-by-Step
The following are the detailed steps you will perform to install and run PortSentry:
Install PortSentry. To do this, log in as root. Then, download or copy the PortSentry source file to /usr/local/ exercises. Unpack the source file:
Change the directory to the PortSentry source directory by typing cd portsentry-1.1.
Compile PortSentry using the following:
Copy the binaries to the default directory:
Now, configure PortSentry. Do this by editing /usr/local/psionic/portsentry/portsentry.ignore.
Then, position your cursor at the beginning of the line that reads 127.0.0.1/0. Comment out the entry that instructs PortSentry to ignore scans from the localhost. Press i and insert a number (#) symbol at the beginning of the line. Press Esc to exit insert mode.
Press ZZ to save the changes and exit vi.
Next, test PortSentry. Start a TCP PortSentry monitor:
Then, start a UDP PortSentry monitor:
Verify that the PortSentry monitors started successfully:
Run a port scan to trigger some alerts:
Check to see if the alerts were logged:
Check the protective action that PortSentry will take by typing the following command:
Try to start a Telnet session:
Remove the protective measures by editing /etc/hosts.deny.
Position the cursor at the line that reads ALL: 127.0.0.1.
Press dd to delete the entry. Press ZZ to save the changes and exit vi.
Finally, kill PortSentry. Do this by killing the PortSentry monitors using the following command:
tar zxf portsentry-1.1.tar.gz
nmap p 1-100 127.0.0.1
"How to Stop Crackers with PortSentry," LinuxWorld, http://www.linuxworld.com/site-stories/2001/1002.portsentry.html.
Smith, Clifford. "Deploying Portsentry," BSD Today, July, 2000, http://www.bsdtoday.com/2000/July/Features233.html.
PortSentry is host-based intrusion detection software. It is able to detect a wide variety of scan types. Scans can be logged to local or remote syslog systems.
PortSentry has the additional capability of protecting a system from hostile port scans. It does this by adding the scanning system's IP address to the hosts.deny file, adding entries to the ipchains ACL list, or black holing return traffic to the scanning host. Care should be taken if this capability is used because it can also be used to cause a type of denial of service attack.