Step Six - Portsentry

7. Step Six

Quoting from portsentry's homepage on what exactly portsentry is/does:

"PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time. Some of the more useful features include:

- Runs on TCP and UDP sockets to detect port scans against your system. PortSentry is configurable to run on multiple sockets at the same time so you only need to start one copy to cover dozens of tripwired services.
- Stealth scan detection (Linux only right now). PortSentry will detect SYN/half-open, FIN, NULL, X-MAS and oddball packet stealth scans. Four stealth scan operation modes are available for you to choose from.
- PortSentry will react to a port scan attempt by blocking the host in real-time. This is done through configured options of either dropping the local route back to the attacker, using the Linux ipfwadm/ipchains command, *BSD ipfw command, and/or dropping the attacker host IP into a TCP Wrappers hosts.deny file automatically.
- PortSentry has an internal state engine to remember hosts that connected previously. This allows the setting of a trigger value to prevent false alarms and detect "random" port probing.
- PortSentry will report all violations to the local or remote syslog daemons indicating the system name, time of attack, attacking host IP and the TCP or UDP port a connection attempt was made to.
- Once a scan is detected your system will turn into a blackhole and disappear from the attacker. This feature stops most attacks cold."

Long, I know, but I believe portsentry to be one of the best steps you can take to bring to your attention how many "script-kiddies" are out there, probing thousands of systems, including yours, for weaknesses.

7.1 Installing and Configuring Portsentry

Go to the directory where you downloaded portsentry, move the archive to /tmp, and unpack it there:

mv portsentry* /tmp

cd /tmp

tar -zxvf portsentry*

cd portsentry-1.0 (or whatever directory the archive extracted to)

You must read README.install, because you have to configure certain files before you compile it. If you try this process, and it still doesn't seem to work, or it isn't doing what you want, or you just want to see what I have in mine, you are welcome to see my config file: portsentry.conf (should go in /usr/local/abacus/portsentry)

make linux

make install

I recommend editing portsentry.ignore and adding the following line (network address and netmask length in CIDR notation):

192.168.0.0/24

PortSentry will then never block hosts on your home network, which saves a lot of grief when a machine on your own LAN touches a monitored port. Keep the 127.0.0.1 and 0.0.0.0 entries that ship in the file, and make sure the addresses of all of the host's own interfaces are listed too.

7.2 Running Portsentry

To start portsentry up, type:

portsentry -stcp

portsentry -sudp

You will know it worked if /var/log/messages shows portsentry reporting that it is listening on a bunch of ports.
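Since portsentry reports every violation to syslog and, with the hosts.deny option, writes the attacker into TCP Wrappers, it is worth having a quick way to review what it has caught. The following shell script is an added example, not part of this HOWTO or of portsentry itself: the log lines and the hosts.deny contents are constructed samples, and the "attackalert:" message shape is assumed from portsentry 1.x.

```shell
#!/bin/sh
# Added example (not from the HOWTO or from portsentry): summarise what
# portsentry reported to syslog and cross-check blocked hosts against hosts.deny.

# Constructed sample log lines; the message shape is what portsentry 1.x is
# assumed to write ("attackalert: Connect from host: IP/IP to TCP port: N").
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar  3 10:01:12 myhost portsentry[412]: attackalert: Connect from host: 10.9.8.7/10.9.8.7 to TCP port: 111
Mar  3 10:01:12 myhost portsentry[412]: attackalert: Connect from host: 10.9.8.7/10.9.8.7 to TCP port: 143
Mar  3 10:01:13 myhost portsentry[412]: attackalert: Host 10.9.8.7 has been blocked via wrappers with string: "ALL: 10.9.8.7"
Mar  3 10:05:40 myhost portsentry[413]: attackalert: Connect from host: 10.1.2.3/10.1.2.3 to UDP port: 69
Mar  3 10:06:00 myhost sshd[500]: Accepted password for bob from 192.168.0.5 port 1022
EOF

# Constructed hosts.deny, as portsentry's wrapper blocking would leave it.
DENY=$(mktemp)
echo 'ALL: 10.9.8.7' > "$DENY"

# probe_summary LOGFILE: one line per probing source, "IP distinct-ports",
# busiest source first. Only portsentry's own attackalert lines are read.
probe_summary() {
  grep 'portsentry.*attackalert: Connect from host:' "$1" \
    | sed -n 's/.*Connect from host: \([0-9.]*\)\/.*to \([A-Z]*\) port: \([0-9]*\).*/\1 \2\/\3/p' \
    | sort -u \
    | awk '{ n[$1]++ } END { for (h in n) print h, n[h] }' \
    | sort -k2,2nr
}

# check_blocked LOGFILE HOSTS_DENY: returns 0 when every host portsentry says it
# blocked via wrappers is still present in hosts.deny, otherwise prints the
# missing hosts and returns 1 (handy after a hosts.deny cleanup or a restore).
check_blocked() {
  rc=0
  for h in $(sed -n 's/.*attackalert: Host \([0-9.]*\) has been blocked.*/\1/p' "$1" | sort -u); do
    grep -qF "ALL: $h" "$2" || { echo "blocked in log but missing from hosts.deny: $h"; rc=1; }
  done
  return $rc
}

probe_summary "$LOG"          # prints "10.9.8.7 2" then "10.1.2.3 1"
check_blocked "$LOG" "$DENY"  # returns 0 for the sample files
```

Point the two functions at the real /var/log/messages and /etc/hosts.deny to use them on a live system.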
