How To Install Portsentry On Centos

Posted on  by

Uninstall portsentry. To remove just portsentry package itself from Debian Unstable (Sid) execute on terminal: sudo apt-get remove portsentry Uninstall portsentry and it’s dependent packages. To remove the portsentry package and any other dependant package which are no longer needed from Debian Sid. Sudo apt-get remove -auto-remove portsentry. Intrusion Detection NMAP scanning and PortSentry Evasion This paper will discuss the methods used to circumvent intrusion detection technology employed by Psionic's PortSentry software. It will look at normal modes of operation where PortSentry binds itself to monitored ports at a userland level, and stealth modes, where it operates with raw. Installing necessary packages yum install bind bind-chroot bind-libs bind-utils caching-nameserver -y After installing the necessary packages you are ready to start configuring named.conf. You may check and see that there is no named.conf in your /etc/ directory in Centos 5. No worries here you can see a sample named.conf file. Adding Zone entries.

[Home] [Credit Search] [Category Browser] [Staff Roll Call] The LINUX.COM Article Archive
Originally Published: Thursday, 4 October 2001 Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles Page: 1/1 - [Std View]

Linux.com enjoys providing information we suspect you, dear reader, will particulary value. In this Linux.com security article correspondent Shashank Pandey shows us how to set up and configure the Intrusion Detection Software (IDS) PortSentry. We hope you find this useful.

Intrusion Detection Systems for the Uninitiated!

So perhaps you have been following all those defacement mirrors and are worried about whether your machine is going be the next entry in the archives? This article is intended to act as a health supplement for your existing security needs and policies.

Now, like I just said, this article is like a health supplement, but you have to consume it along with your basic food intake. In other words have a basic security policy in place, otherwise you'll be wasting your time here.

In this article (and the one that will follow), we will discuss what an Intrusion detection actually is, what software you can use to combat them, and how to install not one protection package, but a couple of them.

What is an IDS?

An IDS is expected to detect attacks (like someone port scanning you), log the attacker's traffic, help trace the origin of the attack and possibly even stop the attack midstream.

To achieve this an IDS has to do a lot of things like analyzing the captured packets for an attack, comparing them with a database of attack signatures, performing integrity checks on file system (like if somebody has tampered with your /etc/shadow file), watching processes etc.

There are vendor defined IDS models like network ids, host ids, procedure based ids. Basically, enough options to confuse us!

In this article we will leave all that junk aside and focus on the principles: installation, configuration and a bit about bypassing IDSs.

We will learn about all this in a series on IDSs comprising of two articles/parts/whatevers :

Part 1 :Installing and Config. Portsentry (a simple an' sweet IDS)

Part 2 : Installing and Configuring Snort (relatively advanced IDS and with more functionalities.)

PART 1 Installing and Configuring Portsentry

Platform : Linux (configuration is similar on other OSs like BSD /sun/*nix )

Installation

There are two ways in which you can install Portsentry :

a)get an rpm from rpmfind.net.

and do: rpm -ivh <name-of-portsenty-rpm->

b)get a tar ball :

copy it and unpack it in any directory, say /tmp:

$] tar -zxvf portsentry-1.0.tar.gz

That will unpack portsentry to a directory 'portsentry-1.0' in /tmp or whatever directory you were in when you did the unpacking. Now,

cd portsentry-1.0

If you do an ls you will see several files. Now we get to the fun part, the actual editing of the files. First, open up portsentry_config.h in a text-editor (vi/pico/emacs etc). See if you can make out anything from all those lines and make any changes (provided you know what you are doing). Normally, you can skip this altogether.

The main configuration file for portsentry is portsentry.conf. It's very customizable and you can edit it before or after installation, as you may like. Here, we will go my way and install it before editing portsentry.conf .

Goto the folder where you have extracted portsentry and do (as root) :

./configure make make install

Generally, you shouldn't get any errors.

To check whether Portsentry has been installed properly do:

whereis portsentry

in my case, I got this:

/etc/portsentry /usr/local/portsentry

Dont fret if the path is different in your case.

Ok. Cute. Great going. Now that we have installed portsentry, we can happily configure it:

Configuration

Like I said earlier, the main configuration file for Portsentry is portsentry.conf.

In my case it was : /etc/portsentry/portsentry.conf

Now before we start configuring Portsentry, lets take a few moments to clear up a few fundamentals about Portsentry :

Portsentry can work in three modes:

  1. Classic mode
    In classic mode portsentry :
    • Is less prone to false alarms
    • Cannot detect stealth scans
  2. Stealth mode
    In Stealth mode portsentry :
    • Is relatively more prone to false alarms
    • Can detect stealth scans
  3. Advanced mode
    In Advanced mode portsentry:
    • Is most prone to false alarms
    • Detects stealth scans
Remember that portsentry can work in one mode only for TCP and one mode only for UDP at the same time. In other words, you cannot run two modes of TCP at the same time, or two modes of UDP at the same time.

So, now we move onwards to editing the portsentry.conf file which looks something like this:

Port Configurations

This part involves the ports you want the Portsentry to listen to for any suspected intrusion attempts. Specify ports here for Classic and Stealth modes

As you might have noted, ports have been specified for both UDP (connectionless transport layer protocol) and TCP (connection oriented transport protocol) as both specify the kind of interaction we're searching for at the transport layer. Put a '#'(hash)in the beginning of a line to comment (disable) out an option. Advice to the newbies: Dont go for the 'anal' settings as they really are for the anal.

You can always take the middle path and uncomment the option that says :'use this if you just want to be aware'.

Also, avoid configuring Portsentry to listen to port 6000 specifically, as this is the port on which X-server listens for client connections, and it might make you get 'constipated in your head' (confused) if it finds Portsentry there! Also, it's probably a wise idea to not have Portsentry listen on port 113 (identd) even if you don't run identd.

For the uninitiated, Identd is a daemon that implements a User Identification Protocol called Ident. If installed, Identd, typically comes into the picture in the case of a FTP or telnet connection. That may lead to a situation where whenever you try to FTP to a host, the FTP server will check the Identd running at 113 and ask it for the user identity (login name) of the user who owns the connection. Now, if Portsentry is sitting there, it will get tripped when the FTP server does its identd check.

I guess thats not worth the trouble... so leave port 113 and 6000 for portsentry.

Also, take care to choose ONLY ONE OPTION for TCP and UDP each, per a section of portsentry.conf as I will keep on repeating throughout this document (actually , as long as I can!)

Ok, so we now move on to the next part. We configure Portsentry to listen to a specific range of ports in Advanced mode. (In advanced mode, Portsentry cannot be configured to listen to specific ports but only a range of ports)

as the last four lines of this section say, exclude these:

TCP ports : 111,113,139 for TCP ident and netbios service (windows file sharing)

udp ports : 520,138,137,67 for route/RIP( protocol used by routers!), netbios, bootp (used in UDP based remote booting of an OS and also as a rudimentary DHCP server) Now, we move further. I hope you are not feeling sleepy! If you are, go take a dose of extra caffeine and come back.

Configuration Files

Here you can specify the paths to the files where Portsentry logs 'misbehaving' requests (leave the path of the log files to the default, doesn't hurt... so just let it be.)

Ignore Options

As the comments in this section say, you can set Portsentry to respond in a particular manner in case it detects a tcp/udp portscan.

As we can see, like always, there are options for both TCP and UDP

choose '0' : to just know when a scan occurred. no scan blocking.
choose '1' : to block all scans to your machine.
choose '2' :to run any external command(KILL_RUN_CMD) in response to TCP/UDP scans on your machine.

This option is more like a retaliatory action and not recommended as you might end up damaging a spoofed host used by the cracker or just piss him off, so that he returns, more determined and prepared! Also, if you select this option, then you wont be able to drop routes of the packets, as we will find below.

Also you will find an option to specify this command(KILL_RUN_CMD) as you go down reading this article. So dont worry.

Rogue Hosts

We will filter 'further' connection attempts by a rogue host. portsentry gives us two options:
  1. dropping route(of rogue host's tcp/ip packets).
  2. dropping the rogue hosts packets to the packet filters(ipfwadm or ipchains)

both the methods are discussed here. Make sure you choose ONLY ONE OPTION.

The variable $TARGET$ will be substituted with the attacking host when an attack is detected. The variable $port will be substituted with the port that was scanned and tripped portsentry off.

OK, there are only a couple of choices we need to consider here. They are:

# Newer versions of Linux support the reject flag now. This # is cleaner than the above option. #KILL_ROUTE='/sbin/route add -host $TARGET$ reject'

or

New ipchain support for Linux kernel version 2.102+ #KILL_ROUTE='/sbin/ipchains -I input -s $TARGET$ -j DENY -l'

If you have Ipchains installed (do: whereis ipchains ), then the second option is the best. Use the first option in case you have any problems with the ipchains option, like you don't have any idea about configuring ipchains and have decided to postpone learning about ipchains till I decide to write an article on it!

Anyways, if you suddenly realise that you have a old kernel then chuck the two above mentioned options and go for this:

# Generic Linux #KILL_ROUTE='/sbin/route add -host $TARGET$ gw 333.444.555.666'

In case you wondering what a dead host, is, and what has it got to do with Ips :127.0.0.1 , 333.444.555.666, let me tell you that a dead host is a host to which there is no route. In other words, if you send a packet to a dead host it will not reach anywhere, instead it will die when it's life is over!

With that, lets move forward.

TCP Wrappers

TCP wrappers are basically meant for access control and use the files : etc/hosts.allow and /etc/hosts.deny. Portsentry can 'drop' the hosts from where unauthorized connection came from, to the file:

/etc/hosts.deny

so that the 'rogue' IP cannot reconnect.

The process is not reliable because IPs can easily be spoofed but again, this should take care of most of the script kiddies in the wild!

If you are using an ancient Linux kernel that is possibly older than you, then comment out the uncommented choice and uncomment the commented out choice. (Switch the thing around). Otherwise use the default selection.

External Command

This is the command(KILL_RUN_CMD) that is run when a host connects. How about playing an alarm bell to a person who is doing a port scan on you?

You can also execute a command to send a mail to yourself on any suspected intrusion attempts or anything else.

To play an audio(say an alarm sound) file, you can do this :

KILL_RUN_CMD='/path/to/alarm.wav '$TARGET$ $PORT$'

Scan Trigger Value

Here, you can specify the number of ports(monitored by Portsentry) that are scanned/connected to before Portsentry gets triggered.

The default is 0 which will make it react immediately.

A value of 1 or 2 will reduce false alarms. Anything higher is probably not necessary. This value must always be specified, but generally can be left at 0.

Note: if you are going for the advanced detection option, it is advisable to go for a trigger value > 0 , to avoid a 'hair trigger' effect. This is because Advanced mode is set to listen to a range of ports (in our case : <1023) and therefore, will react to *any* host connecting to a non-used port below our specified range. This could lead to a DoS (Denial of Service) as even a valid/authorized connection attempt could be blocked.

Port Banner Section

This option lets you specify the text that you want to be displayed to the person tripping off Portsentry in the classic mode. The default comment in the configuration file. We do not recommend 'taunting the person' as this will only aggravate them.

Keep in mind that the stealth scan detection modes don't use this feature.

This is one sample message :

PORT_BANNER='** UNAUTHORIZED ACCESS PROHIBITED *** IP LOGGED '

Ok. So finally we are done with the installation and configuration. Now do a quick whereis portsentry and run Portsentry as follows, depending on the mode you want to run it in. Also, do man portsentry to get more help.

Usage :

Classic mode - /path/to/portsentry ^tcp -udp

Stealth mode - /path/to/portsentry ^stcp -sudp

Avanced mode - /path/to/portsentry ^atcp -audp

In Part Two

In the second article on IDSs, we shall learn to install and configure SNORT which is another cute Intrusion Detection System and also a bit on bypassing these IDS systems. ALOHA !

Author : Shashank Pandey a.k.a ~AcE~ E-mail : reach_shash@linuxmail.org

CopyLeftRightandCenter 2001. Shashank Pandey All Rights reserved. Unauthorized copying or duplication of this document is strictly prohibited.


Originally published on Linux.com. Released under the Open Content License unless otherwise stated.Notify Gareth Watts of anyerrors or copyright violations.

Hardening CentOS 5
Configure user account. logout and relogin as user. su wherever required.
useradd <username>
eg. useradd myodduser
How to install portsentry on centos 7 passwd myodduser <new password>
Configure Default runlevel to runlevel 3
Use your favorite text editor to edit /etc/inittab
Find a line that is similar to the following:
id:3:initdefault:
Verify the no. after “id:” id-colon is 3. If it is not make it three.
To restrict virtual terminals to two:
Find out following stanza to enable only two virtual terminals available:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
Make it to:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
Save /etc/inittab and exit
Edit /etc/fstab . For the file systems /tmp, /var, and /home replace the 'defaults' with 'noexec,nodev,nosuid'
noexec : Binaries are not allowed to be executed. NEVER use this option for your root file system!
nosuid : Blocks the operation of suid, and sgid bits.
nodev : Prevent any user to mount the file system.
Disable unused services in order to save on resources and minimize potential security holes.
These Services that are to be stopped are mentioned here, check appendix A in case of custom requirements.
NetworkManager
NetworkManagerDispatacpid
apmd
autofs
avahi-daemon
avahi-dnsconfd
bluetooth
conman
cpuspeed
cups
dc_client
dc_server
dhcdbd
dund
firstboot
gpm
haldaemon
hidd
ibmasm
ip6tables
ipmi
irda
irqbalance
kdump
kudzu
mcstrans
mdmonitor
mdmpd
microcode_ctl
netfs
netplugd
nfs
nfslock
nscd
oddjobd
pand
pcscd
portmap
rdisc
restorecond
rpcgssd
rpcidmapd
rpcsvcgssd
saslauthd
setroubleshoot
smartd
smb
squid
tux
winbind
wpa_supplicant
xfs
ypbind
yum-updatesd
With following command format:
chkconfig –level 12345 <servicename_to_be_disabled> off
To stop if any of the service is running:
service <servicename_to_be_stopped> stop
check /etc/hosts
It must be in the format. (See the 127.0.0.1 line)
127.0.0.1 localhost.localdomain localhost
IP.AD.DR.ESS machine.domain.name machine
Edit /etc/host.conf
order bind,hosts
multi on
nospoof on
Edit /etc/sysctl.conf - tighten
1. net.ipv4.tcp_syncookies = 1 # Enable TCP SYN Cookie Protection
2. net.ipv4.conf.all.accept_source_route = 0 # Disables IP source routing
3. net.ipv4.conf.all.accept_redirects = 0 # Disable ICMP Redirect Acceptance
4. net.ipv4.conf.all.rp_filter = 1 # Enable IP spoofing protection, turn on source route verification
5. net.ipv4.icmp_echo_ignore_broadcasts = 1 # Enable ignoring broadcasts request
6. net.ipv4.icmp_ignore_bogus_error_responses = 1 # Enable bad error message Protection
7 net.ipv4.conf.all.log_martians = 1 # Log Spoofed Packets, Source Routed Packets, Redirect Packets
Edit /etc/hosts.deny
portmap: ALL
Edit /etc/hosts.allow
portmap: localhost
portmap: 127.0.0.1
SSH:
Disable RootLogin, force protocol 2, (explore restricting SSH to users/groups )
Protocol 2
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
AllowUsers admin user1 user2 user3 (put actual users here in place of userN)
Stripping It Down
Following rpms are to be removed (You may add or remove some packages from this list in order to satisfy your environment.)
xkeyboard-config-0.8-7.fc6
dosfstools-2.11-6.2.el5
finger-0.17-32.2.1.1
dos2unix-3.1-27.1
esound-0.2.36-3
system-config-securitylevel-1.6.29.1-1.el5
NetworkManager-0.6.4-6.el5
OpenIPMI-2.0.6-5.el5.3
apmd-3.2.2-5
acpid-1.0.4-5
system-config-network-1.3.99-1.el5
gnome-python2-gtkhtml2-2.14.2-4.fc6
gnome-python2-bonobo-2.16.0-1.fc6
xorg-x11-drv-mouse-1.1.1-1.1
system-config-display-1.0.48-2.el5
xorg-x11-server-Xorg-1.1.1-48.13.0.1.el5
xorg-x11-server-Xvfb-1.1.1-48.13.0.1.el5
gnome-mime-data-2.4.2-3.1
centos-release-notes-5.0.0-2
xorg-x11-filesystem-7.1-2.fc6
xorg-x11-xauth-1.0.1-2.1
xorg-x11-xkb-utils-1.0.2-2.1
talk-0.17-29.2.2
cpuspeed-1.2.1-1.45.el5
hicolor-icon-theme-0.9-2.1
alsa-lib-1.0.12-3.el5
GConf2-2.14.0-9.el5
xorg-x11-utils-7.1-2.fc6
bluez-gnome-0.5-5.fc6
xorg-x11-xinit-1.0.2-13.el5
ypbind-1.19-7.el5
firstboot-tui-1.4.27.2-1.el5.centos.1
system-config-soundcard-2.0.6-1.el5
yp-tools-2.9-0.1
system-config-samba-1.2.39-1.el5
system-config-kdump-1.0.9-3.el5
tux-3.2.18-9.fc6
xorg-x11-fonts-base-7.1-2.1.el5
gnome-python2-canvas-2.16.0-1.fc6
gnome-mount-0.5-3.el5
xorg-x11-drv-vesa-1.2.1-5.2.el5
xorg-x11-drv-keyboard-1.1.0-2.1
xorg-x11-drv-evdev-1.0.0.5-2.el5
samba-common-3.0.23c-2.el5.2.0.2
xorg-x11-xfs-1.0.2-4
samba-client-3.0.23c-2.el5.2.0.2
xorg-x11-server-Xnest-1.1.1-48.13.0.1.el5
samba-3.0.23c-2.el5.2.0.2
gpm-1.20.1-74.1
xorg-x11-server-utils-7.1-4.fc6
redhat-menus-6.7.8-1.el5
metacity-2.16.0-8.el5
alsa-utils-1.0.12-3.fc6
OpenIPMI-libs-2.0.6-5.el5.3
portmap-4.0-65.2.2.1
nfs-utils-1.0.9-16.el5
system-config-nfs-1.3.23-1.el5
subversion-1.4.2-2.el5
gnome-python2-gconf-2.16.0-1.fc6
gnome-python2-extras-2.14.2-4.fc6
gnome-python2-gnomevfs-2.16.0-1.fc6
xorg-x11-drv-void-1.1.0-3.1
Security and management tool installations and fine tuning:
Security Tools Download, install and run:
a. chkrootkit - http://www.chkrootkit.org/download/
Download to /usr/local/src
Extract using 'tar -zxf'
Compile & Install using 'make sense'
Run chkrootkit
b. rkhunter - http://www.rootkit.nl/projects/rootkit_hunter.html
Download to /usr/local/src
Extract using 'tar -zxf'
Install using ./install.sh
./installer.sh --layout /usr/local –install
rkhunter --update
Run 'rkhunter -c --createlogfile'
Management Tool:. Download, install, configure: Webmin with SSL
Package Dependencies
Ensure openssl and openssl-devel are installed
rpm -q openssl
rpm -q openssl-devel
If they are not installed, install them using:
yum install openssl openssl-devel -y
(Mention ONLY those packages that need to be installed).
Download the Webmin RPM - http://www.webmin.com/
Download the RPM to /usr/local/src
Install using rpm -Uvh
Go to https://IP.AD.DR.ESS:10000 to configure. Login with user root, and password
1. Under Webmin -> Users -> Edit the root user. Rename root user to 'admin'
2. Under Logging ensure all events by all users are logged
3. Change the port from 10000 to a suitable one above 50000 (and below 60000).
4. Under Authntication - set the idle time-out to 5 minutes.
d. Perl Libraries

How To Install Portsentry On Centos Server

Net::SSLeay - http://www.cpan.org/modules/by-module/Net/Net_SSLeay.pm-1.30.tar.gz
Download to /usr/local/src/
Extract with tar -xzf
Prepare with 'perl Makefile.PL'
Compile & Install with 'make install'
Test installation with 'perl -e 'use Net::SSLeay'. You should be returned to the prompt. If you get errors, the installation did not succeed.
e. Portsentry -ftp://194.199.20.114/linux/freshrpms/fedora/linux/1/portsentry/portsentry-1.1-11.fr.i386.rpm
Download the RPM to /usr/local/src

How To Install Portsentry On Centos 7

Install using rpm -Uvh
Edit /etc/portsentry/portsentry.conf
Edit /etc/portsentry/portsentry.modes
Edit /etc/portsentry/portsentry.ignore
Start portsentry.

How To Install Portsentry On Centos 10

f. Checksuite - http://checksuite.sourceforge.net/
Download the RPM to /usr/local/src
Install using rpm -Uvh

How To Install Portsentry On Centos Windows 10


g. Fine Tuning IPTABLES:
edit /etc/sysconfig/iptables
Insert rules for trusted ip addresses only which should access ssh port.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s <trusted ip address> -j ACCEPT
These rules are to be added before following rule:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Also you will have to make sure other ports are kept open (Those considered under Pre-Installation preparation)