PortSentry

PortSentry is part of SentryTools. The daemon watches unused ports for activity and, depending on how it is configured, takes action when a watched port sees excessive access.

The configuration file presented in this guide is set up to block the addresses it picks up and then log them to /var/log/portsentry.block.log.

A good example of PortSentry in action: if someone were to port-scan your machine, they would be blocked from the machine and unable to perform further scanning or attempt to exploit the machine's vulnerabilities.

Often, before an intrusion attempt, one might first scan a machine to look for potential security holes, making this program your defender on the front lines of the cyber battlefield.

Installing PortSentry
You will need to make a keyword change in order to install PortSentry. This can be done by adding to your package.accept_keywords with the following command:

echo '>=net-analyzer/portsentry-1.2-r1 ~amd64' >> /etc/portage/package.accept_keywords

After you have made the required keyword change, you can move on to emerging the portsentry ebuild:

emerge -av net-analyzer/portsentry

Configuring PortSentry
/etc/portsentry/portsentry.conf

TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"

# Use these if you just want to be aware:
#TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"

# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

ADVANCED_PORTS_TCP="65355"
ADVANCED_PORTS_UDP="65355"
ADVANCED_EXCLUDE_TCP="80,113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"

IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/etc/portsentry/portsentry.history"
BLOCKED_FILE="/etc/portsentry/portsentry.blocked"

RESOLVE_HOST = "0"

BLOCK_UDP="2"
BLOCK_TCP="2"

KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && echo "$TARGET$:$PORT$" >> /var/log/portsentry.block.log"

#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

# External Command
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
# I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
# YOU!
# TCP/IP is an *unauthenticated protocol* and people can make scans appear out
# of thin air. The only time it is reasonably safe (and I *never* think it is
# reasonable) to run reverse probe scripts is when using the "classic" -tcp mode.
# This mode requires a full connect and is very hard to spoof.
# The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
# to run *before* the blocking occurs and should be set to "0" to make the
# command run *after* the blocking has occurred.
#KILL_RUN_CMD_FIRST = "0"
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"

# Scan trigger value
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used
# below your specified range, you have the opportunity to really
# break things. (i.e someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
SCAN_TRIGGER="0"

# Port Banner Section
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
# Stealth scan detection modes don't use this feature
PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."

# EOF
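The KILL_ROUTE line above appends one "$TARGET$:$PORT$" line per block to /var/log/portsentry.block.log, and the comments warn that a hair-trigger SCAN_TRIGGER in advanced mode can block innocent hosts. The POSIX shell script below is an added example, not code from this page or from the PortSentry project: it shows a KILL_RUN_CMD-style handler that validates the two arguments PortSentry passes (so that with RESOLVE_HOST="0" only a plain address ever reaches a later command) and writes the same log format, a summary of the most-blocked sources from that log, and a check of a blocked address against the portsentry.ignore list. File locations, the function names and all sample log and ignore entries are constructed for the demonstration; the ignore check matches entries verbatim and does not expand CIDR entries.

```shell
#!/bin/sh
# Added example (not part of the wiki page or of PortSentry itself).
# Works on the "$TARGET$:$PORT$" lines that the KILL_ROUTE command
# in the configuration above appends to /var/log/portsentry.block.log.

# record_block TARGET PORT LOGFILE
# Append one "TARGET:PORT" line, but only after checking that TARGET is a
# dotted IPv4 address and PORT is a number in 1..65535. PortSentry passes
# $TARGET$ and $PORT$ as the first two arguments of a KILL_RUN_CMD script;
# rejecting anything else keeps an unexpected value out of later commands.
record_block() {
    target=$1; port=$2; logfile=$3
    case $target in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;   # only digits and dots, no edge/double dots
    esac
    [ "$(printf '%s\n' "$target" | awk -F. '{ print NF }')" = 4 ] || return 1
    case $port in
        *[!0-9]*|'') return 1 ;;                # numeric only
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s:%s\n' "$target" "$port" >> "$logfile"
}

# top_blocked LOGFILE [N]
# Count block-log lines per source address, most frequent first
# (ties broken by address so the output is deterministic).
top_blocked() {
    logfile=$1; n=${2:-10}
    awk -F: '/^[0-9.]+:[0-9]+$/ { c[$1]++ }
             END { for (a in c) printf "%d %s\n", c[a], a }' "$logfile" \
        | sort -k1,1nr -k2,2 | head -n "$n"
}

# is_ignored IP IGNOREFILE
# Succeed when IP appears verbatim in a portsentry.ignore-style file
# (one entry per line, '#' comments). An ignored host showing up in the
# block log means the ignore list and the running configuration disagree.
is_ignored() {
    ip=$1; ignorefile=$2
    grep -v '^#' "$ignorefile" | grep -qxF "$ip"
}

# Constructed sample data (not real traffic) so everything runs offline.
DEMO_DIR=$(mktemp -d)
SAMPLE_LOG=$DEMO_DIR/portsentry.block.log
SAMPLE_IGNORE=$DEMO_DIR/portsentry.ignore
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10:12345
192.0.2.10:31337
198.51.100.7:111
192.0.2.10:635
203.0.113.5:54320
EOF
cat > "$SAMPLE_IGNORE" <<'EOF'
# trusted hosts that PortSentry must never block
127.0.0.1
203.0.113.5
EOF

record_block 192.0.2.10 1080 "$SAMPLE_LOG"            # valid: appended
record_block scanner.example 80 "$SAMPLE_LOG" || :    # hostname, not an IP: rejected

# Prints "4 192.0.2.10" first; 203.0.113.5 is both blocked and ignored,
# which is the misconfiguration the SCAN_TRIGGER comment warns about.
top_blocked "$SAMPLE_LOG" 3
is_ignored 203.0.113.5 "$SAMPLE_IGNORE" && echo "203.0.113.5 is on the ignore list but was blocked"
```

Pointing KILL_RUN_CMD at a script built around record_block gives the same log line as the KILL_ROUTE echo while refusing arguments that are not a bare address and port; running top_blocked and is_ignored over the real log periodically is a cheap way to notice when an address from the ignore list has been blocked anyway.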

Starting PortSentry
To start PortSentry, simply run:

/etc/init.d/portsentry start

You will also want to add portsentry to your startup with:

rc-update add portsentry default