portsentry from Psionic is a device that can help you determine if your system is being portscanned by nmap or some other portscanning device. All tools in this category do approximately the same thing: they watch the ports on the host looking for activity that is suspicious.
portsentry runs in one of several modes, specified on the command line as `portsentry mode`; only one mode can be used at a time, where mode is:
Mode | Meaning |
---|---|
-tcp | Basic port mode scan of TCP ports |
-udp | Basic port mode scan of UDP ports |
-stcp | Stealth TCP scan: uses a raw socket to monitor all ports and will detect connect, SYN, half-SYN and FIN scans |
-sudp | Really means nothing and is just a normal UDP scan. |
-atcp | Will sense and block attempts to connect to designated ports. This is a very powerful scan protection method. |
The advanced scan, -atcp, will detect all strobe-type connect scans, half-open scans, FIN scans, NULL scans, XMAS scans and UDP scans. It will also detect attempts to elicit responses by sending packets with weird flag configurations.
portsentry installs in a single directory in which you find the executable as well as the configuration files. Typically, you might install in /usr/local/portsentry, or in /etc/portsentry.
Option | Meaning | Example |
---|---|---|
TCP_PORTS | List of ports to watch for TCP scans; up to 64 ports. These should be ports that you are NOT using on your system; otherwise portsentry may see normal traffic as an attack. You can watch ports above 1023, but not above 61000, as those are often reserved. | TCP_PORTS="1,7,9,11,23,53,13313" |
UDP_PORTS | List of ports to watch for UDP scans; up to 64 ports. | UDP_PORTS="1,7,9,11,23,53,13313" |
ADVANCED_TCP_PORTS | Top of the TCP scan list. All ports below this are monitored. Used for the stealth scans. | ADVANCED_TCP_PORTS="1024" |
ADVANCED_UDP_PORTS | Top of the UDP scan list. All ports below this are monitored. Used for the stealth scans. | ADVANCED_UDP_PORTS="1024" |
ADVANCED_EXCLUDE_TCP | Ports in the advanced scan range to exclude from monitoring. | ADVANCED_EXCLUDE_TCP="113,139" |
ADVANCED_EXCLUDE_UDP | Ports in the advanced scan range to exclude from monitoring. | ADVANCED_EXCLUDE_UDP="113,139" |
IGNORE_FILE | Path of the file of IP addresses of hosts to ignore. No matter what these hosts do, they will not be monitored or acted on. | IGNORE_FILE="/usr/local/portsentry/portsentry.ignore" |
BLOCKED_FILE | Path of the file of IP addresses of hosts that are blocked due to scanning activity. These hosts will be prevented from accessing the system in the future. | BLOCKED_FILE="/usr/local/portsentry/portsentry.blocked" |
BLOCK_UDP | If "1", disable automatic responses to UDP probes. It is possible for someone to forge packets and cause a legitimate host to be blocked if this has the value "0". | BLOCK_UDP="1" |
BLOCK_TCP | If "1", disable automatic responses to TCP probes. As for UDP, but less of a problem as TCP requires a full connect. | BLOCK_TCP="0" |
KILL_ROUTE | The command to execute to drop an offending route if a scan is detected. | KILL_ROUTE="/sbin/route add -host $TARGET$ reject" or KILL_ROUTE="/sbin/iptables -A INPUT -s $TARGET$ -j DROP" |
Observe the warnings in this file about modifying the syntax, particularly with regard to spaces and "#" symbols.
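The options above carry several constraints that are easy to get wrong by hand: at most 64 ports per list, nothing above 61000, no overlap with ports the host actually serves, exclusions that fall inside the advanced range, and a KILL_ROUTE that still contains the $TARGET$ placeholder. The following POSIX shell script is an added example, not part of portsentry or of this page; it checks a constructed portsentry.conf fragment against those constraints. The sample configuration and the list of listening ports are hypothetical values built inline; on a real host you would feed the actual configuration file and a list derived from the output of a tool such as `ss -ltn`.

```shell
#!/bin/sh
# Added example: sanity-check a portsentry.conf fragment against the
# constraints described in the option table. Not portsentry's own code.

# Constructed sample configuration (hypothetical values).
SAMPLE_CONF='TCP_PORTS="1,7,9,11,23,53,13313"
UDP_PORTS="1,7,9,11,23,53,13313"
ADVANCED_TCP_PORTS="1024"
ADVANCED_EXCLUDE_TCP="113,139"
KILL_ROUTE="/sbin/iptables -A INPUT -s $TARGET$ -j DROP"'

# Constructed list of TCP ports this host is listening on. In a real run
# you would derive this from the live system (e.g. ss -ltn output).
LISTENING_TCP="22 53 80"

# conf_get CONF_TEXT KEY -> prints the unquoted value of KEY (empty if absent)
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_port_list "p1,p2,..." -> 0 if every entry is numeric, within
# 1..61000, and the list has at most 64 entries; 1 otherwise
check_port_list() {
    n=0
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        n=$((n + 1))
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 61000 ] || return 1
    done
    [ "$n" -le 64 ]
}

# list_conflicts "p1,p2,..." "l1 l2 ..." -> prints ports present in both
list_conflicts() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        for l in $2; do
            [ "$p" = "$l" ] && printf '%s\n' "$p"
        done
    done
    return 0
}

# validate_conf CONF_TEXT LISTENING -> 0 if all checks pass, 1 otherwise;
# prints one line per finding
validate_conf() {
    rc=0
    tcp=$(conf_get "$1" TCP_PORTS)
    udp=$(conf_get "$1" UDP_PORTS)
    check_port_list "$tcp" || { echo "TCP_PORTS invalid: $tcp"; rc=1; }
    check_port_list "$udp" || { echo "UDP_PORTS invalid: $udp"; rc=1; }

    # Watched ports must not be ports the host really serves, or normal
    # clients will be reported (and possibly blocked) as scanners.
    c=$(list_conflicts "$tcp" "$2")
    [ -z "$c" ] || { echo "TCP_PORTS overlap listening ports: $(echo $c)"; rc=1; }

    # Exclusions only make sense below the top of the advanced range.
    top=$(conf_get "$1" ADVANCED_TCP_PORTS)
    if [ -n "$top" ]; then
        for p in $(conf_get "$1" ADVANCED_EXCLUDE_TCP | tr ',' ' '); do
            [ "$p" -lt "$top" ] || { echo "exclusion $p not below ADVANCED_TCP_PORTS=$top"; rc=1; }
        done
    fi

    # KILL_ROUTE without the placeholder would block nothing useful.
    case "$(conf_get "$1" KILL_ROUTE)" in
        *'$TARGET$'*) ;;
        *) echo "KILL_ROUTE lacks the \$TARGET\$ placeholder"; rc=1 ;;
    esac
    return $rc
}

validate_conf "$SAMPLE_CONF" "$LISTENING_TCP" || echo "configuration needs attention"
```

With the constructed values the script reports that port 53 is both watched and served, which is exactly the false-positive situation the TCP_PORTS description warns about; remove 53 from the list (or from the listening set) and the checks pass.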
The other file that needs to be configured is the portsentry.ignore file, which should contain a list of IP addresses to be ignored. Typically these are local hosts that might legitimately have to portscan this system.
When portsentry runs, it watches for attacks on the configured ports and sends system log messages. You can read the results in the log files or use a program to watch them for you (swatch, logwatch). When it detects an attack, it attempts to prevent any further connection by the offending system, typically by adding a rule to your iptables. This rule is added dynamically, so it is permanent only if you go through a normal shutdown so that the in-kernel iptables rules are saved to the configuration file (normally /etc/sysconfig/iptables). It also stores information in the /etc/portsentry/*blocked* files so that it remembers which hosts are blocked.