portsentry

Dallam · 07-10-2001, 11:25 AM

Hi,
Is anyone using portsentry? I installed it yesterday. I can start it using portsentry -atcp -audp, but when I check /var/log/messages I see that after it starts I get AdminAlert portsentry is shutting down. What is that all about?
Thanks,
Dallam

unSpawn · 07-10-2001, 02:36 PM

Hmm. Only go this once, so YMMV.
I think u gotta look at the code if u have the binary and/or configs set up in the dir it mentions. The changable locations are also mentioned in the various readme's that go with the source.

Btw, I noticed ure using messages, the ps code can also be customized & use a syslog tag so u could do smptin like: local# /var/log/portsentry.log where # is a single digit.

raz · 07-11-2001, 06:14 AM

Dallam,

You do know that by using portsentry your opening yourself upto denial of service attacks.

Someone could easily "like with nmap" spoof source packets from your ISP's main router as part of a scan and your box would add it to the deny table.

I would write some perl script that checks the deny table for hosts that shouldn't be in there as to make sure my network connectivity stays up.

I've tested this and it doesn't do any kind of verification on the source.

/Raz

unSpawn · 07-11-2001, 03:48 PM

Raz, that ain't the whole picture.
Portsentry does use an ignore file for unblocked traffic from trusted hosts like ure router, dnses etc.

raz · 07-12-2001, 03:23 AM

Are you sure UnSpawn, I've read this one of it's main vulnerabilities.

I've installed it on one of my lab systems and can DOS it with my above method, any idea what file needs editing to add the trusted routers/dns's

Thanks for the info,
Raz

unSpawn · 07-12-2001, 05:42 AM

Raz, if I wasnt sure I wouldnt mention it, cuz I dont like FUD. The location depends on where you want it (compile-time options), guess on a regular install they end up in /etc/portsentry as portsentry.ignore.

Personally I like the modular approach, so my Ipchains entries from PS are fed tru an external script to a separate chains table, pruned/loaded/reported regularly against a separate/independant filterlist. hosts.deny is scrubbed regularly as well.
No use blocking one-timers for eternity.