LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   portsentry (http://www.linuxquestions.org/questions/linux-security-4/portsentry-4126/)

Dallam 07-10-2001 11:25 AM

portsentry
 
Hi,
Is anyone using portsentry? I installed it yesterday. I can start it using portsentry -atcp -audp, but when I check /var/log/messages I see that after it starts I get AdminAlert portsentry is shutting down. What is that all about?
Thanks,
Dallam

unSpawn 07-10-2001 02:36 PM

Hmm. Only go this once, so YMMV.
I think u gotta look at the code if u have the binary and/or configs set up in the dir it mentions. The changable locations are also mentioned in the various readme's that go with the source.

Btw, I noticed ure using messages, the ps code can also be customized & use a syslog tag so u could do smptin like: local# /var/log/portsentry.log where # is a single digit.

raz 07-11-2001 06:14 AM

Dallam,

You do know that by using portsentry your opening yourself upto denial of service attacks.

Someone could easily "like with nmap" spoof source packets from your ISP's main router as part of a scan and your box would add it to the deny table.

I would write some perl script that checks the deny table for hosts that shouldn't be in there as to make sure my network connectivity stays up.

I've tested this and it doesn't do any kind of verification on the source.

/Raz

unSpawn 07-11-2001 03:48 PM

Raz, that ain't the whole picture.
Portsentry does use an ignore file for unblocked traffic from trusted hosts like ure router, dnses etc.

raz 07-12-2001 03:23 AM

Are you sure UnSpawn, I've read this one of it's main vulnerabilities.

I've installed it on one of my lab systems and can DOS it with my above method, any idea what file needs editing to add the trusted routers/dns's

Thanks for the info,
Raz

unSpawn 07-12-2001 05:42 AM

Raz, if I wasnt sure I wouldnt mention it, cuz I dont like FUD. The location depends on where you want it (compile-time options), guess on a regular install they end up in /etc/portsentry as portsentry.ignore.

Personally I like the modular approach, so my Ipchains entries from PS are fed tru an external script to a separate chains table, pruned/loaded/reported regularly against a separate/independant filterlist. hosts.deny is scrubbed regularly as well.
No use blocking one-timers for eternity.


All times are GMT -5. The time now is 10:34 PM.