LinuxQuestions.org
Old 07-10-2001, 11:25 AM   #1
Dallam
Member
 
Registered: Apr 2001
Location: England
Distribution: SuSE 7.1
Posts: 63

portsentry


Hi,
Is anyone using portsentry? I installed it yesterday. I can start it using portsentry -atcp -audp, but when I check /var/log/messages I see that after it starts I get AdminAlert portsentry is shutting down. What is that all about?
Thanks,
Dallam
 
Old 07-10-2001, 02:36 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,492
Blog Entries: 54

Hmm. Only got this once, so YMMV.
I think u gotta look at the code if u have the binary and/or configs set up in the dir it mentions. The changeable locations are also mentioned in the various readmes that go with the source.

Btw, I noticed ure using messages, the ps code can also be customized & use a syslog tag so u could do something like: local# /var/log/portsentry.log where # is a single digit.
 
Old 07-11-2001, 06:14 AM   #3
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Dallam,

You do know that by using portsentry you're opening yourself up to denial of service attacks.

Someone could easily "like with nmap" spoof source packets from your ISP's main router as part of a scan and your box would add it to the deny table.

I would write some Perl script that checks the deny table for hosts that shouldn't be in there, so as to make sure my network connectivity stays up.

I've tested this and it doesn't do any kind of verification on the source.

/Raz
 
Old 07-11-2001, 03:48 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,492
Blog Entries: 54

Raz, that ain't the whole picture.
Portsentry does use an ignore file for unblocked traffic from trusted hosts like ure router, dnses etc.
 
Old 07-12-2001, 03:23 AM   #5
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Are you sure, unSpawn? I've read this is one of its main vulnerabilities.

I've installed it on one of my lab systems and can DoS it with my above method. Any idea what file needs editing to add the trusted routers/DNSes?

Thanks for the info,
Raz
 
Old 07-12-2001, 05:42 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,492
Blog Entries: 54

Raz, if I wasn't sure I wouldn't mention it, cuz I don't like FUD. The location depends on where you want it (compile-time options), guess on a regular install they end up in /etc/portsentry as portsentry.ignore.

Personally I like the modular approach, so my ipchains entries from PS are fed tru an external script to a separate chains table, pruned/loaded/reported regularly against a separate/independent filterlist. hosts.deny is scrubbed regularly as well.
No use blocking one-timers for eternity.
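
The deny-table check raz suggests in post #3, combined with the filter-list comparison unSpawn describes in post #6, as an added example that is not code from any poster in this thread or from PortSentry itself. It assumes deny entries of the form `ALL: <ip>` and a trusted list with one IP or IP/bits per line; the function names and sample data are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data (documentation address ranges), not from the thread.
SAMPLE_IGNORE = """\
# hosts that must never be blocked (router, DNS servers, localhost)
127.0.0.1/32
192.0.2.1
198.51.100.0/24
"""
SAMPLE_HOSTS_DENY = """\
# entries appended by the port-scan detector
ALL: 203.0.113.77
ALL: 192.0.2.1
ALL: 198.51.100.53 : DENY
sshd: 203.0.113.9
ALL: not-an-address
"""

# "daemon_list : client" with the client captured; comment lines never match.
DENY_LINE = re.compile(r"^\s*[^#:\s][^:]*:\s*(\S+)")

def load_trusted(text):
    """Parse ignore-list lines (IP or IP/bits, '#' comments) into networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def denied_hosts(text):
    """Yield (line_number, address) for deny entries that hold a literal IP."""
    for num, line in enumerate(text.splitlines(), 1):
        match = DENY_LINE.match(line)
        if not match:
            continue
        try:
            yield num, ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # hostname or wildcard pattern: out of scope for this check

def audit(deny_text, trusted_text):
    """Return deny entries that block a trusted host; these need removing."""
    trusted = load_trusted(trusted_text)
    return [(num, str(addr)) for num, addr in denied_hosts(deny_text)
            if any(addr in net for net in trusted)]

if __name__ == "__main__":
    for num, addr in audit(SAMPLE_HOSTS_DENY, SAMPLE_IGNORE):
        print(f"hosts.deny line {num}: trusted host {addr} is blocked")
```

A hit from this audit means a trusted address reached the deny table anyway, so both the stale entry and the detector's ignore file need attention.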
 
  

