PortSentry and Logcheck

Changing PortSentry Logging

From Jay

This text explains how to install and configure two great products, PortSentry and Logcheck.
Both are free, from Psionic: http://www.psionic.com/

PortSentry Installed on Caldera eDesktop 2.4

PortSentry listens on the ports you specify (or, in advanced mode, on every unused port below a limit you set), and depending on the mode you run it in will either just log a connection attempt or block the host that made it. When it blocks, it runs your KILL_ROUTE command (a reject route or a firewall rule) and adds the host to /etc/hosts.deny, so your machine stops answering that host from then on. Of course it also logs everything it does to syslog.

First, go to their website and download PortSentry.

tar -xvzf portsentry-1.0.tar.gz

In portsentry-1.0/portsentry.conf, uncomment exactly one KILL_ROUTE line. The command it names is what PortSentry runs against a scanning host, with $TARGET$ replaced by that host's IP address:

KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

(this adds a reject route, so the kernel can no longer send packets back to that host and no connection can complete) or, if you are running a 2.2.x kernel and have firewall support compiled in (which you should), uncomment this line instead:

KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

(this drops and logs the host's packets on input, which is stronger than a reject route: they never reach a service at all). Note the placeholder is spelled $TARGET$, with a dollar sign on both ends, in both lines.

Then uncomment this line:

PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY "

and modify it as you see fit. I like to replace GO AWAY with F*CK OFF, but that's me.

Add any IP addresses you never want blocked (your gateway, your DNS servers, your own workstation) to the portsentry.ignore file, one per line. Keep the 127.0.0.1 and 0.0.0.0 entries that ship in the file, and add the addresses of all of this machine's own interfaces; without them PortSentry can end up blocking the box itself.

Type: cd portsentry-1.0
Type: make linux
Type: make install (as root; this copies the binary, portsentry.conf and portsentry.ignore to /usr/local/psionic/portsentry)
Type: /usr/local/psionic/portsentry/portsentry -atcp

(or choose another startup mode from the list in the README; -atcp is advanced stealth TCP mode and the recommended one.) In the stealth modes PortSentry does not actually bind the ports it watches, so it can never send anything back, and the PORT_BANNER setting above is not used. The banner is only sent in the basic -tcp mode.

Type: tail /var/log/messages

The last line should be:
adminalert: PortSentry is now active and listening.
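Before running make install, it's worth checking the two files you just edited, because the mistakes are silent: two active KILL_ROUTE lines, a placeholder typed as $TARGETS instead of $TARGET$, or a deleted 127.0.0.1 entry only show up when a block fires. The script below is an added example written for this page, not part of PortSentry; it checks those three things against constructed sample files and assumes the 1.0 KEY="value" config syntax shown above.

```shell
#!/bin/sh
# Sanity-check portsentry.conf and portsentry.ignore before "make install".
# Added example for this page, not part of PortSentry. It assumes the 1.0
# config syntax shown above: KEY="value" lines, '#' comments, and the
# $TARGET$ placeholder that PortSentry replaces with the attacker's address.

# Print how many KILL_ROUTE lines are active (not commented out).
active_kill_routes() {
    awk '/^[ \t]*KILL_ROUTE=/ { n++ } END { print n + 0 }' "$1"
}

# Return 0 if the conf has exactly one active KILL_ROUTE that uses $TARGET$.
# Two active lines leave it ambiguous which command runs; a misspelled
# placeholder (the classic "$TARGETS") is never substituted by PortSentry,
# so the shell expands it to nothing and route/ipchains gets no address.
check_portsentry_conf() {
    conf=$1
    n=$(active_kill_routes "$conf")
    if [ "$n" -ne 1 ]; then
        echo "$conf: expected exactly 1 active KILL_ROUTE line, found $n" >&2
        return 1
    fi
    if ! grep '^[[:space:]]*KILL_ROUTE=' "$conf" | grep -q '\$TARGET\$'; then
        echo "$conf: active KILL_ROUTE does not contain \$TARGET\$" >&2
        return 1
    fi
    return 0
}

# Return 0 if the ignore file still lists 127.0.0.1 and 0.0.0.0 (the two
# entries the stock file ships with) and every address passed as $2, $3, ...
# (this machine's own interfaces, gateway, DNS servers).
check_portsentry_ignore() {
    ignore=$1
    shift
    for ip in 127.0.0.1 0.0.0.0 "$@"; do
        if ! grep -qF "$ip" "$ignore"; then
            echo "$ignore: missing $ip" >&2
            return 1
        fi
    done
    return 0
}

# Demo on constructed files (not a real install): the route-based block is
# active, the ipchains variant is left commented out.
demo_dir=$(mktemp -d)
cat > "$demo_dir/portsentry.conf" <<'EOF'
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
EOF
cat > "$demo_dir/portsentry.ignore" <<'EOF'
127.0.0.1
0.0.0.0
192.168.0.1
EOF
if check_portsentry_conf "$demo_dir/portsentry.conf" &&
   check_portsentry_ignore "$demo_dir/portsentry.ignore" 192.168.0.1; then
    echo "config looks sane, safe to run make install"
fi
```

Run it against the real files with check_portsentry_conf portsentry.conf and check_portsentry_ignore portsentry.ignore followed by your gateway and DNS addresses; a non-zero exit and a message on stderr means fix the file before installing.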

Now, create a file called PortSentry in /etc/rc.d/init.d

Put the following in the file:

#!/bin/sh
# Start and stop PortSentry (advanced stealth TCP mode)

PORTSENTRY=/usr/local/psionic/portsentry/portsentry

case "$1" in
'start')
    echo "Starting PortSentry"
    $PORTSENTRY -atcp
    ;;
'stop')
    echo "Stopping PortSentry"
    killall portsentry
    ;;
'restart')
    $0 stop
    sleep 1
    $0 start
    ;;
*)
    echo "Usage: $0 { start | stop | restart }"
    exit 1
    ;;
esac
exit 0

Save and exit, then make it executable (chmod 755 /etc/rc.d/init.d/PortSentry).

A script sitting in init.d is not run by itself: link it into the directory for the runlevel you boot into (an S99PortSentry symlink in /etc/rc.d/rc3.d, for example) or register it with your distribution's service tool. With that link in place PortSentry is started at bootup.

PortSentry is now installed and configured.

Here's what an nmap scan from an IP address not listed in portsentry.ignore showed in the logs:

Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: SYN/Normal scan from host: 192.168.0.2/192.168.0.2 to TCP port: 885
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: Host 192.168.0.2 has been blocked via wrappers with string: "ALL: 192.168.0.2"
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: Host 192.168.0.2 has been blocked via dropped route using command: "/sbin/route add -host 192.168.0.2 reject"

Note how the host has been blocked and can no longer connect. Of course, they could run Nmap with the -D (decoy) flag, but it won't help them anyway: their real source address gets blocked along with the decoys. What decoys do show is the weak spot of automatic blocking. PortSentry blocks on the source address of a single SYN, so anyone who can spoof packets can get a host you rely on (your gateway, your DNS server, a monitoring box) blocked. Be careful, it blocks hosts or connections you may not want blocked! Put every host you trust in portsentry.ignore, and list ports that legitimate clients probe on their own in ADVANCED_EXCLUDE_TCP in portsentry.conf (the default already excludes 113 and 139, which mail and IRC servers doing ident lookups and Windows machines doing NetBIOS browsing will hit).
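Nothing above says how to undo a block, and you will need to: the reject route is gone after a reboot, but the line PortSentry appended to /etc/hosts.deny stays until you remove it. The following script is an added example, not part of PortSentry or of this page's original text; it reads constructed syslog lines like the ones above, lists the hosts blocked via the route-based KILL_ROUTE used here, and prints (does not run) the commands that would unblock them.

```shell
#!/bin/sh
# Pull the hosts PortSentry blocked out of syslog and print the commands that
# undo the block. Added example for this page, not part of PortSentry. It
# assumes the settings used above (route-based KILL_ROUTE, wrappers entry
# "ALL: <host>" in /etc/hosts.deny) and only prints commands, never runs them.

# Print each distinct host that was "blocked via dropped route", one per line.
# The "Host: x/x is already blocked" lines are deliberately not matched.
blocked_hosts() {
    sed -n 's/.*attackalert: Host \([0-9.][0-9.]*\) has been blocked via dropped route.*/\1/p' "$@" |
        sort -u
}

# For every blocked host, print the route removal and the hosts.deny cleanup.
# The reject route disappears on reboot, but the hosts.deny line does not, so
# the second command matters even on a freshly rebooted box. If you used the
# ipchains KILL_ROUTE instead, the first line becomes
# "/sbin/ipchains -D input -s HOST -j DENY -l".
unblock_commands() {
    blocked_hosts "$@" | while read -r host; do
        echo "/sbin/route del -host $host reject"
        echo "grep -v '^ALL: $host\$' /etc/hosts.deny > /etc/hosts.deny.new && mv /etc/hosts.deny.new /etc/hosts.deny"
    done
}

# Constructed sample: the lines from the scan above plus a second host.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: SYN/Normal scan from host: 192.168.0.2/192.168.0.2 to TCP port: 885
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: Host 192.168.0.2 has been blocked via wrappers with string: "ALL: 192.168.0.2"
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: Host 192.168.0.2 has been blocked via dropped route using command: "/sbin/route add -host 192.168.0.2 reject"
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: Host: 192.168.0.2/192.168.0.2 is already blocked Ignoring
Jun 3 17:51:40 nitrol2 portsentry[712]: attackalert: Host 10.0.0.9 has been blocked via dropped route using command: "/sbin/route add -host 10.0.0.9 reject"
EOF

echo "Hosts blocked in $SAMPLE_LOG:"
blocked_hosts "$SAMPLE_LOG"
echo "To unblock them, run (as root):"
unblock_commands "$SAMPLE_LOG"
```

Point it at the real log with unblock_commands /var/log/messages, read the output, and paste only the lines for hosts you actually want back. Keeping the commands as output rather than running them is deliberate: a typo in the sed pattern is a lot cheaper to spot on screen than in a half-emptied hosts.deny.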

Now for Logcheck
Download it from: http://www.psionic.com

Logcheck analyzes your logs and mails you if it finds preset warning patterns. It creates .offset files in your log directory to keep its place in each log, so every run only reports what arrived since the last one. You set cron to run it hourly, daily, every 15 minutes, whatever your paranoia chooses.
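To see what that .offset mechanism buys you, here is a small re-creation of the logtail idea in plain sh. It is an added example for this page, not logcheck's own code; the keyword and ignore files are constructed for the demo and the function names are assumptions. It reads only the lines appended since the last run, starts over if the log was rotated or truncated, and reports the new lines that match an attack keyword list but not an ignore list.

```shell
#!/bin/sh
# A small re-creation of what logcheck and its logtail helper do: remember how
# far into each log we have read (an .offset file next to the log), look only
# at lines appended since then, and report the ones that match attack keywords
# minus the ones matching an ignore list. Added example for this page, not
# logcheck's own code; the pattern files below are constructed for the demo.

# Print the lines of log $1 appended since the offset stored in $2, then record
# the new offset. If the log is now smaller than the offset it was rotated or
# truncated, so start from the beginning rather than skip the new file.
new_log_lines() {
    log=$1
    offset_file=$2
    offset=0
    [ -f "$offset_file" ] && offset=$(cat "$offset_file")
    size=$(wc -c < "$log" | tr -d ' ')
    [ "$size" -lt "$offset" ] && offset=0
    tail -c +$((offset + 1)) "$log"
    printf '%s\n' "$size" > "$offset_file"
}

# Print new lines of $1 (offset file $2) that match any pattern in $3 but none
# in $4, the same shape as logcheck.hacking and logcheck.ignore.
attack_report() {
    new_log_lines "$1" "$2" | grep -i -f "$3" | grep -v -f "$4" || true
}

# Constructed demo data.
demo=$(mktemp -d)
printf 'attackalert\nrefused connect\n' > "$demo/hacking"
printf 'CRON\n' > "$demo/ignore"
cat > "$demo/messages" <<'EOF'
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: SYN/Normal scan from host: 192.168.0.2/192.168.0.2 to TCP port: 885
Jun 3 17:38:13 nitrol2 in.ftpd[1383]: refused connect from 192.168.0.2
Jun 3 17:40:00 nitrol2 CRON[1409]: (root) CMD (/sbin/rmmod -a)
EOF

echo "first run reports everything so far:"
attack_report "$demo/messages" "$demo/messages.offset" "$demo/hacking" "$demo/ignore"
echo "second run, nothing new:"
attack_report "$demo/messages" "$demo/messages.offset" "$demo/hacking" "$demo/ignore"
```

The rotation check is the part worth copying: without it, the first run after logrotate sees a tiny file, keeps the old large offset, and silently reports nothing until the new log outgrows it.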

tar -xvzf logcheck-1.1.1.tar.gz
cd logcheck-1.1.1

Tighten the log files so only root can read them (Logcheck runs as root anyway; if your system has no wheel group, use root.root instead):

chown root.wheel /var/log/messages
chown root.wheel /var/log/secure
chown root.wheel /var/log/xferlog

chmod 600 /var/log/messages
chmod 600 /var/log/secure
chmod 600 /var/log/xferlog

Open logcheck-1.1.1/systems/linux/logcheck.sh in a text editor.

In the section headed "# LOG FILE CONFIGURATION SECTION", the default settings for Red Hat match Caldera, so start from those. Make sure the log files listed there are the ones your syslog actually writes: comment out the ones you don't have and add any others you want checked.

Type: make linux (as root; this installs logcheck.sh and its keyword files under /usr/local/etc)
Type: touch /etc/cron.d/Hourly/Logcheck
Edit this new file, adding the following text:
#!/bin/sh
exec /usr/local/etc/logcheck.sh
Make it executable. (chmod 755 /etc/cron.d/Hourly/Logcheck)
(Caldera runs everything in /etc/cron.d/Hourly once an hour through cronloop; on a system without that directory, put "0 * * * * /usr/local/etc/logcheck.sh" in root's crontab instead.)
Type: /usr/local/etc/logcheck.sh
This first run creates the .offset files and mails you everything currently in the logs; later runs only report what is new.
Find out the pid for cron (ps -ax), and send it a HUP so it picks up the new job:
kill -HUP pidnumberforcron
If there are no errors, you're all set.

Test it out by attacking your machine (an nmap scan from a host that is not in portsentry.ignore will do). You should get a detailed email telling of the attack, and how PortSentry blocked it.

Free programs, easy setup, great features and performance. Isn't the net great????

Here's a mail I received shortly after running nmap on my machine:

From root@nitrol2.nitrogen.com Sat Jun 3 17:42:02 2000
Received: (from root@localhost)
by nitrol2.nitrogen.com (8.9.3/8.9.3) id RAA01443
for root; Sat, 3 Jun 2000 17:42:01 -0500
Date: Sat, 3 Jun 2000 17:42:01 -0500
From: root <root@nitrol2.nitrogen.com>
Message-Id: <200006032242.RAA01443@nitrol2.nitrogen.com>
To: root@nitrol2.nitrogen.com
Subject: nitrol2.nitrogen.com 06/03/00:17.42 ACTIVE SYSTEM ATTACK!
Status: O
 

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: SYN/Normal scan from host: 192.168.0.2/192.168.0.2 to TCP port: 885
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: Host 192.168.0.2 has been blocked via wrappers with string: "ALL: 192.168.0.2"
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: Host 192.168.0.2 has been blocked via dropped route using command: "/sbin/route add -host 192.168.0.2 reject"
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: SYN/Normal scan from host: 192.168.0.2/192.168.0.2 to TCP port: 114
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: Host: 192.168.0.2/192.168.0.2 is already blocked Ignoring
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: SYN/Normal scan from host: 192.168.0.2/192.168.0.2 to TCP port: 233
Jun 3 17:38:12 nitrol2 portsentry[712]: attackalert: Host: 192.168.0.2/192.168.0.2 is already blocked Ignoring
Jun 3 17:38:14 nitrol2 portsentry[712]: attackalert: SYN/Normal scan from host: 192.168.0.2/192.168.0.2 to TCP port: 29
Jun 3 17:38:14 nitrol2 portsentry[712]: attackalert: Host: 192.168.0.2/192.168.0.2 is already blocked Ignoring
snip>>>>>>>>>>.

Jun 3 17:40:00 nitrol2 CRON[1409]: (root) CMD (/sbin/rmmod -a)
Jun 3 17:42:00 nitrol2 CRON[1422]: (root) CMD ([ -x /usr/sbin/cronloop ] && /usr/sbin/cronloop Hourly)
Jun 3 17:38:12 nitrol2 in.ftpd[1383]: refused connect from 192.168.0.2
Jun 3 17:38:12 nitrol2 uucico[1384]: refused connect from 192.168.0.2
Jun 3 17:38:13 nitrol2 ipop3d[1385]: refused connect from 192.168.0.2
Jun 3 17:38:13 nitrol2 swat[1386]: refused connect from 192.168.0.2
Jun 3 17:38:13 nitrol2 in.telnetd[1391]: refused connect from 192.168.0.2
Jun 3 17:38:13 nitrol2 in.rshd[1392]: refused connect from 192.168.0.2
Jun 3 17:38:13 nitrol2 in.rlogind[1393]: refused connect from 192.168.0.2
Jun 3 17:38:13 nitrol2 imapd[1396]: refused connect from 192.168.0.2
Jun 3 17:38:13 nitrol2 ipop2d[1395]: refused connect from 192.168.0.2
Jun 3 17:38:13 nitrol2 in.fingerd[1397]: refused connect from 192.168.0.2
Jun 3 17:38:13 nitrol2 in.rexecd[1394]: refused connect from 192.168.0.2
snip>>>>>>>>>>>>.

I'd say both these programs work, eh????
