Linux PortSentry
Overview
Firewalls help us protect our network from unsolicited intrusions. With them we choose which ports we want open and which ones we don't. That information is private to your organization and is its responsibility to protect. Nobody on the outside knows it implicitly, but attackers and spammers know that a special program can scan all the ports on a server to glean this valuable information (which ports are open and which are not).
As explained in the PortSentry introduction:
A port scan is a symptom of a larger problem coming your way. It is often the precursor to an attack and is a critical piece of information for properly defending your information resources. PortSentry is a program designed to detect and respond to port scans against a target host in real time, and it has a number of options to detect port scans. When it finds one it can react in the following ways:
• A log indicating the incident is made via syslog().
• The target host is automatically dropped into “/etc/hosts.deny” for TCP Wrappers.
• The local host is automatically re-configured to route all traffic to the target to a dead host to make the target system disappear.
• The local host is automatically re-configured to drop all packets from the target via a local packet filter.
The purpose of this is to give an admin a heads up that their host is being probed.
These installation instructions assume:
Commands are Unix-compatible.
The source path is “/var/tmp” (other paths are possible).
Installations were tested on Red Hat Linux 6.1 and 6.2.
All steps in the installation will happen in super-user account “root”.
PortSentry version number is 1.0.
Packages
PortSentry Homepage Site: http://www.psionic.com/abacus/portsentry/
You must be sure to download: portsentry-1.0.tar.gz
Tarballs
It is a good idea to make a list of files on the system before you install PortSentry, and one afterwards, and then compare them using ‘diff’ to find out which file is placed where. Simply run ‘find /* > Portsentry1’ before and ‘find /* > Portsentry2’ after you install the software, and use ‘diff Portsentry1 Portsentry2 > PortSentry-Installed’ to get a list of what changed.
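The before/after inventory described above, written out as a small POSIX sh script (an added example, not part of the original guide). It sorts both listings so they compare reliably, reports added and removed paths, and demonstrates itself on a constructed temporary tree that stands in for "/"; the paths it creates under that tree are made up for the demo.

```shell
#!/bin/sh
# Added example: snapshot a tree's file list before and after an install
# and report what was added or removed. Assumes find, sort, diff, mktemp.

# snapshot_tree ROOT OUTFILE: write a sorted list of every path under ROOT.
# Sorting makes the two lists comparable even if find's traversal order differs.
snapshot_tree() {
    find "$1" -print 2>/dev/null | sort > "$2"
}

# diff_snapshots BEFORE AFTER: print '+path' for new files, '-path' for removed ones.
diff_snapshots() {
    diff "$1" "$2" | sed -n 's/^> /+/p; s/^< /-/p'
}

# Self-contained demo on a constructed temporary tree (stands in for /).
# Paths are strip of the temp prefix so the output reads like real system paths.
demo_install_diff() {
    root=$(mktemp -d)
    before=$(mktemp)
    after=$(mktemp)
    mkdir -p "$root/etc" "$root/usr/local/psionic"
    : > "$root/etc/hosts.deny"
    snapshot_tree "$root" "$before"
    # Simulate an install: a new directory tree appears and one file is removed.
    mkdir -p "$root/usr/local/psionic/portsentry"
    : > "$root/usr/local/psionic/portsentry/portsentry.conf"
    rm "$root/etc/hosts.deny"
    snapshot_tree "$root" "$after"
    diff_snapshots "$before" "$after" | sed "s|$root||"
    rm -rf "$root" "$before" "$after"
}
```

Run `demo_install_diff` to see the report; on a real system you would call `snapshot_tree / Portsentry1` and `snapshot_tree / Portsentry2` around the install instead.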
Compilation
Decompress the tarball (tar.gz).
[root@deep /]# cp portsentry-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp