Linux PortSentry
The "rm" command will remove all the source files we have used to compile and install PortSentry. It will also remove the PortSentry compressed archive from the "/var/tmp" directory.
Configurations
Configure the "/usr/psionic/portsentry/portsentry.conf" file
The "/usr/psionic/portsentry/portsentry.conf" file is the main configuration file for the PortSentry software. In it you specify which ports to listen on, which IP addresses to deny, monitor or ignore, whether to disable automatic responses, and so on. For more information read the "README.install" file under the PortSentry source directory.
Edit the portsentry.conf file (vi /usr/psionic/portsentry/portsentry.conf) and check/change the following options to fit your needs:
# PortSentry Configuration
#
# $Id: portsentry.conf,v 1.13 1999/11/09 02:45:42 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.
#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *Ignored* for Advanced Stealth Scan Detection Mode.
#
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
#
############################################
# Advanced Stealth Scan Detection Options #
############################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1023.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have a problem because I'll only tell
# you to RTFM and don't run above the first 1023 ports.
#
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
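The comments in the file above state several rules that are easy to break by hand-editing: port lists must be quoted and contain no spaces, port 6000 must not be bound on an X host, and the Advanced-mode limits should stay at or below 1023 (and can never exceed 61000). The following checker is an added example, not part of the original guide or of the PortSentry distribution; the SAMPLE_CONF fragment is constructed for the demonstration and the x_running flag is a hypothetical parameter for the caller to say whether X is in use.

```python
import re
# Constructed sample in portsentry.conf syntax (not the page's own file). It
# has a spaced UDP list, port 6000 in TCP_PORTS and an Advanced-mode limit
# above 61000, so each check below fires exactly once.
SAMPLE_CONF = """\
# comment line
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,6000,31337"
UDP_PORTS="1,7,9, 69,161"
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="65000"
"""
LINE_RE = re.compile(r'^\s*([A-Z_]+)\s*=\s*(.*?)\s*$')

def parse_conf(text):
    """Return {KEY: raw value} for every non-comment KEY=value line."""
    conf = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            conf[m.group(1)] = m.group(2)
    return conf

def check_port_list(key, raw, x_running, problems):
    # File header rule: all entries must be in quotes.
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        problems.append(f"{key}: value must be enclosed in quotes")
        return
    body = raw[1:-1]
    # File header rule: no spaces between port arguments.
    if " " in body:
        problems.append(f"{key}: spaces are not allowed between port arguments")
    items = body.replace(" ", "").split(",")
    ports = [int(p) for p in items if p.isdigit()]
    if len(ports) != len(items):
        problems.append(f"{key}: non-numeric port entry in list")
    # X-Windows note: binding port 6000 stops the X client from starting.
    if x_running and key == "TCP_PORTS" and 6000 in ports:
        problems.append("TCP_PORTS: port 6000 is listed but X is running on this host")

def check_conf(text, x_running=False):
    """Return a list of findings for the port settings in a portsentry.conf."""
    conf, problems = parse_conf(text), []
    for key in ("TCP_PORTS", "UDP_PORTS"):
        if key in conf:
            check_port_list(key, conf[key], x_running, problems)
    for key in ("ADVANCED_PORTS_TCP", "ADVANCED_PORTS_UDP"):
        limit = conf.get(key, "").strip('"')
        if limit.isdigit() and int(limit) > 1023:  # Advanced-mode guidance above
            why = "ports above 61000 cannot be bound on many Linux systems" if int(limit) > 61000 else "watching more than 1023 ports raises the false-alarm rate"
            problems.append(f"{key}={limit}: {why}")
    return problems
```

Run check_conf on the real file's contents before restarting PortSentry; an empty list means the port settings respect the rules in the comments.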