PortSentry usage

PortSentry usage

Post by Tom Co » Sat, 02 Jun 2001 10:43:26

I think I'm getting "visited" pretty regularly and I'm trying to tighten up
my security.

I installed Portsentry to see if I could catch some of these late night
"visits" but I'm not getting anything.  Should I see Portsentry running in
the list of processes?

I've entered the following commands:

/usr/psionic/portsentry/portsentry -atcp
/usr/psionic/portsentry/portsentry -sudp

They both seem to start and run ok except, I see a process for the udp entry
but not tcp.  I monitor the messages log the only thing that ever gets
caught is an internal machine on my network trying to use port 80.  I also
monitor the secure log and I haven't seen any more ftp visitors since
turning off ftpd, but I did get a telnet visitor yesterday.  I was expecting
to catch a few hits on port 21 but it's not happening.

Any idea if Portsentry is even running?

Thanks
Tom Cox


PortSentry usage

Post by coffe » Sat, 02 Jun 2001 12:57:29

> I think I'm getting "visited" pretty regularly and I'm trying to tighten up
> my security.

> I installed Portsentry to see if I could catch some of these late night
> "visits" but I'm not getting anything.  Should I see Portsentry running in
> the list of processes?

Yes. ps -A

> I've entered the following commands:

> /usr/psionic/portsentry/portsentry -atcp
> /usr/psionic/portsentry/portsentry -sudp

> They both seem to start and run ok except, I see a process for the udp entry
> but not tcp.  I monitor the messages log the only thing that ever gets
> caught is an internal machine on my network trying to use port 80.  I also
> monitor the secure log and I haven't seen any more ftp visitors since
> turning off ftpd, but I did get a telnet visitor yesterday.  I was expecting
> to catch a few hits on port 21 but it's not happening.

> Any idea if Portsentry is even running?

It's running if ps -A shows it.

> Thanks
> Tom Cox

I used to run portsentry but I found that it generated a lot more scans than
without it. Besides, if you have a strong chains set you really don't need it.
It doesn't do that much for you really in the way of blocking connections as
far as I could tell. It can drop the route to that ip but then after a while
of different ips the routing table gets kinda big.

JMO
coffee


PortSentry usage

Post by Ian Whitehous » Sun, 03 Jun 2001 01:03:27

> > I think I'm getting "visited" pretty regularly and I'm trying to tighten up
> > my security.

> > I installed Portsentry to see if I could catch some of these late night
> > "visits" but I'm not getting anything.  Should I see Portsentry running in
> > the list of processes?

> Yes. ps -A

> > I've entered the following commands:

> > /usr/psionic/portsentry/portsentry -atcp
> > /usr/psionic/portsentry/portsentry -sudp

> > They both seem to start and run ok except, I see a process for the udp entry
> > but not tcp.  I monitor the messages log the only thing that ever gets
> > caught is an internal machine on my network trying to use port 80.  I also
> > monitor the secure log and I haven't seen any more ftp visitors since
> > turning off ftpd, but I did get a telnet visitor yesterday.  I was expecting
> > to catch a few hits on port 21 but it's not happening.

> > Any idea if Portsentry is even running?

> It's running if ps -A shows it.

> > Thanks
> > Tom Cox

> I used to run portsentry but I found that it generated a lot more scans than
> without it. Besides, if you have a strong chains set you really don't need it.
> It doesn't do that much for you really in the way of blocking connections as
> far as I could tell. It can drop the route to that ip but then after a while
> of different ips the routing table gets kinda big.

> JMO
> coffee

I second coffee's comments: I ran portsentry for a while, but it was so
twitchy regarding access attempts all over that in the end I gave up.
A strong(ish) firewall with kernel logging and Psionic Logcheck mailing
"access denied" results every so often works wonders for me.
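The setup Ian describes above, a firewall that logs what it denies plus Logcheck mailing the results, still leaves you reading raw kernel lines. The script below is an added example, not code from anyone in this thread or from Psionic: it summarizes ipchains DENY log lines by source address and destination port, and flags any source that exceeds a hit threshold, which is the kind of "a few hits on port 21" view Tom was hoping to get from PortSentry. The log lines are constructed for the example in the "Packet log:" format that ipchains -l logging writes to /var/log/messages; the hostnames, addresses and the threshold of 2 are assumptions.

```shell
#!/bin/sh
# Constructed ipchains kernel log lines (not taken from the thread). After the
# "PROTO=n" field ipchains logs src:port then dst:port; DENY/ACCEPT is the
# target of the rule that matched, and lines from other daemons are mixed in.
SAMPLE_LOG='Jun  2 02:11:07 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3421 198.51.100.5:21 L=60 S=0x00 I=4411 F=0x4000 T=48 SYN (#4)
Jun  2 02:11:09 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3422 198.51.100.5:23 L=60 S=0x00 I=4412 F=0x4000 T=48 SYN (#4)
Jun  2 02:11:12 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3423 198.51.100.5:21 L=60 S=0x00 I=4413 F=0x4000 T=48 SYN (#4)
Jun  2 03:40:51 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:1024 198.51.100.5:111 L=48 S=0x00 I=9001 F=0x0000 T=111 (#6)
Jun  2 03:41:02 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.168.1.20:1030 198.51.100.5:80 L=60 S=0x00 I=300 F=0x4000 T=64 SYN (#1)
Jun  2 03:41:05 fw sshd[512]: Accepted password for tom from 192.168.1.20'

# Print "count source -> port/proto" for every DENY line, most frequent first.
# Only "Packet log:" lines with a DENY target are counted; ACCEPTs and
# non-kernel lines are skipped.
summarize_denied() {
  printf '%s\n' "$1" | awk '
    /Packet log:/ && / DENY / {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^PROTO=/) { proto = substr($i, 7); src = $(i + 1); dst = $(i + 2) }
      split(src, s, ":"); split(dst, d, ":")
      name = (proto == "6") ? "tcp" : (proto == "17") ? "udp" : "proto" proto
      count[s[1] " -> " d[2] "/" name]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Print every source address whose total DENY count is above $2.
# A source hitting several ports in a short window is the crude scan
# signature PortSentry was meant to catch.
sources_over_threshold() {
  summarize_denied "$1" | awk -v t="$2" '{ n[$2] += $1 } END { for (h in n) if (n[h] > t) print h }'
}

# Run against the constructed sample; point the functions at
# "$(grep 'Packet log:' /var/log/messages)" for real data.
summarize_denied "$SAMPLE_LOG"
echo "sources over threshold:"
sources_over_threshold "$SAMPLE_LOG" 2
```

Feeding the functions a day's worth of /var/log/messages gives a short table of who knocked on which port, which is easier to act on (and to hand to Logcheck as a digest) than the one-line-per-packet stream.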

PortSentry usage

Post by Tom Co » Sun, 03 Jun 2001 03:03:11

Great, Thanks for the help.

I guess the next logical question is: do I have to figure out my own ipchains
rules, or can I find a nice default set somewhere?

I read the Ipchains HOWTO and used "Rusty's Three-Line Guide..." in the "I'm
confused" chapter to get started.  But obviously this isn't stopping people
from getting to my Linux "firewall" machine.  It might be keeping them from
getting beyond that, but my poor Linux box is getting a lot of unusual
visits.

Thanks again.

Tom Cox


PortSentry usage

Post by Tom Co » Sun, 03 Jun 2001 03:07:55

I decided to check the FAQ for this group and sure enough there is a section
on sample rules for ipchains.  I'll pursue those links.

Thanks again
Tom Cox


PortSentry usage

Post by coffe » Mon, 04 Jun 2001 11:52:55

> > > I think I'm getting "visited" pretty regularly and I'm trying to tighten up
> > > my security.

> > > I installed Portsentry to see if I could catch some of these late night
> > > "visits" but I'm not getting anything.  Should I see Portsentry running in
> > > the list of processes?

> > Yes. ps -A

> > > I've entered the following commands:

> > > /usr/psionic/portsentry/portsentry -atcp
> > > /usr/psionic/portsentry/portsentry -sudp

> > > They both seem to start and run ok except, I see a process for the udp entry
> > > but not tcp.  I monitor the messages log the only thing that ever gets
> > > caught is an internal machine on my network trying to use port 80.  I also
> > > monitor the secure log and I haven't seen any more ftp visitors since
> > > turning off ftpd, but I did get a telnet visitor yesterday.  I was expecting
> > > to catch a few hits on port 21 but it's not happening.

> > > Any idea if Portsentry is even running?

> > It's running if ps -A shows it.

> > > Thanks
> > > Tom Cox

> > I used to run portsentry but I found that it generated a lot more scans than
> > without it. Besides, if you have a strong chains set you really don't need it.
> > It doesn't do that much for you really in the way of blocking connections as
> > far as I could tell. It can drop the route to that ip but then after a while
> > of different ips the routing table gets kinda big.

> > JMO
> > coffee

> I second coffee's comments: I ran portsentry for a while, but it was so
> twitchy regarding access attempts all over that in the end I gave up.
> A strong(ish) firewall with kernel logging and Psionic Logcheck mailing
> "access denied" results every so often works wonders for me.

Thanks man :)

What I've found really helpful is that after I get a basic, good working firewall
configured using ipchains I just back up the configuration and then use it on
similar machines connecting to the same server. As an example, a friend of mine

email him the file and let him restore on his system.

ipchains-save > /etc/ipchains.restore

Also, for me it's easier to edit the ipchains.restore file and then restore
it after flushing the rules to update changes.

ipchains-restore < /etc/ipchains.restore

As a side note, Does anyone using athome networks find 24.0.0.203 annoying?

coffee
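The save, edit, flush and restore cycle coffee describes above is exactly where a typo in the edited file bites: if ipchains-restore chokes halfway through, the box is left with whatever rules loaded before the error and the default policies for the rest. The script below is an added example, not coffee's or anyone else's from the thread: it checks that the file holds only the policy lines and -A rules that ipchains-save writes, snapshots the live rules first, flushes, restores, and puts the snapshot back if the restore fails. The accepted line syntax, the /tmp location of the snapshot and the requirement that the file be unmodified ipchains-save output (plus hand edits in the same form) are assumptions.

```shell
#!/bin/sh
# Validate a saved rule file before trusting it. ipchains-save writes
# ":chain POLICY" lines for built-in chains (":chain -" for user chains) and
# "-A chain ..." lines for rules; we also allow blank lines and # comments.
# Anything else (a stray shell command, a half-typed rule) fails the check.
# Returns 0 when the file is clean, 1 otherwise. The accepted grammar is an
# assumption of this example, not taken from the ipchains documentation.
check_rules_file() {
  [ -s "$1" ] || { echo "empty or missing rule file: $1" >&2; return 1; }
  if grep -Ev '(^[[:space:]]*$)|(^#)|(^:[A-Za-z0-9_-]+ (ACCEPT|DENY|REJECT|MASQ|REDIRECT|RETURN|-)( .*)?$)|(^-A )' "$1" \
       | head -n 1 | grep -q .; then
    echo "unexpected line in $1:" >&2
    grep -Env '(^[[:space:]]*$)|(^#)|(^:[A-Za-z0-9_-]+ (ACCEPT|DENY|REJECT|MASQ|REDIRECT|RETURN|-)( .*)?$)|(^-A )' "$1" | head -n 3 >&2
    return 1
  fi
  return 0
}

# Replace the live rule set with the contents of $1: validate, snapshot the
# current rules, flush, restore, and roll back to the snapshot on failure.
# Needs root and a kernel with ipchains; the snapshot path is an assumption.
apply_rules() {
  file=$1
  check_rules_file "$file" || return 1
  backup=$(mktemp /tmp/ipchains.prev.XXXXXX) || return 1
  ipchains-save > "$backup" || { echo "could not snapshot live rules" >&2; return 1; }
  ipchains -F                     # flush rules in all built-in chains; policies stay
  if ipchains-restore < "$file"; then
    echo "applied $file (previous rules saved in $backup)"
  else
    echo "restore of $file failed, rolling back to $backup" >&2
    ipchains -F
    ipchains-restore < "$backup"
    return 1
  fi
}

# Usage:  sh thisscript check /etc/ipchains.restore   (validate only)
#         sh thisscript apply /etc/ipchains.restore   (as root, on the firewall)
# With no arguments the script only defines the functions.
case "${1:-}" in
  check) check_rules_file "$2" ;;
  apply)
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    command -v ipchains >/dev/null 2>&1 || { echo "ipchains not installed" >&2; exit 1; }
    apply_rules "$2" ;;
esac
```

Between the flush and the restore the chains briefly hold nothing but their default policies, so run the apply step from the console rather than over the link the rules protect; the check step is safe to run anywhere, including on a copy of the file before mailing it to someone else.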


PortSentry usage

Post by Silviu Minu » Tue, 05 Jun 2001 01:13:29

> As a side note, Does anyone using athome networks find 24.0.0.203 annoying?

I sure do!

PortSentry usage

Post by Bit Twist » Tue, 05 Jun 2001 01:39:33

On Sun, 03 Jun 2001 12:13:29 -0400, Silviu Minut
>> As a side note, Does anyone using athome networks find 24.0.0.203 annoying?

>I sure do!

Naw, I like it.
Put a rule in your firewall to drop and not log it like I did.

If I am not seeing hits on my firewall, I comment out the rule
to verify the firewall is running.


PortSentry usage

Post by phi » Tue, 05 Jun 2001 09:53:28

the following lines of wisdom:

> I installed Portsentry to see if I could catch some of these late night
> "visits" but I'm not getting anything.  Should I see Portsentry running in
> the list of processes?

> I've entered the following commands:

> /usr/psionic/portsentry/portsentry -atcp
> /usr/psionic/portsentry/portsentry -sudp
> Thanks

Portsentry is a toy, if you want to use some sort of serious
intrusion detection program, use a proper NIDS like Snort.
Phil.