Using PortSentry and LogCheck
Anthony Cinelli
A successful network roll out begins and ends with security. No
matter what amount of money is spent obtaining the latest and greatest
hardware and software for a system, it can be rendered worthless
if its security is compromised. Unfortunately, keeping up with system
security can be a tedious task. An administrator must constantly
stay aware of updates to currently used software, as well as the
latest system compromise techniques. Due to this difficulty, system
security is often lacking in many areas. All of this changed for
me when I discovered the freeware tools offered by Psionic Software,
Inc. called PortSentry and Logcheck. These tools can be quickly
installed and configured on a system to improve its security.
The Anatomy of PortSentry
Once an attacker designates a host as a target, a port scan usually
follows. The scan exposes every service available on the target host
and so provides a starting point for break-in attempts. PortSentry
detects such scans by monitoring the unused ports on the host. When
a connection attempt hits one of those unused ports, PortSentry is
alerted and can then issue any number of commands in response to the
scan. The commands issued are configured by the administrator in a
configuration file. Although any command may be used, the most useful
is one that essentially "black holes" the IP address of the attacker's
host by issuing a routing command that denies all traffic from that
address. The violation, and the corresponding action taken by
PortSentry, is logged in the system log. Using Logcheck, these
security alerts are emailed to an administrator at any designated
interval. The host can thus automatically retaliate against a
potential break-in attempt and notify the administrator of the
occurrence.
Installation and Configuration
Installation and configuration of these freeware utilities is
simple and straightforward. They compile on most operating systems
including Linux, Solaris, and FreeBSD. The system used for the following
install is an x86-based Web server using Red Hat Linux 7.0. The
tools can be downloaded from Psionic's Web site:
http://www.psionic.com/tools
The latest versions of the tarballs, as of this writing, are Logcheck
1.1.1 and PortSentry 1.0.
Here's how to install and configure PortSentry:
1. Untar the archive and enter the PortSentry-version directory.
2. Read the README.install file for all configuration options
available if desired.
3. make <systype> (where systype is one of: Linux,
BSD, Solaris, HP-UX, HP-UX gcc, FreeBSD, OpenBSD, NetBSD, BSDi,
AIX, OSF, generic).
4. make install (installation directory can be
changed by editing the Makefile)
Next, install Logcheck:
1. Untar the archive and enter the logcheck-version directory.
2. Read the INSTALL file for all configuration options available,
if desired.
3. make <systype> (where systype is one of: Linux,
BSD, FreeBSD, Sun, generic, HP-UX, Digital).
4. make install (installation directory can be changed
by editing the Makefile)
Next, edit the /usr/local/psionic/portsentry/portsentry.conf
file to enable the route drop. Find and uncomment the KILL_ROUTE
option that corresponds to your operating system. For this example,
I will use the ipchains utility found in the Linux kernel
version 2.102+:
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
This will drop all packets originating from the attacker's IP
address and log future connection attempts. The individual ports to
monitor must now be specified in the configuration file. Commonly
probed ports are already listed and need only be uncommented; how
many you enable depends on how closely the system needs to be watched:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
On this example Linux system, however, I will use PortSentry's
advanced stealth scan detection mode, which by default automatically
monitors every unused port below 1024. This value can be altered,
although doing so is not recommended. In advanced mode, ports can
also be excluded manually:
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
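To make the advanced-mode port selection and the KILL_ROUTE substitution described above concrete, here is an added Python example (written for this article, not code from PortSentry) that parses a constructed portsentry.conf excerpt, works out which ports -atcp will watch once the excludes and the host's own listening ports are removed, and renders KILL_ROUTE for a given address. The conf excerpt, the listening-port list (22 and 80) and the ADVANCED_PORTS_TCP/UDP key names for the 1024 limit are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed portsentry.conf excerpt in the KEY="value" format the article
# shows (sample data, not PortSentry's shipped configuration file).
SAMPLE_CONF = """
# Advanced stealth mode watches every unused port below this number
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
"""

def parse_conf(text):
    """Map KEY -> value for each KEY="value" line; comments and blank lines are
    skipped, and a line whose quotes do not close is reported, not guessed at."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'([A-Z0-9_]+)="([^"]*)"', line)
        if m is None:
            raise ValueError(f"malformed or unterminated line: {line!r}")
        conf[m.group(1)] = m.group(2)
    return conf

def port_list(value):
    """Turn the comma-separated port string into a set of ints."""
    return {int(p) for p in value.split(",") if p.strip()}

def advanced_monitored_ports(conf, proto, listening):
    """Ports the -atcp/-audp mode will watch: every port below the ADVANCED_PORTS
    limit that is neither excluded in the conf nor bound by a real service."""
    limit = int(conf[f"ADVANCED_PORTS_{proto}"])
    excluded = port_list(conf[f"ADVANCED_EXCLUDE_{proto}"])
    return set(range(1, limit)) - excluded - set(listening)

def render_kill_route(conf, target):
    """Substitute $TARGET$ in KILL_ROUTE as the article describes; this helper
    additionally insists the target is a literal IP address before the string
    is handed to anything that would execute it."""
    ip_address(target)  # ValueError for anything that is not an IPv4/IPv6 literal
    return conf["KILL_ROUTE"].replace("$TARGET$", target)
```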
Once all services on the host have been started, PortSentry can
be enabled. First, start up the TCP port monitor (leaving out the
-atcp switch for non-Linux systems):
/usr/local/psionic/portsentry/portsentry -atcp
Tailing our system log will give the following output:
Dec 1 14:23:20 hostname portsentry[18821]: adminalert: Advanced
Stealth scan detection mode activated. Ignored TCP port: 80
Dec 4 14:23:20 hostname portsentry[18821]: adminalert: PortSentry
is now active and listening.
A list of ignored TCP ports will be displayed followed by confirmation
of PortSentry's activation. Then, if desired, start up the UDP
port monitor (again, leaving out the -audp switch for non-Linux
systems):
/usr/local/psionic/portsentry/portsentry -audp
Tailing the system log once more will give the following output:
Dec 1 14:23:20 hostname portsentry[18821]: adminalert: Advanced
Stealth scan detection mode activated. Ignored UDP port: 137
Dec 4 14:23:20 hostname portsentry[18821]: adminalert: PortSentry
is now active and listening.
A list of ignored UDP ports will be displayed followed by confirmation
of PortSentry's activation. The command(s) can be placed within
a startup script, but should always be initialized after all other
services are active. In this example, I will include the above command
line into /etc/rc.d/rc.local. All actions taken by PortSentry
will be logged in the system log.
With PortSentry now running, you can configure Logcheck to email
an administrator with any suspicious network activity experienced
by the host. Edit /usr/local/etc/logcheck.sh to include the
email address of the administrator:
SYSADMIN=your_administrator@yourdomain.com
Finally, place the logcheck command into a cron script
to parse the system log at an interval best suited for your operations.
For this example, I set the interval at one hour. Open the crontab
for editing:
crontab -e
and place the following line into the crontab:
0 * * * * /usr/local/etc/logcheck.sh >> /dev/null
The following is a recent example of an emailed intrusion attempt
detected by PortSentry and parsed by Logcheck (names have been changed
to protect the innocent, not the guilty):
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: SYN/Normal
scan from host: telephony.titg.com/216.29.146.2 to TCP port: 111
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host
216.29.146.2 has been blocked via wrappers with string: "ALL:
216.29.146.2"
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host
216.29.146.2 has been blocked via dropped route using command:
"/sbin/ipchains -I input -s 216.29.146.2 -j DENY -l"
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: SYN/Normal
scan from host: telephony.titg.com/216.29.146.2 to TCP port: 111
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host:
telephony.titg.com/216.29.146.2 is already blocked Ignoring
Security Violations
=-=-=-=-=-=-=-=-=-=
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: SYN/Normal
scan from host: telephony.titg.com/216.29.146.2 to TCP port: 111
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host
216.29.146.2 has been blocked via wrappers with string: "ALL:
216.29.146.2"
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host
216.29.146.2 has been blocked via dropped route using command:
"/sbin/ipchains -I input -s 216.29.146.2 -j DENY -l"
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: SYN/Normal
scan from host: telephony.titg.com/216.29.146.2 to TCP port: 111
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host:
telephony.titg.com/216.29.146.2 is already blocked Ignoring
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: SYN/Normal
scan from host: telephony.titg.com/216.29.146.2 to TCP port: 111
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host
216.29.146.2 has been blocked via wrappers with string:
"ALL: 216.29.146.2"
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host
216.29.146.2 has been blocked via dropped route using command:
"/sbin/ipchains -I input -s 216.29.146.2 -j DENY -l"
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: SYN/Normal
scan from host: telephony.titg.com/216.29.146.2 to TCP port: 111
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host:
telephony.titg.com/216.29.146.2 is already blocked Ignoring
We now have the host configured to detect and react to intrusion attempts
and to notify the administrator of such attempts, all fully automated.
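As an added example of triaging such an email (written for this article, not part of PortSentry or Logcheck), the following Python parses the attackalert lines in the format shown above, counts each distinct log line once even though Logcheck repeats it under every section it matches, and groups scans, blocks and repeat hits per source address. The email body is constructed with documentation addresses, and the UDP alert wording is assumed.

```python
import re
from collections import defaultdict

# Constructed Logcheck e-mail body in the PortSentry 1.0 attackalert format
# seen above; hosts and addresses are documentation values, not real scanners.
SAMPLE_EMAIL = """\
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: SYN/Normal scan from host: scanner.example.net/192.0.2.10 to TCP port: 111
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host 192.0.2.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.0.2.10 -j DENY -l"
Dec 4 10:41:19 hostname portsentry[17879]: attackalert: SYN/Normal scan from host: scanner.example.net/192.0.2.10 to TCP port: 143
Dec 4 10:41:19 hostname portsentry[17879]: attackalert: Host: scanner.example.net/192.0.2.10 is already blocked Ignoring
Dec 4 11:02:07 hostname portsentry[17879]: attackalert: UDP scan from host: 198.51.100.7/198.51.100.7 to UDP port: 161
Security Violations
=-=-=-=-=-=-=-=-=-=
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: SYN/Normal scan from host: scanner.example.net/192.0.2.10 to TCP port: 111
Dec 4 10:41:18 hostname portsentry[17879]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
"""

SCAN_RE = re.compile(r"attackalert: .+? from host: (?P<host>[^/\s]+)/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
BLOCKED_RE = re.compile(r"attackalert: Host (?P<ip>[\d.]+) has been blocked via (?P<method>wrappers|dropped route)")
ALREADY_RE = re.compile(r"attackalert: Host: \S+/(?P<ip>[\d.]+) is already blocked")

def summarize(text):
    """Aggregate alerts per source IP. Logcheck repeats a line in every section
    it matches, so each distinct log line is counted exactly once."""
    seen = set()
    hosts = defaultdict(lambda: {"name": None, "ports": set(), "blocked_by": set(), "repeat_hits": 0})
    for line in text.splitlines():
        line = line.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        if m := SCAN_RE.search(line):
            entry = hosts[m["ip"]]
            entry["name"] = m["host"]
            entry["ports"].add((m["proto"], int(m["port"])))
        elif m := BLOCKED_RE.search(line):
            hosts[m["ip"]]["blocked_by"].add(m["method"])
        elif m := ALREADY_RE.search(line):
            hosts[m["ip"]]["repeat_hits"] += 1
    return dict(hosts)

def unblocked_scanners(summary):
    """Sources that scanned but never got a dropped route: the ones to review by hand."""
    return sorted(ip for ip, h in summary.items() if h["ports"] and "dropped route" not in h["blocked_by"])
```

Sources returned by unblocked_scanners deserve a manual look, and so does any block against an address the host depends on, since PortSentry acts on whatever source address the scan carried.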
Conclusion
With the use of these tools, system security is less of a chore.
Our systems have been using these freeware security utilities for
nine months, and they have performed flawlessly. Upon our initial
use of the utilities, I was amazed to see how many intrusion attempts
had been made over a 24-hour interval. The configuration is extremely
comprehensive and allows flexibility in constructing your own network
security policies. I have set up dozens of gateway/firewall systems
for enterprises and have incorporated these utilities into our standard
Linux/UNIX base installation.
Anthony Cinelli is the President/CTO of an IT consulting and
servicing company, A Reality Technologies, LLC (www.areality.com),
operating out of Santa Monica, California. He spent the previous
three years working for Paycom.net, an e-commerce transaction company.
He performed various Internet security and system development tasks.
When not hacking, he can be found proving that water is stronger
than rock. Anthony can be reached at: acinelli@areality.com.