Warning of network attacks
An intrusion into a computer system usually begins with a preliminary assessment of the weaknesses in the network perimeter protecting your server. During this “ranging” phase, the attacker first needs to learn the list of open ports and guess which operating system your computer runs. The previous article described the scanlogd program, which lets you analyze attempts to scan your server. However, attacks that use veiled scanning techniques such as “stealth” scans have become widespread on the modern Web, so scanlogd alone will not give unambiguously positive results.
If you are not satisfied with the modest capabilities of scanlogd, there is a more advanced analyzer of scan attempts: PortSentry. This program not only lets you record the scanning of your computer over the network; it also lets you respond to it adequately (not by scanning back, of course, but simply by blocking the offending host’s access to your server). You can analyze the scanning of your host and run external programs (such as iptables).
Installing PortSentry
In AltLinux, the PortSentry utility is installed with Synaptic, which is a routine procedure. PortSentry, like scanlogd, runs as a daemon. After installation (in any Linux distribution), you should check that the daemon’s autostart script works. To do this, check that the /etc/rc5.d/ directory contains a symbolic link to the /etc/init.d/portsentry file, for example with the following command:
# ls -l /etc/rc5.d/*portsentry*
Of course, if there is no such link, it should be created (how to do this was described above with reference to scanlogd).
PortSentry main features
The main features of PortSentry are:
extensive customization of the default behavior policy. The PortSentry daemon can run in one of three modes of operation, so you can choose what matters more to you: stopping the intruder at your network perimeter or recording the penetration attempt (the choice is controlled by command-line parameters, which you set by editing the init script (/etc/init.d/portsentry) that starts the PortSentry daemon);
the ability to take retaliatory action against an intruder at your network boundary (the program’s author strongly recommends that you limit yourself to blocking the attacker’s host and do not take symmetrical measures such as a response scan). For example, you can add a rule to your firewall table that rules out any exchange of information with the offending host (you can also add a line to the /etc/hosts.deny file);
fine-tuning of the ranges of ports to be listened to and ignored, and the ability to create a list of ignored hosts. This is necessary to eliminate false positives of a protection system built on PortSentry. For example, you can exclude port 53 so as not to receive further warnings about scanning of this port by gaming programs that use network capabilities somewhat frivolously (the ADVANCED_EXCLUDE_TCP or ADVANCED_EXCLUDE_UDP parameters, which apply in the advanced launch mode of the PortSentry daemon). Ignored hosts are listed in the file named by the IGNORE_FILE configuration parameter.
PortSentry launch modes
The PortSentry daemon can be run in the following modes:
Classic (daemon startup key -tcp or -udp). In this mode the PortSentry daemon waits for connections on the ports listed in the TCP_PORTS (or UDP_PORTS) setting of the configuration file and blocks packet exchange with the remote host when it tries to connect to or scan them. This mode cannot detect a “stealth” scan of your computer;
Enhanced stealth-scan detection mode (startup keys -stcp or -sudp). When a remote computer tries to scan or connect to the ports listed in TCP_PORTS (or UDP_PORTS), it is blocked;
Advanced stealth-scan detection mode. In this mode all ports from the first up to the one specified in the ADVANCED_PORT_TCP (ADVANCED_PORT_UDP) parameter are checked for connection attempts or scanning. The mode is activated by the command-line switches -atcp or -audp.
Depending on the importance of your host, choose one of the three options for starting the PortSentry daemon. Note that only one launch mode can be selected for each protocol at a time. For example, you can specify the advanced stealth-scan detection mode for both TCP and UDP. In this case, edit the value of the MODES variable in the /etc/init.d/portsentry file. For that combination of protocols and protection modes, specify MODES="audp atcp" (in AltLinux 2.4 this value is set in /etc/init.d/portsentry by default).