Portsentry ne bloque plus

Support Debian
#1

Bonjour à tous,

J’ai installé portsentry pour bloquer les scans sur mon serveur.
Il fonctionné hier matin puis maintenant plus rien, j’ai beau essayer des modifications sur le fichier principal rien y fait !

[code]nano /etc/portsentry/portsentry.conf

PortSentry Configuration

$Id: portsentry.conf.Debian,v 1.6 2001/07/19 21:02:20 agx Exp $

Original portsentry.conf by Craig H. Rowland crowland@psionic.com

modified for Debian by Guido Guenther agx@debian.org

IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.

The default ports will catch a large number of common probes

All entries must be in quotes.

#######################

Port Configurations

#######################

Some example port configs for classic and basic Stealth modes

I like to always keep some ports at the “low” end of the spectrum.

This will detect a sequential port sweep really quickly and usually

these ports are not in use (i.e. tcpmux port 1)

** X-Windows Users **: If you are running X on your box, you need to be sure

you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).

Doing so will prevent the X-client from starting properly.

These port bindings are ignored for Advanced Stealth Scan Detection Mode.

Un-comment these if you are really anal:

#TCP_PORTS=“1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320”
#UDP_PORTS=“1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321”

Use these if you just want to be aware:

TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS=“1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321”

Use these for just bare-bones

#TCP_PORTS=“1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320”
#UDP_PORTS=“1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321”

###########################################

Advanced Stealth Scan Detection Options

###########################################

This is the number of ports you want PortSentry to monitor in Advanced mode.

Any port below this number will be monitored. Right now it watches

everything below 1024.

On many Linux systems you cannot bind above port 61000. This is because

these ports are used as part of IP masquerading. I don’t recommend you

bind over this number of ports. Realistically: I DON’T RECOMMEND YOU MONITOR

OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You’ve been

warned! Don’t write me if you have have a problem because I’ll only tell

you to RTFM and don’t run above the first 1024 ports.

ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP=“1024”

This field tells PortSentry what ports (besides listening daemons) to

ignore. This is helpful for services like ident that services such

as FTP, SMTP, and wrappers look for but you may not run (and probably

shouldn’t IMHO).

By specifying ports here PortSentry will simply not respond to

incoming requests, in effect PortSentry treats them as if they are

actual bound daemons. The default ports are ones reported as

problematic false alarms and should probably be left alone for

all but the most isolated systems/networks.

Default TCP ident and NetBIOS service

ADVANCED_EXCLUDE_TCP=“113,139”

Default UDP route (RIP), NetBIOS, bootp broadcasts.

ADVANCED_EXCLUDE_UDP=“520,138,137,67”

######################

Configuration Files#

######################

Hosts to ignore

IGNORE_FILE="/etc/portsentry/portsentry.ignore"

Hosts that have been denied (running history)

HISTORY_FILE="/var/lib/portsentry/portsentry.history"

Hosts that have been denied this session only (temporary until next restart)

BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"

##############################

Misc. Configuration Options#

##############################

DNS Name resolution - Setting this to “1” will turn on DNS lookups

for attacking hosts. Setting it to “0” (or any other value) will shut

it off.

RESOLVE_HOST = “0”

###################

Response Options#

###################

Options to dispose of attacker. Each is an action that will

be run if an attack is detected. If you don’t want a particular

option then comment it out and it will be skipped.

The variable $TARGET$ will be substituted with the target attacking

host when an attack is detected. The variable $PORT$ will be substituted

with the port that was scanned.

##################

Ignore Options

##################

These options allow you to enable automatic response

options for UDP/TCP. This is useful if you just want

warnings for connections, but don’t want to react for

a particular protocol (i.e. you want to block TCP, but

not UDP). To prevent a possible Denial of service attack

against UDP and stealth scan detection for TCP, you may

want to disable blocking, but leave the warning enabled.

I personally would wait for this to become a problem before

doing though as most attackers really aren’t doing this.

The third option allows you to run just the external command

in case of a scan to have a pager script or such execute

but not drop the route. This may be useful for some admins

who want to block TCP, but only want pager/e-mail warnings

on UDP, etc.

0 = Do not block UDP/TCP scans.

1 = Block UDP/TCP scans.

2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP=“1”

###################

Dropping Routes:#

###################

This command is used to drop the route or add the host into

a local filter table.

The gateway (333.444.555.666) should ideally be a dead host on

the local subnet. On some hosts you can also point this at

localhost (127.0.0.1) and get the same effect. NOTE THAT

333.444.555.66 WILL NOT WORK. YOU NEED TO CHANGE IT!!

ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you

uncomment the correct line for your OS. If you OS is not listed

here and you have a route drop command that works then please

mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION

CAN BE USED AT A TIME SO DON’T UNCOMMENT MULTIPLE LINES.

NOTE: The route commands are the least optimal way of blocking

and do not provide complete protection against UDP attacks and

will still generate alarms for both UDP and stealth scans. I

always recommend you use a packet filter because they are made

for this purpose.

Generic

#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

Generic Linux

#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

Newer versions of Linux support the reject flag now. This

is cleaner than the above option.

KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)

#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

Generic Sun

#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

NEXTSTEP

#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"

FreeBSD

#KILL_ROUTE=“route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole”

Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)

#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"

Generic HP-UX

#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"

Using a packet filter is the PREFERRED. The below lines

work well on many OS’s. Remember, you can only uncomment one

KILL_ROUTE option.

ipfwadm support for Linux

#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"

ipfwadm support for Linux (no logging of denied packets)

#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"

ipchain support for Linux

#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

ipchain support for Linux (no logging of denied packets)

#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"

iptables support for Linux

#KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

iptables support for Linux with limit and LOG support. Logs only

a limited number of packets to avoid a denial of service attack.

KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"

For those of you running FreeBSD (and compatible) you can

use their built in firewalling as well.

#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"

For those running ipfilt (OpenBSD, etc.)

NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!

#KILL_ROUTE="/bin/echo ‘block in log on external_interface from $TARGET$/32 to any’ | /sbin/ipf -f -"

###############

TCP Wrappers#

###############

This text will be dropped into the hosts.deny file for wrappers

to use. There are two formats for TCP wrappers:

Format One: Old Style - The default when extended host processing

options are not enabled.

#KILL_HOSTS_DENY=“ALL: $TARGET$”

Format Two: New Style - The format used when extended option

processing is enabled. You can drop in extended processing

options, but be sure you escape all ‘%’ symbols with a backslash

to prevent problems writing out (i.e. %c %h )

KILL_HOSTS_DENY=“ALL: $TARGET$ : DENY”

###################

External Command#

###################

This is a command that is run when a host connects, it can be whatever

you want it to be (pager, etc.). This command is executed before the

route is dropped or after depending on the KILL_RUN_CMD_FIRST option below

I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING

YOU!

TCP/IP is an unauthenticated protocol and people can make scans appear out

of thin air. The only time it is reasonably safe (and I never think it is

reasonable) to run reverse probe scripts is when using the “classic” -tcp mode.

This mode requires a full connect and is very hard to spoof.

The KILL_RUN_CMD_FIRST value should be set to “1” to force the command

to run before the blocking occurs and should be set to “0” to make the

command run after the blocking has occurred.

#KILL_RUN_CMD_FIRST = “0”

#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"

for examples see /usr/share/doc/portsentry/examples/

KILL_RUN_CMD = “/sbin/iptables -I INPUT -s $TARGET$ -j DROP && echo ‘Tentative de Scan par $TARGET$’ | mail -s ‘Tentative de Scan’ XXXXX@gmail.com

#####################

Scan trigger value#

#####################

Enter in the number of port connects you will allow before an

alarm is given. The default is 0 which will react immediately.

A value of 1 or 2 will reduce false alarms. Anything higher is

probably not necessary. This value must always be specified, but

generally can be left at 0.

NOTE: If you are using the advanced detection option you need to

be careful that you don’t make a hair trigger situation. Because

Advanced mode will react for any host connecting to a non-used

port below your specified range, you have the opportunity to

really break things. (i.e someone innocently tries to connect to

you via SSL [TCP port 443] and you immediately block them). Some

of you may even want this though. Just be careful.

SCAN_TRIGGER=“0”

######################

Port Banner Section#

######################

Enter text in here you want displayed to a person tripping the PortSentry.

I don’t recommend taunting the person as this will aggravate them.

Leave this commented out to disable the feature

Stealth scan detection modes don’t use this feature

#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."

EOF[/code]

[code]nano /etc/default/portsentry

/etc/default/portsentry

This file is read by /etc/init.d/portsentry. See the portsentry.8

manpage for details.

The options in this file refer to commandline arguments (all in lowercase)

of portsentry. Use only one tcp and udp mode at a time.

TCP_MODE="atcp"
UDP_MODE=“audp”[/code]

[code]cat /etc/portsentry/portsentry.ignore

/etc/portsentry/portsentry.ignore: Contains all IPs portsentry(8)

will never block.

This file was generated by /usr/lib/portsentry/portsentry-build-ignore-file.

DO NOT EDIT - edit /etc/portsentry/portsentry.ignore.static instead and use

“/etc/init.d/portsentry restart” to reload the configuration.

IPs from /etc/portsentry/portsentry.ignore.static:

127.0.0.1/32
0.0.0.0
66.249.64.0/19
109.XXX.XXX.XXX # Mon IP Publique

dynamically fetched IPs(via ifconfig -a):

91.XXX.XXX.XXX # IP de mon serveur
127.0.0.1[/code]

J’ai bien entendu redémarré portsentry après modification et pour le coup, je ne vois pas d’où vient le problème.

Qu’en pensez-vous ?

J’ai fait des tests hier soir et ce matin via des outils en ligne avec nmap et aucune IP bloqué.
Si vous voulez faire un test directement de chez vous avec nmap, je vous enverrai mon IP en MP.

Merci beaucoup

#2

Un petit UP car j’ai modifié le sujet de la discussion pour éviter de faire 2 sujets différent !

#3

Bonjour,

Je remonte ce sujet car je rencontre exactement le même soucis !

Déjà Rathorian si tu passe par là, est ce que tu as réussi à trouver une solution ?

Sinon Pour ma part, voici mes fichiers :

egrep -v '^(#|$)' /etc/default/portsentry

TCP_MODE="atcp"
UDP_MODE=“audp”

egrep -v '^(#|$)' /etc/portsentry/portsentry.conf

TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP=“1024"
ADVANCED_EXCLUDE_TCP=“113,139"
ADVANCED_EXCLUDE_UDP=“520,138,137,67"
IGNORE_FILE=”/etc/portsentry/portsentry.ignore"
HISTORY_FILE=”/var/lib/portsentry/portsentry.history"
BLOCKED_FILE=”/var/lib/portsentry/portsentry.blocked"
RESOLVE_HOST = "0"
BLOCK_UDP="1"
BLOCK_TCP=“1"
KILL_ROUTE=”/sbin/route add -host $TARGET$ reject"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
SCAN_TRIGGER=“0”

egrep -v '^(#|$)' /etc/portsentry/portsentry.ignore

127.0.0.1/32
0.0.0.0
XX.XX.XX.XX # Mon IP Publique
XX.XX.XX.XX # IP du serveur
10.1.0.1
127.0.0.1

Lorsque je regarde mes logs au démarrage de portsentry, j’ai cela :

portsentry[18533]: adminalert: PortSentry 1.2 is starting.
portsentry[18534]: adminalert: Advanced mode will monitor first 1024 ports
portsentry[18537]: adminalert: PortSentry 1.2 is starting.
portsentry[18538]: adminalert: Advanced mode will monitor first 1024 ports
portsentry[18538]: adminalert: Advanced mode will manually exclude port: 520
portsentry[18538]: adminalert: Advanced mode will manually exclude port: 138
portsentry[18538]: adminalert: Advanced mode will manually exclude port: 137
portsentry[18538]: adminalert: Advanced mode will manually exclude port: 67
portsentry[18538]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 111
portsentry[18538]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 161
portsentry[18538]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 664
portsentry[18538]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 674
portsentry[18534]: adminalert: Advanced mode will manually exclude port: 113
portsentry[18538]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 520
portsentry[18538]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 138
portsentry[18538]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 137
portsentry[18538]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 67
portsentry[18538]: adminalert: PortSentry is now active and listening.
portsentry[18534]: adminalert: Advanced mode will manually exclude port: 139
portsentry[18534]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 22
portsentry[18534]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 25
portsentry[18534]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 80
portsentry[18534]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 111
portsentry[18534]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 443
portsentry[18534]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 113
portsentry[18534]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 139
portsentry[18534]: adminalert: PortSentry is now active and listening.

Et lorsque je fait un nmap depuis un serveur qui n’est pas autorisé vers mon serveur où est installé portsentry, je sais que je devrait normalement avoir des logs du type portsentry[5898]: attackalert:mais je n’ai absolument rien !! Et je ne comprend pas pourquoi !

Portsentry est bien lancé également :

ps aux | grep portsentry | grep -v grep

root 18534 0.0 0.0 4244 1236 ? Ss 11:44 0:00 /usr/sbin/portsentry -atcp
root 18538 0.0 0.0 4244 1268 ? Ss 11:44 0:00 /usr/sbin/portsentry -audp

Avez vous une idée ? Car je sèche totalement, sachant que je fait déjà tourner portsentry sur un autre serveur et cela fonctionne.

Pour information, je suis sous Debian Jessie et j’ai installé portsentry via les package de Debian : portsentry/stable,now 1.2-13 amd64 [installé]

Je vous remercie d’avance.

#4

Je m’auto répond car j’ai réussi à comprendre mon soucis, si cela peut aider également les personnes qui ont le même soucis.

En faite je n’avais jamais d’attaque car mon Firewall était très restrictive, c’est à dire que mon pare feu n’autorisait uniquement les ports étant utilisé. Tout les autres ports était rejeté par le pare-feu, du coup lorsque je faisait un nmap vers mon serveur, les ports testé par le scan se faisait d’abord recalé par le parefeu avant de consulter portsentry. Il consultait ensuite portsentry, mais vu que les ports autorisés par le firewall était utilisé, il n’y avait pas d’attaque pour lui.

Maintenant autre question et je ne sais pas qui est préférable. Est ce que c’est mieux de laisser le parefeu tels quel et désintaller portsentry ou alors d’ouvrir juste un seul port (ou petite plage) non utilisé juste pour que portsentry puisse détecté un scan sur ce(s) port afin de bannir l’utilisateur ?

A votre avis ?

Merci