
Installation of PortSentry

by Bella

PortSentry is a tool that detects port scans and logs them. A port scan is almost always the first thing an attacker does once a host has been picked as a target, so catching it gives an early signal. The version installed below, PortSentry 1.2, is the last release of the tool (2003), so expect the build fix described further down on any current compiler.

PortSentry detects such scans by listening on ports the host does not otherwise use. A connection attempt to one of those ports cannot be legitimate traffic, so PortSentry treats it as a probe, logs it, and can run a configured response: drop a route or add a firewall rule (KILL_ROUTE), add the source to hosts.deny (KILL_HOSTS_DENY), or run an external command (KILL_RUN_CMD).

Installation

# cd /usr/src/
# wget -O portsentry-1.2.tar.gz http://sourceforge.net/projects/sentrytools/files/latest/download
# tar -xzvf portsentry-1.2.tar.gz
# cd portsentry_beta/
# make linux

The -O is needed because the SourceForge "latest/download" link redirects to a mirror and wget otherwise names the file after the final redirect URL rather than portsentry-1.2.tar.gz, which makes the tar step fail. The tarball unpacks into portsentry_beta/ and make linux only compiles; the install step comes after the build fix below.

Compiling PortSentry 1.2 with a current gcc typically fails with the following output:

./portsentry.c:1584:11: warning: missing terminating " character
./portsentry.c: In function ‘Usage’:
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: ‘sourceforget’ undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ‘)’ before ‘dot’
./portsentry.c:1585: error: stray ‘\’ in program
./portsentry.c:1585:24: warning: missing terminating " character
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ‘;’ before ‘}’ token
./portsentry_io.c: In function ‘ConfigTokenRetrieve’:
./portsentry_io.c:321: warning: cast from pointer to integer of different size
./portsentry_io.c:324: warning: cast from pointer to integer of different size
./portsentry_io.c: In function ‘IsBlocked’:
./portsentry_io.c:670: warning: cast from pointer to integer of different size
./portsentry_io.c: In function ‘SubstString’:
./portsentry_io.c:727: warning: cast from pointer to integer of different size
make: *** [linux] Error 1

To resolve the error, follow this step:

———

Open portsentry.c and look at lines 1584 and 1585. The printf() in the Usage() function has its copyright string literal broken across the two lines by a stray line break (line 1584 ends after "users dot" with the string still open, and line 1585 begins with "sourceforget dot net"). Delete the line break so the whole printf() statement is on one line again. The "cast from pointer to integer of different size" warnings in portsentry_io.c are only warnings from building on a 64-bit system and do not stop the build.

Then run make linux again, followed by make install, which creates /usr/local/psionic/portsentry/ and copies the binary, portsentry.conf and portsentry.ignore there.
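The join can be scripted so it does not depend on the exact line number staying at 1584. The shell function below is an added example written for this page, not part of the PortSentry sources: it reads a C file and glues any line that leaves a double-quoted string open (an odd number of unescaped quotes) onto the line that follows it, writing the result to standard output. The sample input in the usage is constructed to mirror the broken lines.

```shell
#!/bin/sh
# Added example, not part of the PortSentry distribution or this page's
# original instructions: join a string literal that was split across two
# lines, which is exactly what breaks portsentry.c at lines 1584/1585.
# A line with an odd number of unescaped double quotes has an open string
# and is glued to the following line. Escaped quotes (\") and a double
# quote wrapped in single quotes are discounted first. Output goes to
# stdout; the caller decides whether to overwrite the file.
join_split_strings() {
    awk '
    # 1 if the line leaves a double-quoted string open, else 0
    function string_open(line,    t) {
        t = line
        gsub(/\\"/, "", t)            # drop escaped quotes \"
        gsub("\047\"\047", "", t)     # drop a double quote wrapped in single quotes (\047 is the octal code of the single quote)
        return gsub(/"/, "", t) % 2
    }
    {
        if (held != "") {             # previous line had an open string: glue this one on
            print held $0
            held = ""
            next
        }
        if (string_open($0)) {
            held = $0
            next
        }
        print
    }
    END { if (held != "") print held }   # open string at end of file: emit unchanged
    ' "$1"
}

# Usage on the real source (writes to a copy first, then replaces):
#   join_split_strings portsentry.c > portsentry.c.fixed && mv portsentry.c.fixed portsentry.c
```

Run it once, re-run make linux, and check that the diff against the original portsentry.c touches only the Usage() printf line; if the function joined anything else, the file had another open string and you want to look at it by hand.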

After make install, edit the configuration file /usr/local/psionic/portsentry/portsentry.conf to enable blocking of the scanning host via a dropped route or firewall rule.

1. Find the KILL_ROUTE options; there is one commented-out line per operating system. Uncomment only the one that matches your system and leave the rest commented out.

2. On Linux with iptables, that is the line

KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

PortSentry substitutes $TARGET$ with the source address of the probe and runs the command, so every further packet from that address is dropped by the firewall. Two caveats: a DROP rule writes no log entry of its own, and PortSentry never sees the follow-up packets, so the only record of the block is PortSentry's own syslog message plus the entries in portsentry.history and the portsentry.blocked.* files. The inserted rules are also not persistent; they disappear on reboot or when the iptables rule set is reloaded. KILL_ROUTE runs only while BLOCK_TCP and BLOCK_UDP are set to "1" in the same file.

3. Uncomment TCP_PORTS and UDP_PORTS and list the ports to monitor. These lists are used in classic mode (-tcp/-udp) and stealth mode (-stcp/-sudp) only; advanced mode (-atcp/-audp, used at the end of this page) ignores them. In classic mode PortSentry binds every listed port, so each one must be free; a port a real service already uses is reported as an error and skipped. Remove from the sample list anything your host actually serves (80 on a web server, 110/143 on a mail server).

TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724"

UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"

4. In advanced mode, ports are excluded rather than listed. ADVANCED_EXCLUDE_TCP and ADVANCED_EXCLUDE_UDP apply only to -atcp/-audp: in that mode PortSentry watches every port below ADVANCED_PORTS_TCP and ADVANCED_PORTS_UDP (1024 by default) that is not already in use, and the exclude lists name ports that receive harmless stray connections and must never trigger a block. The shipped defaults exclude ident and NetBIOS on TCP and DHCP, NetBIOS and RIP on UDP; add any other port your network legitimately pokes at (a monitoring system, a load balancer health check).

5. To whitelist particular addresses, add them to the file

/usr/local/psionic/portsentry/portsentry.ignore

This file lists the addresses PortSentry must ignore when one of them connects to a monitored port. Get it right before enabling KILL_ROUTE: PortSentry blocks whatever source address a packet carries, so a scan with spoofed source addresses can trick it into blocking your default gateway, DNS servers or monitoring hosts. Put all local interfaces, the gateway, your name servers and any administrative hosts here.

The file is simply one IP address or network per line, with the netmask in "slash" notation, for example:

172.16.88.0/24
10.16.17.0/24
192.168.0.0/16
127.0.0.1/32
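Two of the steps above are easy to get wrong silently: a TCP_PORTS entry that collides with a running service, and an ignore file that does not actually cover the address you meant. The helpers below are an added example written for this page, not part of PortSentry; they check both against constructed input. ip_to_int and in_ignore_list implement the CIDR match for a portsentry.ignore-style file, and colliding_ports compares a TCP_PORTS value against a list of ports already bound on the host. They assume a 64-bit POSIX shell for the arithmetic and IPv4 dotted quads without leading zeros (PortSentry 1.2 is IPv4 only).

```shell
#!/bin/sh
# Added helpers for checking the portsentry.conf values above; not part of
# PortSentry. They assume a 64-bit POSIX sh (dash/bash) for the arithmetic and
# dotted-quad IPv4 addresses without leading zeros (PortSentry 1.2 is IPv4 only).

# ip_to_int 192.168.0.1 -> 3232235521 (address as an unsigned 32-bit value)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_ignore_list IP FILE: succeed when IP falls inside any entry of a
# portsentry.ignore-style file (one "address/bits" per line; a bare address
# counts as /32; blank lines and # comments are skipped).
in_ignore_list() {
    ip=$(ip_to_int "$1")
    while read -r entry rest; do
        case $entry in ''|'#'*) continue ;; esac
        net=${entry%/*}
        bits=${entry#*/}
        [ "$bits" = "$entry" ] && bits=32           # no slash: host entry
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        [ "$(( ip & mask ))" = "$(( $(ip_to_int "$net") & mask ))" ] && return 0
    done < "$2"
    return 1
}

# colliding_ports "TCP_PORTS value" "listening ports": print every port in the
# comma-separated list that is already bound. In classic mode PortSentry can
# only bind free ports, so each port printed has to leave the list (or be
# accepted as unmonitorable).
colliding_ports() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        for l in $2; do
            [ "$p" -eq "$l" ] && printf '%s\n' "$p"
        done
    done
    return 0
}

# Typical use on the host itself (the ss command needs iproute2):
#   tcp_ports=$(sed -n 's/^TCP_PORTS="\(.*\)"/\1/p' /usr/local/psionic/portsentry/portsentry.conf)
#   colliding_ports "$tcp_ports" "$(ss -ltn | awk 'NR>1 {sub(/.*:/, "", $4); print $4}' | sort -un)"
#   in_ignore_list 10.16.17.5 /usr/local/psionic/portsentry/portsentry.ignore && echo ignored
```

Run colliding_ports before starting PortSentry in classic mode and in_ignore_list once for every address you cannot afford to block (gateway, name servers, the workstation you administer from); an empty first result and a success from each of the second calls is what you want.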

PortSentry can now be started. The -atcp and -audp flags below select advanced stealth mode, which watches every unused port below ADVANCED_PORTS_TCP/UDP rather than the TCP_PORTS/UDP_PORTS lists. To monitor the explicit lists instead, start with -tcp and -udp (classic mode, binds the ports) or -stcp and -sudp (Linux stealth mode). One TCP mode and one UDP mode can run side by side, but not two TCP modes.

First start the TCP monitor, then the UDP monitor:
# /usr/local/psionic/portsentry/portsentry -atcp
# /usr/local/psionic/portsentry/portsentry -audp

PortSentry forks into the background and logs through syslog (facility LOG_DAEMON, level LOG_NOTICE, unless changed in portsentry_config.h before compiling). Where the messages land depends on the syslog configuration: /var/log/messages on Red Hat-style systems, /var/log/syslog on Debian-style systems, and /var/log/secure only if daemon messages are routed there. Every probe is logged as an "attackalert" line, and a blocked host is additionally recorded in portsentry.history and the portsentry.blocked.* files under /usr/local/psionic/portsentry/. Nothing starts PortSentry at boot, so add the two commands above to your init system, and remember that the iptables rules it inserted are gone after a reboot as well.
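Once the alerts are in syslog, the useful question is which sources probed what and whether the block actually fired for them. The function below is an added example for this page, not PortSentry code: it summarises attackalert lines per source address. The sample log is constructed; its wording follows the messages PortSentry 1.2 writes ("attackalert: ... from host: NAME/IP to TCP port: N" for a probe and "attackalert: Host IP has been blocked via ..." for a block), and in the sample SCAN_TRIGGER is assumed to be 1 so the block fires on the second hit. Check the field positions against your own log before relying on it.

```shell
#!/bin/sh
# Added example, not PortSentry code: summarise PortSentry attackalert lines
# from syslog. The sample below is constructed; its wording follows the
# messages PortSentry 1.2 logs ("attackalert: Connect from host: NAME/IP to
# TCP port: N" and "attackalert: Host IP has been blocked via dropped route
# using command: ..."). Assumes SCAN_TRIGGER=1, hence two hits before the block.

sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 web1 portsentry[2112]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 143
Mar  3 10:15:01 web1 portsentry[2112]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 110
Mar  3 10:15:01 web1 portsentry[2112]: attackalert: Host 203.0.113.9 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 203.0.113.9 -j DROP"
Mar  3 10:16:40 web1 portsentry[2113]: attackalert: Connect from host: 198.51.100.4/198.51.100.4 to UDP port: 161
Mar  3 10:16:41 web1 sshd[2300]: Accepted publickey for admin from 10.16.17.5 port 51822 ssh2
EOF
}

# scan_summary [FILE...]: one line per source IP with the number of probes,
# whether a block was logged for it, and the ports it touched, sorted by IP.
# Reads stdin when no file is given. The probe regex covers the classic
# "Connect from host:" message and the stealth-mode "... scan from host:" ones.
scan_summary() {
    awk '
    /attackalert: .* from host: .* to (TCP|UDP) port: / {
        for (i = 1; i <= NF; i++) {
            if ($i == "host:") { split($(i + 1), h, "/"); ip = h[2] }   # NAME/IP -> IP
            if ($i == "port:") port = $(i + 1)
        }
        hits[ip]++
        if (ip in ports) ports[ip] = ports[ip] "," port
        else ports[ip] = port
    }
    /attackalert: Host [0-9.]+ has been blocked/ {
        for (i = 1; i <= NF; i++) if ($i == "Host") { blocked[$(i + 1)] = 1; break }
    }
    END {
        for (ip in hits)
            printf "%s %d %s %s\n", ip, hits[ip], (ip in blocked) ? "blocked" : "NOT-blocked", ports[ip]
    }' "$@" | sort
}

# Usage against the live log, for example:
#   scan_summary /var/log/messages
#   sample_log | scan_summary        # prints the constructed sample summary
```

A source that shows up as NOT-blocked after several hits is the line to chase: either BLOCK_TCP/BLOCK_UDP is off, the KILL_ROUTE command failed (PortSentry logs that too), or the address is in portsentry.ignore.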
