{"id":1412,"date":"2015-01-05T20:34:51","date_gmt":"2015-01-06T02:34:51","guid":{"rendered":"http:\/\/blog.supportpro.com\/?p=1412"},"modified":"2019-03-07T18:10:26","modified_gmt":"2019-03-08T00:10:26","slug":"installation-of-portsentry","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/installation-of-portsentry\/","title":{"rendered":"Installation of PortsEntry"},"content":{"rendered":"

Portsentry<\/strong> is a tool to detect port scans and log it. Once a host is targeted by an attacker, a port scan is almost always performed.<\/p>\n

PortSentry detects such scans by monitoring the unused ports on the host. Upon a connection attempt to one of the unused ports, PortSentry is alerted and has the ability to issue a number of commands in response to the scan.<\/p>\n

Installation<\/strong><\/span><\/p>\n

# cd \/usr\/src\/<\/span><\/em><\/p>\n

# wget http:\/\/sourceforge.net\/projects\/sentrytools\/files\/latest\/download<\/em><\/p>\n

# tar -xzvf portsentry-1.2.tar.gz<\/em><\/p>\n

# cd portsentry_beta\/<\/em><\/p>\n

# make linux<\/em><\/p>\n

You may face the following error upon installation<\/p>\n

.\/portsentry.c:1584:11: warning: missing terminating ” character<\/p>\n

.\/portsentry.c: In function \u201a\u00c4\u00f2Usage\u201a\u00c4\u00f4:<\/p>\n

.\/portsentry.c:1584: error: missing terminating ” character<\/p>\n

.\/portsentry.c:1585: error: \u201a\u00c4\u00f2sourceforget\u201a\u00c4\u00f4 undeclared (first use in this function)<\/p>\n

.\/portsentry.c:1585: error: (Each undeclared identifier is reported only once<\/p>\n

.\/portsentry.c:1585: error: for each function it appears in.)<\/p>\n

.\/portsentry.c:1585: error: expected \u201a\u00c4\u00f2)\u201a\u00c4\u00f4 before \u201a\u00c4\u00f2dot\u201a\u00c4\u00f4<\/p>\n

.\/portsentry.c:1585: error: stray \u201a\u00c4\u00f2\\\u201a\u00c4\u00f4 in program<\/p>\n

.\/portsentry.c:1585:24: warning: missing terminating ” character<\/p>\n

.\/portsentry.c:1585: error: missing terminating ” character<\/p>\n

.\/portsentry.c:1595: error: expected \u201a\u00c4\u00f2;\u201a\u00c4\u00f4 before \u201a\u00c4\u00f2}\u201a\u00c4\u00f4 token<\/p>\n

.\/portsentry_io.c: In function \u201a\u00c4\u00f2ConfigTokenRetrieve\u201a\u00c4\u00f4:<\/p>\n

.\/portsentry_io.c:321: warning: cast from pointer to integer of different size<\/p>\n

.\/portsentry_io.c:324: warning: cast from pointer to integer of different size<\/p>\n

.\/portsentry_io.c: In function \u201a\u00c4\u00f2IsBlocked\u201a\u00c4\u00f4:<\/p>\n

.\/portsentry_io.c:670: warning: cast from pointer to integer of different size<\/p>\n

.\/portsentry_io.c: In function \u201a\u00c4\u00f2SubstString\u201a\u00c4\u00f4:<\/p>\n

.\/portsentry_io.c:727: warning: cast from pointer to integer of different size<\/p>\n

make: *** [linux] Error 1<\/p>\n

To resolve the error, please follow the step<\/p>\n

———<\/p>\n

Open portsentry.c and look for the line 1584. There will be a extra carriage return breaking the line and you have to delete the carriage return and make single line<\/p>\n

Then proceed with the installation.<\/p>\n

After the successful installation, please edit the configuration file \/usr\/local\/psionic\/portsentry\/portsentry.conf<\/em> file to enable route drop.<\/p>\n

1. Find and uncomment the KILL_ROUTE option that corresponds to your operating system<\/p>\n

2. Uncomment the line<\/p>\n

KILL_ROUTE=”\/sbin\/iptables -I INPUT -s $TARGET$ -j DROP”<\/p>\n

This will drop all packets originating from an attacker’s IP address and log future connection attempts.<\/p>\n

3. Uncomment the entries TCP_PORTS and UDP_PORTS and add the ports to be scanned.<\/p>\n

TCP_PORTS<\/strong>=”1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724″<\/p>\n

UDP_PORTS<\/strong>=”1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321″<\/p>\n

4. Ports can also be manually excluded via the parameters<\/p>\n

ADVANCED_EXCLUDE_UDP and ADVANCED_EXCLUDE_TCP<\/p>\n

5. If you want to whitelist a particular IP, please add it under the file<\/p>\n

\/usr\/local\/psionic\/portsentry\/portsentry.ignore<\/em><\/p>\n

This file contains the IP addresses that PortSentry should ignore if it connects to a monitored port.<\/p>\n

The portsentry.ignore file is simply a list of IP addresses along with the associated netmask in “slash” notation as shown below<\/p>\n

172.16.88.0\/24 10.16.17.0\/24 192.168.0.0\/16 127.0.0.1\/32<\/p>\n

PortSentry can now be enabled.<\/p>\n

First, we start up the TCP port monitor and then UDP port monitor
\n# \/usr\/local\/psionic\/portsentry\/portsentry -atcp<\/em><\/p>\n

# \/usr\/local\/psionic\/portsentry\/portsentry -audp<\/em><\/p>\n

Afterwards, when an IP is blocked on port scan, it will be recorded on the log file\u00a0\/var\/log\/secure.<\/em><\/p>\n

Need expert assistance?<\/span><\/strong><\/p>\n

SupportPRO<\/strong><\/a> has a team of well experienced professionals. We can assist you in the installation and configuration of Portsentry in your server. Feel free to contact us if you need assistance.
\nIf you require help, contact SupportPRO Server Admin<\/a><\/p>\n

\"Server<\/a><\/span>