
Re: [cobalt-security] Portsentry & UDP ports (Howto: automatic reset of portsentry)



Hi Marc,

> > Then again, a cronjob which clears the ipchains rules or the hosts.deny
> > and restarts portsentry at certain times can reduce this danger
> > considerably.
>
> I would certainly recommend running something like this... even if port
> sentry itself left a host with an ipchains rule or in hosts.deny for like
> 10 mins and took them out this would be great - like a temporary ban for
> portscanning you :)
> However afaik it is not easily configured to act like this, and generally
> uses a more permanent 'sin-bin' from which it is hard to remove
> hosts that have fallen in by mistake.

Actually it IS very easy to set up, provided you use portsentry to simply 
block the hosts by TCP wrappers as recommended. And with a few customizations 
it will also work if you use ipchains.  Portsentry uses a file called 
portsentry.blocked.tcp or portsentry.blocked.udp to store the bad guys in. 
Simply delete it if you want to reset it. There is a separate history file 
which lists all IP addresses, which will give you an overview of 
every bad dude you've ever run into.

This is how I do it (at the moment I let portsentry use TCP wrappers for 
blocking). Contents of my "portsentry_reload.sh":

-----------------
#!/bin/sh

# stop the running portsentry daemon
killall -9 portsentry
# delete portsentry's database of currently blocked hosts
# (-f so the script does not complain when nothing is blocked)
rm -f /usr/local/psionic/portsentry/portsentry.blocked.*
# replace the hosts.deny portsentry filled with a blank copy
cp /usr/local/psionic/portsentry/hosts.deny /etc/hosts.deny
# restart portsentry in advanced TCP scanning mode
/usr/local/psionic/portsentry/portsentry -atcp
-----------------

Explanation: 

"killall -9 portsentry" will stop portsentry.

The "rm" line will delete portsentry's database of currently blocked hosts.

The "cp" line will copy an empty hosts.deny file over to /etc/ to clear out 
the hosts.deny that portsentry created while running. You need to create a 
blank hosts.deny for this.

Final line: Restarts portsentry in advanced TCP scanning mode.


Custom cronjob of user "root":

00 * * * * /usr/local/psionic/portsentry/portsentry_reload.sh

This will start the above script once every hour. Meanwhile I changed it to 
"59 23 * * *" to start it once every day.

If you prefer to work with ipchains instead, add an "ipchains -F" in the 
script to flush all ipchains rules, then restart your custom firewall script 
(if you have one) and finally restart portsentry.


-- 


Mit freundlichen Grüßen / Best regards

Michael Stauber
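The reset described in the message above, as an added example that is not Michael's script: the same steps with the blocked list appended to an archive before it is deleted (so the "temporary ban" still leaves a record of who was blocked and when) and with the ipchains variant from the last paragraph folded in behind a switch. The paths are parameters and the `PORTSENTRY_CMD`, `USE_IPCHAINS` and `FIREWALL_SCRIPT` variables are assumptions of this example, not part of the original post.

```shell
#!/bin/sh
# Added example (not from the original post): reset portsentry's block state.
#
# reset_portsentry PSDIR TEMPLATE ETC_HOSTS_DENY ARCHIVE
#   PSDIR           directory holding portsentry.blocked.* (and the binary)
#   TEMPLATE        blank hosts.deny to copy into place
#   ETC_HOSTS_DENY  target file, normally /etc/hosts.deny
#   ARCHIVE         file that accumulates every blocked entry with a timestamp
# Assumed environment (hypothetical, not portsentry options):
#   PORTSENTRY_CMD  command used to restart the daemon (default PSDIR/portsentry)
#   USE_IPCHAINS    "yes" to also flush ipchains and re-run FIREWALL_SCRIPT
reset_portsentry() {
    psdir=$1
    template=$2
    target=$3
    archive=$4
    stamp=$(date '+%Y-%m-%d %H:%M')

    # 1. stop the daemon; killall is non-zero when nothing is running, ignore it
    killall -9 portsentry 2>/dev/null || true

    # 2. archive, then delete, the block database so the ban really is temporary
    for f in "$psdir"/portsentry.blocked.*; do
        [ -f "$f" ] || continue
        sed "s/^/$stamp ${f##*/} /" "$f" >> "$archive"
        rm -f "$f"
    done

    # 3. restore a blank hosts.deny (TCP-wrapper blocking)
    cp "$template" "$target"

    # 4. ipchains variant: flush all rules, then rebuild the site firewall
    if [ "${USE_IPCHAINS:-no}" = yes ]; then
        ipchains -F
        [ -x "${FIREWALL_SCRIPT:-}" ] && "$FIREWALL_SCRIPT"
    fi

    # 5. restart portsentry in advanced TCP scanning mode
    ${PORTSENTRY_CMD:-"$psdir/portsentry"} -atcp
}
```

Run it from the same cron line as the original script, with the four paths filled in; the archive file is what you grep when a host complains it was blocked by mistake.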