[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] [RaQ3] Port Sentry

Subject: Re: [cobalt-security] [RaQ3] Port Sentry
From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
Date: Mon, 11 Jun 2001 15:59:49 +0200
Organization: Stauber Multimedia Design
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Hi Kevin,

> Now this I like. I've actually considered setting up something like this
> myself... care to share that config and script?

Sure, no problem. But I'll have to leave out the randomized restart routine 
for NDA reasons <sigh>. Just bind this script to a cronjob that will run 
several times a day (1-3 times for instance) and you're there almost as good.

Make sure you understand what the script does before you attempt to use it! 
For instance: If you don't have SSH installed, then you will no longer be 
able to get to the shell, as it'll block the telnet port! :o)

#!/bin/sh
# This script makes sure that Portsentry does not generate
# too many false alerts. It also makes sure that Portsentry is 
# restarted periodically. When that happens existing
# Firewall rules will be flushed. So if a customer accidentially
# blocked himself, then a flush of the ruleset will make
# sure that he can get in again after a considerable wait.
# For questions ask cobalt@xxxxxxxxxxxxxx

# Stop all instances of Portsentry:
killall -9 portsentry

# Flush all existing Firewall rules
/sbin/ipchains -F
 
#Deny Telnet permanently (only if you have SSH!):
/sbin/ipchains -A input -l -i eth0 -d 0/0 23 -p tcp -j DENY
 
# Deny TCP and UDP packets to certain ports:
/sbin/ipchains -A input -i eth0 -d 0/0 137:139 -p udp -j DENY
/sbin/ipchains -A input -i eth0 -d 0/0 137:139 -p tcp -j DENY
/sbin/ipchains -A input -i eth0 -d 0/0 68 -p udp -j DENY
/sbin/ipchains -A input -i eth0 -d 0/0 67 -p udp -j DENY
/sbin/ipchains -A input -i eth0 -d 0/0 123 -p udp -j DENY
/sbin/ipchains -A input -i eth0 -d 0/0 161 -p udp -j DENY
 
# Remove portsentry history file:
rm /usr/local/psionic/portsentry/portsentry.blocked.*

# Restart Portsentry in both ATCP and AUDP mode:
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -audp

# Say something nice and exit gracefully:
echo "Firewall rules flushed and Portsentry restarted"


-- 

Mit freundlichen Grüßen / Best regards

Michael Stauber

 Stauber Multimedia Design ____ Phone:  +49-6471-923812
 Hauptstrasse 31 ______  D-56244 Goddert ______ Germany
 SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM

Follow-Ups:
- RE: [cobalt-security] [RaQ3] Port Sentry
  - From: Benoit Perreault

References:
- [cobalt-security] [RaQ3] Port Sentry
  - From: Sean Chester
- Re: [cobalt-security] [RaQ3] Port Sentry
  - From: Michael Stauber
- Re: [cobalt-security] [RaQ3] Port Sentry
  - From: Kevin D

Prev by Date: Re: [cobalt-security] [RaQ3] Portsentry's raison d'etre (used to be Port Sentry)
Next by Date: [cobalt-security] profile of a bind worm
Previous by thread: Re: [cobalt-security] [RaQ3] Port Sentry
Next by thread: RE: [cobalt-security] [RaQ3] Port Sentry

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index