Step 3: CONFIGURE Portsentry to take certain actions. First off, there are 2 config files for port sentry. Yes, I know, editing config files blah blah blah. Look on the bright side, you will have a dynamic firewall later one that blocks automatically and unblocks after a certain time frame. It’s extremely LOW maintenance. Heck you only need to check the logs, the rest will be done for you! Anyway, the 2 config files are: /usr/local/psionic/portsentry/portsentry.ignore where you configure your own networks. And /usr/local/psionic/portsentry/portsentry.conf where you configure your actions. First change the lines:

BLOCK_UDP="1"
BLOCK_TCP="1"

to:

BLOCK_UDP="2"
BLOCK_TCP="2"

Then set the line SCAN_TRIGGER="0" to SCAN_TRIGGER="2".
This way Portsentry will run an external command only and it wont block immediately everyone. You can only uncomment one “action” , so, we want to uncomment the line KILL_RUN_CMD and change it to this:
KILL_RUN_CMD="/opt/flosse/block.sh $TARGET$ $PORT$"
Using this option , and changing the directory to your own script directory, will execute block.sh and passing it 2 variables. Save the file and exit.

Step 4: CREATE block.sh. Yes, you are right and I hope you noticed it, the script block.sh has not been created yet, but no worries, here it is:

Contents of block.sh

#!/bin/sh
#
#
#block script , a response action for Portsentry
#
# by Flosse for 2blocksaway.com (c) 2007
#
today=`date +%Y%m%d`
dir=/opt/flosse
#
#First we find out if we have it blocked already:
#
for i in `cat blocked.list`
	do 

	if [ !  "grep '$1'" == "0" ]
	exit;
#
#If there is more then 0 matches, we exit. Otherwise we continue.
#
	else
		#
		# first we add that IP and the current date to the blocked.list file
		#
		echo $1 $today >> $dir/blocked.list
		#
		# Then we add that block to the iptables that are currently in effect
		#
		iptables -A blocked-list -i eth0 -p tcp,udp -s $1 -d 0.0.0.0/0 -j DROP
		#
		#And finally we save the current setup so that at a reboot
		# all those settings and blocked IPs will be in effect again
		#
		/sbin/iptables-save
		#
		#Then we log, just for kicks the IP and what ports it scanned.
		# you can comment this out if you want to.
		echo $1 scanned $2 >> $dir/scan.log
	fi
done

It is a very simple script and just copy it as block.sh into your scripts directory (or download it from the files page). Notice this contains Fedora specific options (such as the iptables-save command). It is self explanatory I think and there are the comments as to what each thing does. Please remember to modify in all my scripts the $dir variable to your script directory. You can periodically check the scan.log file to see what has been going on, it might surprise you.

Step 5: CLEANING the old IPs. Ok so we have so far accomplished the following: Portsentry, when started, will listen on specific ports, and based on those ports execute a script, which in turn will add a block rule and an entry to blocked.list. The file blocked.list will be read in case you make changes to your iptables script and have to run it manually again. All your IPs would be lost otherwise, but this way you have them constantly there. It will also make a log entry in scan.log. Pretty good I would say, only thing missing what I promised is getting rid of those old IPs that might be actually occupied by “normal” users by now. Well we create another script which will be listed in a second, and copy it to one of the following directories: /etc/cron.daily, cron.hourly or cron.monthly I would recommend cron.daily and since our script will be adjusted to remove any entries older then 5 days, that is teh way to go for this tutorial. Copy the following script there and make it executable (chmod a+x) and root owned (chown root.root block.cron)

Contents of block.cron

!/bin/sh
#
#Cronscript to find old dates in files basedon patterns
#
# by Flosse for 2blocksaway.com (c) 2007
#
dir=/opt/flosse
dateago=(date --date='5 days ago'  +%Y%m%d)

cat $dir/blocked.list | sed -e '/$dateago/d' > $dir/blocked.list.tmp
rm $dir/blocked.list && mv $dir/blocked.list.tmp $dir/blocked.list

What this simple thing does is, it scans the file blocked.list for a specific pattern every day (since you put it into cron.daily) and removes the lines that are 5 days old. There are no fail saves yet for even older entries, since this is supposed to run every day. If anyone wants to contribute please comments or mails are welcome. I chose the “temporary file” way with sed simply so that it is more “debuggable” and user friendly. This way EVERYONE understands it.

Step 6: CLEANING up. We are pretty much done, All thats missing is what? Correct, making Portsentry startup automatically every time to start your machine AND usable as a “service” command within Fedora. This is a simple implementation that gives you 3 options: start the service, which will start Portsentry in TCP and UDP listen mode, STOP which will stop the process and EXTREME-START which will start Portsentry with ALL options. Edit your portsentry.conf files before you use this and READ up on it.

Contents of portsentry

#!/bin/bash
#
#chkconfig: 3456 9 91
#
#description: start the portsentry service
#
#Simple Portsentry service file
#
# By Flosse for 2blocksaway.com (c) 2007
#
#This file is made available under the GNU Public License v.2
#
. /etc/rc.d/init.d/functions
[ -e /etc/sysconfig/network ] && . /etc/sysconfig/network
[ "${NETWORKING}" = "no" ] && exit 0
binary=portsentry
dir=/usr/local/psionic/portsentry

start() {
    echo -n $"Starting $binary with TCP and UDP monitoring:"
    daemon $dir/portsentry -tcp -udp
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/portsentry
    return $RETVAL;
}

stop () {
    echo -n $"Stopping $prog:"
    if [ -e /var/lock/portsentry ] ; then
        killproc portsentry -TERM
        RETVAL=$?
    fi;
    rm -f /var/lock/portsentry
    if [ $RETVAL -eq 0 ]; then
        success;
        echo;
    else
        failure;
        echo;
    fi;
}

extreme-start() {
    echo -n $"Starting $binary with EXTREME monitoring be careful! :"
    daemon $dir/portsentry -tcp -udp -atcp -audp -stcp -sudp
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/portsentry
    return $RETVAL;
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    reload)
        reload
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        if [ -f /var/lock/portsentry ]; then
            stop
            start
        fi
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|condrestart|status}"
        RETVAL=1
esac

exit $RETVAL

Copy that file called portsentry into your /etc/rc.d/init.d directory and use the commands:

chkconfig --add portsentry
chkconfig --level 23456 on

in order to start it at boot. To start it then immediately type service portsentry start and it should tell you that it started OK.

All files are zipped and can be downloaded from here:

Hope you enjoyed this.
//Flosse

Popularity: 10% [?]

Pages: 1 2