Portsentry Setup
From Linuxhelp Wiki
| Author: | x2xtreme |
| Created On: | April 9th, 2000 |
| Updated On: | Unknown |
If you are paranoid about someone port scanning your box, or you don't want people to see what services you are running, then portsentry is a cool app. In the event of an nmap scan of your box it will go into attack alert and send back fake responses, and it will also put the host the scan came from in /etc/hosts.deny. It also dumps a lot into your /var/log/messages to make port scans more easily readable in your logs.
To install Portsentry, first download the latest tarball from http://www.psionic.com/download/ and extract it. I have portsentry-1.0.tar.gz. So you need to extract the archive and change into that directory with:
tar -zxvf portsentry-x.x.tar.gz
cd portsentry-x.x
Edit portsentry.ignore. In there put all hosts that you want portsentry to ignore; it's like the /etc/hosts.allow file, but it will allow a host to scan you without setting off portsentry. Also edit portsentry.conf, which is okay by default, but you can edit it so that it will not listen on a certain port, and if you have changed the location of portsentry. Next do a make linux (or make whatever *nix you have) to compile the software, and then install it as root:
make linux
su -
make install
To run portsentry type:
/usr/local/psionic/portsentry/portsentry -<protocol>
In most cases:
/usr/local/psionic/portsentry/portsentry -tcp
If you want it to start up on boot, then put the line "/usr/local/psionic/portsentry/portsentry -tcp" in your /etc/rc.d/rc.local file.
After starting portsentry your logs should read:
Mar 25 15:54:40 x2xtreme portsentry[20391]: adminalert: Going into listen mode on TCP port: 20034
Mar 25 15:54:40 x2xtreme portsentry[20391]: adminalert: PortSentry is now active and listening.
To test portsentry, try to nmap, satan, or saint your box. You should get something like this:
Mar 25 15:57:51 x2xtreme portsentry[20418]: attackalert: Host: 192.168.0.2 is already blocked. Ignoring
Mar 25 15:57:51 x2xtreme portsentry[20418]: attackalert: Connect from host: x2x/192.168.0.2 to TCP port: 1
After that, check /etc/hosts.deny, /usr/local/psionic/portsentry/portsentry.ignore, and /usr/local/psionic/portsentry/portsentry.blocked.tcp to see if that host is listed in those files. If it is, then you did everything right.
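The log lines and file checks above are easy to do by hand for one test scan, but a small script makes the verification repeatable. The following is an added example, not part of the original wiki page or of the portsentry distribution: it pulls the attackalert lines out of a /var/log/messages excerpt, counts how many ports each source host hit, and confirms that a host really landed in both /etc/hosts.deny and portsentry.blocked.tcp. The log excerpt, the hosts.deny line and the blocked-file line are constructed for the example (the "ALL: <host>" form is what the default KILL_HOSTS_DENY setting writes; the exact blocked-file layout is approximated), so the script runs in a temporary directory instead of touching the real files; point the two functions at the real paths to use it on a live box.

```shell
#!/bin/sh
# Added example (not from the original page): summarise portsentry attackalerts
# and verify that a scanning host was written to the block files.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /var/log/messages excerpt in the format portsentry logs.
cat > "$WORK/messages" <<'EOF'
Mar 25 15:54:40 x2xtreme portsentry[20391]: adminalert: Going into listen mode on TCP port: 20034
Mar 25 15:54:40 x2xtreme portsentry[20391]: adminalert: PortSentry is now active and listening.
Mar 25 15:57:51 x2xtreme portsentry[20418]: attackalert: Connect from host: x2x/192.168.0.2 to TCP port: 1
Mar 25 15:57:51 x2xtreme portsentry[20418]: attackalert: Host: 192.168.0.2 is already blocked. Ignoring
Mar 25 15:57:52 x2xtreme portsentry[20418]: attackalert: Connect from host: x2x/192.168.0.2 to TCP port: 11
Mar 25 16:02:13 x2xtreme portsentry[20418]: attackalert: Connect from host: other/10.0.0.7 to TCP port: 20034
EOF

# Constructed block files: only 192.168.0.2 has been written to them.
# "ALL: <host>" is the form the default KILL_HOSTS_DENY="ALL: $TARGET$" produces;
# the blocked.tcp line layout is approximated.
printf 'ALL: 192.168.0.2\n' > "$WORK/hosts.deny"
printf 'Host: x2x/192.168.0.2 Port: 1 TCP Blocked\n' > "$WORK/portsentry.blocked.tcp"

# scan_hosts LOGFILE
# Print "<count> <ip>" for every host that triggered a new-connection
# attackalert, most active host first. "already blocked" lines are skipped
# because they repeat a host that is already counted.
scan_hosts() {
    grep 'portsentry\[[0-9]*\]: attackalert: Connect from host:' "$1" \
      | sed 's|.*Connect from host: [^/]*/\([0-9.]*\) to .*|\1|' \
      | sort | uniq -c | sort -rn
}

# host_listed_in_all HOST FILE...
# Return 0 only if HOST appears as a whole address in every FILE given.
# Dots are escaped and the match is bounded so 192.168.0.2 does not match
# 192.168.0.20 or 1192.168.0.2.
host_listed_in_all() {
    host=$1; shift
    pat=$(printf '%s' "$host" | sed 's/\./\\./g')
    for f in "$@"; do
        grep -qE "(^|[^0-9.])${pat}([^0-9.]|$)" "$f" 2>/dev/null || return 1
    done
    return 0
}

printf 'Hosts flagged by portsentry (ports hit, source):\n'
scan_hosts "$WORK/messages"

if host_listed_in_all 192.168.0.2 "$WORK/hosts.deny" "$WORK/portsentry.blocked.tcp"; then
    printf '192.168.0.2 is in hosts.deny and portsentry.blocked.tcp: blocking works\n'
else
    printf '192.168.0.2 is missing from a block file: check portsentry.conf\n'
fi
```

A host that is listed in portsentry.ignore will never show up as blocked, so if the check fails for your scanning host, make sure it is not in that file before suspecting the install.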