Tuesday, December 7, 2010

Geeking Out with PortSentry

I have been super busy over the past few months! Thankfully, life seems to be slowing down a bit, but not much. Yesterday, I interviewed for a position as a Support Engineer with FireHost in Plano, TX. The interview went well and the opportunity is a ground-floor opportunity, which is absolutely awesome.

Aside from that, I have been dusting off some of my rusty old Linux sysadmin skills and rebuilding my knowledge and skills in that arena. In addition, I am also dipping my toe into the IT security realm a bit. For now, I am familiarizing myself with some of the more common tools for Intrusion Detection and Forensics. Once I'm comfortable with those tools I'll explore exploitation and cracking.

The first tool I got my hands dirty with is PortSentry. I installed it from the Official Ubuntu Repositories yesterday evening and settled in for what I expected to be a long process of learning how to configure and optimize the portsentry.conf file. As usual, I installed via command line, using the following command:

    ken@hostname:~$ sudo aptitude install portsentry

I backed up the default configuration file by running the following commands:

    ken@hostname:~$ cd /etc/portsentry/ 
    ken@hostname:~$ sudo cp portsentry.conf portsentry.conf.bak

*Note: I always leave the .bak files I create in place in the event that my custom configuration file ever becomes corrupted, deleted, or otherwise tampered with, thus providing a simple file to restore from.

Then, using an archived article from Linux.com, found at this link: http://linux.omnipotent.net/article.php?article_id=12540&page=-1, I began going through the configuration file one section at a time. To my pleasant surprise, I noticed that during the install, the configuration file was configured automatically. I only had to change two sections, one of which was optional. The first change was as follows.

In the IGNORE OPTIONS section, I changed the default:

    BLOCK_TCP="0"
    BLOCK_UDP="0"

to the more preferred setting of:

    BLOCK_TCP="1"
    BLOCK_UDP="1"

The final change I made to the configuration file was to uncomment the message in the PORT BANNER section. It's advised to leave it commented, but I felt better having a warning message display to anyone trying to gain unauthorized access to my home network.
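As an added check that is not part of the original post, this Python script parses a portsentry.conf-style file and reports whether the two settings changed above are still at their defaults and whether the banner is still commented out; the sample file text is constructed here, and the option name PORT_BANNER is assumed from the stock configuration file.

```python
"""Audit a portsentry.conf for the settings changed in the post above."""
import re

# Matches KEY="VALUE" assignments; comment lines (leading #) are skipped.
_ASSIGN = re.compile(r'^\s*([A-Z_]+)\s*=\s*"([^"]*)"\s*$')


def parse_portsentry_conf(text):
    """Return {KEY: VALUE} for active (uncommented) assignments.

    A later assignment of the same key overrides an earlier one, as it
    would when the file is read top to bottom.
    """
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_blocking(text):
    """Return a list of findings; an empty list means blocking is on and a banner is set."""
    settings = parse_portsentry_conf(text)
    findings = []
    for key in ("BLOCK_TCP", "BLOCK_UDP"):
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is not set")
        elif value == "0":
            findings.append(f"{key} is 0: scans are logged but the source is not blocked")
    # PORT_BANNER is an assumed option name taken from the stock file.
    if "PORT_BANNER" not in settings:
        findings.append("PORT_BANNER is commented out: no warning is shown to connecting hosts")
    return findings


# Constructed sample: the stock file before the post's edits.
DEFAULT_CONF = '''
# Ignore Options
BLOCK_UDP="0"
BLOCK_TCP="0"
# Port Banner Section
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
'''

# Constructed sample: the same file after the two changes described in the post.
HARDENED_CONF = (DEFAULT_CONF.replace('BLOCK_UDP="0"', 'BLOCK_UDP="1"')
                 .replace('BLOCK_TCP="0"', 'BLOCK_TCP="1"')
                 .replace('#PORT_BANNER', 'PORT_BANNER'))

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_blocking(conf) or ["ok"])
```

Point the script at your own /etc/portsentry/portsentry.conf to confirm the change took effect before restarting the service.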

Overall, the installation and configuration for PortSentry was completely painless, and I highly recommend that anyone interested in running a secure Linux system install PortSentry and utilize it as part of their security scheme.