LinuxFocus.org: Psionic Portsentry 1.1, the defender of the ports

Sep 08, 2001, 22:04 (0 Talkback[s])
(Other stories by Georges Tarbouriech)

"During the last decade, networking grew up at an incredible speed. The goal was to allow communication between machines using different OSes. Thus, proprietary networking systems were slowly replaced with TCP/IP. Internet did the rest ! Today, most networking relies on TCP/IP and TCP/IP relies on ports. To make it short, ports are attached to programs (clients or servers). The server listens till a client contacts it to establish a connection. The services (the programs above mentioned) are mapped to a specific port. On Unix systems, this mapping scheme is found in the /etc/services file. That is, everyone knows which port is dedicated to which service. If everyone knows, crackers know even better ! If we consider a port as a door, when a port is open (listening), it's like an unlocked door. And how do you get into a house ? Usually through the door (unless you prefer the window, it's up to you !). So do the black hats to get into your computer...

The first thing you can do to reduce the risk is to close as many ports as possible, that is to stop services. The less the better. But you hardly can close every port on a networked machine : it wouldn't communicate anymore, that would be a pity ! How to limit the number of active services or how to close the ports is beyond the scope of this article. You'll find a lot of literature on the subject, for instance going to the Linux Documentation Project or searching through LinuxFocus issues (for example, Bastille Linux or Security tools). So for the different ways to protect a machine, a network. On Linux, consider Bastille Linux as a must have.

And this is where portsentry comes. Portsentry can monitor ports and is able to block them if you ask it to do so. It provides you with different operating modes, some of them being specific to some OSes. As a matter of fact, OSes means Linux. Portsentry is able to benefit from packet filtering provided with ipfwadm, ipchains or iptables according to the Linux kernel you have. This is true for other Unix flavors using different tools (back on this later). There we are : portsentry greatest feature probably is "auto-blocking".

Complete Story

Related Stories:

• MachineOfTheMonth: Hacking the hacker(Aug 12, 2001)
• Linux Journal: PortSentry(Jul 14, 2001)
• ITWorld: Joe Barr gets cracked and recovers with NMAP(Apr 05, 2001)
• linux.ie: Port Sentry and Snort compared(Mar 12, 2001)
• Canada Computes: A Little Security in an Insecure World (Feb 25, 2001)
• LANSystems.com: Monitoring Connections To Your System [IPPL Guide](Jul 23, 2000)
• BSD Today: Deploying Portsentry; What to do before the kiddies come calling(Jul 21, 2000)
• TechRepublic: Linux 101: Basic network security(Jun 10, 2000)
• LinuxNewbie.org: Setting up Portsentry(May 27, 2000)
• Cork LUG: Security for the dial-up user [Portsentry review](Apr 03, 2000)