hi all, i have two questions:
1. is there a way that i could start Portsentry as a non-root? i dunno how it is to be done.
2. i use PMfirewall and Portsentry at the same time. i close ports using PMfirewall, but when i use Portsentry it opens some of the ports (yah! i know that portsentry needs this to detect attacks). my question is, is there any way that i could only let portsentry listen on specific ports? e.g. 80,22,110,21,25...? so that PMfirewall will take responsibility for the other ports?
thanks in advance
-------------------------
"to be or not to be..
that is the question.."
-shakespeare-
-------------------------
[This message has been edited by flar (edited 11 December 2000).]
jakieboy
12-11-2000, 06:56 PM
How do you start portsentry?
I also use PMfirewall and portsentry, portsentry is pretty useless after running a good PMfirewall and killing all you can live without in /etc/inetd.conf and doing a good job in hosts.deny and hosts.allow .
But nevertheless, running a backup like portsentry is a good thing
regarding what I said in the first remark, just let portsentry do its thing by adding it in /etc/rc.d/rc.local with these two rules /usr/sbin/portsentry -atcp and /usr/sbin/portsentry -udp .
It will not hurt you and add a failsafe sort of anti portscan/faulty tcp packet security MIGHT your firewall take a crap.
That's just my .02 cents
Jakieboy!
yah i put it in my rc.local. but when i 'ps aux', i saw that it was running as root? how will i make it run as e.g. nobody?
-flar-
jakieboy
12-11-2000, 07:21 PM
Dude, I don't think it will run as anything other than root, I might be wrong though, I believe it will need to run as root to get the ipchains rules to work.
Anyone correct me if I'm wrong.
Jakieboy!
Ps. I think you'll want it *not* to run as root so if it is compromised it will not give root access, remember that you still have PMfirewall around (and they *do* need to break that one first) and if you've done a good job in the /etc/hosts series they are still around to protect your box as far as I know.
[This message has been edited by jakieboy (edited 11 December 2000).]
thanks much jakieboy! cheers man!!
but how about my second question?
-flar-
jakieboy
12-11-2000, 07:47 PM
You would have to make 'holes' in your PMfirewall for portsentry to react first, I don't think that's a good thing, just run a good PMfirewall and have portsentry around as a 'backup'.
I am very tired at the moment so I won't go in the portsentry.conf file right now, not to be rude though.
But I think my first part explains where I stand.
Just let me know what your opinion on this remark is.
Jakieboy!
Fandelem
12-11-2000, 08:20 PM
add a line in your portsentry.conf file that says:
TCP_PORTS="21,22,25,80,110"
then to open those ports up (i'm gonna do one example, just substitute the port numbers):
#Variables already set in pmfirewall.conf
#$REMOTENET=0/0
#$OUTERIP=Your internet address
#$OUTERIF=Your interface that connects to internet
#accept ANY traffic on port 21 [open to the public]
#(no port after -s: clients connect from an arbitrary source port, only the destination port 21 is matched)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERIP 21 -i $OUTERIF -j ACCEPT
regards,
~kyle
[This message has been edited by Fandelem (edited 11 December 2000).]
thanks much bro! i'm gonna try it and i'll be right back to post the results.
more power!
Originally posted by Fandelem:
> #Variables already set in pmfirewall.conf
> #$REMOTENET=0/0
> #$OUTERIP=Your internet address
> #$OUTERIF=Your interface that connects to internet
> #accept ANY traffic on port 21 [open to the public]
> #(no port after -s: clients connect from an arbitrary source port, only the destination port 21 is matched)
> $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERIP 21 -i $OUTERIF -j ACCEPT
i'm gonna put this one in my PMfirewall? and a separate rule for every port?
-flar-
[This message has been edited by flar (edited 11 December 2000).]
hey here's what i've done. i put TCP_PORTS="ports,that,i,want,to,listen,to" in the line in portsentry.conf, and removed the UDP_PORTS line. then i run PMfirewall to close ports that i don't use. am i right? or am i an idiot? (don't hesitate to tell me if i am) and lastly, if someone attempts to go through my box, which of the two will block him first? (hierarchy)
-flar-
p.s.
thanks fandelem
tko fx
12-12-2000, 12:13 AM
the reason portsentry needs to be run as root is simply because unprivileged users cannot open those loverly ports below 1024, hence the need to be root.
I hope this clears something up, and I hope someone didn't already answer the question!
Fandelem
12-12-2000, 12:30 AM
> then i run PMfirewall to close ports that i don't use. am i right? or am i an idiot? (don't hesitate to tell me if i am) and lastly, if someone attempts to go through my box, which of the two will block him first? (hierarchy)
Alright, first off, you use PMFirewall [after you have inserted a rule for EACH port you wanted to open, hope that answers one question] to open or close ports.. the very last thing PMFirewall will do is close off (deny) every other port..
pmfirewall (ipchains) will block first, then portsentry.
but here's the thing you need to understand (which I don't think you do, it's okay though, it took me some time to realize this too): when you think of portsentry as "ports that I want to listen to" - think of it as "ports that NO DAEMON is already listening on, which portsentry *can* listen on" (i.e. port 22, port 80, etc. would all HAVE a daemon (ssh, http), therefore portsentry *CAN'T* listen on them)
so, in other words [if you don't understand what I just said]: if you are running apache, running sshd, running ftpd, running telnetd, etc.. then portsentry *won't* work on these ports - and you will need to use IPCHAINS to filter or close these ports to the public. However, if you don't have any daemon running on these ports, then by all means, open them up via IPCHAINS and then have portsentry listen on them
hope this makes more sense?
~kyle
thanks! but i have one more question to ask.
what if i'll just close (using IPCHAINS) ports that are of no use on my system? (or have no DAEMON running) if that's ok
and lastly, when i ran nmap on my box to see what ports are open, i saw open ports that i didn't specify to be open, and i don't know what the purpose of these ports is. could you tell me what these are for?
e.g.
111/tcp open sunrpc
587/tcp open submission
691/tcp open unknown
2049/tcp open nfs
thanks in advance
-flar-
Fandelem
12-12-2000, 06:08 AM
> what if i'll just close (using IPCHAINS) ports that are of no use on my system? (or have no DAEMON running) if that's ok
interpreting this as best as I can: you mean just disable [or kill] the daemon so you don't have to worry about it? good idea. you should *always* take off what you aren't going to be using on a system :} if you mean something else, perhaps: using IPCHAINS to "close" off ports [to the outside world] is a smart thing to do - but you only need to be concerned with ports you have DAEMONs running on, because IPCHAINS will take care of the rest.
when you have a daemon running, let's take for instance, from your scan, 111/tcp (sunrpc) - it is open to *anyone* right then. I could issue a rpcinfo -p [your_ip] and could find out sensitive information.. so, what most people do, will be to either close or filter that port specifically (for every port [or range of ports, for example 6000:6100] you want to close/filter you *will* have to insert additional rules).
I have no clue what 587/tcp submission is, to find out any unknown port, issue:
fuser -v 691/tcp
and it will tell you what daemon is opening up that port
I believe you can close 111/tcp (sunrpc) [which you should consider!] by /etc/inetd.conf
if you're running NFS (2049/tcp) then you _really_ need to add an IPCHAINS rule to block outside stuff from getting into that port - if you don't need it, take it out - I'm not sure how to go about doing that, however.. maybe someone else can step in [never played around with NFS].
hope this helps,
~kyle
sorry if I didn't make myself clear, but let me try once more: any port that is open [from nmap, etc] is a security hazard, and isn't initially blocked by IPCHAINS [although using PMFirewall will aid you in this struggle to a certain degree]. Any port that *doesn't* show up from a scan, means that there is nothing running [daemon-wise] on that port, and you don't need to worry any further (because usually all IPCHAINS scripts [including pmfirewall] will have a generic DENY ALL at the end of your IPCHAINS ruleset). So when you are concerning yourself with IPCHAINS [for the most part], concern yourself with your open ports (on how to filter/close them off properly from the outside).
[This message has been edited by Fandelem (edited 12 December 2000).]
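The two layers described above (portsentry can only bind TCP_PORTS that no daemon holds; daemon ports like 111, 587, 691 and 2049 need ipchains rules, logged with -l) as an added, self-contained shell example. This is not code from the thread, PMfirewall or portsentry; the TCP_PORTS line and the list of daemon-bound ports are constructed sample data, and the rules use the PMfirewall variables quoted above with $OUTERIP as the destination, as in the ACCEPT rule.

```shell
#!/bin/sh
# Added example, not code from the thread or from PMfirewall/portsentry.
# It works through the point made above: portsentry can only bind the
# TCP_PORTS that no daemon already holds; daemon ports must be filtered
# by ipchains instead. Sample data is constructed so it runs offline.

# Constructed: the TCP_PORTS line as written in portsentry.conf.
PORTSENTRY_CONF='TCP_PORTS="21,22,25,80,110"'

# Constructed: ports a daemon already has bound (matches the nmap scan above).
LISTENING="22 80 111 587 691 2049"

# Returns 0 if port $1 appears in the whitespace-separated list $2.
in_list() {
    for item in $2; do [ "$1" = "$item" ] && return 0; done
    return 1
}

# Prints the TCP_PORTS list with commas turned into spaces.
tcp_ports() {
    printf '%s\n' "$PORTSENTRY_CONF" |
        sed -n 's/^TCP_PORTS="\([^"]*\)".*/\1/p' | tr ',' ' '
}

# $1 = "free" lists ports portsentry can bind; $1 = "busy" lists the ones a
# daemon already holds, where portsentry's bind would fail.
split_ports() {
    result=""
    for p in $(tcp_ports); do
        if in_list "$p" "$LISTENING"; then held=busy; else held=free; fi
        if [ "$held" = "$1" ]; then result="$result${result:+ }$p"; fi
    done
    printf '%s\n' "$result"
}

# ipchains rule text using the PMfirewall variables quoted in the thread.
# $1 = port, $2 = tcp|udp, $3 = ACCEPT|DENY; DENY rules get -l for logging.
ipchains_rule() {
    if [ "$3" = "DENY" ]; then log=" -l"; else log=""; fi
    printf '$IPCHAINS -A input -p %s -s $REMOTENET -d $OUTERIP %s -i $OUTERIF -j %s%s\n' \
        "$2" "$1" "$3" "$log"
}

# Show what each layer ends up handling.
echo "portsentry can watch: $(split_ports free)"
echo "daemon already bound: $(split_ports busy)"
for p in $(split_ports free); do ipchains_rule "$p" tcp ACCEPT; done
for p in 111 587 691 2049; do ipchains_rule "$p" tcp DENY; done
```

Ports reported as busy are the ones where portsentry's bind fails and only the ipchains DENY rule protects the daemon behind them.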
USER PID ACCESS COMMAND
691/tcp root 88 f.... rpc.mountd
USER PID ACCESS COMMAND
587/tcp root 1338 f.... sendmail
do i have to cut these off?
Fandelem
12-13-2000, 07:59 PM
Do you want to run sendmail or rpc?
I haven't worked with either - I know there are security holes in both, however, and most likely, you have versions that have the security holes :}
can someone else help flar from here?
fandelem. i put these rules in my PMfirewall. is this correct? or will it just mess up my system?
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 691 -i $OUTERIF -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 691 -i $OUTERIF -j DENY
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 587 -i $OUTERIF -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 587 -i $OUTERIF -j DENY
-flar-
Fandelem
12-13-2000, 08:07 PM
hehe, looks good- you may want to add -l to those (for logging) so you can see when people are trying to access them :}
good job on the ipchains commands :}
regards,
~kyle
i.e.:
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 587 -i $OUTERIF -j DENY -l
[This message has been edited by Fandelem (edited 13 December 2000).]
so it will go like this?
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 691 -i $OUTERIF -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 691 -i $OUTERIF -j DENY -l
oh!! hehehehe ok..
thanks FANDELEM!! you're the man!
[This message has been edited by flar (edited 13 December 2000).]
jemfinch
12-13-2000, 09:05 PM
Another main reason that portsentry can't be run as anything but uid 0 is because *nix only allows root to use SOCK_RAW, which is used by portsentry's more "advanced" features.
Jeremy
Fandelem
12-13-2000, 09:16 PM
hmm which features are those jem?
jemfinch
12-14-2000, 04:08 PM
For the "advanced stealth scan detection modes", SOCK_RAW is required. These scans are anomalies in TCP/IP communication, and as such, are handled by the kernel, rather than the application. In order to see these anomalies, Portsentry needs to listen with a SOCK_RAW rather than the standard tcp socket, SOCK_STREAM.
Jeremy