Portsentry
slapNUT
06-12-2001, 10:51 PM
OK I finally got Secure Design's (http://www.sdesign.net) port scan to work and it reported that I have 2 tcp ports open. I actually had to put their IP into portsentry.ignore because portsentry kept blocking them as soon as it started its scan. The scan reported tcp ports 631 and 6000 are open.
Now psionics portsentry says don't bind 6000 to portsentry or it will prevent X-client from starting properly. So I guess I have to leave that one alone? Is this a security risk?
What about tcp port 631? I don't see it even listed on the Secure Designs listing of common tcp ports. So what is it? Why is it open and accepting connections? Would it hurt to bind it to portsentry (thus blocking it from outside connections)?
Craig McPherson
06-12-2001, 11:16 PM
631 is listed in the Common Ports Database as the Internet Printing Protocol, but of course on your system it could be anything.
Do this to find out what process owns the port:
lsof -i :631
(Install lsof if you don't already have it installed.)
Oh yeah, don't forget to scan UDP ports, also, or you're missing half the picture.
Now, let me say that I consider Portsentry to be 100% useless if you actually care about security. It's a fun toy, but that's about ALL it is. If your goal is to detect portscans, Snort is much better at that. If your goal is to block access to certain ports from the outside world, a firewall is much better at that. In fact, I think the greatest danger of Portsentry is that it makes people think they don't need a firewall, then they get 0wn3d and wonder why. Ditch Portsentry, set up a firewall that blocks everything (including port 6000) from outside, and if you really WANT portscan/DoS logging (which isn't very useful - if your system is secure, it's pretty unproductive to watch 500 script kiddies fail to break in each day), use Snort, because it's much more intelligent than Portsentry.
slapNUT
06-13-2001, 03:14 AM
First of all the UDP ports. According to sdesign they determine an open UDP port when no response is received from a connect attempt. I can't get to sdesign right now, so I can't quote the reasoning behind this. But basically portsentry would drop all UDP scans and the ports would appear open when actually they are not. So I didn't do the UDP scan.
Now I would very much appreciate any enlightenment as to the useless attributes of portsentry. Believe it or not, Psionic, the makers of portsentry, have dubbed it the be-all end-all to internet security. Now we all know that a software company would never exaggerate their product... e.g. how many Win98 users were duped into buying WinME (this is sarcasm)? But this product is GPL'd so you gotta wonder. How is it bad that portsentry monitors tcp/udp connect attempts and blocks them? I bought Psionic's FUD and thought this was a good thing. But I know very little about internet security.
Craig McPherson
06-13-2001, 04:21 AM
First, let me say that Psionic has published some excellent security documentation. Some of their stuff on securing FTP servers, on services with frequent vulnerabilities, etc. is top notch.
They also publish Logcheck, which I simply could not live without. Many programs similar to it exist, but I like it best. It's not even a "security product" per se, just a program that checks lines of a text file against lines in another text file.
Anyway, about Portsentry. I'm not saying there's anything necessarily wrong with it. Okay, I could say that there ARE a few things wrong with it, but at the core, it's a program that doesn't need to exist. This is UNIX, for cripe's sakes. Do you really want to trust your security to a USERLAND security program rather than just using a frickin' firewall?
This is the fundamental evil of Portsentry -- it's a userland program, whereas a firewall lives in the kernel. Incoming packets arriving through your network interface have to traverse kernelspace before even being allowed to userland. Now, tell me which of these you'd rather do with unwanted packets:
1. Block the packets at the kernel level so that they never make it into userland.
2. Expend the resources necessary to pass the unwanted packets into user space where you *hope* they'll be blocked by some userland program that will *hopefully* be running when the unwanted packets arrive.
That's all I have to say about that.
Let me list the things that I believe are wrong with Portsentry:
A. It's a userland program -- see above.
B. In its "standard mode", it's an "evil port monitor" as security guru/lunatic calls it. While this isn't necessarily a bad thing IF the user understands what it means, it's not a GOOD thing either for most people.
C. Logging of unwanted packets. There are three major things wrong with this:
C1: First, this could be done at the kernel level without giving packets the dignity (and overhead) of being allowed into userland.
C2: Second, this creates overt paranoia in the user by spamming him with threatening-sounding information about events he effectively has control over. Anybody who's administered a firewall for a while has probably developed a healthy contempt for heavy logging: the attacks you see in your logs are attacks that *didn't* work, it's the stuff you don't see in your logs that you have to worry about. New administrators often panic during every portscan or routine security probe by every script kiddie, not yet realizing that the fact that they actually know about the attacks means that their security software is doing its job.
C3: For people who DO want to monitor and log attacks, Snort is a much better solution. It's an intelligent port scan/attack detector, it logs helpful messages like "Portscan still in progress from 123.123.123.123: (5215) TCP (3212) UDP ports scanned so far" instead of logging 7427 separate lines of useless information, one for each port scanned. It can also analyze the behavior of a security probe and say things like "This is nmap's FIN scan" or "They're trying a buffer overflow against BIND". I know I said there were only three, but...
C4: Because of the heavy and redundant logging that Portsentry does, /var bombing is much easier against a Portsentry computer. A few minutes of Portscanning can generate several megabytes of logs, and since Portsentry keeps logging attempted connections from a host even after it's denied connections from that host (call that C5, probably one of the dumbest things it does), an attacker can keep port scanning until he fills up your filesystem. If you don't have a separate /var partition, your system DIES when the filesystem fills up. /var bombing is still possible without Portsentry, certainly, but exploiting Portsentry's dumb logging is probably one of the fastest /var bombing techniques out there.
C5: (See above)
D: Retaliatory and blocking behavior. Portsentry is capable (and by default, does) of "blacklisting" machines that send even one single packet to a port it's monitoring. I could go on for several pages about why this is bad, but they primarily fall into two categories: misunderstandings, and spoofings.
D1: Misunderstandings. Portsentry is dumb. You connect to an IRC server. The IRC server sends you an IDENT request. Portsentry is watching the IDENT port, whether or not you know it. Oops. Now that IRC server is blacklisted, and any packets from the server you were trying to connect to are dropped. Oops.
D2: Spoofing. This is what makes Portsentry really useless as a security product unless you disable all its blocking and retaliation, which basically makes it a dumbed down version of Snort. Best example:
1. Someone sends a spoofed SYN packet to port 23 on your machine.
2. Portsentry is watching port 23 on your machine.
3. The spoofed IP address on the SYN packet is the IP address of your machine's Internet gateway.
4. Portsentry blacklists your Internet gateway.
5. Your machine has no more Internet connection!!!
Holy mother of pearl!! Do you not think that's a PROBLEM? Yes, you can add your gateway address and your nameservers and everything else you can think of to your portsentry.ignore file, but an attacker with even one computer can forge tens of thousands of IP addresses per hour, eventually cutting you off from all of the Internet! Portsentry is a fun toy for home systems, but on any kind of public server, it's a flat-out JOKE. If you have Portsentry doing any sort of blocking (which is why it exists), anybody who can forge an IP can cut your system off from any part of the Internet they choose.
That was all I was going to do, but let me do more...
E: "Standard mode" is USELESS because it can't watch ports that are already in use by a service. Wait a minute -- are you saying that Portsentry in standard mode can only protect UNOPENED PORTS??? That's like a lock that can only protect empty buildings or a gun that can only shoot innocent people. C'mon. I think "stealth" (cough, cough) mode is like that too, and I have no idea about "advanced" (cough, cough) mode.
F. It gives users a false sense of security. "Look, I'm using Portsentry, I'm a leet security guru!" People use it and they think they're safe. I used it for over a year before I figured out what it really was. As a former user, let me tell you: just don't bother. Use a firewall. Turn on logging in the firewall if you absolutely insist. Use Snort for more intelligent attack reporting -- and it can use promiscuous mode, and watch your entire network.
I can post some more tomorrow, if you like.
Please, someone defend Portsentry. Please, someone explain to me how people actually consider this a serious security tool. I MUST be missing something. Portsentry defenders, where are you?
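As an added illustration of points D2 and C4 above (example code written for this thread, not code from the forum or from Psionic's Portsentry), here is a toy Python model of a monitor that blacklists the source of any single packet to a watched port, beside a variant that reacts only once a TCP three-way handshake has completed; the addresses, watched ports, class names and traffic are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

GATEWAY = "192.0.2.1"          # constructed addresses from the RFC 5737 documentation range
SCANNER = "203.0.113.7"
WATCHED = {23, 111, 143}       # hypothetical set of ports the monitor binds

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    flags: str                 # "S" = SYN, "A" = the ACK that completes a handshake

class PerPacketBlocker:
    """Blacklists the source of any single packet to a watched port (unless ignored)."""
    def __init__(self, ignore=()):
        self.ignore, self.blocked = set(ignore), set()
        self.hits = defaultdict(int)   # one counter per host instead of one log line per packet

    def consider(self, pkt):
        if pkt.dport not in WATCHED or pkt.src in self.ignore:
            return
        self.hits[pkt.src] += 1
        self.blocked.add(pkt.src)      # a forged source address is trusted blindly here

class HandshakeBlocker(PerPacketBlocker):
    """Reacts only after the handshake completes: a forged source never receives
    our SYN-ACK, so it cannot send the ACK that finishes the exchange."""
    def __init__(self, ignore=()):
        super().__init__(ignore)
        self.pending = set()

    def consider(self, pkt):
        if pkt.dport not in WATCHED or pkt.src in self.ignore:
            return
        key = (pkt.src, pkt.dport)
        if pkt.flags == "S":
            self.pending.add(key)      # SYN seen; wait for the handshake to finish
        elif pkt.flags == "A" and key in self.pending:
            self.pending.discard(key)
            self.hits[pkt.src] += 1
            self.blocked.add(pkt.src)

def run(blocker, packets):
    for pkt in packets:
        blocker.consider(pkt)
    return blocker.blocked, dict(blocker.hits)

# Constructed traffic: a scanner that completes handshakes on every watched port,
# then one SYN whose source is forged to look like the gateway (steps 1-3 of the post).
TRAFFIC = [Packet(SCANNER, p, f) for p in sorted(WATCHED) for f in ("S", "A")]
TRAFFIC.append(Packet(GATEWAY, 23, "S"))

if __name__ == "__main__":
    print(run(PerPacketBlocker(), TRAFFIC))   # gateway ends up blocked (step 4)
    print(run(HandshakeBlocker(), TRAFFIC))   # only the scanner is blocked
```

The per-host counter also shows the cheaper alternative to C4's one-line-per-packet logging: the scanner's activity is summarised as a count rather than appended to the log on every packet.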
slapNUT
06-13-2001, 05:00 AM
Holy BaGebas man! Damb I thought I was state of the art Security Joe. Protecting my little home dial-up-network with the mighty portsentry. OK I'm gonna look into this newfangled firewall business.
Well I hate to appear even stupider than I already do but what about ZoneAlarm for Windows? Worthless? SemiWorthless? Quazilessworth?
Craig McPherson
06-13-2001, 03:12 PM
Does anybody want to speak up for Portsentry? Please do... I promise I won't call you a Communist or a child-molester like I usually do when I disagree with somebody.
(I promise I'll try, at least.)
ZoneAlarm is actually pretty cool if all you have is a Windows machine. It starts out by denying EVERYTHING in/out, then whenever an application tries to send data out of your machine, Zonealarm traps it and asks you if it's okay with you. Whenever a program wants to bind a port open, Zonealarm traps it and asks you if it's okay. Pretty decent. Of course, security on Windows is a completely different animal than on UNIX. On UNIX, your biggest concern is usually having exploitable services open to the world. On Windows, being more of a consumer/client OS, your biggest concern is viruses and trojans. Zonealarm can help defend against trojans that try to open a port on your computer and/or communicate back to their owner, but a smart Trojan will kill Zonealarm before it engages in any network activity.
justlinux.com