{"id":1322,"date":"2016-09-12T10:49:30","date_gmt":"2016-09-12T08:49:30","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=1322"},"modified":"2020-10-31T10:27:18","modified_gmt":"2020-10-31T09:27:18","slug":"portsentry-un-valido-aiuto-al-firewall","status":"publish","type":"post","link":"http:\/\/clark.tipistrani.it\/?p=1322","title":{"rendered":"Portsentry un valido aiuto al firewall"},"content":{"rendered":"

Rifacendomi a questo articolo<\/a> e vedendo che la faccenda continua e si \u00e8 spostata sulla porta superiore e quindi vogliono proprio sfondarmi ho deciso di passare al pi\u00f9 presto possibile all’autenticazione ssh con certificati, una “breve” burocrazia e al pi\u00f9 presto possibile lo far\u00f2.
\nPer il momento per\u00f2 ho deciso di rendere ancora pi\u00f9 difficile la vita a quel\/quei “CENSURA” che hanno deciso di rovinarmi la macchina.
\nRiflettendo sul come rompere le scatole ai rompiscatole m’\u00e8 venuto in mente il buon vecchio portsentry.
\nPortsentry nato in psionic.com assorbita poi da Cisco, \u00e8 un programma che analizza le scansioni delle porte e quindi a seconda di come \u00e8 istruito reagisce di conseguenza.
\nAl solito parliamo di macchina Debian in questo caso una oldstable (7.x) e quindi apt-get install portsentry che si porta dietro le dipendenze relative.
\nPer default portsentry non blocca nulla bisogna istruirlo su cosa fare e, al solito la directory dove ci sono le configurazioni \u00e8 \/etc\/ in cui si trova la subdirectory portsentry.
\nAll’interno ci sono 3 files
\nportsentry.conf che contiene tutte le configurazioni e che \u00e8 il file su cui lavorare.
\nportsentry.ignore che viene generato dinamicamente
\nportsentry.ignore.static dovve aggiungere quegli IP\/classi che non devono essere processati.
\nVediamo In breve come configurare i parametri in portsentry.conf<\/p>\n

#######################
\n# Port Configurations #
\n#######################
\n# Un-comment these if you are really anal:
\nTCP_PORTS=”1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320″
\nUDP_PORTS=”1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321″
\n#
\n# Use these if you just want to be aware:
\n#TCP_PORTS=”1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320″
\n#UDP_PORTS=”1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321″
\n#
\n# Use these for just bare-bones
\n#TCP_PORTS=”1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320″
\n#UDP_PORTS=”1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321″
\n###########################################
\n# Advanced Stealth Scan Detection Options #
\n###########################################
\nADVANCED_PORTS_TCP=”1024″
\nADVANCED_PORTS_UDP=”1024″
\n# Default TCP ident and NetBIOS service
\nADVANCED_EXCLUDE_TCP=”113,139″
\n# Default UDP route (RIP), NetBIOS, bootp broadcasts.
\nADVANCED_EXCLUDE_UDP=”520,138,137,67″
\n######################
\n# Configuration Files#
\n######################
\n#
\n# Hosts to ignore
\nIGNORE_FILE=”\/etc\/portsentry\/portsentry.ignore”
\n# Hosts that have been denied (running history)
\nHISTORY_FILE=”\/var\/lib\/portsentry\/portsentry.history”
\n# Hosts that have been denied this session only (temporary until next restart)
\nBLOCKED_FILE=”\/var\/lib\/portsentry\/portsentry.blocked”<\/p>\n

##############################
\n# Misc. Configuration Options#
\n##############################
\n#
\n# DNS Name resolution – Setting this to “1” will turn on DNS lookups
\n# for attacking hosts. Setting it to “0” (or any other value) will shut
\n# it off.
\nRESOLVE_HOST = “1”<\/p>\n

##################
\n# Ignore Options #
\n##################
\n# 0 = Do not block UDP\/TCP scans.
\n# 1 = Block UDP\/TCP scans.
\n# 2 = Run external command only (KILL_RUN_CMD)<\/p>\n

BLOCK_UDP=”1″
\nBLOCK_TCP=”1″<\/p>\n

###################
\n# Dropping Routes:#
\n###################
\n# This command is used to drop the route or add the host into
\n# a local filter table.
\n#
\n# The gateway (333.444.555.666) should ideally be a dead host on
\n# the *local* subnet. On some hosts you can also point this at
\n# localhost (127.0.0.1) and get the same effect. NOTE THAT
\n# 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
\n#
\n# ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
\n# uncomment the correct line for your OS. If you OS is not listed
\n# here and you have a route drop command that works then please
\n# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
\n# CAN BE USED AT A TIME SO DON’T UNCOMMENT MULTIPLE LINES.
\n#
\n# NOTE: The route commands are the least optimal way of blocking
\n# and do not provide complete protection against UDP attacks and
\n# will still generate alarms for both UDP and stealth scans. I
\n# always recommend you use a packet filter because they are made
\n# for this purpose.
\n# iptables support for Linux with limit and LOG support. Logs only
\n# a limited number of packets to avoid a denial of service attack.
\nKILL_ROUTE=”\/sbin\/iptables -I INPUT -s $TARGET$ -j DROP && \/sbin\/iptables -I INPUT -s $TARGET$ -m limit –limit 3\/minute –limit-burst 5 -j LOG –log-level DEBUG –log-prefix ‘Portsentry: dropping: ‘”<\/p>\n

###
\n# TCP Wrappers#
\n###############
\n# This text will be dropped into the hosts.deny file for wrappers
\n# to use. There are two formats for TCP wrappers:
\nKILL_HOSTS_DENY=”ALL: $TARGET$ : DENY”
\n###################
\n# External Command#
\n###################
\n# This is a command that is run when a host connects, it can be whatever
\n# you want it to be (pager, etc.). This command is executed before the
\n# route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
\nKILL_RUN_CMD_FIRST = “0”
\n# for examples see \/usr\/share\/doc\/portsentry\/examples\/
\nKILL_RUN_CMD=”\/usr\/local\/bin\/scan-detect
\n#####################
\n# Scan trigger value#
\n#####################
\n# Enter in the number of port connects you will allow before an
\n# alarm is given. The default is 0 which will react immediately.
\n# A value of 1 or 2 will reduce false alarms. Anything higher is
\n# probably not necessary. This value must always be specified, but
\n# generally can be left at 0.
\n#
\n# NOTE: If you are using the advanced detection option you need to
\n# be careful that you don’t make a hair trigger situation. Because
\n# Advanced mode will react for *any* host connecting to a non-used
\n# port below your specified range, you have the opportunity to
\n# really break things. (i.e someone innocently tries to connect to
\n# you via SSL [TCP port 443] and you immediately block them). Some
\n# of you may even want this though. Just be careful.
\n#
\nSCAN_TRIGGER=”0″
\nridotto questo \u00e8 il file di configurazione.
\nAdesso il passo successivo e’ quello di modificare in \/etc\/default da tcp e udp in atcp e audp in modo da portare il funzionamento in modo avanzato\/reverse (man portsentry per un approfondimento).
\nUltimo step, in \/etc\/portsentry\/portsentry.ignore.static andiamo ad aggiungere uno per riga
\nIP.Di.Casa.per.connessione.remota
\n1\u00b0 IP.DI.CHI.ci.fa.assistenza
\n2\u00b0 IP.DI.CHI.ci.fa.assistenza
\nquesto perch\u00e8 pu\u00f2 essere utile dare il permesso a qualcuno di fare scansione per capire cosa succede in caso di problemi
\n\/etc\/init.d\/portsentry restart e il gioco \u00e8 fatto.
\nIn seguito ad un nmap in syslog possiamo trovare qualcosa di simile:<\/p>\n

Sep 10 16:11:33 sangiorgio portsentry[4077]: attackalert: TCP SYN\/Normal scan from host: 10.9.8.8\/10.9.8.8 to TCP port: 135 Sep 10 16:11:33 sangiorgio portsentry[4077]: attackalert: Ignoring TCP response per configuration file setting. Sep 10 16:11:33 sangiorgio portsentry[4077]: attackalert: TCP SYN\/Normal scan from host: 10.9.8.8\/10.9.8.8 to TCP port: 53 Sep 10 16:11:33 sidlol portsentry[4077]: attackalert: Host: 10.9.8.8\/10.9.8.8 is already blocked Ignoring
\ne facendo un cat di \/etc\/hosts.deny troveremo
\n...
\n<\/code><\/p>\n

ALL: 10.9.8.8 : DENY<\/pre>\n
Quindi adesso il rompiscatole di turno ha la vita un po pi\u00f9 difficile, e io un po meno patema d’animo.<\/p>\n
\u00a0<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"
Rifacendomi a questo articolo e vedendo che la faccenda continua e si \u00e8 spostata sulla porta superiore e quindi vogliono proprio sfondarmi ho deciso di passare al pi\u00f9 presto possibile all’autenticazione ssh con certificati, una “breve” burocrazia e al pi\u00f9 presto possibile lo far\u00f2. Per il momento per\u00f2 ho deciso di rendere ancora pi\u00f9 difficile […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[110,8,14,6],"tags":[112,103],"class_list":["post-1322","post","type-post","status-publish","format-standard","hentry","category-ids","category-linux","category-networking","category-work","tag-ids","tag-iptables"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1322"}],"version-history":[{"count":4,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1322\/revisions"}],"predecessor-version":[{"id":1326,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1322\/revisions\/1326"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1322"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}