Commonsense Preventive Measures


Detecting Attacks in Progress: Intrusion Detection

Not only are there tools for limiting network access, but there are also tools for detecting an attack in progress. These are known as intrusion detection tools. We will look at Tripwire, Snort (together with its HenWen front end), and PortSentry.

Tripwire

Tripwire is a utility that monitors the integrity of important files or directories. It stores information in a database about files and directories that you've specified. You can then use Tripwire to check whether there have been any changes to your files. It checks the current state of the files against the information in its database.

There is an open source version of Tripwire available at http://sourceforge.net/projects/tripwire/. A patched version that runs on Mac OS X is available at http://www.frenchfries.net/paul/tripwire/. This is the version that we discuss. If you are interested in learning more about Tripwire, you might also check the commercial site, which unfortunately does not include a Mac OS X version, at http://www.tripwire.com/.

Remember that Tripwire can only detect changes made after its database was built; it cannot tell you about modifications that were already in place when you took the baseline. If you have any doubts about the system's current integrity, reinstall the operating system from trusted media and install Tripwire before the machine goes back on the network.

Download the patched version of Tripwire and compile it using the standard:

 ./configure
 make
 make install

Note that you will need root privileges to install the package. During the installation you will be asked to create a site key and a local key by choosing a good passphrase for each. The installation script recommends that each passphrase include uppercase and lowercase letters as well as numbers and punctuation, for a length of at least eight characters. Don't forget your site and local passphrases: the site key signs the configuration and policy files, the local key signs the database and reports, and Tripwire prompts for one or the other whenever you change those files. Keep the passphrases somewhere other than the machine Tripwire is protecting.

Tripwire comes with two main files: a configuration file and a policy file. Clear text versions of the files are included, but Tripwire itself uses binary versions of these files. The configuration file contains basic configuration information regarding the Tripwire software, whereas the policy file contains the information on how you want Tripwire to behave. The patched version of Tripwire installs these files in /usr/local/etc. The default /usr/local/etc/twcfg.txt file is shown next:

 ROOT          =/usr/local/sbin
 POLFILE       =/usr/local/etc/tw.pol
 DBFILE        =/usr/local/lib/tripwire/$(HOSTNAME).twd
 REPORTFILE    =/usr/local/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
 SITEKEYFILE   =/usr/local/etc/site.key
 LOCALKEYFILE  =/usr/local/etc/dogbone-local.key
 EDITOR        =/usr/bin/vi
 LATEPROMPTING =false
 LOOSEDIRECTORYCHECKING =false
 MAILNOVIOLATIONS =true
 EMAILREPORTLEVEL =3
 REPORTLEVEL   =3
 MAILMETHOD    =SENDMAIL
 SYSLOGREPORTING =false
 MAILPROGRAM   =/usr/sbin/sendmail -oi -t

A couple of the more interesting items in this file are the LOOSEDIRECTORYCHECKING and SYSLOGREPORTING settings. Whenever a file is added, removed, or modified, Tripwire reports the change to the file and also a change to the directory that contains it (its size, modification time, and so on), which produces redundant items in a report; you can see this in the sample reports later in this section, where /usr/local/etc is listed as modified alongside the new /usr/local/etc/tw.pol.bak. Setting LOOSEDIRECTORYCHECKING to true tells Tripwire not to check directories for the properties that change whenever an entry is added or removed, which removes the redundancy; the default, false, keeps the directory entries. Also false by default is SYSLOGREPORTING. You might ultimately want it off, but while you are setting up Tripwire you will probably find it useful to have its activity logged to the system log. With this variable set to true, Tripwire writes a one-line summary of each database initialization, integrity check, and policy update to syslog, which on Mac OS X ends up in /var/log/system.log. MAILNOVIOLATIONS is also worth leaving at true: a daily report that says nothing changed is how you know the cron job is still running. If there are any settings you would like to change here, change them. Then generate the signed configuration file by running:

 dogbone:/usr/local/etc root# /usr/local/sbin/twadmin --create-cfgfile -S /usr/local/etc/site.key /usr/local/etc/twcfg.txt
 Please enter your site passphrase:
 Wrote configuration file: /usr/local/etc/tw.cfg

The clear text version of the policy file is /usr/local/etc/twpol.txt. This is quite an extensive document, and the comments in the sample file describe its syntax. In it you specify the directories or files Tripwire should check and what kind of checking it should do. The basic form of a rule is

 <object> -> <property mask> ;

for example /bin -> $(ReadOnly) ;. The sample twpol.txt provides a rather detailed description of the available property flags and of the modifiers you can attach to an object, and the twpolicy man page gives even more detail. Basically, there is a flag for each thing Tripwire can check: permissions, user ID, group ID, size, access time, modification time, inode change time, content hashes, and so on. There are also template definitions (ReadOnly, Dynamic, Growing, IgnoreAll, and IgnoreNone, among others) for common combinations of flags. You can assign a template to a file or directory, assign individual flags, or combine a template with instructions to ignore something it checks (a minus sign before the flag) or to check something it ignores (a plus sign). The default file contains entries that are more suitable to a basic Mac OS X 10.3 or earlier installation. To get a feel for how to work with twpol.txt, run Tripwire with the default policy file first and then update the policy; that gives you basic experience with the update cycle. Then, if you like, you can experiment with more sophisticated changes to the policy file.

Tripwire has five modes: database initialization, integrity checking, database update, policy update, and test. Before you can use Tripwire, you have to generate, or initialize, the database. You do this by running

 /usr/local/sbin/tripwire --init

or

 /usr/local/sbin/tripwire -m i

Initializing the database with the default twpol.txt file yields the following on my system:

 dogbone:/usr/local/etc root# /usr/local/sbin/tripwire --init
 Please enter your local passphrase:
 Parsing policy file: /usr/local/etc/tw.pol
 Generating the database...
 *** Processing Unix File System ***
 ### Warning: File system error.
 ### Filename: /usr/local/etc/local.key
 ### No such file or directory
 ### Continuing...
 ### Warning: File system error.
 ### Filename: /private/var/db/prebindOnDemandBadFiles
 ### No such file or directory
 ### Continuing...
 ### Warning: File system error.
 ### Filename: /private/var/msgs/bounds
 ### No such file or directory
 ### Continuing...
 ### Warning: File system error.
 ### Filename: /private/var/spool/lock
 ### No such file or directory
 ### Continuing...
 ### Warning: File system error.
 ### Filename: /Applications (Mac OS 9)
 ### No such file or directory
 ### Continuing...
 ### Warning: File system error.
 ### Filename: /System Folder
 ### No such file or directory
 ### Continuing...
 ### Warning: File system error.
 ### Filename: /System Folder/Extensions
 ### No such file or directory
 ### Continuing...
 ### Warning: File system error.
 ### Filename: /System Folder/Clipboard
 ### No such file or directory
 ### Continuing...
 ### Warning: File system error.
 ### Filename: /private/var/spool/clientmqueue
 ### No such file or directory
 ### Continuing...
 ### Warning: File system error.
 ### Filename: /System Folder/Preferences
 ### No such file or directory
 ### Continuing...
 ### Warning: File system error.
 ### Filename: /System Folder/Apple Menu Items
 ### No such file or directory
 ### Continuing...
 Wrote database file: /usr/local/lib/tripwire/dogbone.twd
 The database was successfully generated.

Note that you have to enter your local passphrase to initialize the database. Also note that on my system the default policy checks a number of files that do not exist. I can reduce the number of warnings by editing twpol.txt and updating the policy. My system does not have any of the Classic environment files, and the default policy lists the wrong local key file: it checks for /usr/local/etc/local.key rather than /usr/local/etc/dogbone-local.key, the file named by LOCALKEYFILE in the configuration.

After making changes to the twpol.txt file, the updated policy can be implemented by running

 /usr/local/sbin/tripwire --update-policy -Z low /usr/local/etc/twpol.txt

or

 /usr/local/sbin/tripwire -m p -Z low /usr/local/etc/twpol.txt 

Do expect your Tripwire actions to take a bit of time to run; each one walks every object named in the policy. The -Z option sets the security mode of the policy update. In the default mode, high, if the check that runs as part of the update finds objects that no longer match the database, Tripwire prints the list of violations and stops without changing the policy or the database. In low security mode it reports the violations as warnings and goes ahead with the update anyway, so use low only while you are still tuning the policy and know why the files differ.

When you are satisfied with your basic configuration and policy files, run an integrity check by running

 /usr/local/sbin/tripwire --check

or

 /usr/local/sbin/tripwire -m c
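To make the initialize-then-check cycle concrete, here is a miniature Tripwire in Python, added as an illustration for this section. It is not Tripwire's code: its database format and property letters are this example's own, loosely modelled on Tripwire's, and the local key is a constructed stand-in. It baselines a constructed bin directory, signs the database, then tampers with the files and runs the check.

```python
"""Miniature Tripwire, as an illustration: take a signed baseline of file
properties (the --init step), then compare the live files against it (--check)."""
import hashlib
import hmac
import json
import os
import shutil
import stat
import tempfile

# Property letters follow Tripwire's own: p=permissions, u=uid, g=gid, s=size,
# m=mtime, S=SHA-1 of the content. Only this subset is implemented here.
PROPS = {
    "p": lambda st: oct(stat.S_IMODE(st.st_mode)),
    "u": lambda st: st.st_uid,
    "g": lambda st: st.st_gid,
    "s": lambda st: st.st_size,
    "m": lambda st: int(st.st_mtime),
}
DEFAULT_MASK = "pugsmS"

def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(path, mask):
    """Record the properties named in mask for one object (one policy rule)."""
    st = os.lstat(path)
    props = {k: f(st) for k, f in PROPS.items() if k in mask}
    if "S" in mask and stat.S_ISREG(st.st_mode):
        props["S"] = sha1_of(path)
    return props

def scan(policy):
    """policy maps a directory or file to a property mask; walk everything under it."""
    seen = {}
    for root, mask in policy.items():
        if os.path.isfile(root):
            seen[root] = snapshot(root, mask)
        for d, _, files in os.walk(root):
            for name in files:
                p = os.path.join(d, name)
                seen[p] = snapshot(p, mask)
    return seen

def init_db(policy, local_key):
    """Database generation. The database is signed with the local key, so an
    intruder who can overwrite the file cannot hand us a forged 'clean' baseline."""
    db = scan(policy)
    body = json.dumps(db, sort_keys=True).encode()
    sig = hmac.new(local_key, body, hashlib.sha256).hexdigest()
    return json.dumps({"db": db, "sig": sig}).encode()

def load_db(blob, local_key):
    doc = json.loads(blob)
    body = json.dumps(doc["db"], sort_keys=True).encode()
    expect = hmac.new(local_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, doc["sig"]):
        raise ValueError("database signature invalid: tampered, or wrong local key")
    return doc["db"]

def check(policy, blob, local_key):
    """Integrity check: objects added, removed or modified since the database was built."""
    old, new = load_db(blob, local_key), scan(policy)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Baseline a constructed bin directory, tamper with it, check. Returns the findings."""
    top = tempfile.mkdtemp()
    try:
        bindir = os.path.join(top, "bin")
        os.mkdir(bindir)
        for name in ("ls", "sh"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original " + name.encode())
        policy = {bindir: DEFAULT_MASK}
        key = b"constructed local passphrase"   # a stand-in; never hard-code a real one
        db = init_db(policy, key)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"trojaned ls")             # replaced binary, same size as the original
        with open(os.path.join(bindir, "rootkit"), "wb") as f:
            f.write(b"dropped file")
        os.remove(os.path.join(bindir, "sh"))
        report = check(policy, db, key)
        try:
            check(policy, db, b"wrong key")     # a forged or re-keyed database must be rejected
            report["signature_enforced"] = False
        except ValueError:
            report["signature_enforced"] = True
        for k in ("added", "removed", "modified"):
            report[k] = [os.path.relpath(p, top) for p in report[k]]
        return report
    finally:
        shutil.rmtree(top)
```

Two details are deliberate. The replacement ls is the same length as the original and written within the same second, so a mask of only size and mtime would miss it; the content hash is what catches it, which is why Tripwire's ReadOnly template includes hashes. And the check refuses a database whose signature does not verify, which is the property the local key gives you: an intruder who can overwrite the .twd file still cannot produce one that says "no changes".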

Here is a sample integrity check that shows no changes of particular concern. This was run after changing the policy and machine location.

 dogbone:/usr/local/etc root# /usr/local/sbin/tripwire --check
 Parsing policy file: /usr/local/etc/tw.pol
 *** Processing Unix File System ***
 Performing integrity check...
 Wrote report file: /usr/local/lib/tripwire/report/dogbone-20050425-084515.twr

 Tripwire(R) 2.3.0 Integrity Check Report

 Report generated by:          root
 Report created on:            Mon Apr 25 20:45:15 2005
 Database last updated on:     Sun Apr 24 23:49:42 2005

 ===============================================================================
 Report Summary:
 ===============================================================================

 Host name:                    dogbone
 Host IP address:              Unknown IP
 Host ID:                      None
 Policy file used:             /usr/local/etc/tw.pol
 Configuration file used:      /usr/local/etc/tw.cfg
 Database file used:           /usr/local/lib/tripwire/dogbone.twd
 Command line used:            /usr/local/sbin/tripwire --check

 ===============================================================================
 Rule Summary:
 ===============================================================================

 -------------------------------------------------------------------------------
   Section: Unix File System
 -------------------------------------------------------------------------------

   Rule Name                       Severity Level    Added    Removed  Modified
   ---------                       --------------    -----    -------  --------
 * Usr Local Files                 60                1        0        1
   Tripwire Binaries               100               0        0        0
 * Tripwire Data Files             100               1        0        2
   OS Binaries and Libraries       100               0        0        0
 * OS Boot and Configuration Files 100               1        0        2
 * Variable System Files           60                0        0        4
   Variable System Files           100               0        0        0
   Running Services                60                0        0        0
   (/private/var/run)
   Mount Points                    60                0        0        0
   System Devices                  60                0        0        0
   (/dev)
   Home Directories                60                0        0        0
   (/Users)

 Total objects scanned:  141251
 Total violations found:  12

 ===============================================================================
 Object Summary:
 ===============================================================================

 -------------------------------------------------------------------------------
 # Section: Unix File System
 -------------------------------------------------------------------------------

 -------------------------------------------------------------------------------
 Rule Name: Tripwire Data Files (/usr/local/lib/tripwire)
 Severity Level: 100
 -------------------------------------------------------------------------------

 Added:
 "/usr/local/lib/tripwire/dogbone.twd.bak"

 Modified:
 "/usr/local/lib/tripwire"

 -------------------------------------------------------------------------------
 Rule Name: Usr Local Files (/usr/local/etc)
 Severity Level: 60
 -------------------------------------------------------------------------------

 Added:
 "/usr/local/etc/tw.pol.bak"

 Modified:
 "/usr/local/etc"

 -------------------------------------------------------------------------------
 Rule Name: Tripwire Data Files (/usr/local/etc/tw.pol)
 Severity Level: 100
 -------------------------------------------------------------------------------

 Modified:
 "/usr/local/etc/tw.pol"

 -------------------------------------------------------------------------------
 Rule Name: OS Boot and Configuration Files (/private/etc)
 Severity Level: 100
 -------------------------------------------------------------------------------

 Added:
 "/private/etc/appletalk.cfg"

 Modified:
 "/private/etc"
 "/private/etc/printcap"

 -------------------------------------------------------------------------------
 Rule Name: Variable System Files (/private/var)
 Severity Level: 60
 -------------------------------------------------------------------------------

 Modified:
 "/private/var"
 "/private/var/slp.regfile"

 -------------------------------------------------------------------------------
 Rule Name: Variable System Files (/private/var/tmp)
 Severity Level: 60
 -------------------------------------------------------------------------------

 Modified:
 "/private/var/tmp"

 -------------------------------------------------------------------------------
 Rule Name: Variable System Files (/private/var/spool/cups)
 Severity Level: 60
 -------------------------------------------------------------------------------

 Modified:
 "/private/var/spool/cups"

 ===============================================================================
 Error Report:
 ===============================================================================

 No Errors

 -------------------------------------------------------------------------------
 *** End of report ***

 Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
 trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
 for details use --version. This is free software which may be redistributed
 or modified only under certain conditions; see COPYING for details.
 All rights reserved.
 Integrity check complete.

Here is a sample integrity check that shows an unexpected file modification:

 dogbone:/usr/local/etc root# /usr/local/sbin/tripwire --check
 Parsing policy file: /usr/local/etc/tw.pol
 *** Processing Unix File System ***
 Performing integrity check...
 Wrote report file: /usr/local/lib/tripwire/report/dogbone-20050425-094933.twr

 Tripwire(R) 2.3.0 Integrity Check Report

 Report generated by:          root
 Report created on:            Mon Apr 25 21:49:33 2005
 Database last updated on:     Sun Apr 24 23:49:42 2005

 ===============================================================================
 Report Summary:
 ===============================================================================

 Host name:                    dogbone
 Host IP address:              Unknown IP
 Host ID:                      None
 Policy file used:             /usr/local/etc/tw.pol
 Configuration file used:      /usr/local/etc/tw.cfg
 Database file used:           /usr/local/lib/tripwire/dogbone.twd
 Command line used:            /usr/local/sbin/tripwire --check

 ===============================================================================
 Rule Summary:
 ===============================================================================

 -------------------------------------------------------------------------------
   Section: Unix File System
 -------------------------------------------------------------------------------

   Rule Name                       Severity Level    Added    Removed  Modified
   ---------                       --------------    -----    -------  --------
 * Usr Local Files                 60                1        0        1
   Tripwire Binaries               100               0        0        0
 * Tripwire Data Files             100               1        0        3
 * OS Binaries and Libraries       100               0        0        2
 * OS Boot and Configuration Files 100               1        0        2
 * Variable System Files           60                0        0        7
   Variable System Files           100               0        0        0
   Running Services                60                0        0        0
   (/private/var/run)
   Mount Points                    60                0        0        0
   System Devices                  60                0        0        0
   (/dev)
   Home Directories                60                0        0        0
   (/Users)

 Total objects scanned:  141251
 Total violations found:  18

 ===============================================================================
 Object Summary:
 ===============================================================================

 -------------------------------------------------------------------------------
 # Section: Unix File System
 -------------------------------------------------------------------------------

 -------------------------------------------------------------------------------
 Rule Name: Tripwire Data Files (/usr/local/lib/tripwire)
 Severity Level: 100
 -------------------------------------------------------------------------------

 Added:
 "/usr/local/lib/tripwire/dogbone.twd.bak"

 Modified:
 "/usr/local/lib/tripwire"

 -------------------------------------------------------------------------------
 Rule Name: Usr Local Files (/usr/local/etc)
 Severity Level: 60
 -------------------------------------------------------------------------------

 Added:
 "/usr/local/etc/tw.pol.bak"

 Modified:
 "/usr/local/etc"

 -------------------------------------------------------------------------------
 Rule Name: Tripwire Data Files (/usr/local/etc/tw.pol)
 Severity Level: 100
 -------------------------------------------------------------------------------

 Modified:
 "/usr/local/etc/tw.pol"

 -------------------------------------------------------------------------------
 Rule Name: OS Boot and Configuration Files (/private/etc)
 Severity Level: 100
 -------------------------------------------------------------------------------

 Added:
 "/private/etc/appletalk.cfg"

 Modified:
 "/private/etc"
 "/private/etc/printcap"

 -------------------------------------------------------------------------------
 Rule Name: Variable System Files (/private/var)
 Severity Level: 60
 -------------------------------------------------------------------------------

 Modified:
 "/private/var"
 "/private/var/root"
 "/private/var/root/.viminfo"
 "/private/var/slp.regfile"

 -------------------------------------------------------------------------------
 Rule Name: Variable System Files (/private/var/db)
 Severity Level: 60
 -------------------------------------------------------------------------------

 Modified:
 "/private/var/db/shadow/hash/7F79E4B7-8239-48F1-BE5C-C0E8DEE478B9.state"

 -------------------------------------------------------------------------------
 Rule Name: OS Binaries and Libraries (/bin)
 Severity Level: 100
 -------------------------------------------------------------------------------

 Modified:
 "/bin"
 "/bin/ls"

 -------------------------------------------------------------------------------
 Rule Name: Tripwire Data Files (/usr/local/lib/tripwire/report)
 Severity Level: 100
 -------------------------------------------------------------------------------

 Modified:
 "/usr/local/lib/tripwire/report"

 -------------------------------------------------------------------------------
 Rule Name: Variable System Files (/private/var/tmp)
 Severity Level: 60
 -------------------------------------------------------------------------------

 Modified:
 "/private/var/tmp"

 -------------------------------------------------------------------------------
 Rule Name: Variable System Files (/private/var/spool/cups)
 Severity Level: 60
 -------------------------------------------------------------------------------

 Modified:
 "/private/var/spool/cups"

 ===============================================================================
 Error Report:
 ===============================================================================

 No Errors

 -------------------------------------------------------------------------------
 *** End of report ***

 Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
 trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
 for details use --version. This is free software which may be redistributed
 or modified only under certain conditions; see COPYING for details.
 All rights reserved.
 Integrity check complete.

You'll have to run integrity checks regularly to get a feel for what types of modifications occur routinely on your system. In this report, notice that /bin/ls has been modified. That is a file we would not ordinarily expect to change, except as a result of a system update, and a replaced ls is exactly how a user-level rootkit hides its own files, which is why the default policy puts /bin under a severity-100 rule. If you weren't expecting this change, you should be suspicious. The same report also lists root's .viminfo and a file under /private/var/db/shadow/hash as modified; if you were editing files as root with vi around that time, those are probably yours, but correlate every severity-100 item with something you know you did before you accept it.

To make Tripwire useful, you should run it regularly. The easiest way to do so is to run tripwire --check from a daily cron job as root and have the results mailed to you. The test mode (tripwire --test --email your-address) sends a test message so that you can confirm MAILMETHOD and MAILPROGRAM work before you rely on them. Even if you don't have the results emailed to you, you can always read a saved report with twprint, for example twprint --print-report --twrfile /usr/local/lib/tripwire/report/dogbone-20050425-094933.twr. Bear in mind that an intruder with root can alter anything on the machine, including Tripwire itself. The database and policy are signed with your keys, so forging them requires the passphrases, but if you want the check to mean anything after a full compromise, keep copies of the tripwire binaries and the database on read-only media and run the check from there.

If you enabled syslogging, expect entries like this to appear in /var/log/system.log:

 Apr 24 22:47:32 dogbone tripwire[1137]: Database initialized: /usr/local/lib/tripwire/dogbone.twd
 Apr 24 23:23:13 dogbone tripwire[1205]: Integrity Check Complete: /usr/local/lib/tripwire/dogbone.twd TWReport dogbone 20050424230146 V:16 S:100 A:1 R:10 C:5
 Apr 25 00:15:01 dogbone tripwire[1292]: Policy Update Complete: /usr/local/lib/tripwire/dogbone.twd
 Apr 25 21:08:33 dogbone tripwire[1412]: Integrity Check Complete: /usr/local/lib/tripwire/dogbone.twd TWReport dogbone 20050425084515 V:12 S:100 A:3 R:0 C:9
 Apr 25 22:14:07 dogbone tripwire[1483]: Integrity Check Complete: /usr/local/lib/tripwire/dogbone.twd TWReport dogbone 20050425094933 V:18 S:100 A:3 R:0 C:15
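Once SYSLOGREPORTING is on, those lines are something you can act on automatically. The following Python script is added here as an illustration and is not part of Tripwire: it parses the TWReport summaries (V is the violation count, S the highest severity hit, A/R/C the added, removed, and changed counts), separates clean runs from runs that touched a severity-100 rule, and for the latter builds the twprint command that prints the full report. The sample lines are constructed in the same format as the ones above, and the report directory is taken from the REPORTFILE setting in twcfg.txt.

```python
"""Triage Tripwire's syslog lines: parse each TWReport summary and decide
which reports need a human to read them with twprint."""
import re

# Constructed lines in the format shown above (they are not from a real host).
SAMPLE_SYSLOG = """\
Apr 24 22:47:32 dogbone tripwire[1137]: Database initialized: /usr/local/lib/tripwire/dogbone.twd
Apr 25 00:15:01 dogbone tripwire[1292]: Policy Update Complete: /usr/local/lib/tripwire/dogbone.twd
Apr 25 21:08:33 dogbone tripwire[1412]: Integrity Check Complete: /usr/local/lib/tripwire/dogbone.twd TWReport dogbone 20050425084515 V:12 S:60 A:3 R:0 C:9
Apr 25 22:14:07 dogbone tripwire[1483]: Integrity Check Complete: /usr/local/lib/tripwire/dogbone.twd TWReport dogbone 20050425094933 V:18 S:100 A:3 R:0 C:15
Apr 26 03:15:01 dogbone tripwire[1601]: Integrity Check Complete: /usr/local/lib/tripwire/dogbone.twd TWReport dogbone 20050426031501 V:0 S:0 A:0 R:0 C:0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) tripwire\[(?P<pid>\d+)\]: "
    r"(?P<event>Database initialized|Integrity Check Complete|Policy Update Complete): "
    r"(?P<db>\S+)"
    r"(?: TWReport (?P<rhost>\S+) (?P<stamp>\d{14}) V:(?P<v>\d+) S:(?P<s>\d+) "
    r"A:(?P<a>\d+) R:(?P<r>\d+) C:(?P<c>\d+))?$"
)

REPORT_DIR = "/usr/local/lib/tripwire/report"   # directory part of REPORTFILE in twcfg.txt

def parse(text):
    """Return one dict per tripwire syslog line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("pid", "v", "s", "a", "r", "c"):
            e[k] = int(e[k]) if e[k] is not None else None
        events.append(e)
    return events

def report_path(e):
    """Rebuild the .twr name ($(HOSTNAME)-$(DATE).twr) from the 14-digit TWReport stamp."""
    st = e["stamp"]
    return f"{REPORT_DIR}/{e['rhost']}-{st[:8]}-{st[8:]}.twr"

def triage(events, severity_threshold=100):
    """Split integrity checks into clean runs, runs with only low-severity noise,
    and runs that need review because a rule at or above the threshold fired
    (100 covers OS binaries, boot/config files and Tripwire's own files in the
    default policy). Review entries are ready-to-run twprint commands."""
    out = {"clean": [], "warn": [], "review": []}
    for e in events:
        if e["event"] != "Integrity Check Complete":
            continue
        if e["v"] == 0:
            out["clean"].append(e["stamp"])
        elif e["s"] >= severity_threshold:
            out["review"].append(f"twprint -m r -r {report_path(e)}")
        else:
            out["warn"].append(e["stamp"])
    return out
```

The stamp in the syslog line and the date in the report file name are the same fourteen digits, so the script can point you at the exact .twr without searching the report directory. Feeding it the last day of system.log from the same cron job that runs the check gives you a short list of reports worth opening rather than a full report every morning.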

Be sure to read all the man pages for Tripwire, especially those for tripwire, twadmin, twprint, twconfig, twpolicy, and twfiles.

Snort and HenWen

Snort, available from http://www.snort.org/, is a freely available package that has a packet sniffer mode and a network intrusion detection system mode. HenWen, available from http://seiryu.home.comcast.net/henwen.html, is a graphical interface to Snort. HenWen also includes a slightly modified version of Snort in its distribution. It's free for personal, educational, and government users, but commercial users are asked to pay a shareware fee. Just as BrickHouse does for ipfw, HenWen gives you a way to learn how the Snort configuration file works. The current version, HenWen 2.0.4, runs on Mac OS X 10.2 or 10.3. As of this writing, it does not appear to work on 10.4, but given that the website makes an older version available for Mac OS X 10.1, we would expect the author to update the package to support Tiger at some point.

If you want to download and compile Snort yourself, it compiles and installs easily on Mac OS X. It follows the basic approach:

 ./configure
 make
 make install

By default, Snort installs in /usr/local. There are a number of compile-time options, including support for openssl and mysql. The mysql option can be useful for a number of reporting packages for Snort.

After you have Snort compiled, you might want to run it in packet-sniffing mode for a few seconds just to see how that looks and to verify that it runs. To do so, run snort -v as root; capturing raw packets requires access to the BPF devices, which only root has by default. If you get no activity after issuing this command, you might need to specify an interface. The snort -v output indicates which interface it is listening on. Use snort -v -i <interface> to choose a different one. This prints TCP/IP packet headers to the screen. Here's an example of the very end of some output:

 12/05-17:29:10.916730 147.229.16.120:1028 -> 224.2.127.254:9875
 UDP TTL:48 TOS:0x0 ID:43660 IpLen:20 DgmLen:277
 Len: 249

 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 12/05-17:29:11.015725 140.192.141.155:1029 -> 224.2.127.254:9875
 UDP TTL:55 TOS:0x0 ID:13852 IpLen:20 DgmLen:315
 Len: 287

 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 12/05-17:29:11.045173 131.151.10.7:1029 -> 224.2.127.254:9875
 UDP TTL:52 TOS:0x0 ID:48504 IpLen:20 DgmLen:308
 Len: 280

 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 12/05-17:29:11.049176 140.254.104.143:138 -> 140.254.105.255:138
 UDP TTL:64 TOS:0x0 ID:25539 IpLen:20 DgmLen:218
 Len: 190

 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 12/05-17:29:11.068150 193.190.113.20:37990 -> 224.2.127.254:9875
 UDP TTL:240 TOS:0x0 ID:0 IpLen:20 DgmLen:669 DF
 Len: 641

 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 12/05-17:29:11.077319 205.155.71.103:1026 -> 224.2.127.254:9875
 UDP TTL:48 TOS:0x0 ID:32136 IpLen:20 DgmLen:336
 Len: 308

 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

 ^C
 ===============================================================================
 Snort received 269 packets
     Analyzed: 269(100.000%)
     Dropped: 0(0.000%)
 ===============================================================================
 Breakdown by protocol:
     TCP: 84         (31.227%)
     UDP: 121        (44.981%)
    ICMP: 0          (0.000%)
     ARP: 7          (2.602%)
   EAPOL: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 3          (1.115%)
   OTHER: 18         (6.691%)
 DISCARD: 0          (0.000%)
 ===============================================================================
 Action Stats:
 ALERTS: 0
 LOGGED: 0
 PASSED: 0
 ===============================================================================
 Snort exiting

To run Snort in intrusion detection mode, however, you must edit the configuration file and run it as a daemon. The distribution comes with a default snort.conf file that you can edit. You should periodically get updates to the rules from http://www.snort.org/dl/rules/.

To be able to run Snort in intrusion detection mode, manually complete your installation as follows:

 ryoohki:/Users/sage/builds/snort-2.3.0RC1 root# mkdir -p /usr/local/etc/snort/rules
 ryoohki:/Users/sage/builds/snort-2.3.0RC1 root# cp rules/* /usr/local/etc/snort/rules/
 ryoohki:/Users/sage/builds/snort-2.3.0RC1 root# cp etc/* /usr/local/etc/snort/
 ryoohki:/Users/sage/builds/snort-2.3.0RC1 root# chmod -R 600 /usr/local/etc/snort
 ryoohki:/Users/sage/builds/snort-2.3.0RC1 root# mkdir /var/log/snort

The chmod keeps other users from reading your rules and configuration. Note that chmod -R 600 also strips the search bit from the two directories; root ignores that, but if you ever run Snort under an unprivileged account, give the directories mode 700 and only the files mode 600.

In the configuration file, snort.conf, you configure network variables, preprocessor statements, output options, and Snort rules. The preprocessor statements determine how packets are handled before actually matching them against any rules. The output options determine how the Snort output is handled. Options include logging to a syslog or a database, such as MySQL. The rules are set up as separate files in a rules directory, like the services files for xinetd. It's easier to update the rules by storing them in a separate directory and having include statements in the configuration file for the rules rather than including them directly in the configuration file.

If you manually complete the installation as described earlier, the rules are copied to a separate rules directory located in /usr/local/etc/snort/rules, and snort.conf, like the rules directory, is also located in /usr/local/etc/snort. At the very least, the snort.conf file has to be edited to reflect this. Change the

 var RULE_PATH ../rules  

line to

 var RULE_PATH rules 

To run Snort in daemon mode, use a command line like this:

 snort -D -c <path-to-snort.conf> -i <interface>

In this example, to run Snort on an AirPort interface, that would be

 snort -D -c /usr/local/etc/snort/snort.conf -i en1

If you're satisfied with what Snort does, you might want to consider adding it to the startup scripts.

Assuming that an updated version of HenWen becomes available for Tiger, you might find it useful for familiarizing yourself with the configuration file. HenWen provides a graphical interface for setting up a basic snort.conf file and also comes with a detailed manual on setting up the configuration file. You can either use HenWen as its own package or for creating a base snort.conf file. By default, it creates a snort.conf file within its own hierarchy, but you can also choose to save a copy elsewhere. Additionally, you can have it start at boot.

Figure 31.14 shows the Network section of HenWen setup. This is HenWen's interface for setting up the network variables in the snort.conf file. The Preprocessors tab configures the preprocessors portion of the snort.conf file. The Output section configures the output options section of snort.conf. The Alerts section configures the rules portion; the Snort section, the snort decoder and detection engine; the Spoof Detector section, the arpspoof section of the preprocessors portion of snort.conf.

HenWen's snort.conf file and rules directory are located in HenWen.app/Contents/Resources. If you install HenWen, you can still update the rules there periodically, just as you would with the regular Snort distribution.

Here's an example of what you might see in the Snort alert log:

 [**] [1:1421:11] SNMP AgentX/tcp request [**]
 [Classification: Attempted Information Leak] [Priority: 2]
 12/05-20:52:04.206816 140.254.104.107:64331 -> 140.254.104.243:705
 TCP TTL:43 TOS:0x0 ID:15400 IpLen:20 DgmLen:60 DF
 ******S* Seq: 0x52322FEA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
 TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 266875018 0
 [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

 [**] [1:1418:11] SNMP request tcp [**]
 [Classification: Attempted Information Leak] [Priority: 2]
 12/05-20:52:05.507177 140.254.104.107:64671 -> 140.254.104.243:161
 TCP TTL:43 TOS:0x0 ID:15740 IpLen:20 DgmLen:60 DF
 ******S* Seq: 0x1B600A5C  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
 TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 266875020 0
 [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

 [**] [1:2189:3] BAD-TRAFFIC IP Proto 103 PIM [**]
 [Classification: Detection of a non-standard protocol or event] [Priority: 2]
 12/05-20:52:26.080257 140.254.104.1 -> 224.0.0.13
 PIM TTL:1 TOS:0xC0 ID:5486 IpLen:20 DgmLen:54
 [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0567][Xref => http://www.securityfocus.com/bid/8211]

Figure 28.27. You can configure the network variables for snort.conf under the Network section in HenWen's interface.
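The full-format alert log above is easy to read one entry at a time and hard to read after a busy night. The following Python script is added here as an illustration and is not part of Snort or HenWen: it parses that format (header with generator, signature and revision IDs, classification and priority, the timestamp and address line, the protocol line, and any Xref entries) into records and then lists the sources that keep tripping rules. The sample alerts are constructed with RFC 5737 addresses but use the same signatures as the ones above.

```python
"""Parse Snort's full-format alert log (the layout shown above) into records
and pick out the sources that keep tripping rules."""
import re
from collections import Counter

# Constructed alerts in the same format as the log above, with RFC 5737
# addresses; the signature IDs and messages are the ones that appear there.
SAMPLE_ALERTS = """\
[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/05-20:52:04.206816 192.0.2.10:64331 -> 192.0.2.243:705
TCP TTL:43 TOS:0x0 ID:15400 IpLen:20 DgmLen:60 DF
******S* Seq: 0x52322FEA  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 266875018 0
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://www.securityfocus.com/bid/4132]

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/05-20:52:05.507177 192.0.2.10:64671 -> 192.0.2.243:161
TCP TTL:43 TOS:0x0 ID:15740 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1B600A5C  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 266875020 0
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013]

[**] [1:2189:3] BAD-TRAFFIC IP Proto 103 PIM [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
12/05-20:52:26.080257 192.0.2.1 -> 224.0.0.13
PIM TTL:1 TOS:0xC0 ID:5486 IpLen:20 DgmLen:54
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0567][Xref => http://www.securityfocus.com/bid/8211]
"""

HEAD_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
ADDR_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
XREF_RE = re.compile(r"\[Xref => (.+?)\]")

def parse_alerts(text):
    """One dict per alert block; blocks that are not complete alerts are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        head = HEAD_RE.match(lines[0])
        cls = CLASS_RE.match(lines[1])
        addr = ADDR_RE.match(lines[2])
        if not (head and cls and addr):
            continue
        alerts.append({
            "gid": int(head[1]), "sid": int(head[2]), "rev": int(head[3]), "msg": head[4],
            "class": cls[1], "priority": int(cls[2]),
            "ts": addr[1],
            "src": addr[2], "sport": int(addr[3]) if addr[3] else None,   # no port for PIM etc.
            "dst": addr[4], "dport": int(addr[5]) if addr[5] else None,
            "proto": lines[3].split()[0],        # first token of the IP header line
            "xrefs": XREF_RE.findall(block),
        })
    return alerts

def noisy_sources(alerts, max_priority=2, min_hits=2):
    """Sources with at least min_hits alerts at the given priority or more urgent
    (Snort priority 1 is the most urgent)."""
    hits = Counter(a["src"] for a in alerts if a["priority"] <= max_priority)
    return sorted(src for src, n in hits.items() if n >= min_hits)
```

Run over a real /var/log/snort/alert, the noisy-sources list is the first thing to look at each morning. The third sample alert illustrates the tuning you will do: PIM from your own router to 224.0.0.13 is normal multicast routing traffic, so that signature is a candidate for disabling in the rules file or for a pass rule, while two SNMP probes from one host in a second is a scan.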

PortSentry

PortSentry 1.2 is a utility available from http://sourceforge.net/projects/sentrytools/. It's part of the Sentry Tools suite, a suite of free host-based security and intrusion tools. Sentry Tools also include LogSentry, which helps you monitor your system logs and HostSentry, which detects anomalous login behavior. The project recently moved to SourceForge, and is in the process of updating its licenses. As a result, HostSentry and PortSentry 2.x are not yet available. PortSentry 1.0 for Mac OS X is also available from http://www.osxgnu.org/software/Security/portsentry/. Currently the Mac OS X port does not appear to install, but we expect that to change as Tiger becomes more prevalent.

PortSentry monitors connections to ports specified in the portsentry.conf file. If PortSentry detects a connection on one of those ports, you can choose to have it simply log the connection, or you can configure it to block the host immediately. To block, PortSentry adds a deny line for the host to /etc/hosts.deny or /etc/hosts.allow, depending on how you're using TCP Wrappers, and then drops the host's traffic via route or ipfw. You can also give PortSentry a list of hosts whose connections it should ignore. Put your default gateway, your DNS servers, and any other host you cannot afford to lose in that list before you enable blocking: the source address of a UDP datagram is trivially forged, so an attacker who knows you block automatically can send a few spoofed packets and have PortSentry cut you off from those hosts. Do some testing until you're completely satisfied with your configuration before you leave blocking enabled.

PortSentry compiles cleanly on Mac OS X, but be sure to read the documentation carefully before you begin. The author clearly outlines the installation procedure in a step-by-step manner. Compiling with make generic works fine. By default, the package installs in /usr/local/psionic/portsentry.

The most important file you'll work with is portsentry.conf. The first part of the configuration file is the Port Configurations section. Here you specify which TCP and UDP ports are monitored. The author has provided three basic selections: anal, aware, and bare-bones. Of course, you can add any additional ports to whichever set you select.

Next is the Advanced Stealth Scan Detection Options section. Because these options apply only to Linux, you can ignore this section. PortSentry 2.0 is supposed to be able to detect stealth scans. That version is not available on SourceForge yet, but if you would like to try it, the source code for it is still available at http://www.macosxunleashed.com/downloads/portsentry-2.0b1.tar.gz. If you build it with make bsd, first edit portsentry.h: in the section that starts with #ifdef BSD, comment out the line that reads #include <netinet/ip_ether.h> by placing // at the beginning of that line.

The section that follows is the Configuration Files section, where you specify the location of portsentry.ignore, portsentry.history, and portsentry.blocked. The portsentry.ignore file is where you specify which hosts' connections the program should ignore. The portsentry.history file is where PortSentry logs a history of the actions it has taken. The portsentry.blocked file is where PortSentry logs a history of its actions for the current session.

The next section is the Misc. Configurations Options section, which only has one configuration option. Here you set whether DNS lookups are done on attacking hosts. The default is off.

The next section is the Response Options section. In this section, you specify what the automatic response should be for TCP and UDP connections. In the Ignore Options subsection, you specify what level of ignore PortSentry should follow for TCP and UDP connections. You can have PortSentry block scans, not block them, or execute some external command. The Dropping Routes subsection is where you select what the blocking response should be. The program can be configured to block via route or via ipfw. I recommend using ipfw if you have it running. If you select ipfw, PortSentry, by default, adds a deny rule to ipfw. Of course, you can modify that rule. In the TCP Wrappers subsection, select the correct TCP Wrappers syntax for the way you are using it. An external command can be specified in the External Commands subsection. In the Scan Trigger Value subsection, you configure the number of port connects that are allowed before an alarm is given. In the Port Banner section, you can specify what text, if any, should be displayed when PortSentry is tripped.

After you have a basic portsentry.conf file, and you've installed the package, run the following to start PortSentry:

 /usr/local/psionic/portsentry/portsentry -tcp
 /usr/local/psionic/portsentry/portsentry -udp

Check /var/log/system.log for the PortSentry startup response. For each PortSentry process (TCP and UDP), you'll see some initial startup lines, a line for each port it's monitoring, and a final line indicating that PortSentry is active and listening.

If PortSentry is set to immediately block a connection, here's the type of response you will see in the log:

 Sep 11 01:11:51 localhost portsentry[1164]: attackalert: Host 192.168.1.200 has been blocked via wrappers with string: "ALL: 192.168.1.200"
 Sep 11 01:11:51 localhost portsentry[1164]: attackalert: Host 192.168.1.200 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 192.168.1.200:255.255.255.255 to any"
 Sep 11 01:11:51 localhost portsentry[1164]: attackalert: Connect from host: 192.168.1.200/192.168.1.200 to TCP port: 1
 Sep 11 01:11:51 localhost portsentry[1164]: attackalert: Host: 192.168.1.200 is already blocked. Ignoring

Check /etc/hosts.deny and run ipfw show: you'll see that PortSentry has added the offending host to /etc/hosts.deny and added a matching ipfw deny rule.

If PortSentry isn't set to block connections, here is a sample response in the log file:

 Sep 11 01:03:52 localhost portsentry[1125]: attackalert: Connect from host: 192.168.1.200/192.168.1.200 to TCP port: 21
 Sep 11 01:03:52 localhost portsentry[1125]: attackalert: Ignoring TCP response per configuration file setting.
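Because the attackalert lines land in the shared /var/log/system.log alongside everything else, it helps to have a small script that pulls them out and summarizes, per host, which ports were probed and whether the block actually fired. The following is an added example (not code from the book or from the PortSentry project): the regular expressions are written against the two log formats quoted above, and the log excerpt is constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed excerpt of /var/log/system.log in the PortSentry 1.x
# "attackalert" format shown above; addresses and PIDs are made up.
SAMPLE_LOG = """\
Sep 11 01:03:52 localhost portsentry[1125]: attackalert: Connect from host: 192.168.1.200/192.168.1.200 to TCP port: 21
Sep 11 01:03:52 localhost portsentry[1125]: attackalert: Ignoring TCP response per configuration file setting.
Sep 11 01:11:51 localhost portsentry[1164]: attackalert: Host 192.168.1.200 has been blocked via wrappers with string: "ALL: 192.168.1.200"
Sep 11 01:11:51 localhost portsentry[1164]: attackalert: Host 192.168.1.200 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 192.168.1.200:255.255.255.255 to any"
Sep 11 01:11:51 localhost portsentry[1164]: attackalert: Connect from host: 192.168.1.200/192.168.1.200 to TCP port: 1
Sep 11 01:11:51 localhost portsentry[1164]: attackalert: Host: 192.168.1.200 is already blocked. Ignoring
Sep 11 01:12:03 localhost portsentry[1164]: attackalert: Connect from host: 10.0.0.7/10.0.0.7 to UDP port: 69
Sep 11 01:12:03 localhost sshd[200]: Accepted publickey for admin from 10.0.0.9
"""

# "Connect from host: <name>/<ip> to <TCP|UDP> port: <n>"
CONNECT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: (?P<name>\S+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
# "Host <ip> has been blocked via wrappers ..." / "... via dropped route ..."
BLOCKED_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Host (?P<ip>[\d.]+) has been blocked via "
    r"(?P<how>wrappers|dropped route)")


def summarize(log_text):
    """Map each source IP to the ports it touched and the block methods that fired."""
    hosts = defaultdict(lambda: {"ports": set(), "blocked_via": set()})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            hosts[m["ip"]]["ports"].add(f"{m['proto']}/{int(m['port'])}")
            continue
        m = BLOCKED_RE.search(line)
        if m:
            hosts[m["ip"]]["blocked_via"].add(m["how"])
    return {ip: {"ports": sorted(v["ports"]), "blocked_via": sorted(v["blocked_via"])}
            for ip, v in hosts.items()}


def unblocked_hosts(summary):
    """Hosts that tripped PortSentry but were only logged (log-only mode or ignore list)."""
    return sorted(ip for ip, v in summary.items() if not v["blocked_via"])


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Point it at a real system.log to review what PortSentry did overnight; hosts returned by unblocked_hosts are the ones worth a manual look.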

    Mac OS X Tiger Unleashed
    ISBN: 0672327465
    Year: 2005
    Pages: 251