
Practical 5

Portsentry is a simple program for implementing a host-based IDS, specifically (single-host) greynet-like functionality.
How could you use portsentry to setup a greynet-like system on an enterprise network?
It listens on ports of a host that are not bound to any application, and detects connection requests (TCP SYN packets) destined for these ports.
Events are logged in /var/log/messages.
Events can also trigger an external program/script to run; such a program could perform any task.
A common one is to update the firewall of the host being scanned, to block the machine performing the scan. The program could also send an email, SMS, etc.
Installation:
Standard install methods will work with the source code for portsentry
Modification of configuration file:
After the installation, you need to modify the configuration file portsentry.conf.
This is stored in: /usr/local/psionic/portsentry
1. Modify the iptables for Linux section:
# iptables support for Linux
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
Change the line to match the above (it will be different in the default configuration file)
What does the above line do?
2. Modify the TCP Wrappers section so that the line reads:
#KILL_HOSTS_DENY="ALL:$TARGET$"
That is, comment the line out by adding the comment character (#) to the start of it.
Run Portsentry:
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -audp
What do the two lines above do?
Monitor Portsentry:
Now check /var/log/messages - did it start?
To validate that portsentry is working, get another PC to nmap you.
Observe /var/log/messages and check your firewall rules before, during and after the nmap scan.
Also check
/usr/local/psionic/portsentry/portsentry.ignore
and
/usr/local/psionic/portsentry/portsentry.blocked.tcp
before and after the scan.
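The following script is an added example for this practical (it is not part of the handout and not PortSentry's own code). It covers the two configuration steps and the monitoring step: check_conf verifies that portsentry.conf has the iptables KILL_ROUTE line and a commented-out KILL_HOSTS_DENY before you start the daemon, and the remaining functions summarise the attackalert entries a test scan leaves in /var/log/messages, in particular which scanning hosts were seen but never blocked (for instance because they are listed in portsentry.ignore). The conf fragments and log lines inside it are constructed; the exact wording of PortSentry's log messages is assumed to match PortSentry 1.x and may need the patterns adjusted.

```shell
#!/bin/sh
# Added example (not part of the practical and not PortSentry's own code):
# a pre-flight check of the two portsentry.conf edits, followed by a summary
# of the attackalert entries a test scan leaves in /var/log/messages.
# The conf fragments and log lines below are constructed; real PortSentry 1.x
# messages may be worded slightly differently, so adjust the patterns if needed.

# Constructed conf fragment as the practical wants it after steps 1 and 2.
GOOD_CONF='# iptables support for Linux
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
# TCP Wrappers
#KILL_HOSTS_DENY="ALL:$TARGET$"'

# Constructed fragment resembling an unedited file: a route-based block and
# an active hosts.deny entry.
BAD_CONF='KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_HOSTS_DENY="ALL:$TARGET$"'

# Constructed syslog lines approximating PortSentry 1.x output.
SAMPLE_LOG='Mar  3 10:01:02 lab portsentry[812]: adminalert: PortSentry is now active and listening.
Mar  3 10:05:41 lab portsentry[812]: attackalert: TCP SYN/Normal scan from host: 10.0.0.7/10.0.0.7 to TCP port: 23
Mar  3 10:05:41 lab portsentry[812]: attackalert: Host 10.0.0.7 has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 10.0.0.7 -j DROP"
Mar  3 10:05:42 lab portsentry[812]: attackalert: TCP SYN/Normal scan from host: 10.0.0.7/10.0.0.7 to TCP port: 80
Mar  3 10:05:42 lab portsentry[812]: attackalert: Host: 10.0.0.7 is already blocked. Ignoring
Mar  3 10:09:13 lab portsentry[812]: attackalert: TCP SYN/Normal scan from host: 10.0.0.9/10.0.0.9 to TCP port: 111'

# check_conf: read portsentry.conf on stdin; return 0 when KILL_ROUTE calls
# iptables with "-s $TARGET$ ... -j DROP" and KILL_HOSTS_DENY is commented
# out, otherwise report each problem and return 1.
check_conf() {
    _conf="$(cat)"
    _rc=0
    if ! printf '%s\n' "$_conf" | grep -q '^KILL_ROUTE=".*iptables .*-s \$TARGET\$.*-j DROP"'; then
        echo "KILL_ROUTE does not insert an iptables DROP rule for \$TARGET\$"
        _rc=1
    fi
    if printf '%s\n' "$_conf" | grep -q '^KILL_HOSTS_DENY='; then
        echo "KILL_HOSTS_DENY is active; comment it out with a leading #"
        _rc=1
    fi
    return $_rc
}

# scan_events: print "host port" for every scan event in the log on stdin.
scan_events() {
    sed -n 's/.*attackalert: .*scan from host: \([^/]*\)\/.* port: \([0-9]*\).*/\1 \2/p'
}

# count_scanners: number of distinct scanning hosts in the log on stdin.
count_scanners() {
    scan_events | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# ports_probed_by: number of distinct ports probed by host $1 in the log on stdin.
ports_probed_by() {
    scan_events | awk -v h="$1" '$1 == h {print $2}' | sort -u | wc -l | tr -d ' '
}

# blocked_hosts: hosts for which KILL_ROUTE was run; compare with "iptables -L INPUT".
blocked_hosts() {
    sed -n 's/.*attackalert: Host \([0-9.]*\) has been blocked.*/\1/p' | sort -u
}

# unblocked_scanners: hosts seen scanning but never blocked, e.g. because they
# are listed in portsentry.ignore or the KILL_ROUTE command failed.
unblocked_scanners() {
    awk '/attackalert: .*scan from host: / { split($0, a, "scan from host: "); split(a[2], b, "/"); seen[b[1]] = 1 }
         /attackalert: Host [0-9.]* has been blocked/ { for (i = 1; i <= NF; i++) if ($i == "Host") blocked[$(i + 1)] = 1 }
         END { for (h in seen) if (!(h in blocked)) print h }' | sort
}

# Stand-alone demonstration on the constructed data. On a real host run:
#   check_conf < /usr/local/psionic/portsentry/portsentry.conf
#   grep portsentry /var/log/messages | unblocked_scanners
echo "== unedited conf =="
printf '%s\n' "$BAD_CONF" | check_conf || echo "fix the configuration before starting portsentry"
echo "== edited conf =="
printf '%s\n' "$GOOD_CONF" | check_conf && echo "configuration OK"
echo "== scan events (host port) =="
printf '%s\n' "$SAMPLE_LOG" | scan_events
echo "distinct scanners: $(printf '%s\n' "$SAMPLE_LOG" | count_scanners)"
echo "seen but never blocked: $(printf '%s\n' "$SAMPLE_LOG" | unblocked_scanners)"
```

Run the conf check before starting the daemon, then compare the output of blocked_hosts against the INPUT chain and against portsentry.blocked.tcp after the nmap scan; any host reported by unblocked_scanners should be explainable by portsentry.ignore.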
