Cornfed n00b
Joined: 22 Dec 2003 Posts: 59
Posted: Wed Feb 02, 2005 8:12 pm Post subject: Fun with Portsentry
I think in most offices there is always some d00d that just picked up some "How to Hack" book and likes to scan the admin's system. Later, you'll get "Dude! I just scanned your machine, and you have blah blah blah open. har har har".
Time to fix this guy.
Now edit /etc/portsentry/portsentry.conf
I modified the ports to look for common attempts like telnet, ftp, web and so on. I don't run any of these services, so people connecting are checking things out.
Code:
```
TCP_PORTS="13,21,22,23,25,80,110,111,194,220,389,443,1080,1234,2283,2535,
2745,3127,3410,5554,6667,8080,8866,9898,10000,10080,12345,17300,27374,31337,
65506"
UDP_PORTS="1,7,9,53,69,161,162,514,31337"
```
I also added some known trojan ports, looking for anyone trying to connect to them.
I want to drop the connection and prevent them from connecting again, so I uncommented this:
Code:
```
# iptables support for Linux
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
```
I want to know right away if someone is checking me out, so I enabled external commands.
Code:
```
KILL_RUN_CMD_FIRST = "0"
KILL_RUN_CMD="/usr/local/sbin/got_scanned $TARGET$ $PORT$"
```
Finally, a little something for their curiosity:
Code:
```
PORT_BANNER="** FOOLISH MORTAL! ** I JUST LOGGED THAT ATTEMPT AND I AM REPORTING YOU!! **"
```
Ok, you can have the script do just about anything you want. I want to know right away if someone is trying to mess with me, so email is out. We don't allow instant messenger, so no jabber fun. So, I wrote a simple popup. If you want to use this, you'll need perl-tk.
Then create /usr/local/sbin/got_scanned
Code:
```perl
#!/usr/bin/perl
# Popup alert; Portsentry runs this as KILL_RUN_CMD with $TARGET$ $PORT$.
use strict;
use warnings;
use Tk;

# Arguments from Portsentry: the scanning address, then the port probed.
my ( $target, $port ) = @ARGV;
die "usage: $0 target port\n" unless defined $port;

my $mw   = MainWindow->new;
my $data = "$target attempted to connect to port $port.";
# Clicking the button closes the window. An anonymous sub wraps the exit
# builtin; \&exit would point at a nonexistent main::exit subroutine.
my $button = $mw->Button( -text => $data, -command => sub { exit } );
$button->pack;
MainLoop;
```
Since Portsentry is run as a different user, I had to allow access. I created .xprofile in my home directory, and added:
You MIGHT need to modify (in my case gdm) /etc/X11/gdm/gdm.conf
I -think- that is only for remote systems connecting to yours. You might not need that just for localhost. I threw it in just in case.
Now when d00d tries to connect to my system, he gets a message letting him know he's been busted. His machine gets "banned" from connecting to mine. And I am alerted with a popup the instant it happens.
Your mileage may vary. I'm sure there are better ways to do this, but it's working for me.
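As an added example (not Cornfed's got_scanned script and not part of Portsentry): a plain sh replacement for got_scanned that validates the two arguments Portsentry hands to KILL_RUN_CMD, skips addresses you never want treated as a scanner, and appends a timestamped record to a log. The log path and the allowlist entries are assumptions.

```shell
#!/bin/sh
# Added example, not Cornfed's got_scanned: invoked by Portsentry as
# KILL_RUN_CMD="/usr/local/sbin/got_scanned $TARGET$ $PORT$".
# Assumed log path; override with GOT_SCANNED_LOG in the environment.
LOGFILE="${GOT_SCANNED_LOG:-/var/log/got_scanned.log}"
# Assumed allowlist: loopback plus a constructed example gateway address.
ALLOWLIST="127.0.0.1 192.168.1.1"
# is_ipv4 ADDR: succeeds if ADDR is a dotted quad with octets 0..255
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_port NUM: succeeds if NUM is an integer 1..65535
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_allowlisted ADDR: succeeds if ADDR appears in ALLOWLIST
is_allowlisted() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# handle_scan ADDR PORT: prints the record to log (status 0), or the
# reason the event was not recorded (status 1).
handle_scan() {
    if ! is_ipv4 "$1" || ! is_port "$2"; then
        echo "rejected: bad arguments '$1' '$2'"; return 1
    fi
    if is_allowlisted "$1"; then
        echo "ignored: $1 is allowlisted"; return 1
    fi
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) scan from $1 to port $2"
}
# Append the record when run by Portsentry with its two arguments.
if [ $# -eq 2 ]; then
    handle_scan "$1" "$2" >> "$LOGFILE"
fi
```

Because Portsentry runs the command as its own user, the log file must be writable by that user.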