Protect Your Ports

By Ian Scott

Port scanners are great little tools for an administrator to have. I regularly port scan my boxes to see what ports are listening for connections. There shouldn’t be anything open that I don’t know about – if there is, then I’d be doing some really quick checking to see what was going on, and I’d suspect an intrusion with a root kit installation.

My favorite port scanner is nmap, available from http://www.insecure.org/nmap/. Port scanners were written for network security people, but like much other software nmap is open source and readily available to anyone. That means the bad guys can get hold of it too, and use it to scan your machines to see what services are running and accepting connections. This is one good reason to run only the services you absolutely need to have available.

But of course, it’s not enough to limit listening services. When a vulnerability appears that, if exploited, gives access to your machine, it’s pretty darn likely that some black-hatted cracker will be port scanning, looking for potential targets on which to take advantage of it.

I’m of the opinion that NO ONE other than people I designate or give permission to should be port scanning any of my computers! There is simply no reason for them to do so. This security policy may seem a bit strict at first. More on that later.

So, what to do to protect those ports? Well, some years ago, I learned about a nifty piece of software called “PortSentry,” after reading about it in Securing And Optimizing Linux: Redhat Edition by Gerhard Mourani.

At that time, PortSentry was available for free from Psionic. Unfortunately, after Cisco acquired Psionic, PortSentry was no longer available at their website. However, I still have a copy of it, and because the license allows distribution, I can send it to you if you’d like. Just leave a comment with an email address, and I’ll get it off to you.

What PortSentry does is detect port scans. It comes with an easy-to-modify, well-documented configuration file that lets you change various settings and other neat stuff. Once you’ve got PortSentry running, it sits there waiting for port scans and then immediately drops the route to the IP address doing the scanning. In other words, you become “invisible” to that IP address. Your box will no longer accept any connections from that IP.

Of course, PortSentry has its own “white list” as well. Just because I have PortSentry running and am using other security tools does not mean I’m invulnerable (complacency after putting a security policy in place is another common problem). I still want to port scan my own machines, so I can add my IP address to an ignore file. PortSentry will then ignore port scans from the IPs I’ve listed in the ignore file.

Now, I mentioned earlier that my policy was pretty strict, and yes, there are times when this strictness causes problems. Remember, all security initiatives can and probably will create some inconveniences. You will have to decide if the inconvenience is worth it to you for the additional security you get.

In PortSentry’s case, owners of Microsoft Windows systems that have been infected by a worm or trojan will sometimes be port scanning for insecure ports. Most times, the MS Windows user doesn’t even know they have been infected. And there has been the odd time when one of my boxes was port scanned by a legitimate user of one of my systems because their system was infected. This meant they were unable to connect to any services on my machine.

Yes, at first the user complains and thinks we are having a problem. But it only takes about 5 minutes to do a quick investigation and discover that their IP address has been blocked. Then a quick

    # /sbin/route del (ip_address) reject

will provide them with access again.

And usually, those users appreciate finding out that they have an infected system that needs to be serviced.
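As an added example (not PortSentry’s own code, and not from the original post), here is a small Python simulation of the behaviour described above: it counts the distinct unexpected ports each source touches, skips sources on an ignore list like the one I use for my own scanning box, and returns the blackhole route command once a source crosses a threshold, plus the route del command used above to unblock a legitimate user. The service ports, trigger count, ignore list and sample addresses are all constructed; the route add -host ... reject form of the block command is an assumption chosen as the inverse of the unblock command. Commands are returned as strings rather than executed, so it runs without root and without touching the routing table.

```python
"""Toy PortSentry-style scan detector (added example, not PortSentry's code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports this host legitimately serves (assumed for the example).
SERVICE_PORTS = {22, 80}

# Distinct unexpected ports one source may touch before it is blackholed
# (assumed threshold; PortSentry's own trigger count is configurable).
TRIGGER_COUNT = 3

# Sources never blocked, like the administrator's own scanning box that the
# post adds to PortSentry's ignore file (constructed addresses).
IGNORE_LIST = [ip_network("127.0.0.1/32"), ip_network("192.0.2.10/32")]


def is_ignored(src, ignore_list=IGNORE_LIST):
    """True if src falls inside any ignored address or network."""
    addr = ip_address(src)
    return any(addr in net for net in ignore_list)


def block_command(src):
    """Blackhole route that makes the host 'invisible' to src.

    Assumed form: the inverse of the unblock command quoted in the post."""
    return f"/sbin/route add -host {src} reject"


def unblock_command(src):
    """The post's recovery step for a legitimate but infected user."""
    return f"/sbin/route del {src} reject"


class ScanDetector:
    def __init__(self, service_ports=SERVICE_PORTS, trigger=TRIGGER_COUNT,
                 ignore_list=IGNORE_LIST):
        self.service_ports = service_ports
        self.trigger = trigger
        self.ignore_list = ignore_list
        self.probed = defaultdict(set)   # src -> unexpected ports touched
        self.blocked = set()

    def observe(self, src, port):
        """Record one connection attempt; return the block command the first
        time src crosses the trigger, otherwise None."""
        if (src in self.blocked or port in self.service_ports
                or is_ignored(src, self.ignore_list)):
            return None
        self.probed[src].add(port)
        if len(self.probed[src]) >= self.trigger:
            self.blocked.add(src)
            return block_command(src)
        return None

    def release(self, src):
        """Administrator's manual unblock; returns the route command to run."""
        self.blocked.discard(src)
        self.probed.pop(src, None)
        return unblock_command(src)


# Constructed sample: (source, destination port) as the detector sees them.
SAMPLE_ATTEMPTS = [
    ("198.51.100.7", 80),   # ordinary web client
    ("203.0.113.9", 21),    # sequential scan from an unknown host
    ("203.0.113.9", 23),
    ("203.0.113.9", 80),    # a real service; does not count as a probe
    ("203.0.113.9", 25),    # third unexpected port -> blackholed
    ("203.0.113.9", 110),   # already blocked, ignored
    ("192.0.2.10", 21),     # the admin's own nmap run, on the ignore list
    ("192.0.2.10", 23),
    ("192.0.2.10", 25),
    ("192.0.2.10", 110),
]


def run(attempts=SAMPLE_ATTEMPTS):
    """Replay attempts; return the detector and the commands it would run."""
    det = ScanDetector()
    actions = []
    for src, port in attempts:
        cmd = det.observe(src, port)
        if cmd:
            actions.append(cmd)
    return det, actions


if __name__ == "__main__":
    detector, actions = run()
    for a in actions:
        print(a)
    print("blocked:", sorted(detector.blocked))
```

Replaying the sample blackholes 203.0.113.9 on its third unexpected port, leaves the ignored admin box alone however many ports it touches, and release() hands back exactly the route del line used to restore a legitimate user.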

I’d rather spend the five minutes once in a blue moon doing this, than giving too much information away to some cracker that’s obviously just looking for ways to break into a server!

There’s a lot more information about PortSentry and its various options in the README.install file. But if you’re looking for another tool in your arsenal to keep out intruders, consider PortSentry.
