To protect against the scan of ports with portsentry

en:To protect against the scan of ports with portsentry he:כדי להגן מפני הסריקה של יציאות עם portsentry ro:Pentru a proteja împotriva scanarea de porturi cu portsentry ru:Для защиты от сканирования портов с portsentry pl:Do ochrony przed skanowanie portów z portsentry ja:Portsentry とポートのスキャンから保護するには ar:للحماية من مسح للمنافذ مع بورتسينتري zh:为了防止与 portsentry 的端口扫描 de:Zum Schutz vor der Untersuchung der Ports mit portsentry nl:Te beschermen tegen het scannen van poorten met portsentry it:Per proteggere contro la scansione delle porte con portsentry pt:Para proteger contra a varredura de portas com portsentry es:Para proteger contra la exploración de puertos con portsentry fr:Se protéger contre le scan de ports avec portsentry

This article has been created by an automatic translation software. You can view the article source here.

Your Server may be subject to different port scans to identify, for example, services that are in place on your Server or even the operating system installed (that enables for example, Nmap, ). This information could then be exploited by a malicious person to achieve integrity of your Server.

To protect against these practices, you can implement portsentry which will block the IP addresses of the connections at the origin of these scans.

Portsentry can be a complement to fail 2ban if you want to enhance the security of your Server. Indeed, fail 2ban blocking the IP addresses of connections that perform unsuccessful authentication while portsentry, he performs a blocking of IP addresses that are aiming to identify open ports on your Server. Both packages can be complementary and thus to enhance the security of your Server.

We start by proceeding with the installation of the package which concerns us with the following command :

root@flex:~# apt-get update && apt-get install portsentry

A warning message will tell you that portsentry will apply no blocking unless you tell it to do :

Once the installation is complete, we will therefore proceed to portsentry configuration.

As a first step, we will stop service :

root@flex:~# /etc/init.d/portsentry stop
Stopping anti portscan daemon: portsentry.

We will then implement the exceptions to not to block various IP addresses (at minimum your IP address as well as the IP addresses of Servers of monitoring, etc.).

For the beaches of IP addresses to allow and used by our  Server monitoring, please refer to the following article  : https://fr.ikoula.wiki/fr/Quelles_sont_les_IP_%C3%A0_autoriser_dans_mon_firewall_pour_qu%27Ikoula_ait_acc%C3%A8s_%C3%A0_mon_Server

To implement these exceptions, we will edit the file /etc/portsentry/portsentry.ignore.static

At the start of service, the contents of the file will be added to the file /etc/portsentry/portsentry.ignore.

To add an exception to portsentry, just add one IP address per line. You can also and just add one or a CIDR.

Now that you've added your /your IP addresses in list White, we will configure portsentry to properly spoken by editing the configuration file which is accessible via /etc/portsentry/portsentry.conf.

We use portsentry in advanced mode for the TCP and UDP protocols. To do this, you must modify the file /etc/default/portsentry in order to have :

TCP_MODE="atcp"
UDP_MODE="audp"

We also wish that portsentry is a blockage. We therefore need to activate it by passing BLOCK_UDP and BLOCK_TCP to 1 as below :

##################
# Ignore Options #
##################
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

We opt for a blocking of malicious persons through iptables. We will therefore comment on all lines of the configuration file that begin with KILL_ROUTE except the next :

KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

You can verify that this is the case, once the saved file using cat and grep :

cat portsentry.conf | grep KILL_ROUTE | grep -v "#"

We can now relaunch service portsentry and it will now begin to block the port scans :

root@flex:~# /etc/init.d/portsentry start
Starting anti portscan daemon: portsentry in atcp & audp mode.

Portsentry logs in the file /var/log/syslog and as you can see below, following a port made for the care of this tutorial with Nmap, scan the address has been blocked through iptables :

Mar 17 16:59:02 sd-24527 portsentry[6557]: adminalert: PortSentry is now active and listening.
Mar 17 17:00:29 sd-24527 portsentry[6553]: attackalert: Connect from host: 178.170.xxx.xxx/178.170.xxx.xxx to TCP port: 1
Mar 17 17:00:29 sd-24527 portsentry[6553]: attackalert: Host 178.170.xxx.xxx has been blocked via wrappers with string: "ALL: 178.170.xxx.xxx : DENY"
Mar 17 17:00:29 sd-24527 portsentry[6553]: attackalert: Host 178.170.xxx.xxx has been blocked via dropped route using command: "/sbin/iptables -I INPUT -s 178.170.xxx.xxx -j DROP"
Mar 17 17:00:29 sd-24527 portsentry[6553]: attackalert: Connect from host: 178.170.xxx.xxx/178.170.xxx.xxx to TCP port: 79
Mar 17 17:00:29 sd-24527 portsentry[6553]: attackalert: Host: 178.170.xxx.xxx is already blocked. Ignoring
[...]

If you want to throw a block, you can check the IP addresses banned via iptables. There's the IP that was blocked following our previous test :

root@flex:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 52381 packets, 6428K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 794 42696 DROP       all  --  *      *       178.170.xxx.xxx      0.0.0.0/0      

So let's delete the entry :

iptables -D INPUT -s 178.170.xxx.xxx -j DROP

PS : don't forget to allow the IP addresses of our Servers of monitoring in the exceptions of portsentry to avoid false positives and cause unnecessary alerts.