Install and setup Portsentry in CentOS 6 64-bit on a VPS or dedicated server

Monday, October 13th, 2014 | CentOS / RHEL, Systems Administration
Author: Michael Balcos

1] I used a minimal CentOS 6.5 64-bit installation for this blog post. I've tested this documentation on a VPS and a dedicated server.
2] Login as root in your CentOS installation.
3] "yum install gcc wget"
4] "wget http://www.malaya-digital.org/portsentry-1.2.tar.gz"
5] "tar xzf portsentry-1.2.tar.gz"
6] "cd portsentry_beta"
7] Open portsentry.c in a text editor. Look for the following 2 lines(I got this hint from http://www.mysql-apache-php.com/basic-linux-security.htm):
printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot
sourceforget dot net>\n");

Removing the carriage return between the 2 lines, and then save. The mentioned lines should then appear as one line, like the following:
printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");

8] You can ignore the warnings when you execute: "make linux"
9] "make install"
10] "yum remove gcc ppl cloog-ppl mpfr cpp kernel-headers glibc-headers glibc-devel"
11] "cd /usr/local/psionic/portsentry"
12] Edit portsentry.conf.
12.A] Make sure you have appropriate settings for "TCP_PORTS" and "UDP_PORTS" if you want to use basic Stealth modes. The ports you assigned there will be monitored by Portsentry for port scans in the said Stealth modes. This blog post is optimized for Advanced Stealth Scan Detection Mode. As suggested by themselves, "TCP_PORTS" hold ports monitored for TCP scans. And "UDP_PORTS" hold ports monitored for UDP scans. Also, make sure that the ports you used are not blocked by a firewall.
12.B] If necessary for you, you might want to change the following. This is for advanced stealth scan detection. Any ports below the following number will be monitored through advanced stealth scan. Please note that you should not assign a port number above 61000. Also, it is not recommended to assign a port number above 1024. Also, please make sure that a firewall does not block the ports you want Portsentry to monitor using advanced stealth scan detection.
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
12.C] You may want to also assign values to "ADVANCED_EXCLUDE_TCP" and "ADVANCED_EXCLUDE_UDP" if you use advanced stealth scan detection. These ports will be ignored by Portsentry.
12.D] Look for the following line:
#KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"

Uncomment and change the mentioned line to the following:

KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
13] Make a "/etc/init.d/portsentry" startup script. It's contents can be the following script ( source: http://www.falkotimme.com/howtos/chkrootkit_portsentry/ ). Note that this script makes Portsentry use advanced stealth scan detection: http://www.malaya-digital.org/portsentry

13.A] "chmod 755 /etc/init.d/portsentry"
13.B] Create the following symbolic links so that your "portsentry" startup script will be executed at boot time:
ln -s /etc/init.d/portsentry /etc/rc2.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc3.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc4.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc5.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc0.d/K20portsentry
ln -s /etc/init.d/portsentry /etc/rc1.d/K20portsentry
ln -s /etc/init.d/portsentry /etc/rc6.d/K20portsentry
13.C] To start portsentry: "/etc/init.d/portsentry start"
13.D] To stop portsentry: "/etc/init.d/portsentry stop"
14] HINT: You may want to include the IPs of your DNS servers in "/usr/local/psionic/portsentry/portsentry.ignore".

No comments yet.

Install and setup Portsentry in CentOS 6 64-bit on a VPS or dedicated server

Leave a comment

Authors

Search

Archives

Categories

Blogroll