ComputerSecurityStudent (CSS)





(Ubuntu: Lesson 14)

{ Installing and Testing PortSentry against NMAP }


Section 0. Background Information
  1. What is PortSentry
    • PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time.
    • PortSentry will detect SYN/half-open, FIN, NULL, X-MAS and oddball packet stealth scans.
    • PortSentry has an internal state engine to remember hosts that connected previously. This allows the setting of a trigger value to prevent false alarms and detect "random" port probing. PortSentry will report all violations to the local or remote syslog daemons indicating the system name, time of attack, attacking host IP and the TCP or UDP port a connection attempt was made to. Once a scan is detected your system will turn into a blackhole and disappear from the attacker.
     
  2. Prerequisite
  3. Lab Notes
    • In this lab we will show you how to do the following:
      1. We will install PortSentry on Ubuntu.
      2. We will test NMAP on an un-configured PortSentry
      3. We will configure PortSentry.
      4. We will test NMAP on a configured PortSentry
      5. We will show you how to unblock an attacker.

  4. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

 

Section 1: Start Ubuntu 12.04
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Start --> Programs --> VMware Player

     

  2. Verify Virtual Machine Settings.
    • Instructions
      1. Click on Ubuntu 12.04
      2. Click on Edit virtual machine settings

     

  3. Configure Network Adapter
    • Instructions
      1. Click on Network Adapter
      2. Click on the Bridged Radio Button
      3. Click on the Close Button

     

  4. Start the Ubuntu 12.04 VM
    • Instructions
      1. Click on Ubuntu 12.04
      2. Click on Play virtual machine

 

Section 2: Login to Ubuntu
  1. Change to Gnome Classic
    • Instructions:
      1. Click on the Circle

     

  2. Select Gnome Classic
    • Instructions:
      1. Double Click on GNOME Classic

     

  3. Login to Server
    • Instructions
      1. User: Student
      2. Password: Please supply the student password.

 

Section 3: Become Root and Verify Network Connection
  1. Start up a Terminal
    • Instructions
      1. Click on the Terminal

     

  2. Become Root
    • Instructions
      1. sudo su -
      2. Supply the student password.

     

  3. Verify you have a network connection
    • Instructions
      1. ifconfig -a
        • eth0 is the name of my interface.
        • 192.168.1.104 is my network IP address.
    • Note(FYI):
      • If you do not have a DHCP IP address, try the following:
        • dhclient
          • OR
        • /etc/init.d/networking restart

 

Section 3: Update apt-get's package index
  1. Update apt-get's package index
    • Instructions
      1. apt-get update
    • Note(FYI):
      • "update" is used to resynchronize the package index files from their sources, i.e., it refreshes apt-get's local database from the Debian/Ubuntu repository package lists. The indexes of available packages are fetched from the location(s) specified in /etc/apt/sources.list.

 

Section 4: Search for portsentry
  1. Search for portsentry
    • Instructions
      1. apt-cache search portsentry
    • Note(FYI):
      • apt-cache is a command that queries and manipulates the local package cache, which is how you search the available Ubuntu packages.

     

Section 5: Install portsentry
  1. Install portsentry
    • Instructions
      1. apt-get install portsentry

     

  2. PortSentry Informational
    • Note(FYI):
      • PortSentry does not block anything by default.
      • Messages are dumped into /var/log/syslog.
      • We will use the /etc/portsentry/portsentry.conf to configure PortSentry.
    • Instructions
      1. Press <Enter>

     

  3. View PortSentry configuration files
    • Instructions
      1. ls -l /etc/portsentry/
    • Note(FYI):
      1. portsentry.conf
        • This is the PortSentry configuration file.
      2. portsentry.ignore
        • This file contains a list of IP addresses that PortSentry should ignore if they connect to a monitored port.
      3. portsentry.ignore.static
        • If you use the /etc/init.d/portsentry script to start the daemon, portsentry.ignore is rebuilt on each start of the daemon from portsentry.ignore.static plus all the IP addresses found on the machine via ifconfig.

     

  4. View PortSentry Message in /var/log/syslog
    • Instructions
      1. grep portsentry /var/log/syslog
    • Note(FYI):
      • Right after PortSentry is installed, notice that it starts listening on (i.e., monitoring) various TCP and UDP ports.

 

Section 6: Startup Script for PortSentry
  1. Startup Script for PortSentry
    • Instructions
      1. ls -l /etc/init.d/portsentry
        • As part of the portsentry installation, the portsentry startup script is placed in /etc/init.d/portsentry.
      2. find /etc/rc*.d/* -print | xargs ls -l | grep portsentry
        • Identifies start up and kill scripts for portsentry.
      3. runlevel
        • Identifies the current run level.
          • 0 System Halt
          • 1 Single user
          • 2 Full multi-user mode (Default)
          • 3-5 Same as 2
          • 6 System Reboot

     

  2. Stopping and Starting PortSentry with /etc/init.d/portsentry
    • Instructions
      1. cd /etc/init.d
      2. ./portsentry stop
      3. ps -eaf | grep -v grep | grep portsentry | wc -l
        • Notice that 0 is returned, because portsentry is not running.
      4. ./portsentry start
      5. ps -eaf | grep -v grep | grep portsentry
        • Now two lines are returned, because portsentry is running.
      6. ps -eaf | grep -v grep | grep portsentry | wc -l

     

  3. Stopping and Starting PortSentry with the "service" command
    • Instructions
      1. service portsentry status
        • Notice the PortSentry startup script does not have a status option.
      2. service portsentry stop
        • This command will stop the portsentry daemon.
      3. ps -eaf | grep -v grep | grep portsentry | wc -l
        • wc -l returns 0 for the number of portsentry processes found.
      4. service portsentry start
        • This will start the portsentry daemon/service.
      5. ps -eaf | grep -v grep | grep portsentry | wc -l
        • wc -l returns 2 for the number of portsentry processes found (i.e., one for TCP and one for UDP).

     

Section 7: Configure BackTrack Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Programs --> VMware --> VMware Player

     

  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Do not Click on the OK Button.

 

Section 8: Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMware Player
      2. Select BackTrack5R1
      3. Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up GNOME
    • Instructions:
      1. Type startx

 

Section 9: Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • As indicated below, my IP address is 192.168.1.105.
      • Please record your IP address.

 

Section 10: Test NMAP on unconfigured PortSentry
  1. Test BackTrack's NMAP on Ubuntu's unconfigured PortSentry
    • Note(FYI):
      • Issue the below commands from the BackTrack Terminal.
    • Instructions:
      1. nmap -p 1-65535 -T4 -A -v -PE -PS22,25,80 -PA21,23,80 192.168.1.106
        • Replace 192.168.1.106 with Ubuntu's IP address you obtained in (Section 3, Step 3).

     

  2. Check Ubuntu's syslog
    • Note(FYI):
      • Issue the below commands from the Ubuntu Terminal.
    • Instructions:
      1. grep "attackalert" /var/log/syslog
        • Now you will see a lot of attackalert messages coming from BackTrack (192.168.1.107).
        • In your case the IP address will be the IP Address Obtained in (Section 9, Step 2).

     

  3. Check Ubuntu's syslog
    • Note(FYI):
      • Issue the below commands from the BackTrack Terminal.
    • Instructions:
      1. ping -c 5 192.168.1.106
        • Replace 192.168.1.106 with Ubuntu's IP address you obtained in (Section 3, Step 3).
        • Notice BackTrack can ping Ubuntu and is not blocked by PortSentry yet.

 

Section 11: Configure PortSentry on Ubuntu
  1. Configure PortSentry on Ubuntu
    • Note(FYI):
      • Issue the below commands from the Ubuntu Terminal.
    • Instructions:
      1. grep -n "BLOCK_UDP=" /etc/portsentry/portsentry.conf
        • This will show you the line number of where "BLOCK_UDP=" exists.
        • In my case, the line number is 135.
      2. vi +135 /etc/portsentry/portsentry.conf

     

  2. Configure UDP/TCP Blocking
    • Instructions:
      1. For line, BLOCK_UDP="0", arrow over to the 0 and press the "r" key to replace the 0 with a 1.
      2. For line, BLOCK_TCP="0", arrow down and over to the 0 and press the "r" key to replace the 0 with a 1.
      3. Press the <ESC> Key
      4. Type ":wq!"
      5. Press <Enter>

     

  3. Restart PortSentry
    • Instructions:
      1. service portsentry stop
      2. service portsentry start
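Steps 1 through 3 above make the BLOCK_UDP/BLOCK_TCP change interactively in vi. The following POSIX shell script is an added example (not from the original lab) that performs the same edit non-interactively and verifies that each key is set to "1" exactly once before you restart the daemon. The config fragment it writes is a constructed stand-in for /etc/portsentry/portsentry.conf; only the BLOCK_* and KILL_* key names are taken from the lab, and the port lists are not the stock values.

```shell
#!/bin/sh
# Added example: enable PortSentry blocking in portsentry.conf and verify it.

# enable_blocking CONF: flip BLOCK_UDP="0" / BLOCK_TCP="0" to "1",
# keeping a timestamped backup of the original file.
enable_blocking() {
    conf="$1"
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    sed 's/^BLOCK_UDP="0"/BLOCK_UDP="1"/; s/^BLOCK_TCP="0"/BLOCK_TCP="1"/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# blocking_enabled CONF: succeed only if both keys are set to "1" exactly
# once at the start of a line (a commented-out or duplicated key would
# otherwise be easy to miss).
blocking_enabled() {
    conf="$1"
    [ "$(grep -c '^BLOCK_UDP="1"' "$conf")" -eq 1 ] &&
    [ "$(grep -c '^BLOCK_TCP="1"' "$conf")" -eq 1 ]
}

# make_sample_conf PATH: write a constructed, trimmed stand-in for
# /etc/portsentry/portsentry.conf in its default "log only" state.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample; port lists are illustrative, not the stock values
TCP_PORTS="1,11,15,79,111,119,540,1080,1524,2000,12345,31337"
UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,31337,54321"
# 0 = log only (the default), 1 = log and block
BLOCK_UDP="0"
BLOCK_TCP="0"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
SCAN_TRIGGER="0"
EOF
}

# Stand-alone demonstration on a temporary copy; on the real host you would
# call enable_blocking /etc/portsentry/portsentry.conf and then restart.
demo_conf="$(mktemp)"
make_sample_conf "$demo_conf"
if blocking_enabled "$demo_conf"; then
    echo "already blocking"
else
    echo "log-only mode (BLOCK_UDP/BLOCK_TCP are 0)"
fi
enable_blocking "$demo_conf"
if blocking_enabled "$demo_conf"; then
    echo "blocking enabled; now run: service portsentry stop && service portsentry start"
fi
rm -f "$demo_conf" "$demo_conf".bak.*
```

Note that the `^` anchor in the checks matters: the stock file carries commented-out explanations of the same keys, and a `grep BLOCK_TCP` without the anchor would count those as well.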

 

Section 12: Test NMAP on a configured PortSentry
  1. Test BackTrack's NMAP on Ubuntu's configured PortSentry
    • Note(FYI):
      • Issue the below commands from the BackTrack Terminal.
    • Instructions:
      1. nmap -p 1-65535 -T4 -A -v -PE -PS22,25,80 -PA21,23,80 192.168.1.106
        • Replace 192.168.1.106 with Ubuntu's IP address you obtained in (Section 3, Step 3).
     
  2. Test the Blocked Ubuntu Host from BackTrack
    • Instructions:
      1. ping -c 5 192.168.1.106
        • Replace 192.168.1.106 with Ubuntu's IP address you obtained in (Section 3, Step 3).
        • Notice the Ubuntu host is now unreachable using ICMP.
      2. telnet 192.168.1.106 22
        • Port 22/SSH is blocked.
      3. telnet 192.168.1.106 80
        • Port 80/HTTP is blocked.

 

Section 13: Analyzing Ubuntu Deny Host Logs
  1. Analyzing Ubuntu Deny Host Logs
    • Note(FYI):
      • Make sure you are on the Ubuntu Server.
    • Instructions:
      1. grep -n DENY /etc/hosts.deny
        • Notice that BackTrack's IP Address is blocked.
        • This will block SSH connectivity.
      2. grep -n Blocked /var/lib/portsentry/portsentry.blocked.tcp
        • This file shows IP addresses that have been blocked for TCP scans.
      3. grep -n Blocked /var/lib/portsentry/portsentry.history
        • This file shows IP addresses that have been blocked for both UDP and TCP scans.
      4. grep -n Blocked /var/lib/portsentry/portsentry.blocked.udp
        • This file shows IP addresses that have been blocked for UDP scans.
      5. netstat -rn | grep "192.168.1.107"
        • Replace 192.168.1.107 with BackTrack's IP address you obtained in (Section 9, Step 2).

     

Section 14: Unblock BackTrack
  1. Stop PortSentry
    • Note(FYI):
      • Make sure you are on the Ubuntu Server.
    • Instructions:
      1. service portsentry stop

     

  2. Scrub the hosts.deny file
    • Instructions:
      1. cd /etc
      2. grep -v "192.168.1.107" hosts.deny > hosts.deny.new
        • Replace 192.168.1.107 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. grep "192.168.1.107" hosts.deny.new | wc -l
        • Replace 192.168.1.107 with BackTrack's IP Address obtained in (Section 9, Step 2).
      4. mv hosts.deny hosts.deny.old
      5. mv hosts.deny.new hosts.deny

     

  3. Scrub the portsentry.history file
    • Instructions:
      1. cd /var/lib/portsentry/
      2. grep -v "192.168.1.107" portsentry.history > portsentry.history.new
        • Replace 192.168.1.107 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. grep "192.168.1.107" portsentry.history.new | wc -l
        • Replace 192.168.1.107 with BackTrack's IP Address obtained in (Section 9, Step 2).
      4. mv portsentry.history.new portsentry.history

     

  4. Scrub the portsentry.blocked.tcp file
    • Instructions:
      1. cd /var/lib/portsentry/
      2. grep -v "192.168.1.107" portsentry.blocked.tcp > portsentry.blocked.tcp.new
        • Replace 192.168.1.107 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. grep "192.168.1.107" portsentry.blocked.tcp.new | wc -l
        • Replace 192.168.1.107 with BackTrack's IP Address obtained in (Section 9, Step 2).
      4. mv portsentry.blocked.tcp.new portsentry.blocked.tcp

     

  5. Remove Reject Route
    • Instructions:
      1. netstat -rn
        • Show routing table.
        • Notice that BackTrack's IP Address is Rejected.
      2. route del -host 192.168.1.107 reject
        • Replace 192.168.1.107 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. netstat -rn
        • Notice that BackTrack's IP Address no longer exists.

     

  6. Start up PortSentry
    • Instructions:
      1. service portsentry start

     

  7. Ping Ubuntu
    • Note(FYI):
      • Make sure you are on the BackTrack Server.
    • Instructions:
      1. ping -c 5 192.168.1.106
        • Replace 192.168.1.106 with Ubuntu's IP address you obtained in (Section 3, Step 3).
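Steps 1 through 6 of this section scrub the same address out of four files by hand and then delete the reject route. The following POSIX shell script is an added example (not from the original lab) that performs the whole unblock as one repeatable procedure, verifying after each scrub that no line for the address remains and skipping the route deletion when no reject route exists. The file paths are the ones the lab uses; the hosts.deny contents in the demonstration are constructed.

```shell
#!/bin/sh
# Added example: unblock a host that PortSentry has blocked (Section 14 as one
# procedure). Must run as root on the Ubuntu host for the real case.

# scrub_ip_from_file FILE IP: rewrite FILE without any line containing IP,
# keeping FILE.old as a backup. Whole-word matching (-w) means scrubbing
# 192.168.1.10 does not also remove 192.168.1.107. Succeeds only if no line
# for IP remains; a missing FILE counts as "nothing recorded here".
scrub_ip_from_file() {
    file="$1"; ip="$2"
    [ -f "$file" ] || return 0
    # grep -v exits 1 when every line was removed; that is not an error here.
    grep -vwF -- "$ip" "$file" > "$file.new" || true
    if [ "$(grep -cwF -- "$ip" "$file.new")" -ne 0 ]; then
        rm -f "$file.new"
        return 1
    fi
    cp -p "$file" "$file.old" && mv "$file.new" "$file"
}

# unblock_host IP: stop the daemon, scrub the TCP wrapper deny file and
# PortSentry's own state files, drop the reject route if present, restart.
unblock_host() {
    ip="$1"
    service portsentry stop
    scrub_ip_from_file /etc/hosts.deny "$ip"
    for f in portsentry.history portsentry.blocked.tcp portsentry.blocked.udp; do
        scrub_ip_from_file "/var/lib/portsentry/$f" "$ip"
    done
    # Only delete the route if the kernel still has one for this address.
    if netstat -rn | grep -qwF -- "$ip"; then
        route del -host "$ip" reject
    fi
    service portsentry start
}

# demo_scrub: offline demonstration on a constructed hosts.deny; prints the
# lines that survive the scrub. Real use: unblock_host 192.168.1.107
demo_scrub() {
    d="$(mktemp -d)"
    printf 'ALL: 192.168.1.107 : DENY\nALL: 192.168.1.10 : DENY\nALL: 10.0.0.5 : DENY\n' > "$d/hosts.deny"
    scrub_ip_from_file "$d/hosts.deny" 192.168.1.107
    cat "$d/hosts.deny"
    rm -rf "$d"
}

if [ -n "${1:-}" ]; then
    unblock_host "$1"
else
    demo_scrub
fi
```

Stopping the daemon before editing its state files matters because PortSentry keeps the block list in memory and rewrites portsentry.history and portsentry.blocked.* itself; editing them while it runs can leave the address blocked after the next restart.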

 

Section 15: Proof of Lab
  1. Proof of Lab
    • Note(FYI):
      • Issue the below commands from the Ubuntu Terminal.
    • Instructions:
      1. cd /var/log/
      2. grep portsentry syslog | awk '{print $6}' | sort | uniq -c
      3. date
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle

 


