Koozali.org: home of the SME Server

Ping Storms

Vince

Ping Storms
« on: April 03, 2001, 10:07:37 AM »
For newbies is there any way to identify sources of ping storms and ban the source IP?

Rick

Re: Ping Storms
« Reply #1 on: April 04, 2001, 10:30:47 AM »
I think that could be done with Portsentry. Take a look here:

http://www.psionic.com/abacus/portsentry/

Vince

Re: Ping Storms
« Reply #2 on: April 04, 2001, 11:50:49 AM »
That looks like a great solution - especially with their other products.

Now I just have to take a few months (I'm so new to linux, I'm not even a newbie yet) and learn how to get them on the system and working without messing up e-smith.

Thanks for the lead.

Rick

Re: Ping Storms
« Reply #3 on: April 04, 2001, 05:35:46 PM »
Portsentry is very easy to install. If you want me to post a working config for e-smith please let me know. It's a pretty basic config out-of-the-box.

Rick

Vince

Re: Ping Storms
« Reply #4 on: April 04, 2001, 05:43:12 PM »
Please do. If you have similar info on how to install their other products feel free to add that, also - it all looks good to me. Am I greedy or what?!?

Thanks,

Vince

Rick

Re: Ping Storms
« Reply #5 on: April 04, 2001, 10:21:38 PM »
Ok, here it is. Don't blame me, I am still an amateur ;-)) This config works for me on my e-smith 4.1.1 box. Paste this in /etc/portsentry/portsentry.conf after installation of the RPM

========== cut ===========

TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"

ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"

ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"

IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/var/log/portsentry/portsentry.history"
BLOCKED_FILE="/var/log/portsentry/portsentry.blocked"

BLOCK_UDP="1"
BLOCK_TCP="1"

KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

KILL_HOSTS_DENY="ALL: $TARGET$"

SCAN_TRIGGER="0"

PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."

# EOF

======== cut =========

Phil

Re: Ping Storms
« Reply #6 on: April 25, 2001, 11:10:07 PM »
Rick, I understand that e-smith installs somewhat of a "crippled" version of RedHat?
I don't have the "make" command, so I can't install PortSentry?

Charlie Brady

Re: Ping Storms
« Reply #7 on: April 26, 2001, 12:04:01 AM »
Phil wrote:
 
> Rick, I understand that e-smith installs somewhat of a
> "crippled" version of RedHat?

It is not crippled, it is security hardened.

> I don't have the "make" command, so I can't install PortSentry?

Please see the technical FAQ - http://www.e-smith.org/faq.php3

A word of warning about installing adaptive firewalls such as PortSentry. They make denial of service attacks on your system much easier to mount, and can't guarantee that your system won't be broken into.

Charlie

Phil

Re: Ping Storms
« Reply #8 on: April 26, 2001, 12:28:06 AM »
Thanks Charlie for your quick reply - in essence, the e-smith software itself is already quite tight on security, opening up only the required ports on the external interface?

Right now, my e-smith box simply acts as a gateway, and I have FTP and WWW open. I don't mind the extra logging of PortSentry, but I would like to see a feature that simply monitors incoming connections/attempts. I'm curious as to who may be hitting my box and if I need to take any preventive measures. Perhaps this should be a post in the wish list.....

Charlie Brady

Re: Ping Storms
« Reply #9 on: April 26, 2001, 12:41:38 AM »
Phil wrote:
 
> in essence, the e-smith
> software itself is already quite tight on security, opening
> up only the required ports on the external interface?

Correct. If you change the configuration, say to enable public ssh access, the packet filter gets adjusted automatically to match your new policy.
 
> Right now, my e-smith box simply acts as a gateway, and I
> have FTP and WWW open. I don't mind the extra logging of
> PortSentry, but I would like to see a feature that simply
> monitors incoming connections/attempts. I'm curious as to who
> may be hitting my box and if I need to take any preventive
> measures. Perhaps this should be a post in the wish list.....

Perhaps. Note that with version 4.1.1 all forbidden packets are logged, but the default setting for logging was changed to "none", as some systems on badly configured networks were doing so much packet logging they didn't get real work done.

Packet logging (currently) has three settings: "none", "all" and "some". "some" is defined as "all except netbios and RIP". To set:

/sbin/e-smith/db configuration setprop masq Logging xxx
/sbin/e-smith/signal-event remoteaccess-update


Hopefully this will do more or less what you want. Followup discussion should be to the developer mailing list.

Regards

Charlie

P.S. Note that, by definition, logged packets wouldn't have done you any harm, they would not have connected to an enabled service, and they would have been ignored. They will almost always indicate either misconfigured machines, or script kiddie random sweeps.
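To go with Vince's original question (finding the sources of a ping storm) and Charlie's note that forbidden packets are logged once masq Logging is switched on, here is an added Python example that is not from the thread or from e-smith: it counts logged ICMP echo requests per source in a sliding time window and honours an ignore list in the spirit of portsentry.ignore, so trusted hosts never end up on a block list. The ipchains log layout and the sample lines are constructed assumptions, not output from a real box.

```python
import re
from collections import defaultdict
# Constructed sample lines in the ipchains "Packet log:" style that a kernel-2.2 e-smith
# box would emit with masq Logging set to "all". The field layout is an assumption;
# PROTO=1 is ICMP and the "port" after the source address is the ICMP type (8 = echo request).
SAMPLE_LOG = """\
Apr 26 00:41:01 gw kernel: Packet log: input DENY eth1 PROTO=1 198.51.100.7:8 192.0.2.10:0 L=84 S=0x00 I=1 F=0x0000 T=64
Apr 26 00:41:01 gw kernel: Packet log: input DENY eth1 PROTO=1 198.51.100.7:8 192.0.2.10:0 L=84 S=0x00 I=2 F=0x0000 T=64
Apr 26 00:41:02 gw kernel: Packet log: input DENY eth1 PROTO=1 198.51.100.7:8 192.0.2.10:0 L=84 S=0x00 I=3 F=0x0000 T=64
Apr 26 00:41:02 gw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.5:1234 192.0.2.10:139 L=60 S=0x00 I=4 F=0x4000 T=51
Apr 26 00:41:03 gw kernel: Packet log: input DENY eth1 PROTO=1 198.51.100.7:8 192.0.2.10:0 L=84 S=0x00 I=5 F=0x0000 T=64
Apr 26 00:41:03 gw kernel: Packet log: input DENY eth1 PROTO=1 198.51.100.7:8 192.0.2.10:0 L=84 S=0x00 I=6 F=0x0000 T=64
Apr 26 00:41:09 gw kernel: Packet log: input DENY eth1 PROTO=1 192.0.2.2:8 192.0.2.10:0 L=84 S=0x00 I=7 F=0x0000 T=64
"""
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) .*Packet log: \S+ \S+ \S+ "
    r"PROTO=(\d+) ([\d.]+):(\d+) ([\d.]+):(\d+)")

def parse_echo_requests(log_text):
    """Yield (seconds since midnight, source IP) for each logged ICMP echo request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hh, mm, ss, proto, src, icmp_type = m.group(1, 2, 3, 4, 5, 6)
        if proto == "1" and icmp_type == "8":
            yield int(hh) * 3600 + int(mm) * 60 + int(ss), src

def find_ping_storms(log_text, window=10, threshold=5, ignore=frozenset()):
    """Return {source IP: peak echo requests in any `window`-second span} for
    sources reaching `threshold`. Sources in `ignore` are never flagged (the
    portsentry.ignore idea): ICMP sources are spoofable, so an auto-blocker fed
    by this list could otherwise be tricked into cutting off your own hosts."""
    by_src = defaultdict(list)
    for ts, src in parse_echo_requests(log_text):
        by_src[src].append(ts)
    storms = {}
    for src, times in by_src.items():
        if src in ignore:
            continue
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            storms[src] = peak
    return storms
```

Feed it the output of grep "Packet log:" /var/log/messages (after setting masq Logging to "all" or "some") and review the flagged sources by hand before touching any block list.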