I can send you a doc I used to do this with, If you go to the intrusion detection section and look up portsentry, it should give you all you need to do. I am using a version of it that is pretty good, you define what ports to listen to, which to allow access to, and what to do when that is violated, then if you use the other ones I have set up then you can get the firewall to mail you replies of what is being done to the computer. Hope it helps. 1.6 Intrusion Countermeasures The internet is a rough place, hackers are waiting for disk space, email services, and any information that they can sell for a price. It is imperative that security measures be taken whenever possible to protect your data, and the services your servers provide. The following software packages will be used to do just that. These packages can be found on the SuSE Goodies CD. Put them all in the /opt directory for installation. These are the following security programs that are used and their purpose. PortSentry-1.1 - PortScanner detection and IP Quarantine Tripwire-2.3 - Detects changes to your system file structure SecCheck-2.0- Checks security settings and reports suspicious activity Scanlogd --2.2 Logs the port scans that it encounters.used in conjunction with PortSentry. Logcheck-1.1.1 - Mails the logs of all the above to an account of your choosing. DTK - Masquerades your machine as a machine of another type and gives out false information regarding passwords and file system structure. HardenSuSE-3.5 WARNING: From this point on you MUST be careful with what you type and how you configure the software. Follow all directions to the letter. 1.6.1 Installing PortSentry 1. #mc 2. Browse to the /opt/portsentry-1.1 directory 3. highlight portsentry_config.h 4. Press F4 to open and edit the document 5. make sure the file looks like this Then save any changes. If you have problems with the installation instructions. README.install will give you a wealth of information about this software. 6. highlight makefile 7. edit makefile 8. Make sure you change two things in this file Change the INSTALLDIR to /var and the CHILDDIR to /portsentry. (This is done to keep all software as centralized as possible, otherwise you will end up losing where some of the config files are. Plus with the way the Linux installation is set up, if a crash occurs you will still be able to get this information for the extended partition while just remaking the boot and / partitions.) 9. Highlight and open the file portsentry.conf 10. You will need to edit the following lines to get this software to run correctly. 11. Uncomment the section that begins with "Use these if you just want to be aware" 12. Make sure the Configuration Files directories are set to /var/portsentry. 13. Set RESOLVE_HOST ="1" 14. Uncomment the KILL_ROUTE command for iptables support for Linux 15. Lastly, change the PORT_BANNER to personalize the message to users that try to hack your system. 16. Edit the file portsentry.ignore to add ip addresses of your trusted hosts. Usually you will want to add your intranet addresses and add any remote sites that you would want not to be blocked. In the case of Emergys, we would add the Chennai office IPs. 17. Browse to the /opt/portsentry-1.1 directory 18. #make linux 19. Browse to the /etc/init.d directory 20. edit boot.local 21. add portsentry -tcp and portsentry -udp to the bottom of the list (This file should look familiar) Your boot.local file should now look something like this. 22. Browse to /etc 23. edit syslog.conf Edit your file to look like the following The messages going to -/var/log/messages will get delivered to an account of your choosing. The changes will not take effect until reboot. Or if you think you can, try manually restarting the service. (Hint: Go to the directory /etc/init.d , the commands are invoked by ./<filename> start or stop . For the use of this software if you ever want to reinstate a host to allow it to enter your system again, at the command prompt type #route del reject or you can delete that entry from the file /etc/hosts.deny This concludes the installation of portsentry-1.1 1.6.2 Installing Tripwire-2.3 This software is very easy to install just take note of the directories that are invoked. 1. #mc 2. Browse to /opt/tripwire-2.3 3. edit install.cfg to look like the following 4. Highlight install.sh, press enter and run file. Enter passwords where appropriate and pick settings as you see fit. Site passphrase is emergys rules Local key file is emergys rocks Edit the file twpol.txt to your liking (located in /etc) 5. #twadmin -create-polfile twpol.txt 6. tripwire -init You may see some errors, do not be alarmed, this is just the software going through its installation. You will see something when it id done called. "The database was successfully generated. The installation of this software is done, A Vanilla Install of this product will give you rudimentary protection and is good when using the server as we are, if you want a more secure server or are running confidential databases, a stricter policy would be more effective. Occasionally the administrator should go to the /var/lib/tripwire directory and check the report that tripwire would generate. Once tripwire is activated you will get a detailed report of your system changes.I would advise against getting the report mailed as it can be quite lengthy. This concludes the installation of Tripwire-2.3 1.6.3 Installing seccheck-2.0 1. #mc 2. Browse to /opt/seccheck-2.0 3. highlight INSTALL 4. press enter 5. Browse to /etc 6. highlight rc.config and edit file 7. at the end of the file add SECCHK_USER="<useraccountthatyouwanttheemailtogoto>" 8. save the file 9. Browse to /etc 10. edit crontab 11. edit the file to look like the following The last three lines are what is needed for this to run correctly. You have now completed the installation of Seccheck 1.6.4 Installing Scanlogd 1. #yast2 2. Install/Remove Software 3. Search for scanlogd 4. install scanlogd 5. reboot This concludes the installation of Scanlogd 1.6.5 Installing Logcheck 1. #mc 2. Browse to /opt/logcheck-1.1.1/systems/linux 3. edit logcheck.sh and change the sysadmin setting to an email address of your choice 4. Browse to /opt/logcheck-1.1.1 5. #make linux 6. The config files for this software package is in the directory called, /usr/local/etc. Upon installation they are set to moderately log and notify you of certain logging violations. 7. Add the Logcheck entry to crontab in the /etc directory as follows Save this file and reboot This concludes the installation of logcheck-1.1.1 1.6.6 Installing DTK Installing DTK in a vanilla fashion does provide great protection but you want to take the time to customize the responses that are given out to unauthenticated users. 1. Browse to /opt/dtk 2. highlight configure 3. Press enter 4. Answer the questions with default values to be safe 5. For the test system we are emulating a Solaris Sun Machine. Any breach of DTK will be mailed to mailadmn@emergyscorp.com That concludes the installation of DTK -----Original Message----- From: Patrick [mailto:tracerb@sprintmail.com] Sent: Wednesday, April 10, 2002 10:22 AM To: 'SuSE List' Subject: Re: [SLE] Firewalls, Ports, etc. Ok Great! That sounds like what I need to do Michael as well as getting the firewall going, so could you give a step by step or lead me to the info? I will check the inetd.conf and hosts.deny, but the port scanner sounds interesting and I am completely lost on it! ;o) Patrick ======================== On Wednesday 10 April 2002 10:00 am, Michael Garabedian, was heard saying:

Some ports like telnet can be closed through the inetd.conf, others you can deny access to through the use of hosts.deny The usage I am not sure of but I am sure there is a howto somewhere. Or you can set your port scanner to automatically lock certain ports from the start.

-----Original Message----- From: Patrick [mailto:tracerb@sprintmail.com] Sent: Wednesday, April 10, 2002 9:43 AM To: SuSE List Subject: [SLE] Firewalls, Ports, etc.

Hi all,

I have just stepped over into some unchartered territory for me at least. Checking network things, using nmap to check ports and getting

a firewall started. I am not running a network yet, so that may be a subject to kinda stay off of right now, but in doing the nmap command for my machine, I find I have some open ports that probably should not

be! Although I am still on dialup with a dynamic IP address, I would like to shut these ports down just the same. Ports like telenet & printer, should not be open I am told and there may be some others?

Is there a way to just close certain ports temporarily or permanently until you need or want them? Some ports should not be open at all, I know, so I need to take these out of the list. I also tried to start the personal firewall to help protect me in the interim, but in booting up, it doesn't seem to be fully activating. It gets to the second phase and exits with a status 1. I can provide info from my boot.log if that will help, but I suspect you gurus here know all those already! ;o)

So, I need to close some ports and activate the firewall fully! Thanks in advance for your help.

Patrick

-- ---KMail 1.3.2--- SuSE Linux v7.3 Pro--- Registered Linux User #225206 Magic Page Products -- Amiga-SuSE-PC Sales & Service URL: http://home.sprintmail.com/~tracerb -- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com

Thanks Pep, I did use the personal firewall and set it for modem masg in "reject all connections" thing. I think that is right and should take care of it, but not sure yet. I would still like to figure out how to close those open ports though. There must be a simple command to do so or setting you can change in one of the config files? Patrick ================== On Wednesday 10 April 2002 10:35 am, Pep Serrano, was heard saying:

The easiest you can do is to setup the personal firewall and this should close all incomming connections.

To test that it is efectively closed you should check your ports connection from outside. Don't scan your ports from your own host.

If you get any error messages while booting the firewall check that it is the personal firewall (not SuSEfirewall or SuSEfirewall2) and check your config (is quite simple config).

Pep Serrano

On Wednesday 10 April 2002 15:43, Patrick wrote:

...

Is there a way to just close certain ports temporarily or permanently

know, so I need to take these out of the list. I also tried to start the personal firewall to help protect me in the interim, but in booting

-- ---KMail 1.3.2--- SuSE Linux v7.3 Pro--- Registered Linux User #225206 Magic Page Products -- Amiga-SuSE-PC Sales & Service URL: http://home.sprintmail.com/~tracerb