Mailinglist Archive: opensuse (3378 mails)

RE: [SLE] Firewalls, Ports, etc.
  • From: "Michael Garabedian" <mikejr@xxxxxxxxxxxxxxx>
  • Date: Wed, 10 Apr 2002 13:27:01 -0400
  • Message-id: <000301c1e0b4$ee629de0$1800000a@xxxxxxxxxxxxxxxxxxxx>
I can send you a doc I used to do this with. If you go to the intrusion
detection section and look up portsentry, it should give you all you
need to do. I am using a version of it that is pretty good: you define
what ports to listen to, which to allow access to, and what to do when
that is violated. Then, if you use the other ones I have set up, you
can get the firewall to mail you replies of what is being done to the
computer. Hope it helps.
1.6 Intrusion Countermeasures

The internet is a rough place; hackers are waiting for disk space, email
services, and any information that they can sell for a price. It is
imperative that security measures be taken whenever possible to protect
your data, and the services your servers provide. The following
software packages will be used to do just that.

These packages can be found on the SuSE Goodies CD. Put them all in the
/opt directory for installation.

These are the following security programs that are used and their

PortSentry-1.1 - Port scanner detection and IP quarantine
Tripwire-2.3 - Detects changes to your system file structure
SecCheck-2.0 - Checks security settings and reports suspicious activity
Scanlogd-2.2 - Logs the port scans that it encounters. Used in
conjunction with PortSentry.
Logcheck-1.1.1 - Mails the logs of all the above to an account of your
DTK - Masquerades your machine as a machine of another type and gives
out false information regarding passwords and file system structure.
WARNING: From this point on you MUST be careful with what you type and
how you configure the software. Follow all directions to the letter.

1.6.1 Installing PortSentry

1. #mc
2. Browse to the /opt/portsentry-1.1 directory
3. highlight portsentry_config.h
4. Press F4 to open and edit the document
5. make sure the file looks like this

Then save any changes. If you have problems with the installation
instructions, README.install will give you a wealth of information
about this software.

6. highlight makefile
7. edit makefile
8. Make sure you change two things in this file

Change the INSTALLDIR to /var and the CHILDDIR to /portsentry. (This is
done to keep all software as centralized as possible, otherwise you will
end up losing where some of the config files are. Plus with the way the
Linux installation is set up, if a crash occurs you will still be able
to get this information for the extended partition while just remaking
the boot and / partitions.)

9. Highlight and open the file portsentry.conf
10. You will need to edit the following lines to get this software
to run correctly.
11. Uncomment the section that begins with "Use these if you just
want to be aware"
12. Make sure the Configuration Files directories are set to
13. Set RESOLVE_HOST="1"
14. Uncomment the KILL_ROUTE command for iptables support for Linux
15. Lastly, change the PORT_BANNER to personalize the message to
users that try to hack your system.
16. Edit the file portsentry.ignore to add the IP addresses of your
trusted hosts.

Usually you will want to add your intranet addresses and add any remote
sites that you would want not to be blocked. In the case of Emergys, we
would add the Chennai office IPs.

17. Browse to the /opt/portsentry-1.1 directory
18. #make linux
19. Browse to the /etc/init.d directory
20. edit boot.local
21. add portsentry -tcp and portsentry -udp to the bottom of the
list (This file should look familiar)

Your boot.local file should now look something like this.

22. Browse to /etc
23. edit syslog.conf

Edit your file to look like the following

The messages going to -/var/log/messages will get delivered to an
account of your choosing.
The changes will not take effect until reboot, or, if you think you can,
try manually restarting the service. (Hint: go to the directory
/etc/init.d; the commands are invoked by ./<filename> start or stop.)

For the use of this software, if you ever want to reinstate a host to
allow it to enter your system again, at the command prompt type #route
del <ip_address> reject, or you can delete that entry from the file

This concludes the installation of portsentry-1.1

1.6.2 Installing Tripwire-2.3

This software is very easy to install just take note of the directories
that are invoked.

1. #mc
2. Browse to /opt/tripwire-2.3
3. edit install.cfg to look like the following

4. Highlight, press enter and run the file. Enter passwords
where appropriate and pick settings as you see fit.
Site passphrase is emergys rules
Local key file is emergys rocks
Edit the file twpol.txt to your liking (located in /etc)
5. #twadmin --create-polfile twpol.txt
6. #tripwire --init
You may see some errors; do not be alarmed, this is just the software
going through its installation. You will see something when it is done
called "The database was successfully generated."
The installation of this software is done. A vanilla install of this
product will give you rudimentary protection and is good when using the
server as we are; if you want a more secure server or are running
confidential databases, a stricter policy would be more effective.
Occasionally the administrator should go to the /var/lib/tripwire
directory and check the report that tripwire would generate. Once
tripwire is activated you will get a detailed report of your system
changes. I would advise against getting the report mailed as it can be
quite lengthy.

This concludes the installation of Tripwire-2.3

1.6.3 Installing seccheck-2.0

1. #mc
2. Browse to /opt/seccheck-2.0
3. highlight INSTALL
4. press enter
5. Browse to /etc
6. highlight rc.config and edit file
7. at the end of the file add
8. save the file
9. Browse to /etc
10. edit crontab
11. edit the file to look like the following

The last three lines are what is needed for this to run correctly.

You have now completed the installation of Seccheck

1.6.4 Installing Scanlogd

1. #yast2
2. Install/Remove Software
3. Search for scanlogd
4. install scanlogd
5. reboot

This concludes the installation of Scanlogd

1.6.5 Installing Logcheck

1. #mc
2. Browse to /opt/logcheck-1.1.1/systems/linux
3. edit and change the sysadmin setting to an email
address of your choice
4. Browse to /opt/logcheck-1.1.1
5. #make linux
6. The config files for this software package are in the directory
called /usr/local/etc. Upon installation they are set to moderately
log and notify you of certain logging violations.
7. Add the Logcheck entry to crontab in the /etc directory as

Save this file and reboot

This concludes the installation of logcheck-1.1.1

1.6.6 Installing DTK

Installing DTK in a vanilla fashion does provide great protection but
you want to take the time to customize the responses that are given out
to unauthenticated users.

1. Browse to /opt/dtk
2. highlight configure
3. Press enter
4. Answer the questions with default values to be safe
5. For the test system we are emulating a Solaris Sun Machine. Any
breach of DTK will be mailed to mailadmn@xxxxxxxxxxxxxxx

That concludes the installation of DTK

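The document above has PortSentry write its "attackalert" lines to syslog, forward them by mail, and block offenders with a reject route that is later undone with `route del <ip> reject`. As an added illustration (not part of this post, not PortSentry's own code), the script below reads such lines, skips hosts on a trusted list that plays the role of portsentry.ignore, summarises which ports each remaining host touched, and prints the reinstatement command. The log lines and the trusted ranges are constructed samples in the style PortSentry 1.x logs, not real data from the post.

```python
"""Summarise PortSentry 'attackalert' syslog lines per source host.

Added illustration, not code from the mailing-list post or from PortSentry.
Log lines below are constructed in the style PortSentry 1.x writes to syslog;
the IGNORE list mirrors the role of portsentry.ignore.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of what /var/log/messages might carry after a scan.
SAMPLE_LOG = """\
Apr 10 13:01:02 host portsentry[512]: attackalert: Connect from host: 10.0.0.7/10.0.0.7 to TCP port: 23
Apr 10 13:01:02 host portsentry[512]: attackalert: Connect from host: 10.0.0.7/10.0.0.7 to TCP port: 515
Apr 10 13:01:03 host portsentry[512]: attackalert: Connect from host: 10.0.0.7/10.0.0.7 to TCP port: 111
Apr 10 13:01:03 host portsentry[512]: attackalert: Host 10.0.0.7 has been blocked via dropped route using command: "/sbin/route add -host 10.0.0.7 reject"
Apr 10 13:05:10 host portsentry[512]: attackalert: Connect from host: 192.168.1.20/192.168.1.20 to TCP port: 23
Apr 10 13:09:44 host portsentry[513]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to UDP port: 161
Apr 10 13:09:45 host sshd[700]: Accepted password for patrick from 192.168.1.20 port 4100
"""

# Trusted ranges (constructed values), same role as portsentry.ignore.
IGNORE = [ip_network("192.168.1.0/24"), ip_network("127.0.0.1/32")]

# With RESOLVE_HOST="1" PortSentry logs "hostname/ip"; both parts are captured.
CONNECT_RE = re.compile(
    r"attackalert: Connect from host: (\S+)/(\S+) to (TCP|UDP) port: (\d+)")
BLOCKED_RE = re.compile(r"attackalert: Host (\S+) has been blocked via")


def is_ignored(addr):
    """True when addr falls inside a trusted range."""
    ip = ip_address(addr)
    return any(ip in net for net in IGNORE)


def summarise(log_text):
    """Return {ip: {"tcp": set, "udp": set, "blocked": bool}} for non-ignored hosts."""
    hosts = defaultdict(lambda: {"tcp": set(), "udp": set(), "blocked": False})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            _name, ip, proto, port = m.groups()
            if not is_ignored(ip):
                hosts[ip][proto.lower()].add(int(port))
            continue
        m = BLOCKED_RE.search(line)
        if m and not is_ignored(m.group(1)):
            hosts[m.group(1)]["blocked"] = True
    return dict(hosts)


def likely_scanners(summary, min_ports=3):
    """Hosts that touched at least min_ports distinct ports; threshold is an assumption."""
    return sorted(ip for ip, s in summary.items()
                  if len(s["tcp"] | s["udp"]) >= min_ports)


def unblock_command(ip):
    """The reinstatement command the document gives for a route-based block."""
    return f"route del {ip} reject"


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for ip, s in sorted(summary.items()):
        print(ip, "tcp", sorted(s["tcp"]), "udp", sorted(s["udp"]),
              "blocked" if s["blocked"] else "not blocked")
    for ip in likely_scanners(summary):
        print("scanner:", ip, "-> to reinstate:", unblock_command(ip))
```

The trusted-range check runs before anything is counted, which is the same ordering PortSentry itself applies: a host listed in portsentry.ignore never reaches the blocking step, so the intranet and the remote office addresses mentioned in the document stay reachable even if they trip a monitored port.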
-----Original Message-----
From: Patrick [mailto:tracerb@xxxxxxxxxxxxxx]
Sent: Wednesday, April 10, 2002 10:22 AM
To: 'SuSE List'
Subject: Re: [SLE] Firewalls, Ports, etc.

Ok Great! That sounds like what I need to do Michael as well as
getting the firewall going, so could you give a step by step or lead me
to the info? I will check the inetd.conf and hosts.deny, but the port
scanner sounds interesting and I am completely lost on it! ;o)

On Wednesday 10 April 2002 10:00 am, Michael Garabedian, was heard
> Some ports like telnet can be closed through the inetd.conf, others
> you can deny access to through the use of hosts.deny The usage I am
> not sure of but I am sure there is a howto somewhere. Or you can set
> your port scanner to automatically lock certain ports from the start.
> -----Original Message-----
> From: Patrick [mailto:tracerb@xxxxxxxxxxxxxx]
> Sent: Wednesday, April 10, 2002 9:43 AM
> To: SuSE List
> Subject: [SLE] Firewalls, Ports, etc.
> Hi all,
> I have just stepped over into some uncharted territory for me at
> least. Checking network things, using nmap to check ports and getting
> a firewall started. I am not running a network yet, so that may be a
> subject to kinda stay off of right now, but in doing the nmap command
> for my machine, I find I have some open ports that probably should not
> be! Although I am still on dialup with a dynamic IP address, I would
> like to shut these ports down just the same. Ports like telnet &
> printer, should not be open I am told and there may be some others?
> Is there a way to just close certain ports temporarily or permanently
> until you need or want them? Some ports should not be open at all, I
> know, so I need to take these out of the list. I also tried to start
> the personal firewall to help protect me in the interim, but in
> booting up, it doesn't seem to be fully activating. It gets to the
> second phase and exits with a status 1. I can provide info from my
> boot.log if that will help, but I suspect you gurus here know all
> those already! ;o)
> So, I need to close some ports and activate the firewall fully!
> Thanks in advance for your help.
> Patrick

---KMail 1.3.2--- SuSE Linux v7.3 Pro---
Registered Linux User #225206
Magic Page Products -- Amiga-SuSE-PC Sales & Service
