Revision: $Revision: 1.13 $ ($Date: 2004-08-13 08:15:14 $)
This topic has a total weight of 10 points and contains the following objectives:
- (Objective 2.212.1 - not defined by LPI)
This objective was not defined by LPI
- Objective 2.212.2; Configuring a router (2 points)
The candidate should be able to configure ipchains and iptables to perform IP masquerading and state the significance of Network Address Translation and Private Network Addresses in protecting a network. This objective includes configuring port redirection, listing filtering rules and writing rules that accept or block datagrams based upon source or destination protocol, port and address. Also included is saving and reloading filtering configurations, using settings in
/proc/sys/net/ipv4to respond to DOS attacks, using/proc/sys/net/ipv4/ip_forwardto turn IP forwarding on and off and using tools such as PortSentry to block port scans and vulnerability probes.- Objective 2.212.3; Securing FTP servers (2 points)
The candidate should be able to configure an anonymous download FTP server. This objective includes configuring an FTP server to allow anonymous uploads, listing additional precautions to be taken if anonymous uploads are permitted, configuring guest users and groups with chroot jail and configuring ftpaccess to deny access to named users or groups.
- Objective 2.212.4; Secure shell (OpenSSH) (2 points)
The candidate should be able to configure sshd to allow or deny root logins and enable or disable X forwarding. This objective includes generating server keys, generating a user's public/private key pair, adding a public key to a user's authorized_keys file and configuring ssh-agent for all users. Candidates should also be able to configure port forwarding to tunnel an application protocol over ssh, configure ssh to support the ssh protocol versions 1 and 2, disable non-root logins during system maintenance, configure trusted clients for ssh logins without a password and make multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes.
- Objective 2.212.5; TCP_wrapper (1 point)
The candidate should be able to configure tcpwrappers to allow connections to specified servers from only certain hosts or subnets.
- Objective 2.212.6; Security tasks (3 points)
The candidate should be able to install and configure kerberos and perform basic security auditing of source code. This objective includes arranging to receive security alerts from Bugtraq, CERT, CIAC and other sources, being able to test for open-mail relays and anonymous FTP servers and installing and configuring an intrusion detection system, such as snort or Tripwire. Candidates should also be able to update the IDS configuration as new vulnerabilities are discovered and apply security patches and bug-fixes.
Sources of information: RFC1918
The candidate should be able to configure ipchains and iptables to perform
IP masquerading and state the significance of Network Address
Translation
and Private Network Addresses in protecting a network. This objective
includes configuring port redirection, listing filtering rules and
writing rules that accept or block datagrams based upon source or
destination protocol, port and address. Also included is saving and
reloading filtering configurations, using settings in
/proc/sys/net/ipv4 to respond to DOS attacks, using
/proc/sys/net/ipv4/ip_forward to turn IP forwarding on and off
and using tools such as PortSentry to block port scans and vulnerability
probes.
Key files, terms and utilities include:
| ipchains |
/proc/sys/net/ipv4 |
/etc/services |
| iptables |
| routed |
Why do Private Network Addresses exist ? It has been common practice to assign globally-unique addresses to all hosts that use TCP/IP. In order to extend the life of the IPv4 address space, address registries are requiring more justification concerning the need for extra address space than ever before, which makes it harder for organizations to acquire additional address space.
Hosts within enterprises that use IP can be partitioned into three categories:
- Category 1
These hosts do not require access to the hosts of other enterprises or on the Internet itself; hosts within this category may use IP addresses that are unambiguous within an enterprise, but may be ambiguous between enterprises.
- Category 2
These are hosts that need access to a limited set of outside services (e.g., E-mail, FTP, netnews, remote login), which can be handled by mediating gateways (e.g., application layer gateways). For many hosts in this category, unrestricted external access (provided via IP connectivity) may be unnecessary and even undesirable (for privacy/security reasons). These hosts, the same as category 1 hosts, may use IP addresses that are unambiguous within an enterprise, but may be ambiguous between enterprises.
- Category 3
These hosts need network-layer access outside the enterprise (provided via IP connectivity); hosts in the last category require IP addresses that are globally unambiguous.
We will refer to the hosts in the first and second categories as “private” and to hosts in the third category as “public”.
Many applications require connectivity only within one enterprise and do not need external (outside the enterprise) connectivity for the majority of internal hosts. In larger enterprises it is often easy to identify a substantial number of hosts using TCP/IP that do not need network-layer connectivity outside the enterprise.
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
We will refer to the first block as “24-bit block”, the second as “20-bit block”, and to the third as “16-bit” block. Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers and third block is a set of 256 contiguous class C network numbers.
The figure above displays s hypothetical situation which will serve as an example in the following explanation.
“The Firm” has four machines, 1 to 4, which are connected via a HUB and have private IP-Addresses in the 192.168.x.x range. Machine 4 serves as a router to the Internet and has two network interfaces. One connects the router to The Firm's internal network via the hub and has a private IP-address of 192.168.0.1, while the other connects the router to the Internet and has a valid (dynamic) IP-Address of 101.102.103.104.
Let's say that the user at Machine 2 wishes to look at a web page on Some Host (http://SomeHost.SomeCountry) with an IP-address of 201.202.203.204. To be able to see the web page, Machine 2 must be able to get information from the Internet and thus must be, in some way, connected to the Internet. And indeed, Machine 2 has an indirect connection to the Internet via Machine 4, but how can this work? Machine 2 has a private IP-address which is not supported on the Internet!
This is where NAT kicks in. Machine 4, the router, replaces the private IP-address of Machine 2 (and also of Machine 1 and 3 if needed) with its own IP-Address before sending the request to Some Host. Some Host thinks that a machine with IP-Address 101.102.103.104 asked for the web page and responds by sending the web page to Machine 4.
Machine 4 knows that it has replaced the IP-address of Machine 2 with its own before sending the request to Some Host so it also knows that the answer it got to the request has to go to Machine 2. Machine 4 accomplishes this by replacing its own IP-address in the answer by the IP-address of Machine 2.
This is, in a nutshell, what NAT does. For more detailed information consult RFC1631.
IP Masquerading is a form of NAT. To get IP Masquerading up and running on your Linux computer, your kernel must support this.
For more detailed information on compiling a kernel and modules, see Chapter 1, Linux Kernel (201).
Let's go back to The Firm's network. The IP masquerading rules on machine 4 can be set using the following ipchains commands:
# ipchains -P forward DENY
# ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ
The first line defines a policy (-P) that states that all packets that have a destination address in the outside world will not be forwarded (DENY) by the forward chain (forward). This is done because it is good practice to forbid all traffic by default except traffic that you explicitly want.
The second line adds (-A) a rule to the forward chain (forward) that states that all packages arriving (-i) at interface eth0 and coming from (-s) an ip-address in the range 192.168.0.0-192.168.0.255 will be masqueraded (-j MASQ) and forwarded to the outside world. The “/24” states that the first 24 bits always have the same value, in this case 192.168.0, and that the last 8 bits can have any value.
Machine 4 now knows WHAT to do with IP packets that come from Machines 1 to 4, but not WHERE to send them. To complete Machine 4's instructions, we add the following commands:
# route add -net 192.168.0.0 netmask 255.255.255.0 eth0
# route add default gw 101.102.103.104 eth1
The first line adds a route to the 192.168.x.x network via eth0.
The second line adds a default route via eth1, which is used if the destination is not in the 192.168.x.x range.
IP forwarding is the relaying of IP packets from one network to another. Let's go back to The Firm's network. We want Machine 4 to forward the IP packets to the Internet. This means that all of the Firms machines must use “real” IP addresses, as explained earlier, and that Machine 4 must know that certain IP addresses should go to the outside world, i.e., the Internet.
To enable forwarding, support must be enabled in the kernel (see Chapter 1, Linux Kernel (201) for more details) and forwarding itself must be enabled by issuing the command echo 1 > /proc/sys/net/ipv4/ip_forward.
Machine 4 now knows WHAT to do with IP packets that come from the Machines 1 to 4, but not WHERE to send them. To tell Machine 4 this, we use the following commands:
# route add -net 192.168.0.0 netmask 255.255.255.0 eth0
# route add default gw 101.102.103.104 eth1
The first line adds a route to the 192.168.x.x network via eth0. With kernel versions of 2.2 or higher this is done automatically.
The second line adds a default route via eth1 which is used if the destination is not in the 192.168.x.x range.
Port redirection is a mechanism which enables the redirection of IP packets based on destination port number to another port. To enable port redirection, support must be enabled in the kernel. See the section called “ IP Masquerading with IPCHAINS ” for more details.
Since it worked so well the last time, let's go back to The Firm's network again for an example.
Suppose Machine 2 has a web-server (or some other program) running which listens to port 2345, and people from the outside must be able to connect to that program. Since The Firm is using private IP addresses for their internal network, Machine 2 is not visible on the Internet. The solution here is to tell Machine 4 to route all data from the outside that is aimed at port 80 to port 2345 on Machine 2.
Now we've got a problem: with the command ipchains -j REDIR, the port must be on the same host and here this is not the case. So, what to do now ?
The solution lies in the ipmasqadm portfw command. Typing ipmasqadm portfw -h gives the following information:
# ipmasqadm portfw -h
Usage: portfw -a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF] add entry
portfw -d -P PROTO -L LADDR LPORT [-R RADDR RPORT] delete entry
portfw -f clear table
portfw -l list table
portfw <args> -n no names
PROTO is the protocol, can be "tcp" or "udp"
LADDR is the local interface receiving packets to be forwarded.
LPORT is the port being redirected.
RADDR is the remote address.
RPORT is the port being redirected to.
PREF is the preference level (load balancing, default=10)
Executing the following commands on Machine 4 will achieve our goal:
# ipmasqadm portfw -f
# ipmasqadm portfw -a -P tcp -L 101.102.103.104 80 -R 192.168.0.11 2345
The first line empties the portfw table, the second line adds a portfw rule (portfw -a) for the tcp packets (-P tcp) arriving at port 80 on the external interface of Machine 4 (-L 101.102.103.104 80), which states that those packets must be sent to port 2345 on Machine 2 (-R 192.168.0.11 2345).
And what about the replies from Machine 2 in response to the requests? Shouldn't there be a rule for that too? The answer is no, because this works similarly to masquerading. Machine 2 has no idea whatsoever that the request came from the outside. To Machine 2, it looks like the request came from Machine 4, so the answer goes to Machine 4. Machine 4 knows that this is in answer to a request from the outside that has been rerouted to Machine 2, so it sends the answer to the same machine the request came from.
This figure shows the stages of the ipchains process.
IPCHAINS, nomen est omen, hence there are chains, a minimum of three to be precise. We've always got an INPUT, FORWARD and OUTPUT chain and, optionally, one or more user-defined chains.
A chain contains rules that determine the fate of a packet based on its source address, destination address, source port, destination port, protocol-type or any combination of these.
If a packet matches a rule, the packet is sent to the chain specified in the target. This can be ACCEPT, DENY, MASQ, REDIRECT or RETURN or a user-defined chain.
ACCEPT means that the packet will pass through. DENY means that the packet is not accepted and thrown away without any form of notification to the sender. MASQ means that the packet will be masqueraded if it came from the localhost or demasqueraded if it is a response to an earlier sent masqueraded packet. MASQ is only allowed for the forward chain and the user-defined chains. REDIRECT will redirect packets to a local port. REDIRECT is only allowed for the input chain and for user-defined chains. REJECT means that the packet is not accepted and that the sender will be notified of this fact by means of an ICMP message. RETURN has the same effect as a packet reaching the end of a user-defined chain without match, i.e., the next rule in the previous chain will be checked. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
Descriptions of the various stages and their relationships:
- Checksum
The checksum is calculated on the header of the IP packet. If the checksum is incorrect, the packet is denied. The checksum field is the 16-bit one's complement of the one's complement sum of all 16-bit words in the header. For purposes of computing the checksum, the value of the checksum field is zero. See RFC791 for more information.
- Sanity
There is a sanity check before each firewall chain, but the check before the input chain is the most important. Some malformed packets might confuse the rule-checking code, and these are denied here (a message is printed to the syslog if this happens).
- INPUT
Let's say a packet arrives at eth0, has a correct checksum, and the sanity is ok too. The packet then enters the INPUT chain and is accepted, rejected or denied. The difference between deny and reject lies in the response sent to the sender of the packet. In case of deny, the sender is never notified, in case of reject, the sender is notified if the packet was not an ICMP packet.
- Demasquerade
In case masquerading is used, this is the step where the opposite is done. Afterward, the demasqueraded packet goes directly to the OUTPUT chain. If masquerading isn't used, the packet goes into the routing decision process.
- Routing decision
Here it is decided, based on the destination of the packet, if the packet should go to a local process on the same machine or to a process on another machine, in which case the packet is sent to the FORWARD chain.
- Local Process
This can be any local process that can accept and send packets.
- FORWARD
All packets arriving at this machine that are destined for another machine go through the FORWARD chain and are accepted, denied or rejected.
- OUTPUT
All packets that go out an interface pass through the OUTPUT chain and are accepted, denied or rejected.
The best way to secure things is to define what is allowed, consider everything else to be not allowed and see to it that what is not allowed is not possible.
How does this reflect on the usage of IPCHAINS ? Before explaining things, let's make a few functional assumptions in relation to the Firm's network:
We are running a nameserver on Machine 4
Packets from Machines 1-3 aimed at the outside world are masqueraded by Machine 4 and forwarded.
We can ping machines on our local net as well as machines in the outside world, but we ourselves do not respond to any pings from the outside world, i.e., arriving at our eth1 interface.
We are participating in a distributed.net project: rc564 cracking. We are running a proxy on Machine 4 that communicates with a server on the Internet. Machines 1-3 get their data from the proxy server and send their computed results to the proxy server.
Of course we also want to be able to view web-pages with http and https.
First, we delete all rules for all built-in chains:
# ipchains -F input
# ipchains -F forward
# ipchains -F output
Then we delete all user-defined chains:
# ipchains -X
The we tell ipchains to DENY all traffic:
# ipchains -P input DENY
# ipchains -P forward DENY
# ipchains -P output DENY
The next thing to do is allow traffic on a need basis. Let's start with forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward
We trust everything coming from the local Machines 1-3. Machine 4 receives this on its eth0 interface (192.168.0.1) and thus the ipchains commands needed are:
# ipchains -A input -i eth0 -j ACCEPT
# ipchains -A output -i eth0 -j ACCEPT
The same goes for the lo interface. Without this
definition, certain services, such as a caching DNS Server, will not
function correctly:
# ipchains -A input -i lo -j ACCEPT
# ipchains -A output -i lo -j ACCEPT
We want to be able to view web-pages. This is done via either the http or the https protocol which use port 80 and port 443 respectively:
# ipchains -A output -i eth1 -p tcp --dport 80 -j ACCEPT
# ipchains -A input -i eth1 -p tcp --sport 80 -j ACCEPT ! -y
# ipchains -A output -i eth1 -p tcp --dport 443 -j ACCEPT
# ipchains -A input -i eth1 -p tcp --sport 443 -j ACCEPT ! -y
# ipchains -A forward -p tcp -i eth1 -s 192.168.0.0/24 --dport 80 -j MASQ
# ipchains -A forward -p tcp -i eth1 -s 192.168.0.0/24 --dport 443 -j MASQ
We also want to enable our DNS, running on Machine 4, to do requests on other nameservers, DNS uses port 53 for sending the queries and for receiving the answers to the queries:
# ipchains -A output -i eth1 -p udp --dport 53 -j ACCEPT
# ipchains -A input -i eth1 -p udp --sport 53 -j ACCEPT
For the rc564 proxyserver running on Machine 4 which uses port 2064 to receive new and send computed keys, we need the following two lines:
# ipchains -A output -i eth1 -p tcp --dport 2064 -j ACCEPT
# ipchains -A input -i eth1 -p tcp --sport 2064 -j ACCEPT ! -y
We want to be able to ping hosts on the Internet. This is done with so-called ICMP packets. ICMP stands for Internet Control Message Protocol. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram or when the gateway can direct the host to send traffic on a shorter route. There are several ICMP types. Typing ipchains -h icmp will show you which types are valid:
Type Code Description
0 0 echo-reply (pong)
3 destination-unreachable
0 network-unreachable
1 host-unreachable
2 protocol-unreachable
3 port-unreachable
4 fragmentation-needed
5 source-route-failed
6 network-unknown
7 host-unknown
9 network-prohibited
10 host-prohibited
11 TOS-network-unreachable
12 TOS-host-unreachable
13 communication-prohibited
14 host-precedence-violation
15 precedence-cutoff
4 0 source-quench
5 redirect
0 network-redirect
1 host-redirect
2 TOS-network-redirect
3 TOS-host-redirect
8 0 echo-request (ping)
9 0 router-advertisement
10 0 router-solicitation
11 time-exceeded (ttl-exceeded)
0 ttl-zero-during-transit
1 ttl-zero-during-reassembly
12 parameter-problem
0 ip-header-bad
1 required-option-missing
13 0 timestamp-request
14 0 timestamp-reply
17 0 address-mask-request
18 0 address-mask-reply
Because we want to be able to ping hosts on the Internet, we need to allow outgoing echo-request or ping. Since we also want to be able to receive the answers to a ping, we must allow incoming echo-reply or pong:
# ipchains -A output -i eth1 -p icmp --icmp-type ping -j ACCEPT
# ipchains -A input -i eth1 -p icmp --icmp-type pong -j ACCEPT
We also allow incoming and outgoing destination-unreachable ICMP messages on both the internal (eth0) interface and the external (eth1) interface. These occur if a datagram can't be delivered to its destination.
# ipchains -A input -p icmp --icmp-type destination-unreachable -j ACCEPT
# ipchains -A output -p icmp --icmp-type destination-unreachable -j ACCEPT
If a gateway hasn't got the buffer space needed to queue the datagrams for output to the next network on the route to the destination network, it discards Internet datagrams and sends source-squench messages. On receipt of a source-quench message, the source host should cut back the rate at which it is sending traffic to the specified destination until it no longer receives source-quench messages from the gateway.
So we must also allow incoming and outgoing source-quench messages on both the internal (eth0) interface and the external (eth1) interface.
# ipchains -A input -p icmp --icmp-type source-quench -j ACCEPT
# ipchains -A output -p icmp --icmp-type source-quench -j ACCEPT
We do not allow redirect messages because this is not applicable in our situation. This kind of message is used to tell a host that there is a shorter route to a network via another gateway. We only have one gateway, Machine 4, so there is no need for it.
We do not allow router-advertisement and router-solicitation messages. These messages enable hosts attached to multicast or broadcast networks to discover the IP addresses of their neighboring routers. For more information, consult RFC1256.
Datagrams contain a field called TTL, which stands for Time To Live. This field is decremented by each gateway the datagram passes through. If a gateway sees that the value of the TTL field is zero, it will discard the datagram and notify the source of this situation by means of an ICMP time-exceeded message. We allow both incoming and outgoing ICMP time-exceeded messages on all interfaces:
# ipchains -A input -p icmp --icmp-type time-exeeded -j ACCEPT
# ipchains -A output -p icmp --icmp-type time-exeeded -j ACCEPT
If a datagram is discarded by a host or gateway because it can't be processed due to a problem with the header parameters, the host or gateway will send an ICMP parameter-problem message. We allow both incoming and outgoing ICMP parameter-problem messages on all interfaces:
# ipchains -A input -p icmp --icmp-type parameter-problem -j ACCEPT
# ipchains -A output -p icmp --icmp-type parameter-problem -j ACCEPT
We are also not interested in timestamp-request and timestamp-reply messages. For more information, consult RFC792.
A host can use ICMP address-mask-request messages to ask for the address mask of a certain machine. ICMP address-mask-reply messages are used to transmit the answer to the request. See RFC950 for more information if you're interested. We don't allow these type of messages because we don't need them.
Finally, we must allow the masquerading of any ICMP packet. As a result of the rules mentioned above, “any ICMP packet” can only be one of the packets we allow:
# ipchains -A forward -p icmp -i eth1 -s 192.168.0.0/24 -j MASQ
You don't have to know all icmp-types by heart. I've described them to point out that more happens than meets the eye. These topics are described in-depth in the RFC's 792, 950, and 1256, which are available from multiple sources on the Internet.
Linux kernels as of version 2.3.15 support a new framework designed for packet filtering called “netfilter” which must be compiled into the kernel. This is done by selecting “Networking options -->” which brings you to the “Networking options” page. Enabling the option “Network packet filtering” sets CONFIG_NETFILTER to “Y” and adds the “IP: Netfilter Configuration -->” option to the page. Selecting this option takes you to the “IP: Netfilter Configuration” page. You should at least enable the “Connection tracking (CONFIG_IP_NF_CONNTRACK)” and the “IP tables support (CONFIG_IP_NF_IPTABLES)”. The latter adds a lot of options from which you should at least enable “Connection state match support (CONFIG_IP_NF_MATCH_STATE)”, “Packet Filtering (CONFIG_IP_NF_FILTER)” and “Full NAT (CONFIG_IP_NF_NAT)”.
The user space tool iptables is used to tell the “netfilter” code in the kernel which packets to filter.
As the figure above shows, netfilter supports five different hooks in the protocol stack. Imagine for a moment that packets pass through a tube. A hook is a part in the tube, where an additional piece of tube can be inserted. In this piece of tube works a little man who examines and changes when needed, every passing packet based on his job description, the so called “rules”. The little man reports to his boss, netfilter, what to do with the packet.
By default five chains and three tables are supported. As the figure below shows, certain chains are only valid for certain tables.
The filter table is used for filtering packets. The filter table contains three chains. The INPUT chain is used for all packets that are for the firewall. The FORWARD chain is used for all packets that come from outside the firewall and are destined for another machine. The OUTPUT chain is used for all packets generated by the firewall.
The nat table is used for Network Address Translation. The nat table contains three chains. The PREROUTING chain is the first used to alter packets. The OUTPUT chain is used to alter packets generated by the firewall. The POSTROUTING chain is the last chain where packets can be altered as they leave the firewall.
The mangle table is used to mangle packets. We can change several things but we can't do masquerading or network address translation here. The mangle table contains two chains. The PREROUTING chain is the first chain alter packets. The OUTPUT chain is used to alter packets generated by the firewall.
Firewalls that are able to do connection tracking are called Stateful Firewalls. What it comes down to is that connections are tracked by remembering what (type of) packets have been received and sent.
Incoming packets in response to a ping, for instance, can be accepted by the firewall because the firewall knows that we've caused this ourselves by doing the ping in the first place.
The iptables option used for connection tracking is the “--state” option.
The manual page describes this as follows:
- state
This module, when combined with connection tracking, allows access to the connection tracking state for this packet.
- --state state
Where state is a comma-separated list of the connection states to match.
Possible states are:
- INVALID
- ESTABLISHED
The packet is associated with a connection which has seen packets in both directions.
- NEW
The packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions.
- RELATED
The packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
There are two modules for connection tracking:
Conntrack hooks in at PREROUTING, FORWARD, OUTPUT and POSTROUTING.
Each rule specifies what to do with a packet matching the rule. The “what-to-do” part is called the target. Standard targets always present are:
ACCEPT means let the packet through.
DROP means throw the packet on the floor
QUEUE means pass the packet to user space.
RETURN means stop traversing this chain and resume at the next rule in the previous calling chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN matches the packet, the target specified in the chain policy determines the fate of the packet.
Included in the standard distribution are a number of target extensions for which support in the kernel must be enabled if you wish to use them. Consult the man page of iptables for further details. Most of these targets have options. The extension LOG for instance, has the following five options: “--log-level”, “--log-prefix”, “--log-tcp-sequence”, “--log-tcp-options”, “--log-ip-options”. Please consult the man page for details on options per target.
The extended target modules included in the distribution are:
- LOG
Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (such as most IP header fields) via printk().
- MARK
This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.
- REJECT
This is used to send back an error packet in response to the matched packet; otherwise, it is equivalent to DROP. This target is only valid in the INPUT, FORWARD and OUTPUT chains and user-defined chains which are only called by those chains.
- TOS
This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.
- MIRROR
This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains and user-defined chains which are only called by those chains.
- SNAT
This target is only valid in the the POSTROUTING chain of the nat table. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined.
- DNAT
This target is only valid in the PREROUTING, OUTPUT and user-defined chains (which are only called by those chains) of the nat table. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined.
- MASQUERADE
This target is only valid in the POSTROUTING chain of the nat table. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).
- REDIRECT
This target is only valid in the PREROUTING, OUTPUT and user-defined chains (which are only called by those chains) of the nat table. It alters the destination IP address to send the packet to the machine itself (locally-generated packets are mapped to the 127.0.0.1 address).
Each rule specifies what to do with a packet matching that rule. The “match” part is implemented by packet matching modules. Most of these modules support options. Please consult the man page for detailed information on the options.
The following modules are included in the distribution:
- tcp
These extensions are loaded if “--protocol tcp” is specified, and no other match is specified.
- udp
These extensions are loaded if “--protocol udp” is specified, and no other match is specified.
- icmp
This extension is loaded if “--protocol icmp” is specified, and no other match is specified.
- mac
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering the PREROUTING, FORWARD or INPUT chains for packets coming from an ethernet device.
- limit
This module matches at a limited rate using a token bucket filter: it can be used in combination with the LOG target to give limited logging. A rule using this extension will match until this limit is reached (unless the “!” flag is used).
- multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.
- mark
This module matches the netfilter mark field associated with a packet (which can be set using the MARK target).
- owner
This module attempts to match various characteristics of the packet creator for locally-generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner and hence, never match.
- state
This module, when combined with connection tracking, allows access to the connection tracking state for this packet.
- unclean
This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental.
- tos
This module matches the 8 bits of Type of Service field in the IP header (ie. including the precedence bits).
We all remember The Firm's network from the previous section. Let's visit it again. The picture below shows The Firm's network and the possible combinations of traffic initiation/destination.
We are running a DNS on the Firewall that needs to be able to consult other DNSes on the Internet (which use the UDP protocol and listen to PORT 53). We want to be able to use ssh (which uses the TCP protocol and port 22) to connect to other systems on the Internet. We are participating in a distributed.net project RC564 cracking and are running a proxy server on the Firewall (which uses the TCP protocol and PORT 2064 to communicate with the keyserver). We want to be able to ping hosts on the Internet (ping uses the ICMP protocol and message type “ping”). The Firewall communicates with the Internet through interface eth1. Taking all this into consideration, the iptables commands we need are:
iptables -t filter -A OUTPUT -o eth1 -p udp --destination-port dns \
-m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -p tcp --destination-port ssh \
-m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -p tcp --destination-port 2064 \
-m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -p icmp --icmp-type ping \
-m state --state NEW -j ACCEPT
These four iptables commands tell the firewall to allow outgoing connection-initialization packets for dns, ssh, RC564 cracking and ping.
We want to be able to use ssh, which uses the TCP protocol and port 22, to connect to our Firewall from other systems on the Internet. The iptables commands we need are:
iptables -t filter -A INPUT -i eth1 -p tcp --destination-port ssh \
-m state --state NEW -j ACCEPT
This iptables command tells the firewall to allow incoming connection initialization packets for ssh.
We want to be able to use ssh, which uses the TCP protocol and port 22, to connect to one of our internal machines from our Firewall. The iptables commands we need are:
iptables -t filter -A OUTPUT -o eth0 -p tcp --destination-port ssh \
-m state --state NEW -j ACCEPT
This iptables command tells the Firewall to allow outgoing SSH connection initialization packets destined for a machine on the Internal Network.
The machines on the internal network, using the dns of the firewall, must be able to connect to the firewall using ssh, are processing RC564 keys, must be able to talk to the proxy on the firewall using port 2064 and must be able to ping the Firewall for system administrative purposes. The iptables commands we need are:
iptables -t filter -A INPUT -i eth0 -p udp --destination-port dns \
-m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp --destination-port ssh \
-m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp --destination-port 2064 \
-m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type ping \
-m state --state NEW -j ACCEPT
These four iptables commands tell the Firewall to allow incoming connection-initialization packets for dns, ssh, RC564 cracking and ping.
Every connection from a machine on the internal network to a machine on the Internet is allowed. The iptables commands we need are:
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
This iptables command tells the Firewall to allow ALL outgoing connection initialization packets.
This does not occur because our local network uses private IP addresses that can't be used on the Internet. Our local machines aren't visible from the Internet.
What we could do to make one of our machines available on the Internet is to let people connect to a certain port on the firewall and use NAT to redirect them to a port on one of the machines on the Internal Network.
Suppose Machine 2 has a web-server (or some other program) running which listens to port 2345 and people from the outside must be able to connect to that program. Since The Firm is using private IP addresses for their Internal Network, Machine 2 is not visible on the Internet. The solution here is to tell Machine 4 that all data from the outside that is aimed at port 80 should be routed to port 2345 on Machine 2. The iptables commands we need are:
iptables -t nat -A PREROUTING -i eth1 -p tcp --destination-port 80 \
-j DNAT --to-destination 192.168.0.11:2345
iptables -t filter -A FORWARD -i eth1 -p tcp --destination-port 2345 \
-m state --state NEW -j ACCEPT
The first line changes the destination address and port. Since this then becomes traffic aimed at another machine, the traffic must pass the FORWARD filter. The second line sees to it that that happens.
So far, we've only specified that connection initiation traffic is allowed, but that is not enough. We also must allow ESTABLISHED and RELATED traffic.
Let's tell the firewall that all ESTABLISHED and RELATED traffic,
regardless of type, interface etc. is allowed. We must also allow
the initiation of traffic on the firewalls
lo interface because otherwise some services,
such a a caching DNS server, will not work. We need the
following iptables commands to realize this:
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -m state --state NEW -i lo -j ACCEPT
Remember that this can't be a problem because the packets are a result of the fact that we've accepted the initiation of the connection in the first place.
Adding stuff to start with a clean sheet and telling the firewall to masquerade packets from the internal network aimed at the Internet can be accomplished with the following commands:
################################################################################
# FLUSH ALL RULES IN THE MANGLE, NAT AND FILTER TABLES
################################################################################
iptables -t mangle -F
iptables -t nat -F
iptables -t filter -F
################################################################################
# DELETE ALL USER-DEFINED (NOT BUILT-IN) CHAINS IN THE TABLES
################################################################################
iptables -t mangle -X
iptables -t nat -X
iptables -t filter -X
################################################################################
# SET ALL POLICIES FOR ALL BUIL-IN CHAINS TO DROP
################################################################################
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
################################################################################
# (1) TRAFFIC INITIATED BY THE FIREWALL DESTINED FOR THE INTERNET
# DNS, SSH, RC564, PING
################################################################################
# ALLOW INITIATION BY THE FIREWALL
iptables -t filter -A OUTPUT -o eth1 -p udp --destination-port dns \
-m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -p tcp --destination-port ssh \
-m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -p tcp --destination-port 2064 \
-m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -p icmp --icmp-type ping \
-m state --state NEW -j ACCEPT
# ALLOW INCOMING RESPONSES
iptables -t filter -A INPUT -i eth1 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
################################################################################
# (2) TRAFFIC INITIATED BY THE OUTSIDE DESTINED FOR THE FIREWALL
# SSH
################################################################################
# ALLOW INITIATION
iptables -t filter -A INPUT -i eth1 -p tcp --destination-port ssh \
-m state --state NEW -j ACCEPT
# ALLOW RESPONSE
iptables -t filter -A OUTPUT -o eth1 -p tcp --destination-port ssh \
-m state --state ESTABLISHED,RELATED -j ACCEPT
################################################################################
# (3) TRAFFIC INITIATED BY THE FIREWALL DESTINED FOR THE INTERNAL NETWORK
# SSH
################################################################################
# ALLOW INITIATION
iptables -t filter -A OUTPUT -o eth0 -p tcp --destination-port ssh \
-m state --state NEW -j ACCEPT
# ALLOW RESPONSE
iptables -t filter -A INPUT -i eth0 -p tcp --destination-port ssh \
-m state --state ESTABLISHED,RELATED -j ACCEPT
################################################################################
# (4) TRAFFIC INITIATED BY THE INTERNAL NETWORK DESTINED FOR THE FIREWALL
# DNS, SSH, RC564, PING
################################################################################
# ALLOW INITIATION
iptables -t filter -A INPUT -i eth0 -p udp --destination-port dns \
-m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp --destination-port ssh \
-m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp --destination-port 2064 \
-m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type ping \
-m state --state NEW -j ACCEPT
# ALLOW RESPONSE
iptables -t filter -A OUTPUT -o eth0 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
################################################################################
# (5) TRAFFIC INITIATED BY THE INTERNAL NETWORK DESTINED FOR THE OUTSIDE
# EVERYTHING WE CAN INITIATE IS ALLOWED
################################################################################
# ALLOW INITIATION OF EVERYTHING
iptables -t filter -A FORWARD -i eth0 -o eth1 \
-m state --state NEW -j ACCEPT
# ALLOW RECEPTION
iptables -t filter -A FORWARD -i eth1 -o eth0 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
################################################################################
# (6) TRAFFIC INITIATED BY THE OUTSIDE DESTINED FOR THE INTERNAL NETWORK
# ALL FORBIDDEN, EXCEPT WEBSERVER FORWARDING TO INTERNAL MACHINE
################################################################################
# ALLOW DESTINATION NAT FROM FIREWALL:80 TO INTERNAL MACHINE:2345
iptables -t nat -A PREROUTING -i eth1 -p tcp --destination-port 80 \
-j DNAT --to-destination 192.168.0.11:2345
iptables -t filter -A FORWARD -i eth1 -p tcp --destination-port 2345 \
-m state --state NEW -j ACCEPT
################################################################################
# (!) TRAFFIC AS A RESULT OF INITIATED TRAFFIC
# ALL ALLOWED
################################################################################
# ALLOW ALL PACKETS RESULTING FROM ALLOWED CONNECTIONS
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -m state --state NEW -i lo -j ACCEPT
################################################################################
# MASQUERADE PACKAGES FROM OUR INTERNAL NETWORK DESTINED FOR THE INTERNET
# THIS IS SNAT (SOURCE NAT)
################################################################################
iptables -t nat -A POSTROUTING -i eth0 -o eth1 -s 192.168.0.0/24 -j MASQUERADE
################################################################################
# ENABLE FORWARDING
################################################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
Firewall rules can be saved and restored easily by using the
commands ipchains-save, which writes to
stdout and ipchains-restore,
which reads from stdin. Assuming we use the
file fwrules.saved to save/restore the rules,
the two commands are:
ipchains-save > fwrules.saved
ipchains-restore < fwrules.saved
Similar commands exist for iptables:
iptables-save > fwrules.saved
iptables-restore < fwrules.saved
DoS attackers misuse the fact that resources on the Internet are limited and that services can be disrupted by taking away (one of) their resources: storage-capacity, bandwith or processor-capacity. This is done by “packet flooding”.
Packet flooding can be done with TCP, ICMP and UDP.
When using TCP mostly the SYN, ACK and RST flags are used.
When using ICMP, the message types echo request and echo reply are used. This is called “ping-flooding”.
When using UDP, the chargen and echo UDP services are used.
Also, two systems can be played out against each other by a third system. The third system changes the source IP-address of the packages it sends to the first system to that of the second system. The first system then thinks the packets came from the second system and starts sending replies to the second system. This method is called “DoS with IP address spoofing”.
Check the site http://www.cert.org/ for a complete history of DoS and DDos (Distributed DoS) attacks. And have a look at RFC2827 which describes Network Ingress Filtering, a method to prevent IP address spoofing. This doesn't prevent DoS attacks but makes it possible to trace the real IP address of the offender.
PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time. Some of its more useful features include:
Runs on TCP and UDP sockets to detect port scans against your system. PortSentry is configurable to run on multiple sockets at the same time so you only need to start one copy to cover dozens of tripwired services.
Stealth scan detection (Linux only right now). PortSentry will detect SYN/half-open, FIN, NULL, X-MAS and oddball packet stealth scans. Four stealth scan operation modes are available for you to choose from.
PortSentry will react to a port scan attempt by blocking the host in real-time. This is done through configured options of either dropping the local route back to the attacker, using the Linux ipfwadm/ipchains command, *BSD ipfw command and/or dropping the attacker host IP into a TCP Wrappers hosts.deny file automatically.
PortSentry has an internal state engine to remember hosts that connected previously. This allows the setting of a trigger value to prevent false alarms and detect “random” port probing.
PortSentry will report all violations to the local or remote syslog daemons indicating the system name, time of attack, attacking host IP and the TCP or UDP port a connection attempt was made to. When used in conjunction with Logcheck it will provide an alert to administrators through e-mail.
Once a scan is detected your system will turn into a black hole and disappear from the attacker. This feature stops most attacks cold.
After you've downloaded the correct version, and untarred it, you've
got a directory portsentry-x.y which contains
the portsentry files and some README files. The information
below comes from those README files.
The first thing to do is verify (and change if appliccable) the
contents of the portsentry_config.h file:
The second thing to do is verify (and change if appliccable) the
contents of the portsentry.conf file:
TCP_PORTS - A comma delimited string of TCP ports you want PortSentry to listen to. This string CANNOT have any spaces in it. You can list as many sockets as you would like. PortSentry will try to bind them all up until the default limit of 64.
UDP_PORTS - The same as above, except for UDP ports. You need to be very careful with UDP mode as an attacker can forge a port sweep and make you block any number of hosts. Use this option with caution or not at all if your host is a well-known Internet connected system.
ADVANCED_PORTS_TCP - A value indicating the highest port number to monitor down from. Any port *below* this number is then monitored. The default is 1024 (reserved port range), but can be as large as 65535 (system max). I don't recommend going over 1024 with this option.
ADVANCED_EXCLUDE_TCP - A comma delimited string of TCP ports that should be manually excluded from monitoring in Advanced mode. These are normally ports that may get hit by mistake by remote clients and shouldn't cause alarms (ident, SSL, etc).
IGNORE_FILE - The path to the file that contains IP addresses of hosts you want to always be ignored. This will be explained later.
BLOCKED_FILE - The path to the file that contains the IP addresses of blocked hosts.
RESOLVE_HOST - This option turns off DNS resolution for hosts. If you have a slow DNS server it may be more effective to turn off resolution.
BLOCK_UDP - This option disables all automatic responses to UDP probes. Because UDP can be easily forged, it may allow an attacker to start a denial of service attack against the protected host, causing it to block all manner of hosts that should normally be left alone. Setting this option to “0” will disable all responses, although the connects are still logged. This option is mainly useful for Internet exposed hosts. For internal hosts you should leave this enabled. If someone internally is firing spoofed packets at you, then you have a much bigger problem than a denial of service.
BLOCK_TCP - Same as above, but for TCP. Packet forgery is not as big a problem though because PortSentry waits for a full connect to occur and this is much harder to forge in the basic modes. Leave this enabled, even for Internet connected hosts. For stealth-scan detection modes, the UDP warning applies: Using packet forgery, an attacker can cause you to incorrectly block hosts.
KILL_ROUTE - This is the command to drop the offending route if an attack is detected. This is the *full path* to the route command along with the necessary parameters to make the command work. The macro $TARGET$ will be substituted with the attacking host IP and is REQUIRED in this option. Your gateway should be a *dead host* on the local subnet. On some systems, you can just use the localhost address (127.0.0.1) and it will probably work. All packets from the target host will be routed to this address, so be careful!. More modern route commands will include a “-blackhole” or “-reject” flag. Check the man pages and, if your route command supports this feature, you should use it (although we recommend using packet filtering instead, see below).
KILL_HOSTS_DENY - This is the format of the string to drop into the
hosts.denyfile that TCP wrapper uses. Again the $TARGET$ macro is expanded out to be the IP of the attacker and is required. You can also drop in any TCP wrapper escape codes (%h, twist, etc). The macro $PORT$ will substitute the port hit by the attacker, but this is NOT required for this option. The macro $MODE$ reports which mode the blocking occurred (tcp, udp, stcp, sudp, atcp, audp), but is also NOT required.KILL_RUN_CMD - This is a command to run *before* the route is dropped to the attacker. You can put in any program/script you want executed when an attack is detected. Putting in retaliatory actions against an attacking host is not recommended . Virtually every time you're are port scanned, the host doing the scanning has been compromised itself. Therefore, if you retaliate, you are probably attacking an innocent party. Also the goal of security is to make the person GO AWAY. You don't want to irritate them into making a personal vendetta against you. Remember, even a 13 year old can run a [insert favorite D.O.S. program here] attack against you from their Windows box to make your life miserable. As above, the $TARGET$, $PORT$ and $MODE$ macros are available to you, but they are not required with this option.
KILL_RUN_CMD_FIRST - Setting this to “0” tells the command above to run before the route is dropped. Setting it to “1” makes the command run after the blocking has occurred.
SCAN_TRIGGER - PortSentry has a state engine that will remember hosts that have connected to it. Setting this value will tell PortSentry to allow X number of grace port hits before it reacts. This will detect both sequential and random port sweeps. The default is 0 which will react immediately. A setting of 1 or 2 will reduce false alarms, anything higher is probably too much as anything more than 3 hits to different ports is pretty suspicious behavior. Usually you can leave this at 0 without any problem except in Advanced stealth-scan detection modes where you may create a “hair trigger” if you aren't careful. Use your own discretion.
PORT_BANNER - A text banner you want displayed to the connecting host if the PortSentry is activated. Leave this commented out if you don't want this feature. If you do use it, try not to taunt the person too much. It is best to keep it professional and to the point. The banner is *not* displayed when stealth scan detection modes are used.
The third thing to do is to pull the portsentry.ignore file into your editor and add any host you want ignored if it connects to a tripwired port. This should always contain at least the localhost (127.0.0.1) and the IP's of the local interfaces. It is *not* recommended to put in every machine IP on your network, but you can use a netmask to do this. The format for this is:
<IP Address>/<Netmask Bits>
192.168.2.0/24
192.168.0.0/16
etc.
It is not recommended to ignore too much. It may be important for you to see who is connecting to you, even if it is a “friendly” machine. This can help you detect internal host compromises faster. To answer your question: yes, this does happen, and there have been cases of administrators ignoring too much and getting hacked by their own machines as a result.
The fourth thing to do is compile the package. Type
make and pick your system type and allow it to
build and install. The default directory is
/usr/local/psionic/portsentry. If you don't like
this directory just edit the Makefile and make
sure your portsentry.conf and
portsentry_config.h files reflect the new path.
Type make install after the build to have it copy files to your install directory.
The fifth thing to do is start up PortSentry. PortSentry has six modes of operation. Only one protocol mode type can be started at a time (i.e., one TCP mode and one UDP mode). The available modes are:
portsentry -tcp (basic port-bound TCP mode). PortSentry will check the config files and then bind to all TCP ports in the background. To check the init status, just look in the local syslog file to which messages are sent.
portsentry -udp (basic port-bound UDP mode). PortSentry will check the config files and then bind to all UDP ports in the background. If you want to check the init status you, just look in the local syslog to which messages are sent. UDP/Stealth scan warnings apply (read: README.stealth).
portsentry -stcp (Stealth TCP scan detection). PortSentry will use a raw socket to monitor all incoming packets. If an incoming packet is destined for a monitored port it will react to block the host. This method will detect connect() scans, SYN/half-open scans and FIN scans. UDP/Stealth scan warnings apply (read: README.stealth).
portsentry -atcp (Advanced TCP stealth scan detection). PortSentry will start by making a list of all the ports listening in the port area under the ADVANCED_PORTS_TCP option and will then create an exclusion list based on these ports. Any host connecting to *any port* in this range that is *not excluded* (i.e., not a listening network daemon [SMTP, HTTP, etc.]) is blocked. This has some very powerful implications that you should be aware of: (1) This mode is the m ost sensitive and the most effective of all the protection options. It reacts to port probes with lightning speed because you don't have to wait for them to hit a tripwired port. (2) Because it reacts so abruptly, you may cut off legitimate traffic. An FTP site may send an ident request to you. If you are monitoring the ident port (113 TCP) then you have just cut off the FTP site you were going to! As a result you should put in this list all ports that fall into this situation.
Advanced Logic Mode - PortSentry is intelligent about how it monitors ports. For some protocols such as FTP, the client actually opens up ports in the ephemeral range (1024-65535) and the server then connects *back* to you. This would normally cause the port scanner to activate. However, PortSentry will look at the incoming connection and determine if it is destined for one of these “temporary” bindings. If it is, then the connection is ignored for that one time. As soon as the connection is torn down the window closes and full protection is back again. This is, in fact, a rudimentary stateful inspection engine. UDP/Stealth scan warnings apply (read: README.stealth).
portsentry -sudp ("Stealth" UDP scan detection). This operates in a manner similar to the TCP stealth mode above. UDP ports need to be listed and are then monitored. This does not bind any sockets, and while not really “stealth” scan detection (doesn't usually apply to UDP), it operates in a similar manner (reacts to *any* UDP packet). UDP/Stealth scan warnings apply (read: README.stealth).
portsentry -audp (Advanced “Stealth” UDP scan detection). This is the same as above except for the UDP protocol. This is a very advanced option and can cause false alarms. This is because PortSentry makes no distinction between broadcast and direct traffic. If you have a router on your local network putting out RIP broadcasts then there is a good chance you will block them. Use this option with extreme caution. You need to be sure to put exclusions into the ADVANCED_EXCLUDE_UDP line (i.e., 520 [RIP]) UDP/Stealth scan warnings apply (read: README.stealth).
Now we're ready to test the installation: Tail the local log and you should see several PortSentry initialization messages. A successful startup looks like this:
Oct 9 09:11:35 nemesis portsentry[1644]: adminalert: portsentry is starting.
Oct 9 09:11:36 nemesis portsentry[1644]: adminalert: Going into listen mode on
TCP port: 143
. . .
Oct 9 09:11:37 nemesis portsentry[1644]: adminalert: PortSentry is now active
and listening.
The last line indicates the PortSentry is properly initialized, If you don't see this then something has failed.