Sunday, February 3, 2013

How to use Portsentry with notifications and iptables firewall rule expiration

How to use Portsentry with notifications and iptables firewall rule expiration


The following is how I use Portsentry to block port-scan activity.

By default Portsentry detects and blocks the given IPs/ports, but it will not expire the iptables rules after a given time; here I have also written a script to do that job.


#Port Sentry On ubuntu 12.04
# Needs root. The package puts its configuration under /etc/portsentry/, the
# same directory the KILL_RUN_CMD entry below points at for notify.sh.
apt-get install portsentry


#I use the following config entries for my setup

#######################Start of Config file  entries################################
#######################
# Port Configurations #
#######################
#Under the Port Configurations first set is enabled.[comprehensive set]
# Any connection to one of these ports counts as a probe. Note the list contains
# service ports such as 80, 110 and 143: if this host legitimately serves one of
# them, every client of that service will be blocked -- remove the ports you
# actually serve before enabling this set.
TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"

##################
# Ignore Options #
##################

# "1" blocks the offending address (KILL_ROUTE and KILL_RUN_CMD below are run)
# for the respective protocol, per portsentry.conf.
BLOCK_UDP="1"
BLOCK_TCP="1"



###################
# Dropping Routes:#
###################

# Inserts the DROP rule at the top of INPUT. delete_fw_entries.sh later removes
# it with the mirror image "-D INPUT -s <ip> -j DROP", so if this rule is
# changed the deletion in that script must be changed to match.
# Blocking is keyed only on the packet's source address, which for UDP probes
# is unauthenticated; list your gateway, DNS servers and monitoring hosts in
# the IGNORE_FILE so they cannot be locked out by a spoofed probe.
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"



###################
# External Command#
###################
# Spacing around "=" kept exactly as in the stock portsentry.conf.
# "0": the command runs after the route is dropped, "1" would run it first.
KILL_RUN_CMD_FIRST = "0"
#
#
# $TARGET$ $PORT$ $MODE$ arrive in notify.sh as $1 $2 $3 (see the script below).
KILL_RUN_CMD="/etc/portsentry/scripts/notify.sh $TARGET$ $PORT$ $MODE$"

#This script sends the notification when a scan is triggered



#####################
# Scan trigger value#
#####################

# Number of monitored-port hits allowed before the host is blocked
# (per portsentry.conf; "0" reacts on the first hit).
SCAN_TRIGGER="2"

#######################End of Config file entries ################################


Below are the scripts used for Portsentry



#----------------------------------Notification script-----------------------------------------------------
##/etc/portsentry/scripts/notify.sh


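#!/bin/bash
# notify.sh -- mail an alert when Portsentry blocks a host.
#
# Invoked by Portsentry through KILL_RUN_CMD as:
#   notify.sh <target> <port> <mode>
# Arguments:
#   $1 - address that triggered the block ($TARGET$)
#   $2 - port that was probed ($PORT$)
#   $3 - Portsentry mode string ($MODE$)
# Outputs:   nothing on stdout; the alert goes out through mail(1)
# Returns:   mail(1)'s exit status, or 2 when arguments are missing

set -u

# The three values always come from Portsentry, but a mis-edited KILL_RUN_CMD
# should be noticed rather than produce an alert with blanks in it.
if (( $# < 3 )); then
  printf 'usage: %s <target> <port> <mode>\n' "${0##*/}" >&2
  exit 2
fi

readonly TARGET=$1
readonly PORT=$2
readonly MODE=$3

# printf, not echo: the values are data and must never be read as echo
# options or as a format string.
printf '%s\n' "Attack reported-${TARGET}- ${PORT} - ${MODE}" \
  | mail -s 'Unauthorized Port scan  Alert' email@address.com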



------------------------------------------------------------------------------------------------------------


-----------Firewall rules expiration script------------------------------------------------------------------
#delete_fw_entries.sh
#This script runs as a cron job every 5 minutes



#!/bin/bash


# Portsentry block-list files, one line per blocked host.
readonly BLOCKED_LIST_TCP="/var/lib/portsentry/portsentry.blocked.tcp"
readonly BLOCKED_LIST_UDP="/var/lib/portsentry/portsentry.blocked.udp"

# Minutes a DROP rule stays in place before this script removes it.
readonly FW_EXPIRE_TIME=10

# Absolute tool paths (handy under cron, which does not carry a full PATH).
readonly ECHO=/bin/echo
readonly TOUCH=/usr/bin/touch
readonly CAT=/bin/cat
readonly AWK=/usr/bin/awk
readonly DATE=/bin/date
readonly EXPR=/usr/bin/expr
readonly TR=/usr/bin/tr
readonly CUT=/usr/bin/cut
readonly IPTABLE=/sbin/iptables
readonly SED=/bin/sed
#
#DO NOT CHANGE BELOW THIS LINE--------------------------------------------
#

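#######################################
# Compute how long ago a block was placed.
# Globals:   DATE (read; falls back to date(1) on PATH when unset)
#            BLOCKED_TIME CURRENT_TIME TIME_DIFF_IN_SEC TIME_DIFF_IN_MIN (written)
# Arguments: $1 - epoch seconds of the block (first field of a block-list line)
# Returns:   0 on success; 1 when $1 is not a non-negative integer, with the
#            TIME_DIFF_* globals cleared so a malformed entry cannot inherit
#            the previous entry's difference
#######################################
get_time_diff() {
  BLOCKED_TIME=$1
  if [[ ! "${BLOCKED_TIME}" =~ ^[0-9]+$ ]]; then
    printf 'get_time_diff: not a timestamp: %s\n' "${BLOCKED_TIME}" >&2
    TIME_DIFF_IN_SEC=
    TIME_DIFF_IN_MIN=
    return 1
  fi
  CURRENT_TIME=$("${DATE:-date}" +%s)
  # Shell arithmetic instead of expr(1): same truncating integer division,
  # no extra process per entry.
  TIME_DIFF_IN_SEC=$(( CURRENT_TIME - BLOCKED_TIME ))
  TIME_DIFF_IN_MIN=$(( TIME_DIFF_IN_SEC / 60 ))
}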



#Get the blocked list entries for processing



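#######################################
# Print the entries of a Portsentry block-list file, one per line, with all
# spaces removed so the ':' and '/' field positions used by the cut(1) parsing
# below do not depend on Portsentry's spacing. Empty lines are dropped so they
# never reach the sed/iptables calls.
# Globals:   TR AWK (read; fall back to the PATH tools when unset)
# Arguments: $1 - path of the block-list file
# Outputs:   cleaned entries on stdout
# Returns:   0; an unreadable file produces a warning on stderr and no output
#######################################
load_blocked_entries() {
  local list_file=$1
  if [[ ! -r "${list_file}" ]]; then
    printf 'warning: block list %s is not readable, skipping\n' "${list_file}" >&2
    return 0
  fi
  "${TR:-tr}" -d ' ' < "${list_file}" | "${AWK:-awk}" 'NF'
}

# One array element per entry; mapfile keeps each line intact (no word
# splitting or glob expansion of the file's contents).
mapfile -t BLOCKED_LIST_TCP_ARRAY < <(load_blocked_entries "${BLOCKED_LIST_TCP}")
mapfile -t BLOCKED_LIST_UDP_ARRAY < <(load_blocked_entries "${BLOCKED_LIST_UDP}")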

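#######################################
# Remove expired Portsentry blocks for one protocol.
# For each entry (a block-list line with spaces stripped) extract the blocked
# address and the block timestamp; once the block is older than FW_EXPIRE_TIME
# minutes delete the matching DROP rule and remove the line from the
# block-list file so Portsentry may block that host again.
# Globals:   CUT SED IPTABLE FW_EXPIRE_TIME (read); get_time_diff sets
#            TIME_DIFF_IN_MIN
# Arguments: $1   - block-list file to edit in place
#            $2.. - entries loaded from that file
# Outputs:   progress lines on stdout (cron mails them), problems on stderr
# Returns:   0
#######################################
expire_blocked_entries() {
  local list_file=$1
  shift
  local entry blocked_ip blocked_at ip_pattern

  for entry in "$@"; do
    # Entry layout assumed: "<epoch>-<date>Host:<host>/<addr>Port:<n><proto>Blocked".
    # Field 4 of the ':' split is "<host>/<addr>Port"; its first '/'-component
    # is taken as the blocked address.
    # NOTE(review): if Portsentry resolves hostnames that first component may
    # be a reverse-DNS name rather than the IP -- confirm against a real file.
    blocked_ip=$(printf '%s\n' "${entry}" | "${CUT}" -d ':' -f4 | "${CUT}" -d '/' -f1)
    blocked_at=$(printf '%s\n' "${entry}" | "${CUT}" -d '-' -f1)

    # The address becomes an iptables argument and part of a sed pattern, so
    # only a plain dotted quad is accepted; anything else (reverse-DNS text,
    # a truncated line) is reported and left in the file for a human to check.
    if [[ ! "${blocked_ip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ || ! "${blocked_at}" =~ ^[0-9]+$ ]]; then
      printf 'skipping unparsable entry in %s: %s\n' "${list_file}" "${entry}" >&2
      continue
    fi

    get_time_diff "${blocked_at}"
    echo "time${TIME_DIFF_IN_MIN}"
    echo "ip - ${blocked_ip}"

    if (( TIME_DIFF_IN_MIN >= FW_EXPIRE_TIME )); then
      echo "need to flush"
      # Best effort: a rule that is already gone must not stop the remaining
      # entries from being processed, but it is reported.
      "${IPTABLE}" -D INPUT -s "${blocked_ip}" -j DROP \
        || printf 'warning: could not delete DROP rule for %s\n' "${blocked_ip}" >&2
      # Delete only this block's line: anchored on the timestamp and requiring
      # the address, so two hosts blocked in the same second do not both lose
      # their entry, and 10.0.0.1 does not match 10.0.0.10.
      # NOTE(review): sed -i rewrites the file; a block Portsentry appends
      # while this runs could be lost -- confirm whether that matters here.
      ip_pattern=${blocked_ip//./\\.}
      "${SED}" -i "/^${blocked_at}[^0-9].*${ip_pattern}[^0-9]/d" "${list_file}"
    else
      echo "wait and see"
    fi
  done
}

#TCP
expire_blocked_entries "${BLOCKED_LIST_TCP}" "${BLOCKED_LIST_TCP_ARRAY[@]}"

#UDP
expire_blocked_entries "${BLOCKED_LIST_UDP}" "${BLOCKED_LIST_UDP_ARRAY[@]}"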






------------------------------------------------------------------------------------------------------------


REF:-http://www.symantec.com/connect/articles/portsentry-attack-detection-part-one
REF:-http://www.symantec.com/connect/articles/portsentry-attack-detection-part-two

