Chapter 6. Additional Products

Table of Contents

6.1. Introduction
6.2. Portsentry
6.2.1. Getting Portsentry
6.2.2. Configuring Portsentry
6.3. NMAP
6.3.1. Getting and Installing NMAP
6.3.2. Using nmap

6.1. Introduction

The NetBSD release comes ready to roll with a host of advanced networking capabilities. However, an administrator may wish to use additional or alternative software. This section looks at other software that can run on NetBSD the administrator may find of interest.

6.2. Portsentry

The portsentry utility is a great tool. In a nutshell, portsentry watches your system for scans and connection attempts and then will take action to block a possible attacker. The main weakness portsentry has is that it takes one connection attempt for portsentry to determine that the host attempting to connect is hostile, so, if the first attempt is successful, you are still out of luck.

6.2.1. Getting Portsentry

Portsentry can be retrieved and installed using the pkgsrc system:

cd /usr/pkgsrc/security/portsentry
make && make install

6.2.2. Configuring Portsentry

On NetBSD, portsentry is configured in /usr/pkg/etc/portsentry.conf

6.2.2.1. Port Configurations

In the configuration file there are three sets of ports shown, of these, one for tcp and one for udp must be selected by uncommenting the line, the default is to use the middle sets, they should look something like this:

# Un-comment these if you are really anal:
TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,
635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32
771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,66
6,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
#TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,
20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31
337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32
772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,543
21"

6.2.2.2. Advanced Stealth Detection

The number of ports portsentry should monitor in advanced mode, all of the ports below the listed number(s) are monitored this way:

ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"

Additionally in this section portsentry can be told certain items to exclude (such as loud NetBIOS services):

# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"

6.2.2.3. Configuration Files

Where files live, on NetBSD this is under /usr/pkg/*:

# Hosts to ignore
IGNORE_FILE="/usr/pkg/etc/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/pkg/etc/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/pkg/etc/portsentry.blocked"

6.2.2.4. Response Options

This section is pretty straightforward just as it says in the file:

# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

6.2.2.5. Dropping Routes

This is the kill route option, the one used for NetBSD is already uncommented:

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

It should be noted that some can actually modify firewall tables, for example, the FreeBSD packetfilter option:

# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"

If another type of firewall is being used on your system, it may be possible to add in something like this to your portsentry configuration.

6.2.2.6. TCP Wrappers

This section is the text that gets put into /etc/hosts.deny.

#
KILL_HOSTS_DENY="ALL: $TARGET$"

6.2.2.7. External Commands

Here, any external command (or script etc.) may be called.

#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"

As an example, altering the firewall could be here as well.

6.2.2.8. Scan Trigger Value

This is the number of port connects that portsentry allows before an alarm goes up, the default is 0, 1 is usually pretty safe as well (to keep down the false alarms).

6.2.2.9. Port Banner

This is a message that can be sent back to the person who tripped portsentry, unless they are using a very verbose tool it usually ends up in a logfile on their system (on NetBSD it ends up in /var/log/messages.

#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS
BEEN LOGGED. GO AWAY."

6.3. NMAP

The nmap utility is a portscanner. It can scan one host, a network or combinations therein. It is currently in the pkgsrc tree.

6.3.1. Getting and Installing NMAP

Use pkgsrc:

# cd /usr/pkgsrc/net/nmap
# make && make install

6.3.2. Using nmap

The nmap utility has a lot of options, we will look at three examples:

  1. scanning one host

  2. scanning several hosts

  3. scanning a NetBSD firewall

6.3.2.1. Scanning One Host

For this example we will use a pretty insecure system on an internal network:

% nmap -P0 172.16.14.12

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on marie.ipsosasi.net (172.16.14.12):
(The 1504 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo                    
9/tcp      open        discard                 
13/tcp     open        daytime                 
19/tcp     open        chargen                 
21/tcp     open        ftp                     
23/tcp     open        telnet                  
37/tcp     open        time                    
111/tcp    open        sunrpc                  
. . .

6.3.2.2. Scanning A Network

Now lets look at a whole bunch of machines!

% nmap -P0 172.16.14.0/24 >nmap.out

Whenever it is either done (which could be awhile) or interrupted/stopped take a peek at the file where all of the information was dumped, following is a sample from the network I scanned:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
All 1523 scanned ports on  (172.16.14.0) are: closed
Interesting ports on somename.blah.net (172.16.14.1):
(The 1521 ports scanned but not shown below are in state: filtered)
Port       State       Service
23/tcp     open        telnet                  
68/tcp     closed      bootpc                  

All 1523 scanned ports on somename.blah.net (172.16.14.2) are: closed
Interesting ports on somename.blah.net (172.16.14.3):
(The 1520 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet                  
79/tcp     open        finger                  
80/tcp     open        http                    

Interesting ports on somename.blah.net (172.16.14.4):
(The 1513 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo                    
9/tcp      open        discard                 
19/tcp     open        chargen                 
...

6.3.2.3. Scanning a NetBSD Firewall

Last but definitely not least, lets nail a firewall:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

Interesting ports on  (216.68.250.60):
(The 1522 ports scanned but not shown below are in state: filtered)
Port       State       Service
22/tcp     open        ssh                     

Nmap run completed -- 1 IP address (1 host up) scanned in 772 seconds

Now that is more like it.