Table of Contents
The NetBSD release comes ready to roll with a host of advanced networking capabilities. However, an administrator may wish to use additional or alternative software. This section looks at other software that can run on NetBSD the administrator may find of interest.
The portsentry utility is a great tool. In a nutshell, portsentry watches your system for scans and connection attempts and then will take action to block a possible attacker. The main weakness portsentry has is that it takes one connection attempt for portsentry to determine that the host attempting to connect is hostile, so, if the first attempt is successful, you are still out of luck.
Portsentry can be retrieved and installed using the pkgsrc system:
cd /usr/pkgsrc/security/portsentry make && make install
On NetBSD, portsentry is configured in
In the configuration file there are three sets of ports shown, of these, one for tcp and one for udp must be selected by uncommenting the line, the default is to use the “middle” sets, they should look something like this:
# Un-comment these if you are really anal: TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540, 635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32 771,32772,32773,32774,31337,40421,40425,49724,54320" #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,66 6,700,2049,32770,32771,32772,32773,32774,31337,54321" # # Use these if you just want to be aware: #TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346, 20034,31337,32771,32772,32773,32774,40421,49724,54320" UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31 337,54321" # # Use these for just bare-bones #TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32 772,32773,32774,49724,54320" #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,543 21"
The number of ports portsentry should monitor in advanced mode, all of the ports below the listed number(s) are monitored this way:
Additionally in this section portsentry can be told certain items to exclude (such as loud NetBIOS services):
# Default TCP ident and NetBIOS service ADVANCED_EXCLUDE_TCP="113,139" # Default UDP route (RIP), NetBIOS, bootp broadcasts. ADVANCED_EXCLUDE_UDP="520,138,137,67"
Where files live, on NetBSD this is under
# Hosts to ignore IGNORE_FILE="/usr/pkg/etc/portsentry.ignore" # Hosts that have been denied (running history) HISTORY_FILE="/usr/pkg/etc/portsentry.history" # Hosts that have been denied this session only (temporary until next restart) BLOCKED_FILE="/usr/pkg/etc/portsentry.blocked"
This section is pretty straightforward just as it says in the file:
# 0 = Do not block UDP/TCP scans. # 1 = Block UDP/TCP scans. # 2 = Run external command only (KILL_RUN_CMD) BLOCK_UDP="1" BLOCK_TCP="1"
This is the kill route option, the one used for NetBSD is already uncommented:
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD) KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
It should be noted that some can actually modify firewall tables, for example, the FreeBSD packetfilter option:
# For those of you running FreeBSD (and compatible) you can # use their built in firewalling as well. # #KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
If another type of firewall is being used on your system, it may be possible to add in something like this to your portsentry configuration.
This section is the text that gets put into
# KILL_HOSTS_DENY="ALL: $TARGET$"
Here, any external command (or script etc.) may be called.
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
As an example, altering the firewall could be here as well.
This is the number of port connects that portsentry allows before an alarm goes up, the default is 0, 1 is usually pretty safe as well (to keep down the false alarms).
This is a message that can be sent back to the person who
tripped portsentry, unless they are using a very verbose tool it
usually ends up in a logfile on their system (on NetBSD it ends up in
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
The nmap utility is a portscanner. It can scan one host, a network or combinations therein. It is currently in the pkgsrc tree.
# cd /usr/pkgsrc/net/nmap # make && make install
The nmap utility has a lot of options, we will look at three examples:
scanning one host
scanning several hosts
scanning a NetBSD firewall
For this example we will use a pretty insecure system on an internal network:
%nmap -P0 172.16.14.12 Starting nmap V. 2.53 by firstname.lastname@example.org ( www.insecure.org/nmap/ ) Interesting ports on marie.ipsosasi.net (172.16.14.12): (The 1504 ports scanned but not shown below are in state: closed) Port State Service 7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 21/tcp open ftp 23/tcp open telnet 37/tcp open time 111/tcp open sunrpc . . .
Now lets look at a whole bunch of machines!
%nmap -P0 172.16.14.0/24 >nmap.out
Whenever it is either done (which could be awhile) or interrupted/stopped take a peek at the file where all of the information was dumped, following is a sample from the network I scanned:
Starting nmap V. 2.53 by email@example.com ( www.insecure.org/nmap/ ) All 1523 scanned ports on (172.16.14.0) are: closed Interesting ports on somename.blah.net (172.16.14.1): (The 1521 ports scanned but not shown below are in state: filtered) Port State Service 23/tcp open telnet 68/tcp closed bootpc All 1523 scanned ports on somename.blah.net (172.16.14.2) are: closed Interesting ports on somename.blah.net (172.16.14.3): (The 1520 ports scanned but not shown below are in state: closed) Port State Service 23/tcp open telnet 79/tcp open finger 80/tcp open http Interesting ports on somename.blah.net (172.16.14.4): (The 1513 ports scanned but not shown below are in state: closed) Port State Service 7/tcp open echo 9/tcp open discard 19/tcp open chargen ...
Last but definitely not least, lets nail a firewall:
Starting nmap V. 2.53 by firstname.lastname@example.org ( www.insecure.org/nmap/ ) Interesting ports on (18.104.22.168): (The 1522 ports scanned but not shown below are in state: filtered) Port State Service 22/tcp open ssh Nmap run completed -- 1 IP address (1 host up) scanned in 772 seconds
Now that is more like it.