Hello,
I would normally not write to this list to announce an update to a software
package; however, there have been a number of very significant changes to
this program that existing users may want to upgrade for and new users may
want to check out.
What it is
=-=-=-=-=-
Sentry is a port scan detector for Linux, *BSD, and most UNIX variants.
What it does
=-=-=-=-=-=-
Sentry monitors your systems for port probing activity and will then take
any of the following actions:
1) Log the attacker hostname/IP and ports probed.
2) Run external program.
3) Configure routing table to drop route of attacking host.
4) Configure local packet filter (ipfwadm/ipfw) to drop all packets from
attacking host.
New Features in version 0.60
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Full stealth scan detection and response
----------------------------------------
Sentry will now detect and respond to stealth scans against your host from
advanced scanners such as nmap:
http://www.dhp.com/~fyodor/nmap/index.html
Scan types detected include:
- Full connect() scans.
- SYN/Half-open scans.
- FIN scans.
- Any oddball packet with other TCP flags set.
- UDP scans
Scan detection modes
--------------------
Sentry now has several modes of operation for UDP and TCP. The two basic
types are a standard stealth port scan detection and "Advanced" stealth
scan detection.
Standard stealth scan detection works by using a raw socket to monitor a
list of ports supplied in the config; if a host hits any of those ports with
any type of packet, it will alarm.
Advanced stealth scan detection uses an *experimental* technique I call
"Inverse Binding." It essentially takes a block of ports (1-?????) and
finds all bound daemons. It then creates an exclude list (as well as
excluding ports you tell it to in the config), and will monitor every
other port in this range for connections inbound. Because of the obvious
problems some protocols will face with this (i.e. FTP) Sentry has a
feature where it will temporarily suspend protection on a port if it sees
a listening socket has appeared there. Protection resumes once the
connection has been torn down. This is a rudimentary "stateful" inspection
mechanism.
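The Inverse Binding and Smart Verify logic described above, modelled in Python as an added example (this is not Sentry's own code; the class, method names and the probe counting against SCAN_TRIGGER are my assumptions about the behaviour the text describes):

```python
# Added illustration of Sentry's "Inverse Binding" and "Smart Verify" ideas
# (not Sentry's own code): watch every port below a ceiling that is neither
# bound by a daemon nor excluded, suspend a port while a transient listener is
# present, and count probes per host against SCAN_TRIGGER before reacting.

def inverse_bind_set(ceiling, bound_ports, exclude_ports):
    """Ports to watch: 1..ceiling-1 minus bound daemons and configured excludes."""
    return {p for p in range(1, ceiling)
            if p not in bound_ports and p not in exclude_ports}


class AdvancedMonitor:
    def __init__(self, ceiling, bound_ports, exclude_ports, scan_trigger=0):
        self.watched = inverse_bind_set(ceiling, bound_ports, exclude_ports)
        self.suspended = set()      # ports with a transient listener
        self.scan_trigger = scan_trigger
        self.hits = {}              # source host -> probes on watched ports

    def listener_appeared(self, port):
        # A socket started listening after startup (e.g. an FTP data port):
        # stop reacting on it so legitimate inbound connections are not blocked.
        if port in self.watched:
            self.suspended.add(port)

    def listener_gone(self, port):
        # Connection torn down: protection on the port resumes.
        self.suspended.discard(port)

    def inbound(self, port, src):
        """Record an inbound packet; return True once `src` should be blocked."""
        if port not in self.watched or port in self.suspended:
            return False
        self.hits[src] = self.hits.get(src, 0) + 1
        # SCAN_TRIGGER="0" reacts on the first probe; N tolerates N probes first.
        return self.hits[src] > self.scan_trigger
```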
Last Words
=-=-=-=-=-
I would very much like people to download and test this program!! There
have been a number of new changes and new code added and I would like to
make sure it has as few problems as possible. I would also like to have
people do code audits of the program and let me know of any problems
found.
Also *please* read the docs. Stealth scan detection can lead to a variety
of potential denial of service problems that you should be aware of!
Supported systems
=-=-=-=-=-=-=-=-
The "Classic" mode has been tested on Linux, *BSD, NEXTSTEP, and HPUX.
The stealth modes have only been tested on RedHat Linux. I would love to
have tests done under the BSD variants.
Downloading
=-=-=-=-=-
Sentry can be downloaded for free from:
http://www.psionic.com/abacus/abacus_sentry.html
Thanks,
-- Craig
http://www.psionic.com
Here is the config file to give you an idea of the features:
# Sentry Configuration
#
# $Id: sentry.conf,v 1.12 1998/05/27 04:26:41 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.
#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding Sentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,2000,2001,4000,4001,6000,6001,6667,32771,32772,32773,32774,31337,49724"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,119,143,540,2000,6667,31337,32771,32772,32773,32774,49724"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,143,540,2000,32771,32772,32773,32774,49724"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774"
###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want Sentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1024. If you feel adventurous, you can bump this number
# up to the maximum (65535) and monitor every port on your host.
# I have run into a problem on RedHat 5.0 where you cannot bind to ports
# above 61000. Until I find a resolution to this, I do not recommend you
# bind over this number of ports.
#
# Because of the "Smart Verify" feature of Sentry, this will work even
# with protocols such as FTP that may have incoming connections to the
# protected host.
#
# THIS IS AN EXPERIMENTAL FUNCTION. USE DISCRETION.
#
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
#
# This field tells Sentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here Sentry will simply not respond to
# incoming requests, in effect Sentry treats them as if they are
# actual bound daemons.
#
# Default TCP ident service
ADVANCED_EXCLUDE_TCP="113"
# Default UDP route (RIP) broadcasts and NetBIOS
ADVANCED_EXCLUDE_UDP="520,137"
######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/local/abacus/sentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/local/abacus/sentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/local/abacus/sentry.blocked"
###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing so though, as most attackers really aren't that savvy.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Do block UDP/TCP scans.
BLOCK_UDP="1"
BLOCK_TCP="1"
###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect.
#
# Generic
KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Generic BSD (BSDI)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#/usr/etc/route add $TARGET$ 127.0.0.1 1
# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# New ipchain support for Linux kernel version 2.102+ (not well tested)
#KILL_ROUTE="/sbin/ipchains -A input -s $TARGET$ -j DENY -l"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
#
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped. Try not to be too nasty OK?
#
#KILL_RUN_CMD="/some/path/here/pagerscript $TARGET$"
#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used port
# below your specified range, you have the opportunity to really
# break things. (i.e. someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#
SCAN_TRIGGER="0"
######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the Sentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** Administrators alerted to your connection. Go Away."
# EOF
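To show how the config format above fits together, here is an added example (not Sentry's own code) that reads the `KEY="value"` lines, enforces the no-spaces rule for port lists, honours `BLOCK_TCP`/`BLOCK_UDP`, and renders the `$TARGET$` substitution for the response options; the function names and the sample config fragment are constructed for the example, and the order in which the responses are listed is an assumption except that `KILL_RUN_CMD` runs before the route drop, as the config comments state:

```python
# Added example (not Sentry's own code): a minimal reader for the sentry.conf
# format shown above and the responses it would render for an offending host.
import re

CONF_LINE = re.compile(r'^([A-Z_]+)="([^"]*)"$')


def parse_sentry_conf(text):
    """Parse KEY="value" lines; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONF_LINE.match(line)
        if m is None:
            raise ValueError(f"bad config line: {raw!r}")
        conf[m.group(1)] = m.group(2)
    return conf


def port_list(conf, key):
    """Comma-separated ports; the file allows no spaces between them."""
    value = conf.get(key, "")
    if " " in value:
        raise ValueError(f"{key}: no spaces allowed between port arguments")
    return [int(p) for p in value.split(",") if p]


def responses_for(conf, proto, target):
    """Rendered responses for `target` probing `proto` ('tcp'/'udp'), in order."""
    if conf.get(f"BLOCK_{proto.upper()}", "0") != "1":
        return []  # BLOCK_xxx="0": log/warn only for this protocol
    rendered = []
    # KILL_RUN_CMD runs before the route drop (per the config comments);
    # listing hosts.deny text after the route is an assumption of this example.
    for key in ("KILL_RUN_CMD", "KILL_ROUTE", "KILL_HOSTS_DENY"):
        if key in conf:
            rendered.append((key, conf[key].replace("$TARGET$", target)))
    return rendered


# Constructed config fragment in the sentry.conf format (not a real file).
SAMPLE_CONF = """
# comment line
TCP_PORTS="1,11,15,79,119,143,540,2000,6667,31337"
UDP_PORTS="1,7,9,69,161,162"
BLOCK_UDP="0"
BLOCK_TCP="1"
KILL_ROUTE="/sbin/ipchains -A input -s $TARGET$ -j DENY -l"
KILL_HOSTS_DENY="ALL: $TARGET$"
SCAN_TRIGGER="0"
"""
```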