Portsentry lives in /etc/portsentry. If we use netstat to look at the open ports, we see only two (before starting portsentry).
┌──(user㉿kali)-[~/Desktop]
└─$ netstat -nlpt
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
When we start the service, we can see that it opens the decoy ports.
┌──(user㉿kali)-[~/Desktop]
└─$ netstat -nlpt
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:12346 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:635 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:49724 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:540 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:20034 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:32771 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:32772 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:40421 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:32773 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:119 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
In portsentry.conf there is a section where you can enable blocking of TCP and UDP ports; just set the value to "1".
BLOCK_UDP="0"
BLOCK_TCP="0"
For now, let's leave them at 0 so we can look at some details.
┌──(user㉿kali)-[/etc/portsentry]
└─$ sudo nmap -sV -Pn 192.168.2.134
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-07 17:15 EDT
Nmap scan report for 192.168.2.134
Host is up (0.0000030s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
1/tcp open tcpwrapped
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
79/tcp open tcpwrapped
80/tcp open http Apache httpd 2.4.46 ((Debian))
111/tcp open tcpwrapped
119/tcp open tcpwrapped
143/tcp open tcpwrapped
1080/tcp open tcpwrapped
1524/tcp open tcpwrapped
2000/tcp open tcpwrapped
6667/tcp open tcpwrapped
12345/tcp open tcpwrapped
31337/tcp open tcpwrapped
32771/tcp open tcpwrapped
32772/tcp open tcpwrapped
32773/tcp open tcpwrapped
32774/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Now let's set the configuration to block.
BLOCK_UDP="1"
BLOCK_TCP="1"
We need to restart portsentry after this.
When we scan again, we notice there is no response at all, and our IP has been placed on a block list.
┌──(user㉿kali)-[/etc/portsentry]
└─$ cat /etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL: 192.168.2.107 : DENY
┌──(user㉿kali)-[/etc/portsentry]
└─$ sudo iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 192.168.2.107 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
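To verify that both blocking layers shown above (the TCP wrappers entry in /etc/hosts.deny and the iptables DROP rule) really took effect for a given source address, here is an added example that is not part of the original tutorial nor of portsentry itself; it parses a portsentry.conf fragment, a hosts.deny file and captured `iptables -nL` output, all embedded as constructed copies of the sessions above, and the function names are my own.

```python
import re

# Constructed sample inputs, copied from the captured sessions (no live system access).
PORTSENTRY_CONF = 'BLOCK_UDP="1"\nBLOCK_TCP="1"\n'
HOSTS_DENY = """\
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# ALL: PARANOID
ALL: 192.168.2.107 : DENY
"""
IPTABLES_NL = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.2.107        0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

def blocking_enabled(conf: str) -> dict:
    """Read BLOCK_TCP / BLOCK_UDP from portsentry.conf text; "1" means enabled."""
    flags = {"tcp": False, "udp": False}
    for m in re.finditer(r'^\s*BLOCK_(TCP|UDP)\s*=\s*"?([01])"?', conf, re.M):
        flags[m.group(1).lower()] = m.group(2) == "1"
    return flags

def denied_by_tcpwrappers(hosts_deny: str, ip: str) -> bool:
    """True if an active (non-comment) hosts.deny rule names ip in its client list."""
    for line in hosts_deny.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        fields = [f.strip() for f in line.split(":")]  # daemon_list : client_list [: option]
        if len(fields) >= 2 and ip in fields[1].replace(",", " ").split():
            return True
    return False

def dropped_in_input_chain(iptables_out: str, ip: str) -> bool:
    """True if the INPUT chain in `iptables -nL` output has a DROP rule whose source is ip."""
    chain = None
    for line in iptables_out.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]                    # track which chain we are in
            continue
        cols = line.split()                            # target prot opt source destination
        if chain == "INPUT" and len(cols) >= 5 and cols[0] == "DROP" and cols[3] == ip:
            return True
    return False

def audit(ip: str, conf=PORTSENTRY_CONF, hosts_deny=HOSTS_DENY, ipt=IPTABLES_NL) -> dict:
    """Combine the checks: is blocking configured, and did both layers fire for ip?"""
    flags = blocking_enabled(conf)
    return {"block_tcp": flags["tcp"], "block_udp": flags["udp"],
            "hosts_deny": denied_by_tcpwrappers(hosts_deny, ip),
            "iptables_drop": dropped_in_input_chain(ipt, ip)}
```

On a live host, replace the constants with the contents of /etc/portsentry/portsentry.conf and /etc/hosts.deny and the output of `sudo iptables -nL`; note that the hosts.deny entry only protects services that consult TCP wrappers, which is why the iptables rule matters for everything else.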
First we need to stop the portsentry service with service portsentry stop. Let's locate the portsentry binary with whereis portsentry. We'll go straight to where its binary is to apply a different configuration.