Guard Open Port with Portsentry on OpenWrt


Portsentry is a tool that detects a variety of port scanning activities (especially stealth scanning) performed by hackers and makes your router disappear from the hacker's view after the scanning activity.

With Portsentry on OpenWrt you can detect and protect your router from hacker attacks, including port scanning, discovery and mapping attacks, and temporarily block the offending hosts with iptables.

It is recommended that you install portsentry only on a public Wi-Fi or public server, not on a personal or office network, to avoid service lockout problems.

Requirements

Minimum free space requirement: 125.00 KB

Installation

Step 1. Connect to your router via the web interface
  1. Select the System - Software tab.
  2. Select Update lists.
  3. Go to Download and install package.
  4. Fill the search bar with "portsentry".
  5. Select OK.
Step 2 : Configure portsentry to block port scanning activity
- Run the following commands over OpenWrt SSH:
  1. cd /etc
  2. mkdir portsentry
  3. cd portsentry
  4. touch portsentry.ignore
  5. touch portsentry.history
  6. touch portsentry.blocked
  7. vi /etc/portsentry.conf
  8. Edit the file
Find the lines that set IGNORE_FILE, HISTORY_FILE and BLOCKED_FILE (in the stock file they point into var/run/portsentry/) and the commented-out KILL_ROUTE line, and change them to the following, so that the state files live in the directory created above and the route-based block is active:
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/etc/portsentry/portsentry.history"
BLOCKED_FILE="/etc/portsentry/portsentry.blocked"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

Step 3 : Exclude IP addresses or ports (recommended)
You may want to exclude some IP addresses or ports from portsentry blocking to avoid false positives. To exclude an IP address from portsentry blocking, edit the portsentry.ignore file:
vi /etc/portsentry/portsentry.ignore
Then add the IP addresses you want to exclude, e.g.:
  • 127.0.0.1
  • 192.168.1.1
  • 192.168.1.0/24
To exclude ports from portsentry blocking, edit the portsentry.conf file:
vi /etc/portsentry.conf
Then add the ports you want to exclude, e.g.:
  • ADVANCED_EXCLUDE_TCP="22,80"
  • ADVANCED_EXCLUDE_UDP="53"
Step 4 : Start portsentry from the router web interface
  1. Select the System - Startup tab.
  2. Find portsentry in the initscript list.
  3. Click Enabled and Start.
To avoid a lockout, select Start first to test the configuration.
You've finished the steps!
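As an added pre-flight check (example code written for this page, not part of the portsentry package or of OpenWrt), the POSIX sh script below inspects the configuration from Steps 2 and 3 before you enable the service. It assumes the file locations used above and takes the address you administer from as an argument; the sample files it checks are constructed inline.

```shell
#!/bin/sh
# Pre-flight check for the portsentry setup above. It verifies that the
# three state-file keys point into /etc/portsentry/, that KILL_ROUTE is
# uncommented (otherwise scans are logged but never blocked), and that the
# address you administer from is in portsentry.ignore, so the nmap test in
# the Testing section cannot lock you out of the router.

check_portsentry() {
    conf=$1 ignore=$2 admin_ip=$3 rc=0
    for key in IGNORE_FILE HISTORY_FILE BLOCKED_FILE; do
        # Expect an absolute path, e.g. IGNORE_FILE="/etc/portsentry/portsentry.ignore"
        grep -q "^${key}=\"/etc/portsentry/portsentry\." "$conf" \
            || { echo "WARN: $key does not point into /etc/portsentry/"; rc=1; }
    done
    grep -q '^KILL_ROUTE=' "$conf" \
        || { echo "WARN: KILL_ROUTE is commented out; scanners are logged, not blocked"; rc=1; }
    # Accept an exact host entry or the /24 network form shown in Step 3
    prefix=${admin_ip%.*}
    grep -qxF "$admin_ip" "$ignore" || grep -qxF "$prefix.0/24" "$ignore" \
        || { echo "WARN: $admin_ip is not in $ignore; your own test scan will lock you out"; rc=1; }
    return $rc
}

# Writes a constructed sample config pair into directory $1; $2 is "good" or "bad".
write_demo_files() {
    if [ "$2" = good ]; then
        printf '%s\n' 'IGNORE_FILE="/etc/portsentry/portsentry.ignore"' \
            'HISTORY_FILE="/etc/portsentry/portsentry.history"' \
            'BLOCKED_FILE="/etc/portsentry/portsentry.blocked"' \
            'KILL_ROUTE="/sbin/route add -host $TARGET$ reject"' > "$1/portsentry.conf"
        printf '%s\n' 127.0.0.1 192.168.1.0/24 > "$1/portsentry.ignore"
    else  # typical first attempt: relative paths, KILL_ROUTE still commented out
        printf '%s\n' 'IGNORE_FILE="etc/portsentry/portsentry.ignore"' \
            'HISTORY_FILE="etc/portsentry/portsentry.history"' \
            'BLOCKED_FILE="etc/portsentry/portsentry.blocked"' \
            '#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"' > "$1/portsentry.conf"
        printf '%s\n' 127.0.0.1 > "$1/portsentry.ignore"
    fi
}

# Demo on the constructed files. On the router, run instead:
#   check_portsentry /etc/portsentry.conf /etc/portsentry/portsentry.ignore <your admin IP>
tmp=$(mktemp -d)
write_demo_files "$tmp" good
check_portsentry "$tmp/portsentry.conf" "$tmp/portsentry.ignore" 192.168.1.20 && echo "good config: OK"
write_demo_files "$tmp" bad
check_portsentry "$tmp/portsentry.conf" "$tmp/portsentry.ignore" 192.168.1.20 || echo "bad config: fix before enabling"
rm -rf "$tmp"
```

A non-zero exit means at least one warning was printed; fix the listed item before clicking Enabled in Step 4.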

Testing

To test whether portsentry works properly:

- On Linux
  1. Install Nmap first.
  2. nmap -T4 -F 192.168.x.xxx (your router or server IP address)
  3. After the scan completes, try accessing your router web page or SSH.
  4. It will be blocked.
- On Windows
  1. Install a port scanner, e.g. Angry IP Scanner, Advanced IP Scanner or Nmap.
  2. Point it at the router/server IP address.
  3. After the scan completes, try to access the router web page or SSH.
  4. It will be blocked.
Reboot to unblock.

Troubleshooting

If a port or service can't be used or doesn't work after the installation of portsentry, it is most likely that the port is blocked by portsentry. Read the system log to troubleshoot portsentry, then exclude the IP address or port number.
- On SSH
  • "logread"
- On the Web interface
  • Select the Status - System Log tab
