  1. #1
    Member bmcpanel's Avatar
    Join Date
    Jun 2002
    Posts
    546

    Portsentry -- Cpanel -- Security Problem

    If you have had a recent install of Cpanel, you should check your portsentry.conf file. The default install on my last two servers has portsentry only monitoring 2 ports for port scans!!! I suggest that you edit the file and I suggest using the setting that says "If you are really anal...."

    We use Burstnet for our installs. I do not think this is a Burstnet specific problem. I think it is CPanel specific, or maybe Portsentry specific.

    /etc/portsentry/portsentry.conf

    Before I edited the above file, Portsentry only had 3 scans listed in /var/portsentry/portsentry.history. 2 hours after I edited the portsentry.conf file, it had picked up 15 scans -- in just 2 hours.

    I have reported this to Dark Orb.

  2. #2
    Member bmcpanel's Avatar
    Join Date
    Jun 2002
    Posts
    546

    Default ports protected by Portsentry in my last two Cpanel installs are....
    TCP_PORTS="1,111"
    UDP_PORTS=""

    Not very effective.

    I use these instead.... which include common RootKit ports such as ......

    port 5002 by default in Rootkit IV for Linux
    port 31337, "eleet" in cracker jargon
    port 1008 (used by Lion Worm root kit)
    port 47017 (Used by t0rn root kit)

    # Un-comment these if you are really anal:
    TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1008,1080,1524,2000,2001,4000,4001,5002,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,45576,47017,49724,54320,60008"
    UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,5002,32770,32771,32772,32773,32774,31337,45576,47017,54321,60008"
    #
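
One way to run the check described in the two posts above, as an added example that is not part of the original thread or of PortSentry itself: it reports how many ports the uncommented TCP_PORTS and UDP_PORTS lines actually cover. The function names, the minimum of 10 ports and the choice to treat more than one active line as an error are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit which ports a portsentry.conf actually monitors.

# Values of every uncommented KEY="..." line in FILE, one per line.
active_values() {  # usage: active_values KEY FILE
    sed -n "s/^[[:space:]]*$1=\"\([^\"]*\)\".*/\1/p" "$2"
}

# Number of non-empty comma-separated entries in a value ("" gives 0).
count_ports() {  # usage: count_ports "1,111"
    printf '%s\n' "$1" | awk -F, '{ n = 0; for (i = 1; i <= NF; i++) if ($i != "") n++; print n }'
}

# Status 0 = ok, 1 = fewer than MIN ports, 2 = not exactly one active line.
audit_key() {  # usage: audit_key KEY FILE MIN
    n_lines=$(active_values "$1" "$2" | wc -l | tr -d ' ')
    if [ "$n_lines" -ne 1 ]; then
        echo "$1: $n_lines active definitions, expected exactly 1"
        return 2
    fi
    n_ports=$(count_ports "$(active_values "$1" "$2")")
    if [ "$n_ports" -lt "$3" ]; then
        echo "$1: only $n_ports port(s) monitored (minimum $3)"
        return 1
    fi
    echo "$1: $n_ports ports monitored"
}

# Constructed sample mirroring the stock settings quoted in this thread.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
TCP_PORTS="1,111"
UDP_PORTS=""
EOF
    echo "$f"
}

# Demo on the sample; on a server, pass /etc/portsentry/portsentry.conf instead.
sample=$(make_sample)
audit_key TCP_PORTS "$sample" 10 || true
audit_key UDP_PORTS "$sample" 10 || true
rm -f "$sample"
```
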

  3. #3
    Member
    Join Date
    Oct 2001
    Posts
    90

    Thanks for the advice, I have now uncommented the following on all our servers:

    # Use these for just bare-bones
    TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
    UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

    Do I need to restart portsentry for those to take effect?
    Urban Weigl
    http://hostit365.com/

  4. #4
    Member
    Join Date
    Aug 2001
    Posts
    110

    Quote: "Do I need to restart portsentry for those to take effect?"

    Yes, you need to restart Portsentry so it will open these ports for monitoring.

  5. #5
    Member B12Org's Avatar
    Join Date
    Jul 2003
    Location
    Seattle Washington
    Posts
    694

    How do you do that short of rebooting?

  6. #6
    Member rs-freddo's Avatar
    Join Date
    May 2003
    Location
    Australia
    Posts
    836
    cPanel/Enkompass Access Level

    Root Administrator

    I have read that using Portsentry is not a good idea. PortSentry opens ports for monitoring. Personally I prefer to leave the ports closed. Who cares if the ports are scanned while closed? This was the opinion of the guy who wrote PSAD and it sounds pretty logical to me. He believed portsentry to be a security risk. I don't run portsentry at all.
    Michael

  7. #7
    Member B12Org's Avatar
    Join Date
    Jul 2003
    Location
    Seattle Washington
    Posts
    694

    Ok, well do you know the answer to my question or not?
