The Community Forums


Portsentry -- Cpanel -- Security Problem

Discussion in 'Security' started by bmcpanel, Aug 3, 2002.

  1. bmcpanel

    If you have had a recent install of Cpanel, you should check your portsentry.conf file. The default install on my last two servers has portsentry only monitoring 2 ports for port scans!!! I suggest that you edit the file and I suggest using the setting that says "If you are really anal...."

    We use Burstnet for our installs. I do not think this is a Burstnet specific problem. I think it is CPanel specific, or maybe Portsentry specific.

    /etc/portsentry/portsentry.conf

    Before I edited the above file, Portsentry only had 3 scans listed in /var/portsentry/portsentry.history. 2 hours after I edited the portsentry.conf file, it had picked up 15 scans -- in just 2 hours.

    I have reported this to Dark Orb
     
  2. bmcpanel

    Default ports protected by Portsentry in my last two Cpanel installs are....
    TCP_PORTS="1,111"
    UDP_PORTS=""

    Not very effective.

    I use these instead.... which include common RootKit ports such as ......

    port 5002 by default in Rootkit IV for Linux
    port 31337, "eleet" in cracker jargon
    port 1008 (used by Lion Worm root kit)
    port 47017 (Used by t0rn root kit)

    # Un-comment these if you are really anal:
    TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1008,1080,1524,2000,2001,4000,4001,5002,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,45576,47017,49724,54320,60008"
    UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,5002,32770,32771,32772,32773,32774,31337,45576,47017,54321,60008"
    #
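    As an added example (not posted by anyone in this thread), a POSIX shell audit that reads a portsentry.conf, reports the active TCP_PORTS/UDP_PORTS lists, and flags the two-port cPanel default described above. The rootkit port list is the one given in this thread; the sample conf files it writes are constructed for the demo, not real portsentry.conf contents.

```shell
#!/bin/sh
# Audit a portsentry.conf for the weak default described in the thread: report the
# active (uncommented) TCP_PORTS/UDP_PORTS lists and whether the rootkit ports are covered.

# Print the value of the LAST uncommented KEY="..." line in CONF (empty if none).
active_value() {  # usage: active_value CONF KEY
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Number of uncommented definitions of KEY in CONF; anything but 1 is ambiguous.
def_count() {     # usage: def_count CONF KEY
    grep -c "^[[:space:]]*$2=\"" "$1" || true
}

# Number of ports in a comma-separated list ("" -> 0).
port_count() {    # usage: port_count LIST
    [ -n "$1" ] || { echo 0; return; }
    printf '%s\n' "$1" | tr ',' '\n' | grep -c . || true
}

# Succeed if PORT appears in LIST.
has_port() {      # usage: has_port LIST PORT
    printf ',%s,' "$1" | grep -q ",$2,"
}

# Rootkit listener ports named in the thread (Rootkit IV, "eleet", Lion, t0rn).
ROOTKIT_TCP_PORTS="1008 5002 31337 47017"

# Print one line: WEAK / AMBIGUOUS / OK plus the reason.
audit() {         # usage: audit CONF
    if [ "$(def_count "$1" TCP_PORTS)" -ne 1 ] || [ "$(def_count "$1" UDP_PORTS)" -ne 1 ]; then
        echo "AMBIGUOUS: TCP_PORTS or UDP_PORTS uncommented more than once, or not at all"
        return
    fi
    tcp=$(active_value "$1" TCP_PORTS); udp=$(active_value "$1" UDP_PORTS); missing=""
    for p in $ROOTKIT_TCP_PORTS; do has_port "$tcp" "$p" || missing="$missing $p"; done
    if [ "$tcp" = "1,111" ] && [ -z "$udp" ]; then
        echo "WEAK: cPanel default in effect (TCP 1,111 only, no UDP); missing TCP$missing"
    elif [ -n "$missing" ]; then
        echo "OK: $(port_count "$tcp") TCP / $(port_count "$udp") UDP ports, but missing TCP$missing"
    else
        echo "OK: $(port_count "$tcp") TCP / $(port_count "$udp") UDP ports, rootkit ports covered"
    fi
}

# Constructed sample files (not real portsentry.conf contents): the thread's default, then a hardened one.
DEFAULT_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
printf '%s\n' '# TCP_PORTS="1,11,15,110,111"' 'TCP_PORTS="1,111"' 'UDP_PORTS=""' > "$DEFAULT_CONF"
printf '%s\n' 'TCP_PORTS="1,7,1008,5002,31337,47017,54320"' 'UDP_PORTS="1,7,9,69,31337"' > "$HARDENED_CONF"
audit "$DEFAULT_CONF"; audit "$HARDENED_CONF"
```

    Point `audit` at the real /etc/portsentry/portsentry.conf to check a server; a WEAK verdict means the default from the first post is still in effect.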
     
  3. avara

    Thanks for the advice, I have now uncommented the following on all our servers:

    # Use these for just bare-bones
    TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
    UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

    Do I need to restart portsentry for those to take effect?
     
  4. jumpdomain

    Quote (avara): "Do I need to restart portsentry for those to take effect?"

    Yes, you need to restart Portsentry so it will open these ports for monitoring.
     
  5. B12Org

    How do you do that short of rebooting?
     
  6. rs-freddo

    I have read that using Portsentry is not a good idea. PortSentry opens ports for monitoring. Personally I prefer to leave the ports closed. Who cares if the ports are scanned while closed? This was the opinion of the guy who wrote PSAD and it sounds pretty logical to me. He believed portsentry to be a security risk. I don't run portsentry at all.
     
  7. B12Org

    Ok, well do you know the answer to my question or not? :confused:
     