IPNetSentry


 

Configuring Net Sentry

IPNetSentry is configured by placing specific commands into a text file called "IPNetSentry Config", which resides within your System Preferences Folder.

This file should have already been placed in your Preferences folder when you installed IPNetSentry.

The factory configured Net Sentry settings will be all that are needed for most IPNetSentry users. You will only want to change these if you want to:

  • Change the Notification behavior of IPNetSentry (how it alerts you to a potential intrusion).
  • Change the default time a triggered filter remains in effect (how long the attacking IP Address will be banned).
  • Change the logging mode (whether detailed or only triggered attacks are logged).
  • Set up IPNetSentry triggers for different protocols and ports.
  • Add additional filters permitting exclusive Internet access to your machine from one or more remote machines on the Internet (thereby automatically banning all others from accessing your machine). Example: you only want to permit Timbuktu access to your personal machine at home from a specific machine (IP address) at work.

When you build an IPNetSentry Config file from this page, a new file will be generated and automatically downloaded to your machine. This file will replace your existing Net Sentry configuration file and restart Net Sentry.

Directions

(IMPORTANT: you should have JavaScript enabled in your browser to use this configuration page.)

Make desired selections from each of the sections listed below. When you are finished, click the "Build IPNetSentry Configuration" button. This will generate your Net Sentry Configuration file. Copy it, paste it into SimpleText, and save it in your Preferences Folder as "IPNetSentry Config".


Default Filter Time

Description: When IPNetSentry is triggered, it installs a filter which completely prohibits the remote machine from accessing your Macintosh. You can specify the time a filter should time out and automatically be removed from the IPNetSentry Aged Filters file. This will free up room in the Aged Filter table.

Factory Setting: 7200 seconds (2 hours).

Your Setting (seconds): or choose from this popup:


Notification Method

Description: When IPNetSentry is triggered, a filter is automatically installed which completely prohibits the remote machine from accessing your Macintosh. You have several ways to be notified of such action (if you wish to be notified at all).

Factory Setting: Alert notification box (an alert appears telling you the triggering IP address, the protocol, the port, and the service: HTTP, FTP, SMTP, etc.).

Note: Starting with IPNetSentry v1.0c3 you can use multiple notification methods.

Options:

  1. No Notification (a log of the trigger event is still recorded in the IPNetSentry.log file)
  2. Alert Notification Box (factory setting)
  3. Browser Notification. Your running web browser is automatically taken to a page on the Sustworks site which provides you with more detailed information about the domain of the triggering party. This information can be very useful if you wish to contact an administrator at the remote party's ISP (informing them of the unauthorized intrusion).
  4. Alert & OPTIONAL Browser Notification. An alert appears telling you the triggering IP address, the protocol, the port, and the service (HTTP, FTP, SMTP, etc.). If you want more information about this trigger, hold down the Shift key on your keyboard and click the OK button in the notification alert box. This action will take your browser to a page on our site which will give you more information about this trigger. If you do not hold down the Shift key while dismissing the alert, nothing more will happen.
  5. AppleScript Notification. You can direct IPNetSentry to launch an AppleScript when a trigger is hit. You MUST compile the AppleScript as a Run Only Application and place this compiled script in your System Preferences folder. You must also provide the name of this AppleScript in the edit box below. You should take a look at our example AppleScripts to see how the AppleScript can extract trigger information from IPNetSentry.
  6. Syslog Notification. A log message of the intrusion attempt is sent to a designated Syslog server via UDP port 514. You must supply either a Syslog server IP address or domain name.


Notification(s) Selected:

No Notification

(no notification will overwrite any additional notifications selected)

Alert Notification

Browser Notification

Alert & OPTIONAL Browser Notification

AppleScript Notification

AppleScript Name:
(only required if AppleScript notification is selected)

Syslog Notification

SysLog Server IP Address or Domain Name:

(only required if Syslog notification is selected)


Logging Mode

Description: A log file of every trigger event is kept in the file "IPNetSentry.log" which resides in your Preferences Folder. Standard Trigger Logging only logs trigger events. Detailed logging records several internal events which occur when IPNetSentry starts up and runs (such as showing when triggers are set and reset, etc.). Detailed logging with reset causes the log to start fresh each time IPNetSentry is restarted.

Factory Setting: Detailed Logging

Options:

  1. Standard Trigger Logging
  2. Detailed Logging
  3. Detailed Logging w/reset - resets the log each time IPNetSentry is restarted

Your Setting:


IPNetSentry Triggers

Description: Net Sentry works by setting triggers (or trip wires) for unsuspecting intruders. When an intruder attempts to make a connection to or sends a packet to one of these triggers, a filter is immediately invoked which completely prohibits the intruder from any access to your Macintosh.

You can specify any set of triggers (protocols and ports) you want (up to 64 individual triggers). Good triggers include services which intruders typically scan to see if they are operating; for example: an SMTP (email) server (TCP Protocol - Port 25), an FTP server (TCP Protocol - Port 21), an SNMP server (remote network management, TCP Protocol - Port 161), a Telnet server (TCP Protocol - Port 23) or a DNS server (UDP Protocol - Port 53).

Factory Settings:

  1. SMTP (TCP - 25)
  2. SNMP (TCP - 161)
  3. Telnet (TCP - 23)
  4. DNS (UDP - 53)
  5. FINGER (TCP - 79)
  6. POP3 (TCP - 110)
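
The trigger and Default Filter Time behavior described above, modeled as an added example (this is not IPNetSentry's code or its configuration syntax). The class and function names, the sample traffic, and the choice not to extend a ban when a banned host sends more packets are assumptions of the model.

```python
import ipaddress

# Factory trigger list from this page: (protocol, port) -> service name.
FACTORY_TRIGGERS = {
    ("tcp", 25): "SMTP", ("tcp", 161): "SNMP", ("tcp", 23): "Telnet",
    ("udp", 53): "DNS", ("tcp", 79): "FINGER", ("tcp", 110): "POP3",
}
MAX_TRIGGERS = 64            # limit stated on this page
DEFAULT_FILTER_TIME = 7200   # factory setting, in seconds

# Constructed sample traffic: (time in seconds, source, protocol, port).
SAMPLE = [
    (0,    "203.0.113.9",  "tcp", 80),  # web request; port 80 is not a trigger
    (5,    "203.0.113.9",  "tcp", 23),  # probes Telnet and hits the trip wire
    (6,    "203.0.113.9",  "tcp", 80),  # same host is now refused on every port
    (10,   "198.51.100.4", "tcp", 80),  # unrelated host is unaffected
    (7206, "203.0.113.9",  "tcp", 80),  # the filter has aged out after 7200 s
]

class TripwireModel:
    """Toy model (hypothetical) of trigger -> timed block filter."""
    def __init__(self, triggers=FACTORY_TRIGGERS, filter_time=DEFAULT_FILTER_TIME):
        if len(triggers) > MAX_TRIGGERS:
            raise ValueError("at most 64 triggers may be configured")
        self.triggers = dict(triggers)
        self.filter_time = filter_time
        self.aged = {}   # banned source IP -> expiry time (aged filter table)
        self.log = []    # one entry per trigger event

    def handle(self, now, src, proto, port):
        """Return 'drop', 'trigger' or 'pass' for one inbound packet."""
        src = ipaddress.ip_address(src)
        # Timed-out filters are removed, which frees room in the table.
        self.aged = {ip: exp for ip, exp in self.aged.items() if exp > now}
        if src in self.aged:
            return "drop"            # banned host: all access is refused
        service = self.triggers.get((proto.lower(), port))
        if service is None:
            return "pass"            # not a trip wire
        self.aged[src] = now + self.filter_time
        self.log.append((now, str(src), proto.lower(), port, service))
        return "trigger"

def replay(packets, **kw):
    """Run packets through a fresh model; return (decisions, model)."""
    model = TripwireModel(**kw)
    return [model.handle(*p) for p in packets], model
```

Replaying SAMPLE with a longer filter_time shows the trade-off the setting controls: the ban outlives the last packet, and the entry keeps occupying the aged filter table.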

Your Settings:

Configure:

You can manually add to or delete from the above list.

You can also add a trigger by either:

  1. selecting a service from this popup menu and clicking the Add Trigger button OR
  2. by specifically entering a protocol, port and service name and clicking the Add Trigger button.

Select Service

Or Enter

Protocol
(tcp or udp)
Port Number
(1 - 65535)
Service Name

Important: You must NOT add triggers which conflict with servers running on your Macintosh. For example, if you are running Personal Web Sharing, then you would not add a trigger for HTTP (web sharing) nor for FTP (web sharing). Doing so will cause a conflict.

You MAY, however, want to limit access to these servers to specific remote machines. You limit such access by adding specific access filters. These access filters are configured in the next section.

IPNetRouter users: IF you are sharing a cable modem connection which assigns your IP address via DHCP AND you have manually addressed your client machines, then a good trigger to add is DHCP (UDP Port 67). This will enable IPNetSentry to automatically add a filter any time one of your cable modem neighbors renegotiates a DHCP lease, thereby blocking them from accessing your machine.


Access Filters

Description: When you run an IP-based server on your Macintosh (e.g. Apple TCP file sharing, personal web sharing, an FTP server, Timbuktu, etc.) you are potentially giving access to your machine to anyone on the Internet. Adding access filters will permit you to limit which remote machine(s) have access to these servers running on your Macintosh.

Factory Setting: No access filters are configured.

Your Settings:

Configure:

You can manually add to or delete from the above list. (If you manually add a filter, please make sure it has the correct syntax.)

Choose a server service you are running on your Macintosh (or enter a specific protocol and port). Then enter an IP address of the remote machine for which you wish to grant access. Click the Add Access Filter button to complete this entry.

IF you wish to grant more than one remote machine access to this server, select the number of remote machines from the popup menu.

Server Service
Or Enter
Protocol
(tcp or udp)
Port Number
(1 - 65535)

IP Address of Remote Machine
How Many Remote Machines

Each access filter is actually composed of two IPNetSentry filters: the bottommost entry blocks ALL remote access to this server, while the topmost entry grants access to remote machines which fall within the IP address range specified.

Do not be concerned about duplicate BLOCKing filter entries in your settings list. These duplicates will be removed when we build your IPNetSentry configuration file (which is the next, and final, step).
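
The allow/block pairing and the removal of duplicate BLOCK entries, modeled as an added example (not IPNetSentry's code or filter syntax). It assumes top-down, first-match evaluation, treats "How Many Remote Machines" as a run of consecutive addresses, and keeps the last duplicate block entry; the function names and addresses are constructed.

```python
import ipaddress

def access_filter(proto, port, first_ip, count=1):
    """Return the [allow, block] pair for one server port."""
    start = ipaddress.ip_address(first_ip)
    allow = ("allow", proto, port, start, start + (count - 1))
    block = ("block", proto, port, None, None)   # matches every remote host
    return [allow, block]

def build(entries):
    """Drop duplicate block entries, keeping the LAST one.

    Keeping the last copy leaves every allow entry for that port above
    the block, which matters under first-match evaluation.
    """
    out = []
    for i, entry in enumerate(entries):
        if entry[0] == "block" and entry in entries[i + 1:]:
            continue
        out.append(entry)
    return out

def decide(filters, src, proto, port):
    """Walk the list top-down; the first matching entry wins."""
    src = ipaddress.ip_address(src)
    for action, f_proto, f_port, lo, hi in filters:
        if (f_proto, f_port) != (proto, port):
            continue
        if action == "block" or lo <= src <= hi:
            return action
    return "no-match"   # port has no access filter

# Constructed settings list: two grants for web sharing, one for FTP.
SETTINGS = (access_filter("tcp", 80, "192.0.2.10", count=3)
            + access_filter("tcp", 80, "198.51.100.7")
            + access_filter("tcp", 21, "192.0.2.10"))
FILTERS = build(SETTINGS)
```

In the raw SETTINGS list the second grant for port 80 sits below the first block entry, so under first-match it would never be reached; after build() both grants precede the single block.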

There is one special access filter which you can add to the above list which will make your Macintosh invisible to PING and Trace Route type queries. This is an ICMP (Internet Control Message Protocol) filter. Adding this filter will prohibit any remote machine from Pinging your machine. In most cases adding such a filter is OK, but there may be some instances where your ISP may require a response from your machine in order to keep your Internet connection alive. (Note: if you add this ICMP filter, then you will not be able to receive PING type responses during IPNetSentry testing.)


Build the IPNetSentry Configuration File

You are now ready to build your complete IPNetSentry Configuration file. Just click the "Build IPNetSentry Configuration File" button to continue.

Copyright 2000 by Sustainable Softworks.