Sustainable Sustworks - Tools for Internet Travel
Advanced Networking for Macintosh Professionals

Configuring Net Sentry

IPNetSentry is configured by placing specific commands into a text file called "IPNetSentry Config", which resides within your System Preferences Folder.

This file should have already been placed in your Preferences folder when you installed IPNetSentry.

The factory configured Net Sentry settings will be all that are needed for most IPNetSentry users. You will only want to change these if you want to:

  • Change the Notification behavior of IPNetSentry (how it alerts you to a potential intrusion).
  • Change the default time a triggered filter remains in effect (how long the attacking IP Address will be banned).
  • Change the logging mode (whether detailed or only triggered attacks are logged).
  • Set the maximum log size (IPNetSentry will alert you when this log size is exceeded upon restart).
  • Turn on/off matching filter logging. IPNetSentry can report incoming datagrams which match specific filters.
  • Enable standard firewall logging, which creates a log compatible with Open Door Networks' "Who's There" Firewall Advisor (IPNetSentry_FA.log).
  • Set up IPNetSentry triggers for different protocols and ports.
  • Add additional filters permitting exclusive Internet access to your machine from one or more remote machines on the Internet (thereby automatically banning all others from accessing your machine). Example: you only want to permit Timbuktu access to your personal machine at home from a specific machine (IP address) at work.
  • Specify parameters which define a Denial of Service (DoS) attack for your specific Internet connection.

When you build an IPNetSentry Config file from this page, a new file will be generated and automatically downloaded to your machine. This file will replace your existing Net Sentry configuration file and restart Net Sentry.

Note: You can also manually edit your IPNetSentry Config file. This file is a text file which can be edited with almost any type of Text editor (even SimpleText). Please see our IPNetSentry Command Syntax document for specific details of IPNetSentry commands.

Directions

(IMPORTANT: you should have JavaScript enabled in your browser to use this configuration page).

Make desired selections from each of the sections listed below. When you are finished, click the "Build IPNetSentry Configuration" button. This will generate your Net Sentry Configuration file. Copy it, paste it into SimpleText, and save it in your Preferences Folder as "IPNetSentry Config".


Default Filter Time

Description: When IPNetSentry is triggered, it installs a filter which completely prohibits the remote machine from accessing your Macintosh. You can specify the time a filter should time out and automatically be removed from the IPNetSentry Aged Filters file. This will free up room in the Aged Filter table.

Default Setting: 7200 seconds (2 hours).

Your Setting (seconds): enter a value, or choose one from the popup.


Notification Method

Description: When IPNetSentry is triggered, a filter is automatically installed which completely prohibits the remote machine from accessing your Macintosh. You have several ways to be notified of such action (if you wish to be notified at all).

Default Setting: Alert notification box (an alert appears telling you the triggering IP address, the protocol, the port, and the service (HTTP, FTP, SMTP, etc.)).

Note: Starting with IPNetSentry v1.0c3 you can use multiple notification methods.

Options:

  1. No Notification (a log of the trigger event is still recorded in the IPNetSentry.log file)
  2. Alert Notification Box (factory setting)
  3. Browser Notification. Your running web browser is automatically taken to a page on the Sustworks site which provides you with more detailed information about the domain of the triggering party. This information can be very useful if you wish to contact an administrator at the remote party's ISP (informing them of the unauthorized intrusion).
  4. Alert & OPTIONAL Browser Notification. An alert appears telling you the triggering IP address, the protocol, the port, and the service (HTTP, FTP, SMTP, etc.). If you want more information about this trigger, you then hold down the Shift key on your keyboard and click the OK button in the notification alert box. This action will take your browser to a page on our site which will give you more information about this trigger. If you do not hold down the Shift key while dismissing the alert, nothing more will happen.
  5. AppleScript Notification. You can direct IPNetSentry to launch an AppleScript when a trigger is hit. You MUST compile the AppleScript as a Run Only Application and place this compiled script in your System Preferences folder. You must also provide the name of this AppleScript in the edit box below. You should take a look at our example AppleScripts to see how the AppleScript can extract trigger information from IPNetSentry.
  6. Syslog Notification. A log message of the intrusion attempt is sent to a designated Syslog server via UDP port 514. You must supply either a Syslog server IP address or domain name.


Notification(s) Selected:

No Notification

(no notification will overwrite any additional notifications selected)

Alert Notification

Browser Notification

Alert & OPTIONAL Browser Notification

AppleScript Notification

AppleScript Name:
(only required if AppleScript notification is selected)

Syslog Notification

Syslog Server IP Address or Domain Name:

(only required if Syslog notification is selected)


Logging Mode

Description: A log file of every trigger event is kept in the file "IPNetSentry.log" which resides in your Preferences Folder. Standard Trigger Logging only logs trigger events. Detailed logging records several internal events which occur when IPNetSentry starts up and runs (such as showing when triggers are set and reset, etc.). Detailed logging with reset causes the log to start fresh each time IPNetSentry is restarted.

Default Setting: Detailed Logging w/reset

Options:

  1. Standard Trigger Logging
  2. Detailed Logging
  3. Detailed Logging w/reset - resets the log each time IPNetSentry is restarted

Your Setting:


Maximum Log Size

Description: When IPNetSentry starts, it checks the size of the IPNetSentry.log file and IPNetSentry_FA.log file (if the latter is present). If either file size is greater than the specified maximum (in KBytes), a notification alert is given.

Default Setting: 1000 KBytes

Your Setting (KBytes):


Matching Filter Logging

Description: When an intruder hits a trigger, a 32 bit filter is immediately invoked which prevents the intruder from any access to your Macintosh. If you enable "Filter Logging", any subsequent datagrams received from the intruder will be logged. (IPNetRouter users note: any datagrams which match any other filters you have placed on an interface will also be logged).

Default Setting: Off

Options:

  1. Off
  2. On
  3. On - No Broadcast (don't log datagrams if destination address is 255.255.255.255)

Your Setting:


Who's There Firewall Advisor Log

Description: Open Door Networks offers an intrusion analysis application called "Who's There" Firewall Advisor. Activating this option within IPNetSentry creates an additional log file called "IPNetSentry_FA.log". This file resides in your System Preferences folder and provides intrusion entries which are compatible with the "Who's There" Firewall Advisor. You just need to specify that "Who's There" uses the IPNetSentry_FA.log file (under the Preferences menu item of Who's There).

Default Setting: Off

Options:

  1. Off - no IPNetSentry_FA.log file is created (nor updated).
  2. Normal - IPNetSentry_FA.log file is created (if not present) and continually updated. The file is persistent.
  3. Reset - resets the IPNetSentry_FA.log file each time IPNetSentry is restarted

Your Setting:


Worm Protection

(requires IPNetSentry v1.3 or later)

Description: IPNetSentry supports data inspection of incoming packets. This capability is mainly used for worm and virus detection. Sustainable Softworks will add new worm and virus detection options as required.

Check the detection option(s) you wish to enable and the time you wish to have blocked IP addresses remain in the Aged Filter table (in seconds). Default time is 3600 seconds. This keeps the Aged Filter table efficient.

Aged Filter Time (seconds)

Code Red Worm Protection

Nimda Worm Protection

Note: you can also manually add data inspection commands to your IPNetSentry config file for other purposes. Please see the "IPNetSentry Command Syntax" document for additional details.


IPNetSentry Triggers

Description: Net Sentry works by setting triggers (or trip wires) for unsuspecting intruders. When an intruder attempts to make a connection to or sends a packet to one of these triggers, a filter is immediately invoked which completely prohibits the intruder from any access to your Macintosh.

You can specify any set of triggers (protocols and ports) you want (up to 64 individual triggers). Good triggers include services which intruders typically scan to see if they are operating; for example: an SMTP (email) server (TCP Protocol - Port 25), an FTP server (TCP Protocol - Port 21), an SNMP server (remote network management, TCP Protocol - Port 161), a Telnet server (TCP Protocol - Port 23) or a DNS server (UDP Protocol - Port 53).

Default Settings:

  1. SMTP (TCP - 25)
  2. SNMP (TCP - 161)
  3. Telnet (TCP - 23)
  4. DNS (UDP - 53)
  5. POP3 (TCP - 110)

Your Settings:

Configure:

You can manually add to or delete from the above list.

You can also add a trigger by either:

  1. selecting a service from this popup menu and clicking the Add Trigger button OR
  2. by specifically entering a protocol, port and service name and clicking the Add Trigger button.
Select Service (popup menu)

Or Enter: Protocol (tcp, udp, icmp), Port/Type Number (1 - 65535), Service Name

Important: You must NOT add triggers which conflict with servers running on your Macintosh. For example, if you are running Personal Web Sharing, then you would not add a trigger for HTTP (web sharing) nor for FTP (web sharing). Doing so will cause a conflict.

You MAY, however, want to limit access to these servers to specific remote machines. You limit such access by adding specific access filters. These access filters are configured in the next section.

IPNetRouter users: IF you are sharing a cable modem connection which assigns your IP address via DHCP AND you have manually addressed your client machines, then a good trigger to add is DHCP (UDP Port 67). This will enable IPNetSentry to automatically add a filter any time one of your cable modem neighbors renegotiates a DHCP lease, thereby blocking them from accessing your machine.


Access Filters

Description: When you run an IP based server on your Macintosh (e.g. Apple TCP file sharing, Personal Web Sharing, an FTP server, Timbuktu, etc.) you are potentially giving access to your machine to anyone on the Internet. Adding access filters will permit you to limit which remote machine(s) have access to these servers running on your Macintosh.

Default Setting: No access filters are configured.

Your Settings:

Configure:

You can manually add to or delete from the above list. (If you manually add a filter, please make sure it has the correct syntax.)

Choose a server service you are running on your Macintosh (or enter a specific protocol and port). Then enter an IP address of the remote machine for which you wish to grant access. Click the Add Access Filter button to complete this entry.

IF you wish to grant more than one remote machine access to this server, select the number of remote machines from the popup menu.

Server Service (popup menu)

Or Enter: Protocol (tcp or udp), Port Number (1 - 65535)

IP Address of Remote Machine; How Many Remote Machines (popup menu)

Each access filter is actually composed of two IPNetSentry filters: the bottommost entry blocks ALL remote access to this server, while the topmost entry grants access to remote machines which fall within the IP address range specified.

Do not be concerned about duplicate BLOCKing filter entries in your settings list. These duplicates will be removed when we build your IPNetSentry configuration file (which is the next, and final, step).

There is one special access filter which you can add to the above list which will make your Macintosh invisible to PING and Trace Route type queries. This is an ICMP (Internet Control Message Protocol) filter. Adding this filter will prohibit any remote machine from Pinging your machine. In most cases adding such a filter is OK, but there may be some instances where your ISP may require a response from your machine in order to keep your Internet connection alive. (note: if you add this ICMP filter, then you will not be able to receive PING type responses during IPNetSentry testing).
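To make the two-entry structure concrete, here is an added example (not IPNetSentry's own code or config syntax) that builds the ordered ALLOW/BLOCK pairs described above, drops duplicate BLOCK entries, and evaluates a datagram top-down; the CIDR notation for the "range of remote machines" and the rule tuple layout are assumptions of this model.

```python
import ipaddress

# Constructed sample: (protocol, port, remote range) for each server you run.
# A single address is written as a /32.
GRANTS = [
    ("tcp", 80, "192.0.2.10"),          # Personal Web Sharing, one machine at work
    ("tcp", 80, "198.51.100.0/24"),     # ...plus a whole office range
    ("tcp", 21, "192.0.2.10"),          # FTP, same single machine
]

# The page's "invisible to PING / traceroute" entry: block all ICMP, any type.
ICMP_BLOCK = ("block", "icmp", None, None)


def build_access_filters(grants):
    """Return rules in evaluation order: every ALLOW (topmost) first, then one
    BLOCK per (protocol, port) at the bottom. Duplicate BLOCK entries, which the
    page says are removed at build time, are collapsed here."""
    allows, blocks = [], []
    for proto, port, cidr in grants:
        net = ipaddress.ip_network(cidr, strict=False)
        allows.append(("allow", proto, port, net))
        block = ("block", proto, port, None)
        if block not in blocks:
            blocks.append(block)
    return allows + blocks


def evaluate(rules, proto, port, src):
    """First matching rule wins. A datagram that matches nothing passes on
    (to the trigger logic, or to whatever service is listening)."""
    ip = ipaddress.ip_address(src)
    for action, rproto, rport, net in rules:
        if rproto != proto:
            continue
        if rport is not None and rport != port:
            continue
        if net is not None and ip not in net:
            continue
        return action
    return "pass"


if __name__ == "__main__":
    rules = build_access_filters(GRANTS) + [ICMP_BLOCK]
    for r in rules:
        print(r)
    print(evaluate(rules, "tcp", 80, "203.0.113.7"))   # blocked: not in any grant
```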


Denial of Service (DoS) Attack Detection

Description: A Denial of Service (DoS) type attack occurs when a remote machine (or machines) bombard your Macintosh with so many incoming datagrams that no other valid traffic can pass.

How IPNetSentry detects a DoS attack: Once a filter is invoked by a trigger (or manually configured), IPNetSentry will receive a message when an incoming datagram matches a filter. As an intruder continues to hit your machine with datagrams, even though they are prevented from accessing your machine, IPNetSentry silently counts the number of packets received. If the number of incoming packets from a remote IP address exceeds the specified denial of service events in the specified interval (denial of service interval) then you are notified of a possible Denial of Service attack. Further logging of these filter events is also prevented (for this single remote IP address). This prevents a DoS attacker from filling your log file with filter entries.

Specifying the parameters of a DoS attack depends upon your Internet connection. It takes more datagrams (events) per second (interval) to flood a cable modem connection than it does to block a slower analog modem connection. For this reason we recommend that you simply choose your type of Internet connection when specifying the parameters to be used for DoS attack detection. Advanced users, however, might wish to calculate their own parameters.

If no parameters are set, DoS attack detection is off.
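The following added example (a model written for this page, not IPNetSentry's own code) ties together the trigger behaviour from the "IPNetSentry Triggers" section, the timed Aged Filter from "Default Filter Time", and the per-address counting described just above: a datagram to a trigger port installs a filter that ages out after the filter time, later datagrams from that address are counted, and once the count exceeds the DoS event threshold within the interval the address is reported once and no longer logged. Timestamps are simulated seconds; the class and method names are assumptions.

```python
from collections import defaultdict

DEFAULT_FILTER_TIME = 7200   # page default: a triggered filter lasts 2 hours
DEFAULT_TRIGGERS = {("tcp", 25), ("tcp", 161), ("tcp", 23),
                    ("udp", 53), ("tcp", 110)}   # page's factory trigger list


class Sentry:
    def __init__(self, triggers=DEFAULT_TRIGGERS, filter_time=DEFAULT_FILTER_TIME,
                 dos_interval=None, dos_events=None):
        self.triggers = set(triggers)
        self.filter_time = filter_time
        self.dos_interval = dos_interval      # None = DoS detection off (page default)
        self.dos_events = dos_events
        self.aged = {}                        # remote IP -> time its filter expires
        self.hits = defaultdict(list)         # remote IP -> times of filtered datagrams
        self.dos_flagged = set()              # addresses already reported as DoS
        self.log = []                         # stands in for IPNetSentry.log

    def _expire(self, now):
        for ip in [ip for ip, t in self.aged.items() if t <= now]:
            del self.aged[ip]                 # filter aged out of the table
            self.hits.pop(ip, None)
            self.dos_flagged.discard(ip)

    def datagram(self, now, src, proto, port):
        """Handle one incoming datagram: 'pass', 'trigger', 'filtered' or 'dos'."""
        self._expire(now)
        if src in self.aged:
            return self._filtered(now, src)
        if (proto, port) in self.triggers:
            self.aged[src] = now + self.filter_time
            self.log.append(f"TRIGGER {src} {proto}/{port}")
            return "trigger"
        return "pass"

    def _filtered(self, now, src):
        if src in self.dos_flagged:
            return "dos"                      # already reported; logging suppressed
        if self.dos_interval is None:
            self.log.append(f"FILTER {src}")  # plain matching-filter logging
            return "filtered"
        # Keep only the hits inside the measurement interval, then add this one.
        window = [t for t in self.hits[src] if t > now - self.dos_interval] + [now]
        self.hits[src] = window
        if len(window) > self.dos_events:     # "exceeds the specified events"
            self.dos_flagged.add(src)
            self.log.append(f"DOS {src}")
            return "dos"
        self.log.append(f"FILTER {src}")
        return "filtered"
```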

Default Setting: Off

Your Internet Connection:

DoS Measurement Interval (secs):

Number of Matching Filter Events:


Set PPP as Primary Interface
(ONLY applicable to IPNetRouter users who are sharing a PPP type connection)

Description: IF you are running IPNetSentry on a Macintosh running IPNetRouter AND your Internet connection is made through Apple's Remote Access or PPP control panel, then you need to enable this option. This option will tell IPNetSentry to use your PPP connection as the primary interface (and not the setting in the active TCP/IP control panel).

Default Setting: Off

Set PPP as Primary Interface:


Special Commands

Description: These are special commands which you may have manually entered within the IPNetSentry Config file or special commands which are not covered in one of the above listed sections. Please consult the online IPNetSentry Command Syntax document for additional details.

Special "#set..." commands:

Other special commands:


Build the IPNetSentry Configuration File

You are now ready to build your complete IPNetSentry Configuration file. Just click the "Build IPNetSentry Configuration File" button to continue.

IMPORTANT: Building a new IPNetSentry will overwrite your existing IPNetSentry Config file (in your Preferences folder). For this reason you may wish to make a copy of your existing IPNetSentry Config file before building a new IPNetSentry Config file.
