While capturing packets with tcpdump I noticed that a number of US IP addresses were constantly scanning the ports of one of my cloud hosts; these people have nothing better to do than scan for zombies all day. I looked around for software and found PortSentry to be quite good. PortSentry is an intrusion detection tool that is simple to configure and directly effective; development stopped after the company was acquired by Cisco, but the software is still very capable today.
Once it spots suspicious behaviour, PortSentry can take the following specific measures to strengthen the defences:
Hand out bogus routing information, redirecting all of the scanner's traffic to a non-existent host
Actively add hosts that port-scan the server to the TCP Wrappers /etc/hosts.deny file. Because there is a hardware firewall in front of production, the server firewalls are generally left off, out of concern for communication within the cluster.
Here are my notes. First download PortSentry, either from the official site http://sourceforge.net/projects/sentrytools/ or from my server, http://fm.linzhennan.cn/portsentry-1.2.tar.gz
1. Download, extract and install PortSentry. Note that extracting and installing is very simple: cd into the software directory, then make and make install. It does fail with an error, though, which I have pasted below; it occurs at the make linux step.
The fix is to open portsentry.c and find the statement at
1584   printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot
1585 sourceforget dot net>\n");
This statement has had a line break inserted into the middle of it; remove the line break so it is a single line again, then rebuild and install.

[root@localhost ~]# cd /usr/local/
[root@localhost local]# wget http://fm.linzhennan.cn/portsentry-1.2.tar.gz
[root@localhost local]# tar -xf portsentry-1.2.tar.gz
[root@localhost local]# cd portsentry_beta/
[root@localhost portsentry_beta]# make
Usage: make <systype>
<systype> is one of: linux, debian-linux, bsd, solaris, hpux, hpux-gcc,
freebsd, osx, openbsd, netbsd, bsdi, aix, osf, irix, generic

This code requires snprintf()/vsnprintf() system calls
to work. If you run a modern OS it should work on
your system with 'make generic'. If you get it to
work on an unlisted OS please write us with the
changes.

Install: make install

NOTE: This will install the package in this
      directory: /usr/local/psionic

Edit the makefile if you wish to change these paths.
Any existing files will be overwritten.
[root@localhost portsentry_beta]# make install
Creating psionic directory /usr/local/psionic
Setting directory permissions
Creating portsentry directory /usr/local/psionic/portsentry
Setting directory permissions
chmod 700 /usr/local/psionic/portsentry
Copying files
cp ./portsentry.conf /usr/local/psionic/portsentry
cp ./portsentry.ignore /usr/local/psionic/portsentry
cp ./portsentry /usr/local/psionic/portsentry
cp: cannot stat `./portsentry': No such file or directory
make: *** [install] Error 1
[root@localhost portsentry_beta]# make linux
SYSTYPE=linux
Making
cc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
                ./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function ‘PortSentryModeTCP’:
./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness
./portsentry.c: In function ‘PortSentryModeUDP’:
./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
./portsentry.c: In function ‘Usage’:
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: ‘sourceforget’ undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ‘)’ before ‘dot’
./portsentry.c:1585: error: stray ‘\’ in program
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ‘;’ before ‘}’ token
make: *** [linux] Error 1


The fix for the error is as follows:

[root@localhost portsentry_beta]# vim portsentry.c
1584   printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot
1585 sourceforget dot net>\n");
1586   printf ("Licensing restrictions apply. Please see documentation\n");
1587   printf ("Version: %s\n\n", VERSION);
1588 #ifdef SUPPORT_STEALTH
1589   printf ("usage: portsentry [-tcp -udp -stcp -atcp -sudp -audp]\n\n");
1590 #else
1591   printf ("Stealth scan detection not supported on this platform\n");
1592   printf ("usage: portsentry [-tcp -udp]\n\n");
1593 #endif
1594   printf ("*** PLEASE READ THE DOCS BEFORE USING *** \n\n");
1595 }
1596
1597
1598
1599 /* our cheesy state engine to monitor who has connected here before */
1600 int
1601 CheckStateEngine (char *target)
1602 {
1603   int count = 0, scanDetectTrigger = TRUE;
1604   int gotOne = 0;
1605
"portsentry.c" 1778L, 54341C written    


After making the change, run make linux again:

[root@localhost portsentry_beta]# make linux
SYSTYPE=linux
Making
cc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
                ./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function ‘PortSentryModeTCP’:
./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness
./portsentry.c: In function ‘PortSentryModeUDP’:
./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
[root@localhost portsentry_beta]# make install
Creating psionic directory /usr/local/psionic
Setting directory permissions
Creating portsentry directory /usr/local/psionic/portsentry
Setting directory permissions
chmod 700 /usr/local/psionic/portsentry
Copying files
cp ./portsentry.conf /usr/local/psionic/portsentry
cp ./portsentry.ignore /usr/local/psionic/portsentry
cp ./portsentry /usr/local/psionic/portsentry
Setting permissions
chmod 600 /usr/local/psionic/portsentry/portsentry.ignore
chmod 600 /usr/local/psionic/portsentry/portsentry.conf
chmod 700 /usr/local/psionic/portsentry/portsentry


Edit /usr/local/psionic/portsentry/portsentry.conf and change
your settings if you haven't already. (route, etc)


WARNING: This version and above now use a new
directory structure for storing the program
and config files (/usr/local/psionic/portsentry).
Please make sure you delete the old files when
the testing of this install is complete.
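The edit above is a one-line fix done by hand in vim. The script below is an added example, not part of PortSentry and not the author's code: it re-joins any printf() string literal that has been split across two lines, which is exactly the defect at lines 1584-1585 of portsentry.c. The sample source it operates on is constructed here as a stand-in for the real file, and the function name `join_broken_printf` is my own.

```shell
#!/bin/sh
# Added example (not PortSentry code): re-join a printf() string literal that has
# been split across two lines. A source line containing an odd number of double
# quotes has an unterminated string, so it is glued to the following line with a
# single space, which restores "users dot sourceforget dot net".
join_broken_printf() {
  awk '
    pending != "" { print pending " " $0; pending = ""; next }
    { quotes = split($0, parts, "\"") - 1 }   # number of double quotes on the line
    quotes % 2 == 1 { pending = $0; next }    # unterminated string: hold the line
    { print }
  ' "$1"
}

# Constructed stand-in for the broken Usage() lines of portsentry.c (not the real file).
write_sample_source() {
  cat > "$1" <<'EOF'
  printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot
sourceforget dot net>\n");
  printf ("Licensing restrictions apply. Please see documentation\n");
EOF
}

# Against the real tree (assumed path): join_broken_printf portsentry.c > portsentry.c.fixed
```

The heuristic only handles the simple case of a string literal split by a stray newline; a quote inside a character literal such as `'"'` would confuse the count, so diff the result against the original before overwriting portsentry.c.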

2. Location of the configuration file. It spells out the port information; look at which services the server mainly provides and write your own port list.
[root@localhost portsentry_beta]# vim portsentry.conf
3. Start the program, add it to the boot-time startup, and check the latest system log

[root@localhost portsentry_beta]# /usr/local/psionic/portsentry/portsentry -atcp        
[root@localhost portsentry_beta]# echo /usr/local/psionic/portsentry/portsentry -atcp  >> /etc/rc.local
[root@localhost portsentry_beta]# tail /var/log/messages

Opening the log shows that scanning machines have already been detected and added to hosts.deny:

[root@localhost portsentry_beta]# vim /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd:124.232.161.173
vsftpd:124.232.161.173
ALL:208.115.113.82
ALL: 192.200.121.152
ALL: 42.96.128.204
"/etc/hosts.deny" 9L, 249C written


[root@localhost portsentry_beta]# ll /usr/local/psionic/portsentry/
total 60
-rwx------ 1 root root 35927 Nov 28 12:51 portsentry
-rw-r--r-- 1 root root   207 Nov 28 12:51 portsentry.blocked.atcp
-rw------- 1 root root 11198 Nov 28 12:51 portsentry.conf
-rw------- 1 root root   207 Nov 28 12:51 portsentry.history
-rw------- 1 root root   578 Nov 28 12:51 portsentry.ignore
portsentry.conf configures a number of files automatically; their purposes are as follows:
# This file lists the addresses of hosts that are allowed to scan the server legitimately
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"

# This file keeps the IP history of all hosts that have ever been detected as intruders
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"

# This file records the IPs of hosts whose connections have already been blocked
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"

(3) Setting up route redirection

By configuring portsentry.conf you can set up a fake route entry that redirects the scanner's packets to an unknown host, so that it gets no information back. The relevant configuration lines are:

#Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

#Generic Linux
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

Different platforms use different route commands; pick the one that fits your platform in the configuration file. The syntax above is for Linux machines. PortSentry is very user-friendly: the configuration file contains a ready-made line for each operating system, so you only need to uncomment the matching one.

 

(4) You can also use the Linux iptables command to cut off the attacking host's connection:

KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

Or record the attacker's IP directly in /etc/hosts.deny and rely on the TCP Wrappers protection mechanism to block the attack:

KILL_HOSTS_DENY="ALL:$TARGET$ # Portsentry blocked"

By default the system uses TCP Wrappers to cut the connection to the host.

 

(5) Customizing the warning message

You can also define a warning message that is sent to the attacker. The manual recommends against using this option, however, because it may reveal that the host is running an IDS.

PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."

After editing, change the file permissions to keep it secure:

chmod 600 /usr/local/psionic/portsentry/portsentry.conf

 

2. Configuring the portsentry.ignore file

The /usr/local/psionic/portsentry/portsentry.ignore file lists the host IPs that PortSentry should ignore, i.e. the hosts that are allowed to scan legitimately. Its configuration looks like this:

# Put hosts in here you never want blocked. This includes the IP addresses
# of all local interfaces on the protected host (i.e. virtual hosts, multi-homed)
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
127.0.0.1/32
0.0.0.0
# Exclude all local interfaces
192.168.1.103
192.168.1.102
127.0.0.1

Remember to include the host's own addresses, just in case.

After editing, the file's default permissions likewise need to be changed:

chmod 600 /usr/local/psionic/portsentry/portsentry.ignore
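The easiest way to forget a local address is to type the ignore file by hand. As an added example (not PortSentry's code and not the author's), the script below builds portsentry.ignore from the host's own IPv4 addresses in `ip -o -4 addr show` format, always keeps the mandatory 127.0.0.1/32 and 0.0.0.0 entries, and applies the chmod 600 the page asks for. The `ip` output it reads is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example (not PortSentry code): generate portsentry.ignore from the host's
# own IPv4 addresses so that none of them can ever be blocked by PortSentry.

# Print each local IPv4 address (without prefix length), one per line, from a
# file holding `ip -o -4 addr show` output. Field 4 is "addr/prefix".
local_ipv4_addrs() {
  awk '$3 == "inet" { split($4, a, "/"); print a[1] }' "$1" | sort -u
}

# Write the ignore file: mandatory loopback/any entries first, then every local
# interface address, then restrict the file to the owner as the page does.
build_ignore_file() {
  ip_output=$1
  dest=$2
  {
    echo '# Put hosts in here you never want blocked. Keep 127.0.0.1 and 0.0.0.0.'
    echo '127.0.0.1/32'
    echo '0.0.0.0'
    echo '# Exclude all local interfaces'
    local_ipv4_addrs "$ip_output" | grep -vx '127.0.0.1' || true   # loopback is already listed
  } > "$dest"
  chmod 600 "$dest"
}

# Constructed sample of `ip -o -4 addr show` output for a two-interface host.
write_sample_ip_output() {
  cat > "$1" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.103/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth1\       valid_lft forever preferred_lft forever
EOF
}

# On a live host (assumed paths):
#   ip -o -4 addr show > /tmp/ip.txt
#   build_ignore_file /tmp/ip.txt /usr/local/psionic/portsentry/portsentry.ignore
```

Regenerate the file whenever an interface or alias address is added; an address missing here is an address PortSentry can block, and in advanced mode that includes the host's own monitoring traffic.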

3. Starting the detection modes

Finally, a word on PortSentry's startup detection modes. For each of the two protocols, TCP and UDP, there are three startup modes: basic, stealth and advanced stealth scan detection.

◆ portsentry -tcp, basic TCP port binding mode;
◆ portsentry -udp, basic UDP port binding mode;
◆ portsentry -stcp, TCP stealth scan detection mode;
◆ portsentry -sudp, UDP stealth scan detection mode;
◆ portsentry -atcp, TCP advanced stealth scan detection mode;
◆ portsentry -audp, UDP advanced stealth scan detection mode.

In general, the stealth or advanced stealth scan detection mode is recommended.

In Advanced Stealth Scan Detection Mode, PortSentry automatically checks which ports are in use on the server, removes those ports from the configured list and monitors only the remaining ones. This speeds up the reaction to port scans and uses very little CPU time. The mode is very smart, and it is the one I prefer.

The command to start PortSentry is:

# /usr/local/psionic/portsentry/portsentry -atcp

You can add the startup command to the /etc/rc.d/rc.local script; that way PortSentry runs automatically whenever the machine is rebooted. If you want to manage it like any other background daemon (start it, stop it and check its status at will), that can be done too.

4. Testing

Run the scan command nmap -sS 192.168.1.90 and you will see a line ALL: 192.168.1.70 appear in /etc/hosts.deny, which proves that the configuration is effective.
To confirm its effectiveness I deployed portsentry 1.2 on one of the production machines; the log shows:

[root@localhost ~]# tail /var/log/messages
Nov 28 13:19:54 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: 98.158.157.228.uscolo.com/98.158.157.228 to TCP port: 445
Nov 28 13:19:54 localhost portsentry[6568]: attackalert: Host 98.158.157.228 has been blocked via wrappers with string: "ALL: 98.158.157.228"
Nov 28 13:19:54 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: 98.158.157.228.uscolo.com/98.158.157.228 to TCP port: 445
Nov 28 13:19:54 localhost portsentry[6568]: attackalert: Host 98.158.157.228 has been blocked via wrappers with string: "ALL: 98.158.157.228"
Nov 28 13:19:56 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: 192-69-220-78.static.webnx.com/192.69.220.78 to TCP port: 135
Nov 28 13:19:56 localhost portsentry[6568]: attackalert: Host 192.69.220.78 has been blocked via wrappers with string: "ALL: 192.69.220.78"
Nov 28 13:19:59 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: h88-150-211-232.host.redstation.co.uk/88.150.211.232 to TCP port: 445
Nov 28 13:19:59 localhost portsentry[6568]: attackalert: Host 88.150.211.232 has been blocked via wrappers with string: "ALL: 88.150.211.232"
Nov 28 13:19:59 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: h88-150-211-232.host.redstation.co.uk/88.150.211.232 to TCP port: 445
Nov 28 13:19:59 localhost portsentry[6568]: attackalert: Host: h88-150-211-232.host.redstation.co.uk/88.150.211.232 is already blocked Ignoring
Nov 28 13:19:59 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: h88-150-211-232.host.redstation.co.uk/88.150.211.232 to TCP port: 445
Nov 28 13:19:59 localhost portsentry[6568]: attackalert: Host: h88-150-211-232.host.redstation.co.uk/88.150.211.232 is already blocked Ignoring
Nov 28 13:20:02 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: hosted-by.netdirekt.com.tr/195.244.39.94 to TCP port: 445
Nov 28 13:20:02 localhost portsentry[6568]: attackalert: Host 195.244.39.94 has been blocked via wrappers with string: "ALL: 195.244.39.94"
Nov 28 13:20:02 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: hosted-by.netdirekt.com.tr/195.244.39.94 to TCP port: 445
Nov 28 13:20:02 localhost portsentry[6568]: attackalert: Host: hosted-by.netdirekt.com.tr/195.244.39.94 is already blocked Ignoring
Nov 28 13:20:02 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: hosted-by.netdirekt.com.tr/195.244.39.94 to TCP port: 445
Nov 28 13:20:02 localhost portsentry[6568]: attackalert: Host: hosted-by.netdirekt.com.tr/195.244.39.94 is already blocked Ignoring
Nov 28 13:20:14 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: 192.168.105.100/192.168.105.100 to TCP port: 445
Nov 28 13:20:14 localhost portsentry[6568]: attackalert: Host 192.168.105.100 has been blocked via wrappers with string: "ALL: 192.168.105.100"



[root@localhost ~]# tail -n 10 /etc/hosts.deny
ALL: 192.200.125.214
ALL: 203.156.217.145
ALL: 115.236.24.74
ALL: 98.158.157.228
ALL: 98.158.157.228
ALL: 98.158.157.228
ALL: 192.69.220.78
ALL: 88.150.211.232
ALL: 195.244.39.94
ALL: 192.168.105.100
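Reading attackalert lines by eye does not scale once a host is being scanned all day, and the hosts.deny tail above already shows 98.158.157.228 written three times. As an added example (not PortSentry's code and not the author's), the script below summarizes scans per source IP and port from /var/log/messages, lists the hosts PortSentry reports as newly blocked, and flags duplicate entries in hosts.deny. The log lines and hosts.deny excerpt it runs on are constructed from the format shown on this page, and the function names are my own.

```shell
#!/bin/sh
# Added example (not PortSentry code): summarize PortSentry "attackalert" syslog
# lines and check a hosts.deny file for duplicate entries.

# Print "<source-ip> <port> <scan-count>" for every TCP scan line in log file $1.
scan_summary() {
  awk '/attackalert: TCP SYN\/Normal scan from host:/ {
         ip = ""; port = ""
         for (i = 1; i <= NF; i++) {
           # "host:" is followed by "name/ip"; keep the part after the last slash
           if ($i == "host:") { n = split($(i+1), p, "/"); ip = p[n] }
           if ($i == "port:") { port = $(i+1) }
         }
         if (ip != "" && port != "") count[ip " " port]++
       }
       END { for (k in count) print k, count[k] }' "$1" | sort
}

# Print each source IP that PortSentry reports as newly blocked via TCP Wrappers.
blocked_hosts() {
  awk '/has been blocked via wrappers/ {
         for (i = 1; i <= NF; i++) if ($i == "Host") print $(i+1)
       }' "$1" | sort -u
}

# Print "<ip> <n>" for every address listed more than once in hosts.deny file $1.
hosts_deny_duplicates() {
  awk '!/^#/ && NF > 0 {
         sub(/^[^:]*:[ ]*/, "")      # drop the "ALL:" / "sshd:" service prefix
         seen[$0]++
       }
       END { for (ip in seen) if (seen[ip] > 1) print ip, seen[ip] }' "$1" | sort
}

# Constructed sample input modelled on the page's log and hosts.deny excerpts.
write_samples() {
  cat > "$1" <<'EOF'
Nov 28 13:19:54 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: 98.158.157.228.uscolo.com/98.158.157.228 to TCP port: 445
Nov 28 13:19:54 localhost portsentry[6568]: attackalert: Host 98.158.157.228 has been blocked via wrappers with string: "ALL: 98.158.157.228"
Nov 28 13:19:54 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: 98.158.157.228.uscolo.com/98.158.157.228 to TCP port: 445
Nov 28 13:19:56 localhost portsentry[6568]: attackalert: TCP SYN/Normal scan from host: 192-69-220-78.static.webnx.com/192.69.220.78 to TCP port: 135
Nov 28 13:19:56 localhost portsentry[6568]: attackalert: Host 192.69.220.78 has been blocked via wrappers with string: "ALL: 192.69.220.78"
Nov 28 13:19:59 localhost portsentry[6568]: attackalert: Host: h88-150-211-232.host.redstation.co.uk/88.150.211.232 is already blocked Ignoring
EOF
  cat > "$2" <<'EOF'
# hosts.deny excerpt
sshd:124.232.161.173
ALL: 98.158.157.228
ALL: 98.158.157.228
ALL: 98.158.157.228
ALL: 192.69.220.78
EOF
}

# On a live host: scan_summary /var/log/messages; hosts_deny_duplicates /etc/hosts.deny
```

The duplicates are harmless to TCP Wrappers but they show that PortSentry appends a new hosts.deny line every time a scan from the same source is processed before its block takes effect, so the file grows; the per-port summary is what tells you which services (445 and 135 here) the scanners are actually after.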