https://sourceforge.net/projects/sentrytools/
[root@localhost ~]# tar -xzvf portsentry-1.2.tar.gz [root@localhost ~]# cd portsentry_beta/ [root@localhost portsentry_beta]# ls CHANGES portsentry.c portsentry_io.c README.COMPAT CREDITS portsentry.conf portsentry_io.h README.install ignore.csh portsentry_config.h portsentry_tcpip.h README.methods LICENSE portsentry.h portsentry_util.c README.stealth Makefile portsentry.ignore portsentry_util.h [root@localhost portsentry_beta]# make Usage: make <systype> <systype> is one of: linux, debian-linux, bsd, solaris, hpux, hpux-gcc, freebsd, osx, openbsd, netbsd, bsdi, aix, osf, irix, generic This code requires snprintf()/vsnprintf() system calls to work. If you run a modern OS it should work on your system with 'make generic'. If you get it to work on an unlisted OS please write us with the changes. Install: make install NOTE: This will install the package in this directory: /usr/local/psionic Edit the makefile if you wish to change these paths. Any existing files will be overwritten. [root@localhost portsentry_beta]# make install Creating psionic directory /usr/local/psionic Setting directory permissions Creating portsentry directory /usr/local/psionic/portsentry Setting directory permissions chmod 700 /usr/local/psionic/portsentry Copying files cp ./portsentry.conf /usr/local/psionic/portsentry cp ./portsentry.ignore /usr/local/psionic/portsentry cp ./portsentry /usr/local/psionic/portsentry cp: cannot stat `./portsentry': No such file or directory make: *** [install] Error 1 [root@localhost portsentry_beta]# make linux SYSTYPE=linux Making cc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c ./portsentry_io.c ./portsentry_util.c ./portsentry.c: In function ‘PortSentryModeTCP’: ./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness /usr/include/sys/socket.h:214: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’ ./portsentry.c: In function ‘PortSentryModeUDP’: ./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness /usr/include/sys/socket.h:166: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’ ./portsentry.c:1584:11: warning: missing terminating " character ./portsentry.c: In function ‘Usage’: ./portsentry.c:1584: error: missing terminating " character ./portsentry.c:1585: error: ‘sourceforget’ undeclared (first use in this function) ./portsentry.c:1585: error: (Each undeclared identifier is reported only once ./portsentry.c:1585: error: for each function it appears in.) ./portsentry.c:1585: error: expected ‘)’ before ‘dot’ ./portsentry.c:1585: error: stray ‘’ in program ./portsentry.c:1585:24: warning: missing terminating " character ./portsentry.c:1585: error: missing terminating " character ./portsentry.c:1595: error: expected ‘;’ before ‘}’ token ./portsentry_io.c: In function ‘ConfigTokenRetrieve’: ./portsentry_io.c:321: warning: cast from pointer to integer of different size ./portsentry_io.c:324: warning: cast from pointer to integer of different size ./portsentry_io.c: In function ‘IsBlocked’: ./portsentry_io.c:670: warning: cast from pointer to integer of different size ./portsentry_io.c: In function ‘SubstString’: ./portsentry_io.c:727: warning: cast from pointer to integer of different size make: *** [linux] Error 1
解决方法 把portsentry.c中代“将带有Copyright 1997-2003字样的那行调整为一行即可”:
调整后如下:
[root@localhost portsentry_beta]# make linux SYSTYPE=linux Making cc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c ./portsentry_io.c ./portsentry_util.c ./portsentry.c: In function ‘PortSentryModeTCP’: ./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness /usr/include/sys/socket.h:214: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’ ./portsentry.c: In function ‘PortSentryModeUDP’: ./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness /usr/include/sys/socket.h:166: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’ ./portsentry_io.c: In function ‘ConfigTokenRetrieve’: ./portsentry_io.c:321: warning: cast from pointer to integer of different size ./portsentry_io.c:324: warning: cast from pointer to integer of different size ./portsentry_io.c: In function ‘IsBlocked’: ./portsentry_io.c:670: warning: cast from pointer to integer of different size ./portsentry_io.c: In function ‘SubstString’: ./portsentry_io.c:727: warning: cast from pointer to integer of different size
[root@localhost portsentry_beta]# make install Creating psionic directory /usr/local/psionic Setting directory permissions Creating portsentry directory /usr/local/psionic/portsentry Setting directory permissions chmod 700 /usr/local/psionic/portsentry Copying files cp ./portsentry.conf /usr/local/psionic/portsentry cp ./portsentry.ignore /usr/local/psionic/portsentry cp ./portsentry /usr/local/psionic/portsentry Setting permissions chmod 600 /usr/local/psionic/portsentry/portsentry.ignore chmod 600 /usr/local/psionic/portsentry/portsentry.conf chmod 700 /usr/local/psionic/portsentry/portsentry Edit /usr/local/psionic/portsentry/portsentry.conf and change your settings if you haven't already. (route, etc) WARNING: This version and above now use a new directory structure for storing the program and config files (/usr/local/psionic/portsentry). Please make sure you delete the old files when the testing of this install is complete.
安装路径为:
[root@localhost portsentry_beta]# tree /usr/local/psionic/
/usr/local/psionic/
└── portsentry
├── portsentry
├── portsentry.conf
└── portsentry.ignore
1 directory, 3 files
PortSentry的配置:
1:通过PortSentry.conf
# Un-comment these if you are really anal: #TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320" #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321" # # Use these if you just want to be aware: TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320" UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321" # # Use these for just bare-bones #TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320" #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
通过portSentry进行入侵检,首先制定要监视的端口清单和相应的阻止对策。然后启动后台进程对这些端口进行检测,一旦发现有人扫描这些端口,以及相应的对策进行阻拦。
通过portentry.conf中关于端口默认配置情况:
一般有意开放的端口是不需要监控的,如果web服务器的80端口!!!!!
在portsentry.conf中自动配置了许多文件如下:
########################################### # Advanced Stealth Scan Detection Options # ########################################### # # This is the number of ports you want PortSentry to monitor in Advanced mode. # Any port *below* this number will be monitored. Right now it watches # everything below 1024. # # On many Linux systems you cannot bind above port 61000. This is because # these ports are used as part of IP masquerading. I don't recommend you # bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR # OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been # warned! Don't write me if you have have a problem because I'll only tell # you to RTFM and don't run above the first 1024 ports. # # ADVANCED_PORTS_TCP="1024" ADVANCED_PORTS_UDP="1024" #这表明,1~1024的所有端口将被监视 # This field tells PortSentry what ports (besides listening daemons) to # ignore. This is helpful for services like ident that services such # as FTP, SMTP, and wrappers look for but you may not run (and probably # *shouldn't* IMHO). # # By specifying ports here PortSentry will simply not respond to # incoming requests, in effect PortSentry treats them as if they are # actual bound daemons. The default ports are ones reported as # problematic false alarms and should probably be left alone for # all but the most isolated systems/networks. #但监视高端口号会引起更多的误报,可以通下面参数排除出错的端口 # Default TCP ident and NetBIOS service ADVANCED_EXCLUDE_TCP="111,113,139" #默认请况,使用tcp(111,113,139)的ident和NetBIOS服务以及UDP(520,138,137,67)route,NetBIOS和Bootp服务将被排除在高级扫描之外。 # Default UDP route (RIP), NetBIOS, bootp broadcasts. ADVANCED_EXCLUDE_UDP="520,138,137,67" ######################
###################### # Configuration Files# ###################### # # Hosts to ignore#记录允许合法扫描服务器的主机地址 IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore" # Hosts that have been denied (running history)#入侵主机的IP历史记录 HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history" # Hosts that have been denied this session only (temporary until next restart)#被阻止连接主机的ip记录 BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
设置路由重定向:
# Generic #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666" # Generic Linux KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666" # Newer versions of Linux support the reject flag now. This # is cleaner than the above option. #KILL_ROUTE="/sbin/route add -host $TARGET$ reject" # Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD) #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666" #把数据包重定向到一个未知的主机,使这无法获取信息
我们还可以利用linux中的iptables命令,可以切断攻主机的连接:
# iptables support for Linux KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP" # # For those of you running FreeBSD (and compatible) you can
可以直热门把攻击者的ip记录到/etc/hosts.deny文件中,利用TCP_Wrappers保护机制来防止攻击
############### # TCP Wrappers# ############### # This text will be dropped into the hosts.deny file for wrappers # to use. There are two formats for TCP wrappers: # # Format One: Old Style - The default when extended host processing # options are not enabled. # KILL_HOSTS_DENY="ALL: $TARGET$" # Format Two: New Style - The format used when extended option # processing is enabled. You can drop in extended processing # options, but be sure you escape all '%' symbols with a backslash # to prevent problems writing out (i.e. \%c \%h ) # #KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
系统默认是利用TCP_Wrappers来切断与主机之间的连接
改变完毕后,改变文件的权限,以保证其安全。
/usr/psionic/portentry/portsentry.ignore文件中设置portsentry忽略主机ip,限允许合法扫描的主机地址一面是配置情况:
[root@localhost portsentry]# cat portsentry.ignore # Put hosts in here you never want blocked. This includes the IP addresses # of all local interfaces on the protected host (i.e virtual host, mult-home) # Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games. # # PortSentry can support full netmasks for networks as well. Format is: # # <IP Address>/<Netmask> # # Example: # # 192.168.2.0/24 # 192.168.0.0/16 # 192.168.2.1/32 # Etc. # # If you don't supply a netmask it is assumed to be 32 bits. # # 127.0.0.1/32 0.0.0.0 #Exclude all local interfaces 127.0.0.1
记得带上本机地址
portsentry启动检测模试。对应tcp和udp两种协议方式,portsentry分别有三种启动模式,即基本 秘密和高级秘密扫描检测模式,合计6种模式。
[root@localhost portsentry]# ls portsentry portsentry.conf portsentry.ignore [root@localhost portsentry]# pwd /usr/local/psionic/portsentry [root@localhost portsentry]# ./portsentry -h PortSentry - Port Scan Detector. Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net> Licensing restrictions apply. Please see documentation Version: 1.2 usage: portsentry [-tcp -udp -stcp -atcp -sudp -audp] *** PLEASE READ THE DOCS BEFORE USING *** [root@localhost portsentry]# ./portsentry -stcp
portsentry -tcp ---->TCP的基本端口绑定模式
portsentry -udp --->UDP的基本端口绑定模式
portsentry -stcp --->TCP的秘密扫描模式
portsentry -sudp --->UDP的秘密扫描检测模式
portsentry -atcp ---->TCP的高级秘密扫描检测模式
portsentry audp ----->UDP的高级秘密扫描检测
使用高级秘密扫描检测模式(Advanced Stealth Scan Detection Mode),PortSentry会自动检查服务器上正在运行的端口,然后把这些端口,从配置文件中移去,只监控其它的端口。
启动portSentry的命令:
[root@localhost portsentry]# /usr/local/psionic/portsentry/portsentry -atcp
[root@localhost portsentry]# cat /etc/rc.d/rc.local #!/bin/sh # # This script will be executed *after* all the other init scripts. # You can put your own initialization stuff in here if you don't # want to do the full Sys V style init stuff. # touch /var/lock/subsys/local /usr/local/psionic/portsentry/portsentry -atcp
[root@localhost portsentry]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 52:54:00:b3:81:05 brd ff:ff:ff:ff:ff:ff inet 10.100.2.119/24 brd 10.100.2.255 scope global eth0 inet6 fe80::5054:ff:feb3:8105/64 scope link valid_lft forever preferred_lft forever
[root@localhost portsentry]# netstat -lnutp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1378/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1457/master tcp 0 0 :::22 :::* LISTEN 1378/sshd tcp 0 0 ::1:25 :::* LISTEN 1457/master udp 0 0 0.0.0.0:68 0.0.0.0:* 22477/dhclient
进行扫描:
[root@ok Safety]# nmap -sS 10.100.2.119 Starting Nmap 5.51 ( http://nmap.org ) at 2016-10-21 21:35 CST Nmap scan report for 10.100.2.119 Host is up (0.00060s latency). Not shown: 997 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp closed http 8080/tcp closed http-proxy MAC Address: 52:54:00:B3:81:05 (QEMU Virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 5.19 seconds
查看系统日志:
[root@localhost portsentry]# tail -f /var/log/messages Oct 20 08:43:07 localhost portsentry[22712]: adminalert: Advanced mode will manually exclude port: 113 Oct 20 08:43:07 localhost portsentry[22712]: adminalert: Advanced mode will manually exclude port: 139 Oct 20 08:43:07 localhost portsentry[22712]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 22 Oct 20 08:43:07 localhost portsentry[22712]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 25 Oct 20 08:43:07 localhost portsentry[22712]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 113 Oct 20 08:43:07 localhost portsentry[22712]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 139 Oct 20 08:43:07 localhost portsentry[22712]: adminalert: PortSentry is now active and listening. Oct 20 08:54:56 localhost portsentry[22712]: attackalert: TCP SYN/Normal scan from host: 10.100.2.14/10.100.2.14 to TCP port: 80 Oct 20 08:54:56 localhost portsentry[22712]: attackalert: Host 10.100.2.14 has been blocked via wrappers with string: "ALL: 10.100.2.14" Oct 20 08:54:56 localhost portsentry[22712]: attackalert: Host 10.100.2.14 has been blocked via dropped route using command: "/sbin/route add -host 10.100.2.14 gw 333.444.555.666"
看到ip记录在文件中了
[root@localhost portsentry]# cat portsentry.blocked.atcp 1476924896 - 10/20/2016 08:54:56 Host: 10.100.2.14/10.100.2.14 Port: 80 TCP Blocked [root@localhost portsentry]# cat portsentry.blocked.stcp [root@localhost portsentry]# cat portsentry.history 1476924896 - 10/20/2016 08:54:56 Host: 10.100.2.14/10.100.2.14 Port: 80 TCP Blocked [root@localhost portsentry]# pwd /usr/local/psionic/portsentry [root@localhost portsentry]# ls portsentry portsentry.blocked.atcp portsentry.blocked.stcp portsentry.conf portsentry.history portsentry.ignore
查看一下/etc/hoosts.deny,发现如下恶意ip:
[root@localhost portsentry]# cat /etc/hosts.deny # # hosts.deny This file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # The rules in this file can also be set up in # /etc/hosts.allow with a 'deny' option instead. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers # ALL: 10.100.2.14 [root@localhost portsentry]#
再次ssh 不能连接成功!!!!
[root@ok ok]# ssh 10.100.2.119 -v OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to 10.100.2.119 [10.100.2.119] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/identity type -1 debug1: identity file /root/.ssh/identity-cert type -1 debug1: identity file /root/.ssh/id_rsa type -1 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 ssh_exchange_identification: Connection closed by remote host
删除/etc/hosts.deny中的ip
[root@ok ok]# ssh 10.100.2.119 -v OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to 10.100.2.119 [10.100.2.119] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/identity type -1 debug1: identity file /root/.ssh/identity-cert type -1 debug1: identity file /root/.ssh/id_rsa type -1 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 ssh_exchange_identification: Connection closed by remote host [root@ok ok]# ssh 10.100.2.119 -v OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to 10.100.2.119 [10.100.2.119] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/identity type -1 debug1: identity file /root/.ssh/identity-cert type -1 debug1: identity file /root/.ssh/id_rsa type -1 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 ssh_exchange_identification: Connection closed by remote host [root@ok ok]# ssh 10.100.2.119 -v OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to 10.100.2.119 [10.100.2.119] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/identity type -1 debug1: identity file /root/.ssh/identity-cert type -1 debug1: identity file /root/.ssh/id_rsa type -1 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host '10.100.2.119' is known and matches the RSA host key. debug1: Found key in /root/.ssh/known_hosts:11 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/identity debug1: Trying private key: /root/.ssh/id_rsa debug1: read PEM private key done: type RSA debug1: Authentication succeeded (publickey). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: Sending environment. debug1: Sending env XMODIFIERS = @im=ibus debug1: Sending env LANG = en_US.UTF-8 Last login: Thu Oct 20 01:16:32 2016 from 10.100.2.14