Note: the operating system used in this article is Ubuntu 14.04.
Introduction

PortSentry is part of SentryTools. This daemon will watch unused ports for activity and depending on how it is configured take action upon excessive access to watched ports. (wiki)
Measures PortSentry can take:
- Send the scanner's traffic down a bogus route, to a host that does not exist
- Automatically add the host that port-scanned the server to /etc/hosts.deny
- Use the Netfilter packet-filtering mechanism (iptables, ipchains, etc.) to drop every packet from the host that scanned us
- Emit a log line or warning message through syslog()
PortSentry installation

Download from:
http://sourceforge.net/projects/sentrytools/
Unpack

tar zxvf portsentry-1.2.tar.gz

It does not compile as-is. In the unpacked source, portsentry.c has an error at line 1584: the Copyright printf string literal is split across two physical lines, so a current gcc stops with a "missing terminating \" character" error. Join it into a single line:

printf ("Copyright 1997-2003 Craig H. Rowland\n");

Then compile and install:

make linux && make install

Installation succeeds; the install path is /usr/local/psionic/portsentry.
PortSentry configuration

Edit the configuration file portsentry.conf

PortSentry does its intrusion detection by watching a list of ports. The sections below are that list and the blocking actions attached to it. Once started, the background process monitors these ports; when it sees someone scanning them, it fires the configured countermeasure.
NO.1 Port Configurations
This section lists the default sets of ports to monitor; remove the leading # to activate one of them, or edit the lists yourself. TCP_PORTS/UDP_PORTS are used by the basic (-tcp/-udp) and stealth (-stcp/-sudp) modes; the advanced modes use the ADVANCED_* settings in NO.2 instead. In basic mode PortSentry binds each listed port itself, so do not list a port that a real service (sshd, a web server, IMAP) already uses: the bind fails and that port is simply not watched.
# Port Configurations
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320,51010"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
NO.2 Advanced Stealth Scan Detection Options
These apply to the advanced modes (-atcp/-audp): ADVANCED_PORTS_TCP="1024" means every port below 1024 is watched, minus the ports already in use by local services and the ports listed in ADVANCED_EXCLUDE_*. Keep ident (113), NetBIOS (137-139), bootp (67) and RIP (520) excluded as the defaults do; they receive legitimate broadcast and lookup traffic that would otherwise be counted as a scan.
# Advanced Stealth Scan Detection Options
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
NO.3 Configuration Files: the files portsentry.conf refers to
# Configuration Files
# Hosts to ignore
# (hosts listed here may scan the server without being blocked: put the local addresses and trusted admin hosts here)
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
# (permanent log of every attacker IP that was blocked, kept across restarts)
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
# (IPs blocked in the current session; PortSentry checks this file so it does not block the same host twice, and appends the running mode as a suffix, e.g. portsentry.blocked.atcp)
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
NO.4 Dropping Routes
Drop rules, i.e. route redirection: add a bogus host route that sends the attacker's packets to a gateway that does not exist (333.444.555.666 is a placeholder in the stock file, not a valid address). Pick the command for your operating system, and note that exactly one KILL_ROUTE line may be uncommented in the whole file; as shipped, the "Generic Linux" gw line is the active one. On current Linux the "reject" variant below is cleaner, and the packet-filter variants in NO.5 are what the config itself calls preferred.
# Dropping Routes
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
NO.5 Block the IPs that trip the detector with iptables (the preferred option) and cut their connections
To use this on Ubuntu, comment out the route line from NO.4 (only one KILL_ROUTE may be active), uncomment the iptables line, and fix its path: the stock line points at /usr/local/bin/iptables, but on Ubuntu the binary is /sbin/iptables (check with `command -v iptables`). The rule is inserted at the top of the INPUT chain (-I), so it takes precedence over any ACCEPT rule already there; the address stays blocked until you delete the rule or the rules are flushed, e.g. at reboot.
##
# Using a packet filter is the PREFERRED. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
# ipfwadm support for Linux
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# ipfwadm support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# ipchain support for Linux
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# ipchain support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
#
# iptables support for Linux
#KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
#
# For those running ipfilt (OpenBSD, etc.)
# NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
#
#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"
NO.6 The attacker's IP can also be written to /etc/hosts.deny, so that TCP Wrappers refuses its connections
TCP Wrappers adds host-based access control to network services that are started through inetd/tcpd or linked against libwrap, driven by /etc/hosts.allow and /etc/hosts.deny, and checks hostnames against addresses to resist spoofing (pretending to be a valid user or host to gain unauthorised access). It only protects services that actually consult libwrap (check a daemon with `ldd $(which sshd) | grep libwrap`) and does not stop the scan itself, which is why the packet-filter KILL_ROUTE above is preferred.
# TCP Wrappers
#
KILL_HOSTS_DENY="ALL: $TARGET$"
NO.7 Customize the warning banner shown to the attacker (only the basic -tcp mode, which accepts the connection, can send it; the stealth and advanced modes never complete the handshake)
# Port Banner Section
#
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
Edit the portsentry.ignore configuration file

File: /usr/local/psionic/portsentry/portsentry.ignore
Put the server's own IP addresses and the hosts that regularly connect to it here; these hosts are allowed to scan and are never blocked. Leave the default 127.0.0.1/32 and 0.0.0.0 entries in place, and above all add the address you administer the server from, otherwise the first stray port probe from your own workstation locks you out through the iptables rule.
Once configured, restrict the permissions of /usr/local/psionic/portsentry/portsentry.conf and /usr/local/psionic/portsentry/portsentry.ignore:
chmod 600 /usr/local/psionic/portsentry/portsentry.conf
chmod 600 /usr/local/psionic/portsentry/portsentry.ignore
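As an added example (not code from the original page or from the PortSentry project), the following script, written for the Ubuntu 14.04 shell the page uses, applies the NO.3 to NO.6 and portsentry.ignore steps with the checks a practitioner wants: it disarms every KILL_ROUTE, appends a single iptables rule using the binary path found with `command -v`, refuses to continue if more than one KILL_ROUTE is active, reports TCP_PORTS entries a basic -tcp run could not bind, seeds portsentry.ignore and sets the permissions. The install path, the ADMIN_IPS placeholder (203.0.113.10) and the PORTSENTRY_APPLY switch are this example's own assumptions; run without PORTSENTRY_APPLY=1 it only exercises the checks on a constructed conf fragment.

```shell
#!/bin/sh
# Added example (not from the original page or the PortSentry project): pre-flight
# fixes and checks for portsentry.conf / portsentry.ignore on Ubuntu 14.04, plus a
# guarded "apply" step that also starts the daemon. Assumptions: install prefix
# /usr/local/psionic/portsentry (as on the page); ADMIN_IPS is a placeholder
# (TEST-NET-3 address) to be replaced with the hosts you administer the box from;
# iptables is wherever `command -v iptables` says (/sbin/iptables on Ubuntu, not the
# /usr/local/bin/iptables of the stock config line).

PSDIR="${PSDIR:-/usr/local/psionic/portsentry}"
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10}"

# Uncommented KILL_ROUTE lines in a conf file; portsentry honours only one of them.
active_kill_routes() { grep -E '^[[:space:]]*KILL_ROUTE=' "$1"; }
count_active_kill_routes() { active_kill_routes "$1" | wc -l | tr -d ' '; }

# Value of KEY="..." ($2) in conf file $1: first active occurrence, quotes stripped.
conf_value() { grep -E "^[[:space:]]*$2=" "$1" | head -n 1 | sed 's/^[^"]*"//; s/"$//'; }

# Comment out every KILL_ROUTE (this also disarms the stock "gw 333.444.555.666"
# line) and append one iptables DROP rule using the real binary path ($2).
set_iptables_kill_route() {
    sed -i -e 's/^[[:space:]]*KILL_ROUTE=/#KILL_ROUTE=/' "$1"
    printf 'KILL_ROUTE="%s -I INPUT -s $TARGET$ -j DROP"\n' "$2" >> "$1"
}

# Ports from the comma list $1 that are already bound (listening ports on stdin, one
# per line). The basic -tcp/-udp modes bind each listed port themselves, so these
# collide with real services; the advanced modes skip in-use ports automatically.
port_collisions() {
    listening="$(sort -u)"
    echo "$1" | tr ',' '\n' | while read -r p; do
        [ -n "$p" ] || continue
        echo "$listening" | grep -qx "$p" && echo "$p"
    done
    return 0
}

# Ports currently listening on this host: ss preferred, netstat as the 14.04 fallback.
listening_tcp_ports() {
    { ss -ltn 2>/dev/null || netstat -lnt 2>/dev/null; } |
        awk 'NR > 1 { n = split($4, a, ":"); if (a[n] ~ /^[0-9]+$/) print a[n] }'
}

# IPv4 addresses of all local interfaces (they all belong in portsentry.ignore).
local_ipv4_addrs() { ip -4 -o addr show 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }'; }

# Write portsentry.ignore: the stock 127.0.0.1/32 and 0.0.0.0 entries, then every
# address given as an argument. One entry per line; 1.2 also accepts addr/bits masks.
write_ignore_file() {
    out="$1"; shift
    { echo "127.0.0.1/32"; echo "0.0.0.0"; for ip in "$@"; do echo "$ip"; done; } > "$out"
}

# Offline self-check on a constructed conf fragment (the stock file's KILL_ROUTE block
# as quoted on the page) and a constructed listener set (22, 111 and 143 bound).
self_check() {
    conf="$(mktemp)"
    cat > "$conf" <<'EOF'
TCP_PORTS="1,11,15,79,111,119,143,540"
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
#KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$"
EOF
    set_iptables_kill_route "$conf" /sbin/iptables
    echo "active KILL_ROUTE lines: $(count_active_kill_routes "$conf")"
    active_kill_routes "$conf"
    echo "basic-mode TCP_PORTS already in use:"
    printf '22\n111\n143\n' | port_collisions "$(conf_value "$conf" TCP_PORTS)"
    rm -f "$conf"
}

if [ "${PORTSENTRY_APPLY:-0}" = 1 ]; then
    set -e
    [ "$(id -u)" = 0 ] || { echo "run as root" >&2; exit 1; }
    IPT="$(command -v iptables)" || { echo "iptables not found" >&2; exit 1; }
    CONF="$PSDIR/portsentry.conf"
    set_iptables_kill_route "$CONF" "$IPT"
    [ "$(count_active_kill_routes "$CONF")" = 1 ]
    echo "TCP_PORTS entries a basic -tcp run could not bind:"
    listening_tcp_ports | port_collisions "$(conf_value "$CONF" TCP_PORTS)"
    # shellcheck disable=SC2046
    write_ignore_file "$PSDIR/portsentry.ignore" $(local_ipv4_addrs) $ADMIN_IPS
    chmod 600 "$CONF" "$PSDIR/portsentry.ignore"
    "$PSDIR/portsentry" -atcp && "$PSDIR/portsentry" -audp   # one process per mode
    sleep 1; pgrep -l portsentry
else
    self_check
fi
```

Run it after `make install` as root with `PORTSENTRY_APPLY=1 ADMIN_IPS='your.admin.ip' sh prep.sh`. It starts both -atcp and -audp, because the page's -atcp alone watches TCP only. Since the ports that collide with running services are precisely the ones a basic -tcp run could not watch, the report is the argument for the advanced mode the page recommends.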
Starting a detection mode

PortSentry's startup modes: for each of the two protocols, TCP and UDP, there are three modes (basic, stealth and advanced stealth scan detection), six in total. Each mode runs as its own process.
- portsentry -tcp, basic TCP mode: binds the ports in TCP_PORTS itself
- portsentry -udp, basic UDP mode: binds the ports in UDP_PORTS itself
- portsentry -stcp, TCP stealth scan detection mode
- portsentry -sudp, UDP stealth scan detection mode
- portsentry -atcp, TCP advanced stealth scan detection mode
- portsentry -audp, UDP advanced stealth scan detection mode
In general, use a stealth or advanced stealth mode.
In advanced stealth scan detection mode, PortSentry first checks which ports on the server are already in use, removes those from its list, and monitors only the remaining ports below ADVANCED_PORTS_TCP / ADVANCED_PORTS_UDP. This reacts to a scan faster and uses very little CPU time; the mode is quite smart.
Start command:
/usr/local/psionic/portsentry/portsentry -atcp
This covers TCP only; also start /usr/local/psionic/portsentry/portsentry -audp if UDP scans should be caught. It is recommended to put these commands in /etc/rc.local (above its final exit 0) so they start at boot.
Test

My cloud host A, with IP assumed to be XXX.XXX.XXX.XXX, has PortSentry configured and running.
Bring up a second cloud host B, IP 115.231.183.78, and scan A's ports from B.
A detects the malicious scan, adds B to /etc/hosts.deny, and records the block in /usr/local/psionic/portsentry/portsentry.blocked.atcp (the "attackalert" messages also go to syslog, /var/log/syslog on Ubuntu).
After a quick look I found scans that were not my own; there are plenty of bored people out there - -!
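As an added example (not code from the original page or from the PortSentry project), this script drives the host-B scan test described above, inspects on host A what PortSentry did with the scanner, and undoes a block cleanly, which the page does not cover: a host that tripped the detector by accident stays in hosts.deny, in the iptables INPUT chain and in the session blocked file until all three are cleaned. A_IP (203.0.113.20) stands in for the page's XXX.XXX.XXX.XXX, and the hosts.deny / iptables rule shapes are those produced by the KILL_HOSTS_DENY and iptables KILL_ROUTE settings shown earlier; the session-file sample lines are constructed and only approximate the real format.

```shell
#!/bin/sh
# Added example (not from the original page or the PortSentry project): run the host-B
# scan test described above, inspect what PortSentry did on host A, and undo a block
# cleanly. Assumptions: A_IP is a placeholder (TEST-NET-3) for the page's
# XXX.XXX.XXX.XXX; PortSentry runs in -atcp mode, so the session file is
# portsentry.blocked.atcp; hosts.deny entries look like "ALL: <ip>" (what
# KILL_HOSTS_DENY="ALL: $TARGET$" writes); the firewall rule was added as
# "-I INPUT -s <ip> -j DROP" (the iptables KILL_ROUTE); nmap is installed on B.

PSDIR="${PSDIR:-/usr/local/psionic/portsentry}"
A_IP="${A_IP:-203.0.113.20}"

# Host B: SYN-scan a few low ports on A. Do this from a throwaway host, never from the
# machine you administer A with: the DROP rule is immediate and only addresses in
# portsentry.ignore are exempt.
scan_from_b() { nmap -sS -p 1,11,15,79,111,143,540 "$A_IP"; }

# Host A: everything PortSentry recorded about an address.
show_block_state() {
    grep -F "$1" /var/log/syslog 2>/dev/null | grep -E 'portsentry.*(attackalert|adminalert)' || true
    grep -F "ALL: $1" /etc/hosts.deny 2>/dev/null || true
    grep -F "$1" "$PSDIR/portsentry.blocked.atcp" "$PSDIR/portsentry.history" 2>/dev/null || true
    iptables -S INPUT 2>/dev/null | grep -F -- "-s $1/32 " || true
}

# Escape an IPv4 address for use inside a sed regex.
sed_escape_ip() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Remove the hosts.deny line for exactly this address ($1 = ip, $2 = hosts.deny path).
unblock_hosts_deny() { sed -E -i "/^ALL: $(sed_escape_ip "$1")$/d" "$2"; }

# Drop the address from a session blocked file ($1 = ip, $2 = file). The address must
# match as a whole token, so 10.0.0.5 does not also delete 10.0.0.50. PortSentry
# consults this file to avoid blocking a host twice: leave the line in and the host
# is not re-blocked until the daemon restarts.
unblock_session_file() {
    re="$(sed_escape_ip "$1")"
    if [ -f "$2" ]; then sed -E -i "/(^|[^0-9.])${re}([^0-9.]|$)/d" "$2"; fi
}

# Delete every matching DROP rule: a restart can insert the same rule again, so loop
# until iptables reports there is nothing left to delete.
unblock_iptables() {
    if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
        while iptables -D INPUT -s "$1" -j DROP 2>/dev/null; do :; done
    fi
}

unblock_host() {
    unblock_hosts_deny "$1" /etc/hosts.deny
    unblock_session_file "$1" "$PSDIR/portsentry.blocked.atcp"
    unblock_iptables "$1"
}

# Offline self-check on constructed files: a hosts.deny with three blocked hosts and a
# session file whose line format only approximates what 1.2 writes (just the address
# is relied on). Prints what survives after unblocking 115.231.183.78.
self_check() {
    deny="$(mktemp)"; blocked="$(mktemp)"
    printf 'ALL: 115.231.183.78\nALL: 115.231.183.7\nALL: 198.51.100.9\n' > "$deny"
    printf '%s\n' \
        '1400000000 - 05/13/2014 20:00:00 Host: 115.231.183.78/115.231.183.78 Port: 1 TCP Blocked' \
        '1400000005 - 05/13/2014 20:00:05 Host: 115.231.183.7/115.231.183.7 Port: 11 TCP Blocked' > "$blocked"
    unblock_hosts_deny 115.231.183.78 "$deny"
    unblock_session_file 115.231.183.78 "$blocked"
    cat "$deny" "$blocked"
    rm -f "$deny" "$blocked"
}

case "${1:-}" in
    scan)    scan_from_b ;;
    show)    [ -n "${2:-}" ] && show_block_state "$2" ;;
    unblock) [ -n "${2:-}" ] && unblock_host "$2" ;;
    *)       self_check ;;
esac
```

Usage: `sh pstest.sh scan` on B, then `sh pstest.sh show 115.231.183.78` and, once you are done, `sh pstest.sh unblock 115.231.183.78` as root on A. With no argument the script only runs the offline self-check. Before testing, make sure the scanning host is not in portsentry.ignore and the host you administer A from is.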