PortSentry is one of the simplest to configure and most directly effective intrusion detection tools

https://sourceforge.net/projects/sentrytools/

[[email protected] ~]# tar -xzvf portsentry-1.2.tar.gz
[[email protected] ~]# cd portsentry_beta/
[[email protected] portsentry_beta]# ls
CHANGES     portsentry.c         portsentry_io.c     README.COMPAT
CREDITS     portsentry.conf      portsentry_io.h     README.install
ignore.csh  portsentry_config.h  portsentry_tcpip.h  README.methods
LICENSE     portsentry.h         portsentry_util.c   README.stealth
Makefile    portsentry.ignore    portsentry_util.h
[[email protected] portsentry_beta]# make
Usage: make <systype>
<systype> is one of: linux, debian-linux, bsd, solaris, hpux, hpux-gcc,
freebsd, osx, openbsd, netbsd, bsdi, aix, osf, irix, generic

This code requires snprintf()/vsnprintf() system calls
to work. If you run a modern OS it should work on
your system with 'make generic'. If you get it to
work on an unlisted OS please write us with the
changes.

Install: make install

NOTE: This will install the package in this
      directory: /usr/local/psionic

Edit the makefile if you wish to change these paths.
Any existing files will be overwritten.
[[email protected] portsentry_beta]# make install
Creating psionic directory /usr/local/psionic
Setting directory permissions
Creating portsentry directory /usr/local/psionic/portsentry
Setting directory permissions
chmod 700 /usr/local/psionic/portsentry
Copying files
cp ./portsentry.conf /usr/local/psionic/portsentry
cp ./portsentry.ignore /usr/local/psionic/portsentry
cp ./portsentry /usr/local/psionic/portsentry
cp: cannot stat `./portsentry': No such file or directory
make: *** [install] Error 1

[[email protected] portsentry_beta]# make linux
SYSTYPE=linux
Making
cc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c         ./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function ‘PortSentryModeTCP’:
./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness
/usr/include/sys/socket.h:214: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’
./portsentry.c: In function ‘PortSentryModeUDP’:
./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
/usr/include/sys/socket.h:166: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’
./portsentry.c:1584:11: warning: missing terminating " character
./portsentry.c: In function ‘Usage’:
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: ‘sourceforget’ undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ‘)’ before ‘dot’
./portsentry.c:1585: error: stray ‘\’ in program
./portsentry.c:1585:24: warning: missing terminating " character
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ‘;’ before ‘}’ token
./portsentry_io.c: In function ‘ConfigTokenRetrieve’:
./portsentry_io.c:321: warning: cast from pointer to integer of different size
./portsentry_io.c:324: warning: cast from pointer to integer of different size
./portsentry_io.c: In function ‘IsBlocked’:
./portsentry_io.c:670: warning: cast from pointer to integer of different size
./portsentry_io.c: In function ‘SubstString’:
./portsentry_io.c:727: warning: cast from pointer to integer of different size
make: *** [linux] Error 1

Fix: the errors at portsentry.c:1584 come from a string literal in Usage() that has been broken across two lines. In portsentry.c, put the line containing "Copyright 1997-2003" back onto a single line.

After that change the build looks like this:

[[email protected] portsentry_beta]# make linux
SYSTYPE=linux
Making
cc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c         ./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function ‘PortSentryModeTCP’:
./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness
/usr/include/sys/socket.h:214: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’
./portsentry.c: In function ‘PortSentryModeUDP’:
./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
/usr/include/sys/socket.h:166: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’
./portsentry_io.c: In function ‘ConfigTokenRetrieve’:
./portsentry_io.c:321: warning: cast from pointer to integer of different size
./portsentry_io.c:324: warning: cast from pointer to integer of different size
./portsentry_io.c: In function ‘IsBlocked’:
./portsentry_io.c:670: warning: cast from pointer to integer of different size
./portsentry_io.c: In function ‘SubstString’:
./portsentry_io.c:727: warning: cast from pointer to integer of different size
[[email protected] portsentry_beta]# make install
Creating psionic directory /usr/local/psionic
Setting directory permissions
Creating portsentry directory /usr/local/psionic/portsentry
Setting directory permissions
chmod 700 /usr/local/psionic/portsentry
Copying files
cp ./portsentry.conf /usr/local/psionic/portsentry
cp ./portsentry.ignore /usr/local/psionic/portsentry
cp ./portsentry /usr/local/psionic/portsentry
Setting permissions
chmod 600 /usr/local/psionic/portsentry/portsentry.ignore
chmod 600 /usr/local/psionic/portsentry/portsentry.conf
chmod 700 /usr/local/psionic/portsentry/portsentry

Edit /usr/local/psionic/portsentry/portsentry.conf and change
your settings if you haven't already. (route, etc)

WARNING: This version and above now use a new
directory structure for storing the program
and config files (/usr/local/psionic/portsentry).
Please make sure you delete the old files when
the testing of this install is complete.

The install path is:

[[email protected] portsentry_beta]# tree  /usr/local/psionic/
/usr/local/psionic/
└── portsentry
    ├── portsentry
    ├── portsentry.conf
    └── portsentry.ignore

1 directory, 3 files

PortSentry configuration

1: Via portsentry.conf

# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

Intrusion detection with PortSentry works in two steps: first define the list of ports to monitor and the blocking countermeasure that goes with them; then start the background process that watches those ports. As soon as someone is seen scanning them, the configured countermeasure is applied to block that host.

The lines above are the default port configuration shipped in portsentry.conf.

Ports you open on purpose generally should not be monitored, for example port 80 on a web server.
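A small check for exactly that mistake, added here as an example and not part of PortSentry itself: it reads the active TCP_PORTS/UDP_PORTS lines from a portsentry.conf excerpt and reports any port on which a real daemon already listens. The conf excerpt and the listening-socket table are constructed for the example (the table is what you would take from `ss -lntu`).

```python
import re

# Constructed portsentry.conf excerpt in the same TCP_PORTS/UDP_PORTS style as the
# file above; port 80 is added to the TCP list on purpose to show the conflict.
SAMPLE_CONF = '''
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,80,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
'''

# Constructed table of (protocol, port) pairs a daemon already listens on;
# assumed for this example, e.g. sshd, a web server, rpcbind and snmpd.
LISTENING = {("tcp", 22), ("tcp", 80), ("tcp", 111), ("udp", 111), ("udp", 161)}


def parse_port_lists(conf_text):
    """Return {"tcp": set, "udp": set} from the uncommented TCP_PORTS/UDP_PORTS lines."""
    ports = {"tcp": set(), "udp": set()}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out alternatives are not active
        m = re.match(r'^(TCP|UDP)_PORTS="([\d,]*)"', line)
        if m:
            proto = m.group(1).lower()
            ports[proto] = {int(p) for p in m.group(2).split(",") if p}
    return ports


def find_conflicts(conf_text, listening):
    """(proto, port) pairs PortSentry is told to watch although a daemon is bound there."""
    ports = parse_port_lists(conf_text)
    return sorted((proto, p) for proto, p in listening if p in ports[proto])


if __name__ == "__main__":
    for proto, port in find_conflicts(SAMPLE_CONF, LISTENING):
        print(f"{proto}/{port} is in {proto.upper()}_PORTS but a daemon already "
              f"listens there; drop it from the list")
```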

Many further options come preconfigured in portsentry.conf, as follows:

###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1024.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have have a problem because I'll only tell
# you to RTFM and don't run above the first 1024 ports.
#
#
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
# This means that all ports from 1 to 1024 will be monitored
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn‘t* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
# Monitoring high port numbers produces more false alarms; the parameters
# below exclude the ports that cause them.
# Default TCP ident and NetBIOS service
# By default the ident and NetBIOS services on TCP (111,113,139) and the route,
# NetBIOS and bootp services on UDP (520,138,137,67) are excluded from
# advanced-mode monitoring.
ADVANCED_EXCLUDE_TCP="111,113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"

######################
######################
# Configuration Files#
######################
#
# Hosts to ignore (addresses of hosts that are allowed to scan this server)
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
# Hosts that have been denied (running history of attacking hosts' IPs)
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart;
# IPs of hosts currently blocked)
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"

Setting up route redirection:

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Redirect the packets to a nonexistent host so the attacker gets no information back

We can also use the Linux iptables command to cut off the attacking host's connection:

# iptables support for Linux
KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
#
# For those of you running FreeBSD (and compatible) you can

The attacker's IP can also be written directly into /etc/hosts.deny, so that the TCP Wrappers protection mechanism blocks the attack:

###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"

# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

By default the system uses TCP Wrappers to cut the connection with the attacking host.

After making the changes, set the file permissions so that the configuration stays protected.

The file /usr/local/psionic/portsentry/portsentry.ignore lists the host IPs PortSentry ignores; restrict it to hosts that are allowed to scan legitimately. Its contents look like this:

[[email protected] portsentry]# cat portsentry.ignore
# Put hosts in here you never want blocked. This includes the IP addresses
# of all local interfaces on the protected host (i.e virtual host, mult-home)
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
#
# PortSentry can support full netmasks for networks as well. Format is:
#
# <IP Address>/<Netmask>
#
# Example:
#
# 192.168.2.0/24
# 192.168.0.0/16
# 192.168.2.1/32
# Etc.
#
# If you don't supply a netmask it is assumed to be 32 bits.
#
#

127.0.0.1/32
0.0.0.0
#Exclude all local interfaces
127.0.0.1

Remember to include the machine's own addresses.
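A checker for that last point, added here as an example rather than PortSentry's own code: it parses the ignore file in the `<IP Address>/<Netmask>` format described in its header (a bare address counts as /32), tells whether a given address would be skipped, and lists local interface addresses the file does not cover, which is what would let a scan reaching the host trigger KILL_ROUTE or KILL_HOSTS_DENY against the host itself. The ignore file content and the interface list are constructed for the example.

```python
import ipaddress

# Constructed portsentry.ignore content in the format the file's header describes:
# one "<IP Address>/<Netmask>" per line, '#' comments, a missing mask means /32.
SAMPLE_IGNORE = """
# Put hosts in here you never want blocked.
127.0.0.1/32
0.0.0.0
# Exclude all local interfaces
127.0.0.1
192.168.2.0/24
10.0.0.0/8
"""

# Constructed (assumed) addresses of the protected host's own interfaces.
LOCAL_INTERFACES = ["127.0.0.1", "192.168.2.10", "203.0.113.7"]


def parse_ignore(text):
    """Parse ignore-file text into a list of networks; a bare IP becomes a /32."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # strict=False keeps host bits such as 192.168.2.1/24 from raising.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_ignored(addr, nets):
    """True if the address falls inside any ignored network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def unprotected_interfaces(text, interfaces):
    """Local addresses that the ignore file does not cover."""
    nets = parse_ignore(text)
    return [a for a in interfaces if not is_ignored(a, nets)]


if __name__ == "__main__":
    for addr in unprotected_interfaces(SAMPLE_IGNORE, LOCAL_INTERFACES):
        print(f"{addr} is a local interface but is missing from portsentry.ignore")
```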

PortSentry's startup detection modes: for each of the two protocols, TCP and UDP, PortSentry offers three startup modes, namely basic, stealth and advanced stealth scan detection, six modes in total.

Time: 2024-12-25 06:02:01
