述
防火牆可以保護我們的網絡免受***。我們可以選擇打開哪些端口,關閉哪些端口。但是有些***者可以用端口掃描程序掃描服務器的所有端口來收集有用的信息(哪些端口打開,哪些關閉)。
下面是對PortSentry的介紹:
l 服務器被端口掃描是***的前兆。PortSentry被設計成實時地發現端口掃描並對端口掃描作出反應。一旦發現端口掃描,PortSentry做出的反應有:
l 通過syslog()函數給出一個日誌消息
l 自動地把對服務器進行端口掃描的主機加到TCP-Wrappers的“/etc/hosts.deny”文件中
l 本地主機會自動把所有的信息流都從定向到一個不存在的主機
l 本地主機用包過濾程序把所有的數據包(來自對其進行端口掃描的主機)都過濾掉。
注意事項
下面所有的命令都是Unix兼容的命令。
源路徑都爲“/var/tmp”(當然在實際情況中也可以用其它路徑)。
安裝在RedHat Linux 6.1和6.2下測試通過。
要用“root”用戶進行安裝。
PortSentry的版本是1.0。
軟件包的來源
PortSentry的主頁:http://www.psionic.com/abacus/portsentry/。
下載:portsentry-1.0.tar.gz。
安裝軟件包需要注意的問題
最好在編譯前和編譯後都做一張系統中所有文件的列表,然後用“diff”命令去比較它們,找出其中的差別並知道到底把軟件安裝在哪裏。只要簡單地在編譯之前運行一下命令“find /* >PortSentry1”,在編譯和安裝完軟件之後運行命令“find /* > PortSentry2”,最後用命令“diff PortSentry1 PortSentry2 > PortSentry-Installed”找出變化。
解壓軟件包
把軟件包(tar.gz)解壓:
[root@deep /]# cp portsentry-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf portsentry-version.tar.gz
編譯和優化
必須修改“Makefile”文件,設置PortSentry的安裝路徑、編譯標記,還要根據你的系統進行優化。必須根據RedHat的文件系統結構來修改“Makefile”文件。
第一步
轉到新的PortSentry目錄。
編輯“Makefile”文件(vi Makefile)並改變下面這幾行:
CC = cc
改爲:
CC = egcs
CFLAGS = -O -Wall
改爲:
CFLAGS = -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit -frame-pointer -fno-exceptions –Wall
INSTALLDIR = /usr/local/psionic
改爲:
INSTALLDIR = /usr/psionic
上面這些修改是爲了把“Makefile”配置爲使用“egcs”編譯器,使用適應於我們系統的編譯優化標記,並且把PortSentry安裝到我們選擇的目錄。
第二步
因爲我們不用“/usr/local/psionic”目錄,我們必須“portsentry_config.h”頭文件中PortSentry的配置。
編輯“portsentry_config.h”文件(vi portsentry_config.h)並改變下面這一行:
#define CONFIG_FILE "/usr/local/psionic/portsentry/portsentry.conf"
改爲:
#define CONFIG_FILE "/usr/psionic/portsentry/portsentry.conf"
第三步
在系統中安裝PortSentry。
[root@deep portsentry-1.0]# make linux
[root@deep portsentry-1.0]# make install
第三步
上面的命令配置軟件,編譯軟件,最後把它安裝到合適的目錄中。
清除不必要的文件
用下面的命令刪除不必要的文件:
[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf portsentry-version/ portsentry-version_tar.gz
“rm”命令刪除所有編譯和安裝PortSentry所需要的源程序,並且把PortSentry軟件的壓縮包刪除掉。
配置“/usr/psionic/portsentry/portsentry.conf”文件
“/usr/psionic/portsentry/portsentry.conf”是PortSentry的主要配置文件。你可設置需要監聽的端口,需要禁止、監控的IP地址,等等。可以看PortSentry得“README.install”文件以獲取更多的信息。
編輯“portsentry.conf”文件(vi /usr/psionic/portsentry.conf)並且根據需要做出改變:
# PortSentry Configuration
#
# $Id: portsentry.conf,v 1.13 1999/11/09 02:45:42 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.
#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2
000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,4
0421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,3277
0,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32
771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,327
74,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1023.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I dont recommend you
# bind over this number of ports. Realistically: I DONT RECOMMEND YOU MON99vOR
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. Youve been
# warned! Dont write me if you have have a problem because Ill only tell
# you to RTFM and dont run above the first 1023 ports.
#
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldnt* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/psionic/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/psionic/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/psionic/portsentry/portsentry.blocked"
###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you dont want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but dont want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing though as most attackers really arent doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP="1"
BLOCK_TCP="1"
###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE 99v!!
#
# All KILL ROUTE OPTIONS ARE COMMENTED OUT IN99vIALLY. Make sure you
# uncomment the correct line for your OS. If you OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DONT UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
##
# Using a packet filter is the preferred method. The below lines
# work well on many OSs. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##
###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
#
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all % symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
# AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
# and people can make scans appear out of thin air. The only time it
# is reasonably safe (and I *never* think it is reasonable) to run
# reverse probe scripts is when using the "classic" -tcp mode. This
# mode requires a full connect and is very hard to spoof.
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you dont make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used
# below your specified range, you have the opportunity to really
# break things. (i.e someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#
SCAN_TRIGGER="0"
######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *dont* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes dont use this feature
#
PORT_BANNER="** UNAUTHORIZED Access PROHIB99vED *** YOUR CONNECTION ATTEMPT HAS
BEEN LOGGED. GO AWAY."
# EOF
現在,因爲安全方面的原因,我們必須檢查和改變文件的權限:
[root@deep /]# chmod 600 /usr/psionic/portsentry/portsentry.conf
配置“/usr/psionic/portsentry/portsentry.ignore”文件
在“/usr/psionic/portsentry/portsentry.ignore”文件中設置希望PortSentry忽略的主機。這個文件中至少要包括localhost(127.0.0.1)和本地界面(lo)的IP。最後不要把網絡中所有文件的IP都放在這個文件中。
編輯“portsentry.ignore”文件(vi /usr/psionic/portsentry.ignore)加入任何呢你想讓PortSentry忽略的主機。
# Put hosts in here you never want blocked. This includes the IP addresses
# of all local interfaces on the protected host (i.e virtual host, mult-home)
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
127.0.0.1
0.0.0.0
現在,我們改變文件默認的權限:
[root@deep /]# chmod 600 /usr/psionic/portsentry/portsentry.ignore
啓動PortSentry
PortSentry程序可以配置成在6個不同的模式下運行,但是每次啓動的時候只能在一種模式下運行。這些不同的模式是:
l portsentry -tcp (基本的端口綁定TCP模式)
l portsentry -udp (基本的端口綁定UDP 模式)
l portsentry -stcp (祕密的TCP掃描檢測)
l portsentry -atcp (高級TCP祕密掃描檢測)
l portsentry -sudp (祕密的UDP掃描檢測)
l portsentry -audp (高級的祕密UDP掃描檢測)
我比較喜歡用“高級TCP祕密掃描檢測”和“高級的祕密UDP掃描檢測”這兩種模式。請參考“README.install”和“README.stealth”文件以獲得更詳細的信息。
TCP模式我選擇:
-atcp - Advanced TCP stealth scan detection mode
用“-atcp”(高級TCP祕密掃描檢測),PortSentry會先檢查服務器上有哪些端口在運行,然後把這些端口移去,只監控剩下的端口。這樣對端口掃描的反應速度很快而且使用的CPU時間也很少。
UDP模式我選擇:
-sudp - "Stealth" UDP scan detection mode
用“-sudp”(高級的祕密UDP掃描檢測),UDP端口將被列出來並監控。
用下面的命令在兩模式下啓動PortSentry:
[root@deep /]# /usr/psionic/portsentry/portsentry –atcp
[root@deep /]# /usr/psionic/portsentry/portsentry -sudp
注意:你可以把上面這些行加到“/etc/rc.d/rc.local”腳本文件中,當重新啓動計算機的時候PortSentry就會自動運行。
安裝到系統中的文件
> /usr/psionic
> /usr/psionic/portsentry
> /usr/psionic/portsentry/portsentry.conf
> /usr/psionic/portsentry/portsentry.ignore
> /usr/psionic/portsentry/portsentry
版權說明
這篇文章翻譯和改編自Gerhard Mourani的《Securing and Optimizing Linux: RedHat Edition》,原文及其版權協議請參考:www.openna.com。