概述
防火墙可以保护我们的网络免受攻击。我们可以选择打开哪些端口,关闭哪些端口。但是有些攻击者可以用端口扫描程序扫描服务器的所有端口来收集有用的信息(哪些端口打开,哪些关闭)。
下面是对PortSentry的介绍:
l 服务器被端口扫描是入侵的前兆。PortSentry被设计成实时地发现端口扫描并对端口扫描作出反应。一旦发现端口扫描,PortSentry做出的反应有:
l 通过syslog()函数给出一个日志消息
l 自动地把对服务器进行端口扫描的主机加到TCP-Wrappers的“/etc/hosts.deny”文件中
l 本地主机会自动把所有的信息流都从定向到一个不存在的主机
l 本地主机用包过滤程序把所有的数据包(来自对其进行端口扫描的主机)都过滤掉。
注意事项
下面所有的命令都是Unix兼容的命令。
源路径都为“/var/tmp”(当然在实际情况中也可以用其它路径)。
安装在RedHat Linux 6.1和6.2下测试通过。
要用“root”用户进行安装。
PortSentry的版本是1.0。
软件包的来源
PortSentry的主页:http://www.psionic.com/abacus/portsentry/。
下载:portsentry-1.0.tar.gz。
安装软件包需要注意的问题
最好在编译前和编译后都做一张系统中所有文件的列表,然后用“diff”命令去比较它们,找出其中的差别并知道到底把软件安装在哪里。只要简单地在编译之前运行一下命令“find /* >PortSentry1”,在编译和安装完软件之后运行命令“find /* > PortSentry2”,最后用命令“diff PortSentry1 PortSentry2 > PortSentry-Installed”找出变化。
解压软件包
把软件包(tar.gz)解压:
[root@deep /]# cp portsentry-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf portsentry-version.tar.gz
编译和优化
必须修改“Makefile”文件,设置PortSentry的安装路径、编译标记,还要根据你的系统进行优化。必须根据RedHat的文件系统结构来修改“Makefile”文件。
第一步
转到新的PortSentry目录。
编辑“Makefile”文件(vi Makefile)并改变下面这几行:
CC = cc
改为:
CC = egcs
CFLAGS = -O -Wall
改为:
CFLAGS = -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit -frame-pointer -fno-exceptions –Wall
INSTALLDIR = /usr/local/psionic
改为:
INSTALLDIR = /usr/psionic
上面这些修改是为了把“Makefile”配置为使用“egcs”编译器,使用适应于我们系统的编译优化标记,并且把PortSentry安装到我们选择的目录。
第二步
因为我们不用“/usr/local/psionic”目录,我们必须“portsentry_config.h”头文件中PortSentry的配置。
编辑“portsentry_config.h”文件(vi portsentry_config.h)并改变下面这一行:
#define CONFIG_FILE "/usr/local/psionic/portsentry/portsentry.conf"
改为:
#define CONFIG_FILE "/usr/psionic/portsentry/portsentry.conf"
第三步
在系统中安装PortSentry。
[root@deep portsentry-1.0]# make linux
[root@deep portsentry-1.0]# make install
第三步
清除不必要的文件
用下面的命令删除不必要的文件:
[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf portsentry-version/ portsentry-version_tar.gz
“rm”命令删除所有编译和安装PortSentry所需要的源程序,并且把PortSentry软件的压缩包删除掉。
配置“/usr/psionic/portsentry/portsentry.conf”文件
“/usr/psionic/portsentry/portsentry.conf”是PortSentry的主要配置文件。你可设置需要监听的端口,需要禁止、监控的IP地址,等等。可以看PortSentry得“README.install”文件以获取更多的信息。
编辑“portsentry.conf”文件(vi /usr/psionic/portsentry.conf)并且根据需要做出改变:
# PortSentry Configuration
#
# $Id: portsentry.conf,v 1.13 1999/11/09 02:45:42 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.
#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2
000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,4
0421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,3277
0,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32
771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,327
74,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1023.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I dont recommend you
# bind over this number of ports. Realistically: I DONT RECOMMEND YOU MONITOR
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. Youve been
# warned! Dont write me if you have have a problem because Ill only tell
# you to RTFM and dont run above the first 1023 ports.
#
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldnt* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/psionic/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/psionic/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/psionic/portsentry/portsentry.blocked"
###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you dont want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but dont want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing though as most attackers really arent doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP="1"
BLOCK_TCP="1"
###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* su[1] [url=http://www.chinamx.com.cn/Article/os/Linux/200605/20060530125926_28700_2.html][2] 下一页
