While checking the security of a CentOS 5.5 server, I found that many IP addresses were maliciously scanning ports on this server. I originally wanted to deploy the Snort intrusion detection environment, but later found that Snort is complicated to deploy, and that the malicious scans above can be handled entirely with PortSentry. PortSentry is one of the simplest and most effective intrusion detection tools. It is part of the Abacus project, whose goal is to build a host-based network intrusion detection system; more information about the Abacus project is available at http://www.psonic.com. Although PortSentry was no longer developed after it was acquired by Cisco, this does not affect the software's functionality. PortSentry can detect almost all types of network scans in real time and respond to them. When suspicious behaviour is discovered, PortSentry can take the following measures:
Provide false routing information and redirect all traffic from the scanning host to a non-existent host;
Automatically add the host that scans the server to the TCP Wrappers /etc/hosts.deny file. I personally prefer this method, because iptables is not enabled in many production environments. This is also PortSentry's default behaviour;
Use the Netfilter mechanism to filter out all packets from the scanning host with a packet filtering program such as iptables or ipchains;
Record a log message through the syslog() function, and optionally return a warning banner to the scanner.
I. Installation of PortSentry
The following describes how to install and configure the PortSentry tool.
1. Unpack and compile:
# tar zxvf portsentry-1.2.tar.gz
# cd portsentry-1.2_beta
# make
# make install
When this step is performed, an error is reported and the portsentry executable is not generated. Looking at the Makefile, we find that make has a separate target for each operating system.
So we delete the directory, extract the archive again and repeat this step.
Then we run make linux and find that the system still reports the following error:
SYSTYPE=linux
Making
cc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function ‘PortSentryModeTCP’:
./portsentry.c:1187: warning: pointer targets in passing argument 3 of ‘accept’ differ in signedness
./portsentry.c: In function ‘PortSentryModeUDP’:
./portsentry.c:1384: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
./portsentry.c: In function ‘Usage’:
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: ‘sourceforget’ undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ‘)’ before ‘dot’
./portsentry.c:1585: error: stray ‘\’ in program
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ‘;’ before ‘}’ token
make: *** [linux] Error 1
Solution:
Open portsentry.c and join the line containing "Copyright 1997-2003" (around line 1590) with the line that follows it, so that the whole string sits on one line, as shown in
Figure 1-1: the line of code marked with white lines should be joined into a single line.
After the adjustment, run make linux && make install. PortSentry is installed under /usr/local/psionic/portsentry, and the following output indicates that the installation succeeded:
Edit /usr/local/psionic/portsentry/portsentry.conf and change
your settings if you haven't already. (route, etc)
WARNING: This version and above now use a new
directory structure for storing the program
and config files (/usr/local/psionic/portsentry).
Please make sure you delete the old files when
the testing of this install is complete.
II. Configure PortSentry
1. Modify the configuration file portsentry.conf
To use PortSentry for intrusion detection, you must first define the list of ports to monitor and the countermeasures to take, then start the background process that watches those ports. As soon as a connection to one of these ports is detected, the configured countermeasure is triggered to block the source.
(1) Set the port list
The default port configuration in portsentry.conf is as follows:
# Un-comment these if you are really anal:
#TCP_PORTS="109,110,111,119,138,139,143,512,513,514,515,540,636,108, [..]
#UDP_PORTS="69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,204,9,66,67,68,9,31335,27444,34555, [..]
# Use these if you just want to be aware:
TCP_PORTS="111,119,143,540,635,108, [..]
UDP_PORTS="161,162,513,635,640,641,700,374,9,69,44,34555,31335,32770,32771,32772,32773,32774,31337,54321"
# Use these for just bare-bones
#TCP_PORTS="15,110,111,143,540,635,180,152,54320"
#UDP_PORTS="161,162,513,640,700,327,54321"
You can selectively uncomment the lines above to enable one of the default configurations, or write a new list that suits your situation, using the same format. Which ports to list depends on the server: if it is a web server, the web port should not be monitored; if it is an FTP server, on the other hand, the web port can be monitored as well.
(2) Related files in portsentry.conf
Several files are defined in portsentry.conf. Let's look at what each one is for:
# Hosts listed in this file are never blocked (legitimate hosts allowed to connect to the server)
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
# This file keeps the history of all IP addresses that have attacked the host
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
# This file records the host IP addresses whose connections have been blocked
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
(3) Set route redirection
By configuring portsentry.conf, you can add a bogus route that redirects the attacker's packets to a non-existent host. The configuration is as follows:
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
The routing command differs between platforms; in the configuration file, select the command for your own platform. My server is CentOS 5.5 x86_64, and the syntax above is the one for Linux. PortSentry is very user-friendly: the configuration file already contains the corresponding command for each supported system, so we only need to perform the following operations.
(4) We can also use the iptables command on Linux to cut off the connection from the attacking host:
KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
Alternatively, the attacker's IP address can be written directly to the /etc/hosts.deny file so that the TCP Wrappers protection mechanism rejects it:
KILL_HOSTS_DENY="ALL: $TARGET$ # Portsentry blocked"
By default, PortSentry uses TCP Wrappers to disconnect the host.
(5) Custom warning banner
We can also define a banner that is sent to the scanner as a warning. However, the manual does not recommend this option, because it reveals that the host is running an IDS.
PORT_BANNER="** unauthorized access prohibited *** your connection attempt has been logged. go away."
After editing, change the file permissions to protect it:
chmod 600 /usr/local/psionic/portsentry/portsentry.conf
2. Configure the portsentry.ignore file
The /usr/local/psionic/portsentry/portsentry.ignore file lists the host IP addresses that PortSentry never blocks, that is, the hosts that are allowed to connect to the server even if they touch a monitored port. The default contents are:
# Put hosts in here you never want blocked. This includes the IP addresses
# of all local interfaces on the protected host (i.e. virtual host, multi-home)
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
127.0.0.1/32
0.0.0.0
# Exclude all local interfaces
192.168.1.103
192.168.1.102
127.0.0.1
Remember to include the local addresses, just in case.
After editing, change the file's default permissions as well:
chmod 600 /usr/local/psionic/portsentry/portsentry.ignore
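As a check on the ignore file (an added example, not code from the original post or from PortSentry): this shell script reads the local interface addresses from ifconfig-style output and reports any that portsentry.ignore does not cover, so the host's own addresses never end up in /etc/hosts.deny. The ifconfig output and ignore-file contents are constructed samples.

```shell
#!/bin/sh
# Check that portsentry.ignore covers every local interface address. An address
# missing here can end up in /etc/hosts.deny if traffic from it hits a monitored port.
# Both inputs below are constructed samples (CentOS 5 ifconfig / portsentry.ignore format).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:16:3E:00:00:01
          inet addr:192.168.1.102  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:16:3E:00:00:02
          inet addr:192.168.1.103  Bcast:192.168.1.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'
SAMPLE_IGNORE='# Put hosts in here you never want blocked
127.0.0.1/32
0.0.0.0
# Exclude all local interfaces
192.168.1.102'

# local_addrs IFCONFIG_TEXT -> one IPv4 address per line, loopback included
local_addrs() {
  printf '%s\n' "$1" | awk '/inet addr:/ { split($2, a, ":"); print a[2] }' | sort -u
}

# ignored_addrs IGNORE_TEXT -> addresses the ignore file covers; comments and blank
# lines are skipped and a /32 suffix is dropped (other prefix lengths are left as-is)
ignored_addrs() {
  printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's,/32$,,' | grep -v '^$' | sort -u
}

# missing_from_ignore IGNORE_TEXT IFCONFIG_TEXT -> local addresses, plus the two
# mandatory entries 127.0.0.1 and 0.0.0.0, that the ignore file does not list
missing_from_ignore() {
  { local_addrs "$2"; printf '%s\n' 127.0.0.1 0.0.0.0; } | sort -u |
  while read -r ip; do
    ignored_addrs "$1" | grep -qxF "$ip" || printf '%s\n' "$ip"
  done
}

# gen_ignore IFCONFIG_TEXT -> a complete portsentry.ignore listing every local address
gen_ignore() {
  printf '%s\n' '# Put hosts in here you never want blocked' 127.0.0.1/32 0.0.0.0 \
                '# Exclude all local interfaces'
  local_addrs "$1" | grep -vxF 127.0.0.1
}
```

On the server itself you would call missing_from_ignore with the contents of /usr/local/psionic/portsentry/portsentry.ignore and the output of ifconfig, and gen_ignore to write a fresh file.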
III. Start detection mode
Finally, we introduce the detection modes in which PortSentry can be started. For each of TCP and UDP there are three modes: basic, stealth, and advanced stealth scan detection.
◆ portsentry -tcp: basic TCP port binding mode;
◆ portsentry -udp: basic UDP port binding mode;
◆ portsentry -stcp: TCP stealth scan detection mode;
◆ portsentry -sudp: UDP stealth scan detection mode;
◆ portsentry -atcp: TCP advanced stealth scan detection mode;
◆ portsentry -audp: UDP advanced stealth scan detection mode.
Generally, we recommend using stealth scan mode or advanced stealth scan mode.
In advanced stealth scan detection mode, PortSentry automatically checks which ports are already in use on the server, removes them from the list in the configuration file, and only watches the remaining ports. This speeds up the response to port scans and uses very little CPU time. This mode is very intelligent, and I prefer to use it.
The command to start PortSentry is:
# /usr/local/psionic/portsentry/portsentry -atcp
You can add the startup command to the /etc/rc.d/rc.local script file so that PortSentry runs automatically whenever the machine is restarted, and can be started, stopped and checked at any time like other background processes.
IV. Test
After starting PortSentry on 192.168.1.102, we temporarily empty the portsentry.ignore file and run the scan command nmap -sS 192.168.1.102 from another machine, 192.168.1.104. After a moment, "ALL: 192.168.1.104" appears in /etc/hosts.deny, proving that the software configuration is effective.
To prove its effectiveness further, I deployed PortSentry 1.2 on a production LVS machine and checked the log:
[root@localhost portsentry_beta]# tail /var/log/messages
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: adsl-65-9-251-89.mia.bellsouth.net/65.9.251.89 to TCP port: 80
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: Host 65.9.251.89 has been blocked via wrappers with string: "ALL: 65.9.251.89"
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: adsl-65-9-251-89.mia.bellsouth.net/65.9.251.89 to TCP port: 80
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: Host: adsl-65-9-251-89.mia.bellsouth.net/65.9.251.89 is already blocked Ignoring
Jun  6 13:11:08 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: adsl-65-9-251-89.mia.bellsouth.net/65.9.251.89 to TCP port: 80
Jun  6 13:11:08 localhost portsentry[2555]: attackalert: Host: adsl-65-9-251-89.mia.bellsouth.net/65.9.251.89 is already blocked Ignoring
Jun  6 13:19:57 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: ns000034.ovh.net/91.121.14.153 to TCP port: 80
Jun  6 13:19:57 localhost portsentry[2555]: attackalert: Host 91.121.14.153 has been blocked via wrappers with string: "ALL: 91.121.14.153"
Jun  6 13:35:44 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: 61.156.31.43/61.156.31.43 to TCP port: 80
Jun  6 13:35:44 localhost portsentry[2555]: attackalert: Host 61.156.31.43 has been blocked via wrappers with string: "ALL: 61.156.31.43"
Checking /etc/hosts.deny shows the following malicious IPs:
ALL: 113.57.224.3
ALL: 124.238.249.246
ALL: 65.9.251.89
ALL: 91.121.14.153
ALL: 61.156.31.43
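To review what PortSentry has done from the log, here is an added example (not part of the original post, and not PortSentry's own code) that summarises attackalert lines per source address and cross-checks the hosts the log says were blocked against /etc/hosts.deny. The log lines and hosts.deny contents are constructed samples in the format shown above, using documentation address ranges.

```shell
#!/bin/sh
# Summarise PortSentry "attackalert" lines from /var/log/messages: alerts per source,
# ports probed, whether the source was blocked via wrappers, and whether /etc/hosts.deny
# still carries the entry. The log and hosts.deny below are constructed samples in the
# format PortSentry 1.2 writes; the addresses are documentation ranges, not real scanners.
SAMPLE_LOG='Jun  6 13:11:07 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: scanner-a.example.net/198.51.100.23 to TCP port: 80
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: Host 198.51.100.23 has been blocked via wrappers with string: "ALL: 198.51.100.23"
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: scanner-a.example.net/198.51.100.23 to TCP port: 80
Jun  6 13:11:07 localhost portsentry[2555]: attackalert: Host: scanner-a.example.net/198.51.100.23 is already blocked Ignoring
Jun  6 13:19:57 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: 203.0.113.9/203.0.113.9 to TCP port: 111
Jun  6 13:19:57 localhost portsentry[2555]: attackalert: Host 203.0.113.9 has been blocked via wrappers with string: "ALL: 203.0.113.9"
Jun  6 13:20:01 localhost portsentry[2555]: attackalert: TCP SYN/Normal scan from host: 192.0.2.77/192.0.2.77 to TCP port: 143'
SAMPLE_DENY='ALL: 198.51.100.23'

# summarize_alerts LOG_TEXT -> one line per source: "<ip> scans=<n> ports=<list> blocked=yes|no"
summarize_alerts() {
  printf '%s\n' "$1" | awk '
    / scan from host: / {
      for (i = 1; i <= NF; i++) if ($i == "host:") { n = split($(i + 1), h, "/"); ip = h[n] }
      port = $NF                      # each scan line ends with "... port: <number>"
      scans[ip]++
      if (!((ip, port) in seen)) {
        seen[ip, port] = 1
        ports[ip] = (ports[ip] == "") ? port : (ports[ip] "," port)
      }
    }
    / has been blocked via wrappers / {
      for (i = 1; i <= NF; i++) if ($i == "Host") blocked[$(i + 1)] = 1
    }
    END {
      for (ip in scans)
        printf "%s scans=%d ports=%s blocked=%s\n", ip, scans[ip], ports[ip], ((ip in blocked) ? "yes" : "no")
    }' | sort
}

# blocked_not_in_deny LOG_TEXT DENY_TEXT -> sources the log reports as blocked that no
# longer have an "ALL: <ip>" line in hosts.deny (e.g. the file was edited or replaced)
blocked_not_in_deny() {
  printf '%s\n' "$1" | awk '/ has been blocked via wrappers / { for (i = 1; i <= NF; i++) if ($i == "Host") print $(i + 1) }' | sort -u |
  while read -r ip; do
    printf '%s\n' "$2" | grep -qxF "ALL: $ip" || printf '%s\n' "$ip"
  done
}
```

A source that shows blocked=no is one that tripped a monitored port without a wrappers block being logged, which is worth checking against the ignore file and KILL_HOSTS_DENY setting.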
I feel there are a lot of bored people out there these days, running scanners on the Internet from morning to night. Are they trying to catch bots?