Use portsentry-Intrusion Detection in CentOS

Source: Internet
Author: User


Portsentry is a good choice for blocking the flood of network scans a host receives. It is a free tool written by Craig H. Rowland for detecting and blocking port scans, and the current version runs on most mainstream Unix systems, including Solaris, HP-UX, FreeBSD, AIX, SCO and Linux. Once installed, the host listens on one or more specified TCP/UDP ports; when someone attempts to connect to or scan those ports, portsentry detects the attempt and immediately blocks the connecting or scanning host. In addition, portsentry has the following notable features:

  • It writes a detailed log record for each external scan, including the scanning host's name, the time of the scan, and the TCP/UDP port that was probed.
  • On Linux it can detect many stealth scan types, such as SYN/half-open, FIN, NULL and XMAS scans.
  • It reliably detects non-sequential random scans. Many anti-scan tools cannot recognise a port scan whose order is randomised; portsentry identifies such scans immediately and blocks them quickly even when the port order is random.
  • It can work together with the classic TCP Wrappers (tcp_wrapper) access control by writing the scanning host into the tcp_wrapper hosts.deny file.
  • Depending on its settings, it can automatically add a route for the scanning host that discards that host's subsequent traffic, so the scanning host loses its normal connectivity to the protected system.

1. Installation

[root@ipython ~]# wget <download-url>/portsentry-1.2.tar.gz          ### download URL not given in the article
[root@ipython ~]# tar zxf portsentry-1.2.tar.gz
[root@ipython ~]# cd portsentry_beta/
[root@ipython portsentry_beta]# sed -i '/Craig H. Rowland/N; s/\n//' portsentry.c   ### join the string literal split across two lines so portsentry.c compiles with current gcc
[root@ipython portsentry_beta]# make linux
[root@ipython portsentry_beta]# make install
[root@ipython portsentry_beta]# ln -s /usr/local/psionic/portsentry/portsentry /usr/local/sbin/   ### put the binary on the PATH

2. Check the configuration file.

TCP_PORTS="111,119,143,540,635,108,54320"                 ### ports bound in basic TCP mode
UDP_PORTS="161,162,513,635,640,641,700,374,31337,54321"   ### ports bound in basic UDP mode
ADVANCED_PORTS_TCP="1024"                                 ### upper bound of the advanced TCP listening range
ADVANCED_PORTS_UDP="1024"                                 ### upper bound of the advanced UDP listening range
ADVANCED_EXCLUDE_TCP="113,139"                            ### TCP ports excluded from the advanced range
ADVANCED_EXCLUDE_UDP="520,138,137,67"                     ### UDP ports excluded from the advanced range
IGNORE_FILE="/usr/local/psionic/portsentry.ignore"        ### list of trusted IP addresses that are never blocked
HISTORY_FILE="/usr/local/psionic/portsentry.history"      ### history of hosts detected scanning this system
BLOCKED_FILE="/usr/local/psionic/portsentry.blocked"      ### record of IP addresses whose connections were blocked
RESOLVE_HOST="1"                                          ### resolve host names: 0 = no, 1 = yes
BLOCK_UDP="1"                                             ### 0 = log only, 1 = block via the firewall/route command, 2 = run the external script only; default 1
BLOCK_TCP="1"                                             ### 0 = log only, 1 = block via the firewall/route command, 2 = run the external script only; default 1
KILL_HOSTS_DENY="ALL: $TARGET$"                           ### format of the line written to the TCP Wrappers hosts.deny file
SCAN_TRIGGER="0"                                          ### number of probes tolerated before action is taken (0 = react to the first)

3. Startup modes

[root@ipython portsentry]# portsentry -tcp    # basic TCP mode: binds the ports listed in TCP_PORTS in the configuration file
[root@ipython portsentry]# portsentry -udp    # basic UDP mode: binds the ports listed in UDP_PORTS in the configuration file
[root@ipython portsentry]# portsentry -stcp   # TCP stealth mode: does not open the ports, only records (and reacts to) probes against them
[root@ipython portsentry]# portsentry -sudp   # UDP stealth mode: same as above for UDP
[root@ipython portsentry]# portsentry -atcp   # advanced TCP stealth mode: selects the listening ports automatically
[root@ipython portsentry]# portsentry -audp   # advanced UDP stealth mode: selects the listening ports automatically
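As an added example (not from the original article or from the portsentry project), the following Python script parses a constructed portsentry.conf fragment using the keys from section 2, flags settings a defender would want to fix before starting the daemon, computes the port set that -atcp would watch (1..ADVANCED_PORTS_TCP minus ADVANCED_EXCLUDE_TCP), and previews the line KILL_HOSTS_DENY writes to hosts.deny for a blocked address. The sample configuration values and the address are constructed.

```python
import re
# Constructed sample of portsentry.conf, not the file shipped with portsentry.
SAMPLE_CONF = """
TCP_PORTS="111,119,143,540,635,1080,54320"
UDP_PORTS="161,162,513,635,640,641,700,31337,54321"
ADVANCED_PORTS_TCP="1024"
ADVANCED_EXCLUDE_TCP="113,139"
BLOCK_TCP="1"
KILL_HOSTS_DENY="ALL: $TARGET$"
SCAN_TRIGGER="0"
"""

def parse_conf(text):
    """Return {KEY: value} for KEY="value" lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)\s*=\s*"([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def port_list(value):
    """Parse a comma-separated port list and reject values outside 1..65535."""
    ports = [int(p) for p in value.split(",") if p.strip()]
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port out of range: {bad}")
    return ports

def advanced_tcp_ports(conf):
    """Ports -atcp watches: 1..ADVANCED_PORTS_TCP minus exclusions (the daemon also skips ports already bound)."""
    ceiling = int(conf.get("ADVANCED_PORTS_TCP", "1024"))
    excluded = set(port_list(conf.get("ADVANCED_EXCLUDE_TCP", "")))
    return sorted(set(range(1, ceiling + 1)) - excluded)

def hosts_deny_line(conf, target):
    """Expand KILL_HOSTS_DENY for a blocked address, as portsentry writes it to hosts.deny."""
    return conf["KILL_HOSTS_DENY"].replace("$TARGET$", target)

def check_conf(conf):
    """Findings a defender should fix before starting the daemon."""
    findings = []
    for key in ("BLOCK_TCP", "BLOCK_UDP"):
        if key in conf and conf[key] not in ("0", "1", "2"):
            findings.append(f"{key} must be 0, 1 or 2")
    if "$TARGET$" not in conf.get("KILL_HOSTS_DENY", "$TARGET$"):
        findings.append("KILL_HOSTS_DENY lacks $TARGET$; every block would write the same line")
    if conf.get("SCAN_TRIGGER", "0") == "0":
        findings.append("SCAN_TRIGGER=0 reacts to a single probe; a stray connection can block a legitimate host")
    return findings
```

Run check_conf(parse_conf(SAMPLE_CONF)) before starting portsentry; the SCAN_TRIGGER finding is the one most often behind a locked-out administrator whose own address is missing from the IGNORE_FILE list.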

4. Start in TCP detection mode and use nmap to scan the host as a test:

[root@ipython portsentry]# portsentry -atcp
[root@ipython portsentry]# ps aux | grep portsentry
root     20979  0.7  0.0   4088   500 ?        Ss   portsentry -atcp


[root@ipython portsentry]# awk '/ALL/' /etc/hosts.deny | wc -l    # count the ALL: entries portsentry wrote to hosts.deny after the scan
456
