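Our company has been hit by malicious attacks constantly of late. After looking into it, I found PortSentry, a free tool for Linux that guards against malicious scanning, and used it to deal with the problem.
1. Installing PortSentry
Download portsentry-1.2.tar.gz: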
[[email protected] ~]# tar zxvf portsentry-1.2.tar.gz
[[email protected] ~]# cd portsentry_beta/
Open portsentry.c and, at around line 1590, join the line containing Copyright 1997-2003 into a single line; otherwise the build complains.
1584 printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot
1585 sourceforget dot net>\n");
Change it to:
1584 printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");
[[email protected] portsentry_beta]# make && make install
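This fails with:
cp: 無法 stat “./portsentry”: 沒有那個檔案或目錄
make: *** [install] 錯誤 1
(cp cannot stat ./portsentry because there is no such file or directory, and make stops with error 1 in the install target.) When this problem appears, we run make && make install && make linux once more: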
[[email protected] portsentry_beta]# make linux
Configuring PortSentry
[[email protected] portsentry_beta]# vi /usr/local/psionic/portsentry/portsentry.conf
Find:
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
You can add the ports you want to monitor to these lists.
Start portsentry with the following command:
[[email protected] portsentry_beta]# /usr/local/psionic/portsentry/portsentry -atcp
Check the log:
[[email protected] portsentry_beta]# tail /var/log/messages
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced mode will manually exclude port: 139
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 22
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 25
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 80
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 111
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 631
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 637
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 113
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 139
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: PortSentry is now active and listening.
If we have been attacked, we can check:
[[email protected] portsentry_beta]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a ‘deny‘ option instead.
#
# See ‘man 5 hosts_options‘ and ‘man 5 hosts_access‘
# for information on rule syntax.
# See ‘man tcpd‘ for information on tcp_wrappers
#
ALL: 216.99.158.196
ALL: 116.10.191.184
ALL: 65.111.161.35
ALL: 58.52.149.161
ALL: 137.175.69.43
ALL: 14.108.157.240
ALL: 198.13.104.182
ALL: 137.175.70.226
ALL: 119.36.79.10
ALL: 27.16.231.69
ALL: 137.175.9.239
ALL: 142.4.126.35
ALL: 112.125.18.175
ALL: 119.122.9.152
ALL: 218.77.79.43
ALL: 204.93.154.216
ALL: 42.120.145.6
ALL: 23.105.86.26
This shows that these IPs were scanning maliciously and that the software added them here automatically.
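Because the deny rules are appended automatically, it is worth checking that none of your own administration hosts has ended up among them. The script below is an added example, not part of the original post; the function names, the trusted addresses and the sample file content are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit hosts.deny after PortSentry
# has been appending "ALL: <ip>" rules to it. Handles IPv4 entries only.

# Print each address denied by an "ALL:" rule, one per line, without duplicates.
blocked_hosts() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        /^[ \t]*ALL[ \t]*:/ {
            split($0, f, ":")                     # f[2] = client list
            n = split(f[2], h, /[ \t,]+/)         # allow several hosts per rule
            for (i = 1; i <= n; i++)
                if (h[i] != "" && !seen[h[i]]++) print h[i]
        }' "$1"
}

# Print the trusted addresses (arguments 2..n) that are currently denied.
# Empty output means no trusted host has been locked out.
blocked_trusted() {
    deny_file=$1
    shift
    for ip in $(blocked_hosts "$deny_file"); do
        for trusted in "$@"; do
            [ "$ip" = "$trusted" ] && echo "$ip"
        done
    done
    return 0
}

# Constructed sample in hosts.deny format (documentation-range addresses).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# hosts.deny (constructed sample)
ALL: 203.0.113.45
ALL: 198.51.100.7
ALL: 192.0.2.10
ALL: 203.0.113.45
EOF

# Hypothetical trusted hosts: an admin workstation and a monitoring server.
TRUSTED="192.0.2.10 192.0.2.20"

echo "denied hosts: $(blocked_hosts "$SAMPLE" | wc -l)"
locked_out=$(blocked_trusted "$SAMPLE" $TRUSTED)
[ -n "$locked_out" ] && echo "WARNING: trusted host denied: $locked_out"
```

On a real system, pass /etc/hosts.deny and your own trusted addresses to blocked_trusted, for example from a cron job that alerts when the output is not empty.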
This article comes from the “飛鴻遝膤” blog; please be sure to keep this source: http://jxzhfei.blog.51cto.com/1382161/1444740
PortSentry, software for guarding against malicious scans on Linux