Jusene's Blog

PortSentry 防止恶意端口扫描

2017/10/27

PortSentry

The Internet is full of malicious scanning. To find out which services a server runs, an attacker only needs to look at its exposed ports. Some services are therefore moved to non-standard ports; the service behind a port can still be identified by probing the protocol, but doing so raises the cost of an intrusion. Most intrusions begin with a port scanner probing the server, so we can use that fact to raise the cost further. PortSentry is a tool built to detect exactly this kind of malicious scanning: it recognises almost every type of network scan and reacts to it. Once it sees suspicious activity, PortSentry can take the following measures to harden the host:

  • Publish a false route, so that all traffic from the scanner is directed to a non-existent host or a decoy machine.
  • Automatically add the scanning host to tcp-wrapper's /etc/hosts.deny file.
  • Use the netfilter packet-filtering mechanism, e.g. iptables, to drop the scanner's packets.
  • Log a message through syslog(), and optionally send a warning banner back to the scanner.

Installing PortSentry

PortSentry stopped being developed after it was acquired by Cisco, but that does not diminish how capable the tool is.

PortSentry download link: https://sourceforge.net/projects/sentrytools/

~]# tar xf portsentry-1.2.tar.gz
~]# cd portsentry_beta/
~]# make linux
~]# make install

The build fails here. To fix it, open portsentry.c at line 1584 and make sure the copyright printf is one complete statement on a single line, as shown:

~]# vim +1584 portsentry.c
...

1583   printf ("PortSentry - Port Scan Detector.\n");
1584   printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");
1585   printf ("Licensing restrictions apply. Please see documentation\n");
1586   printf ("Version: %s\n\n", VERSION);
...

PortSentry configuration file

  • Port list

Of the 65535 ports, pick out those that are scanned frequently but on which this host offers no service:

...
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
...

In advanced stealth scan detection mode, every port up to and including this number is monitored:

...
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
# ports excluded from the monitored range
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"
...
  • Files referenced by the configuration

# Hosts listed in this file are allowed to scan the server (trusted addresses)
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
# History of the IP address of every intruding host seen so far
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
# IP addresses of hosts whose connections have already been blocked
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
# 1 enables DNS resolution of the scanning host, 0 disables it
RESOLVE_HOST = "1"

Blocking options:

0 do not block UDP/TCP scans
1 block UDP/TCP scans
2 only run the external command configured in KILL_RUN_CMD

BLOCK_UDP="1"
BLOCK_TCP="1"
  • Response methods

Route redirection

KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

Packet filtering

KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"

tcp_wrapper

KILL_HOSTS_DENY="ALL: $TARGET$"
  • External command

# 0 runs the external command after the block is applied, 1 runs it before
KILL_RUN_CMD_FIRST = "0"
KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"

# number of connection attempts tolerated before reacting; 0 reacts immediately, a higher value lowers the false-positive rate
SCAN_TRIGGER="0"
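The placeholder `/some/path/here/script $TARGET$ $PORT$` above is where a site-specific hook goes. The script below is an added example of such a hook, not PortSentry's own code: PortSentry runs KILL_RUN_CMD as root with the scanner's address and the probed port substituted into the command line, so the hook validates both arguments before using them and appends a timestamped record to a log. The script path, the log file (`NOTIFY_LOG`, defaulting to a constructed path under /tmp) and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example of a KILL_RUN_CMD hook (not part of PortSentry).
# Assumed configuration line:
#   KILL_RUN_CMD="/usr/local/psionic/portsentry/notify.sh $TARGET$ $PORT$"
# Log destination is an assumption; override it through the environment.
NOTIFY_LOG="${NOTIFY_LOG:-/tmp/portsentry-notify.log}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255
# (PortSentry 1.2 only reports IPv4 sources).
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Append one record (UTC timestamp, blocked host, probed port) to NOTIFY_LOG.
# Anything that is not a plain address or a plain port number is rejected,
# so a malformed value can never reach a later command line.
record_block() {
  target=$1
  port=$2
  valid_ipv4 "$target" || { echo "notify: rejected target '$target'" >&2; return 1; }
  case $port in
    ''|*[!0-9]*) echo "notify: rejected port '$port'" >&2; return 1 ;;
  esac
  printf '%s blocked=%s port=%s\n' \
    "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$target" "$port" >> "$NOTIFY_LOG"
}

# When invoked by PortSentry the two arguments are $TARGET$ and $PORT$.
if [ $# -gt 0 ]; then
  record_block "$1" "$2"
fi
```

Because KILL_RUN_CMD_FIRST is "0" in the configuration above, this hook runs after the KILL_ROUTE and KILL_HOSTS_DENY actions, so a record in its log means the block has already been applied.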
  • Custom warning banner

#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."

Leaving this option disabled is recommended, because a banner reveals that the host is running an IDS.

  • Ignored IPs; addresses listed here are treated as trusted

~]# vim /usr/local/psionic/portsentry/portsentry.ignore
127.0.0.1/32
0.0.0.0
10.211.55.6

PortSentry detection modes

  • portsentry -tcp, basic TCP port-binding mode;
  • portsentry -udp, basic UDP port-binding mode;
  • portsentry -stcp, TCP stealth scan detection mode;
  • portsentry -sudp, UDP stealth scan detection mode;
  • portsentry -atcp, TCP advanced stealth scan detection mode;
  • portsentry -audp, UDP advanced stealth scan detection mode.

In general, the stealth or advanced stealth scan detection modes are recommended.

Basic TCP port-binding mode

~]# tail -f /var/log/messages
May 28 02:06:24 node2 portsentry[16970]: adminalert: PortSentry 1.2 is starting.
May 28 02:06:24 node2 portsentry[16971]: adminalert: Going into listen mode on TCP port: 1
May 28 02:06:24 node2 portsentry[16971]: adminalert: Going into listen mode on TCP port: 11
May 28 02:06:24 node2 portsentry[16971]: adminalert: Going into listen mode on TCP port: 15
May 28 02:06:24 node2 portsentry[16971]: adminalert: Going into listen mode on TCP port: 79
....
May 28 02:06:24 node2 portsentry[16971]: adminalert: Going into listen mode on TCP port: 40421
May 28 02:06:24 node2 portsentry[16971]: adminalert: Going into listen mode on TCP port: 49724
May 28 02:06:24 node2 portsentry[16971]: adminalert: Going into listen mode on TCP port: 54320
May 28 02:06:24 node2 portsentry[16971]: adminalert: PortSentry is now active and listening.
[root@node2 ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:55999               0.0.0.0:*                   LISTEN      1434/rpc.statd      
tcp        0      0 0.0.0.0:1                   0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:20034               0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:32771               0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:32772               0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:40421               0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:32773               0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:32774               0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:31337               0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:6667                0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:11                  0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:5742                0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:79                  0.0.0.0:*                   LISTEN      16971/./portsentry  
tcp        0      0 0.0.0.0:15                  0.0.0.0:*                   LISTEN      16971/./portsentry 
...

This mode can impersonate many service ports, which makes the host a good decoy, but it takes no response action; its effect is to make the decoy ports look like real services. UDP mode behaves the same way.

TCP stealth scan detection mode

~]# tail -f /var/log/messages
Oct 24 02:10:14 INIT portsentry[6848]: adminalert: Going into stealth listen mode on TCP port: 32771
Oct 24 02:10:14 INIT portsentry[6848]: adminalert: Going into stealth listen mode on TCP port: 32772
Oct 24 02:10:14 INIT portsentry[6848]: adminalert: Going into stealth listen mode on TCP port: 32773
Oct 24 02:10:14 INIT portsentry[6848]: adminalert: Going into stealth listen mode on TCP port: 32774
Oct 24 02:10:14 INIT portsentry[6848]: adminalert: Going into stealth listen mode on TCP port: 31337
Oct 24 02:10:14 INIT portsentry[6848]: adminalert: Going into stealth listen mode on TCP port: 40421
Oct 24 02:10:14 INIT portsentry[6848]: adminalert: Going into stealth listen mode on TCP port: 40425
Oct 24 02:10:14 INIT portsentry[6848]: adminalert: Going into stealth listen mode on TCP port: 49724
Oct 24 02:10:14 INIT portsentry[6848]: adminalert: Going into stealth listen mode on TCP port: 54320
Oct 24 02:10:14 INIT portsentry[6848]: adminalert: PortSentry is now active and listening.
Oct 24 02:11:01 INIT systemd: Started Session 8788 of user root.
Oct 24 02:11:01 INIT systemd: Starting Session 8788 of user root.
Oct 24 02:11:02 INIT portsentry[6848]: attackalert: TCP SYN/Normal scan from host: 10.211.55.10/10.211.55.10 to TCP port: 143
Oct 24 02:11:02 INIT portsentry[6848]: attackalert: Host 10.211.55.10 has been blocked via wrappers with string: "ALL: 10.211.55.10"
Oct 24 02:11:02 INIT portsentry[6848]: attackalert: Host 10.211.55.10 has been blocked via dropped route using command: "/usr/sbin/iptables -I INPUT -s 10.211.55.10 -j DROP"
Oct 24 02:11:02 INIT portsentry[6848]: attackalert: TCP SYN/Normal scan from host: 10.211.55.10/10.211.55.10 to TCP port: 80
Oct 24 02:11:02 INIT portsentry[6848]: attackalert: Host: 10.211.55.10/10.211.55.10 is already blocked Ignoring
Oct 24 02:11:02 INIT portsentry[6848]: attackalert: TCP SYN/Normal scan from host: 10.211.55.10/10.211.55.10 to TCP port: 139
Oct 24 02:11:02 INIT portsentry[6848]: attackalert: Host: 10.211.55.10/10.211.55.10 is already blocked Ignoring
Oct 24 02:11:02 INIT portsentry[6848]: attackalert: TCP SYN/Normal scan from host: 10.211.55.10/10.211.55.10 to TCP port: 110
Oct 24 02:11:02 INIT portsentry[6848]: attackalert: Host: 10.211.55.10/10.211.55.10 is already blocked Ignoring
Oct 24 02:11:03 INIT portsentry[6848]: attackalert: TCP SYN/Normal scan from host: 10.211.55.10/10.211.55.10 to TCP port: 111
~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  10.211.55.10         0.0.0.0/0          
....

A port from the port list was scanned, and the configured responses were carried out.

TCP advanced stealth scan detection mode

Advanced mode uses few resources and is governed by the parameters whose names begin with ADVANCED. It monitors every port within a range: at startup it checks which ports the server already has in use, excludes those from the set to be monitored, and watches only the rest. This speeds up the reaction to a port scan while using very little CPU time.

~]# tail -f /var/log/messages
Oct 24 02:17:13 INIT portsentry[7413]: adminalert: PortSentry 1.2 is starting.
Oct 24 02:17:13 INIT portsentry[7414]: adminalert: Advanced mode will monitor first 1024 ports
Oct 24 02:17:13 INIT portsentry[7414]: adminalert: Advanced mode will manually exclude port: 113
Oct 24 02:17:13 INIT portsentry[7414]: adminalert: Advanced mode will manually exclude port: 139
Oct 24 02:17:13 INIT portsentry[7414]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 22
Oct 24 02:17:13 INIT portsentry[7414]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 25
Oct 24 02:17:13 INIT portsentry[7414]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 113
Oct 24 02:17:13 INIT portsentry[7414]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 139
Oct 24 02:17:13 INIT portsentry[7414]: adminalert: PortSentry is now active and listening.
Oct 24 02:20:11 INIT portsentry[7414]: attackalert: TCP SYN/Normal scan from host: 10.211.55.10/10.211.55.10 to TCP port: 80
Oct 24 02:20:11 INIT portsentry[7414]: attackalert: Host 10.211.55.10 has been blocked via wrappers with string: "ALL: 10.211.55.10"
Oct 24 02:20:11 INIT portsentry[7414]: attackalert: Host 10.211.55.10 has been blocked via dropped route using command: "/usr/sbin/iptables -I INPUT -s 10.211.55.10 -j DROP"
Oct 24 02:20:11 INIT portsentry[7414]: attackalert: TCP SYN/Normal scan from host: 10.211.55.10/10.211.55.10 to TCP port: 993
Oct 24 02:20:11 INIT portsentry[7414]: attackalert: Host: 10.211.55.10/10.211.55.10 is already blocked Ignoring
Oct 24 02:20:11 INIT portsentry[7414]: attackalert: TCP SYN/Normal scan from host: 10.211.55.10/10.211.55.10 to TCP port: 110
Oct 24 02:20:11 INIT portsentry[7414]: attackalert: Host: 10.211.55.10/10.211.55.10 is already blocked Ignoring
Oct 24 02:20:11 INIT portsentry[7414]: attackalert: TCP SYN/Normal scan from host: 10.211.55.10/10.211.55.10 to TCP port: 21
Oct 24 02:20:11 INIT portsentry[7414]: attackalert: Host: 10.211.55.10/10.211.55.10 is already blocked Ignoring
Oct 24 02:20:11 INIT portsentry[7414]: attackalert: TCP SYN/Normal scan from host: 10.211.55.10/10.211.55.10 to TCP port: 256
~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  10.211.55.10         0.0.0.0/0
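The startup lines above ("will monitor first 1024 ports", "manually exclude port", "Ignored TCP port") describe a set computation: the watched ports are 1..ADVANCED_PORTS_TCP minus the ports already in LISTEN state minus ADVANCED_EXCLUDE_TCP. The script below reproduces that computation as an added example; it is not PortSentry's code and does not show how PortSentry itself enumerates sockets. The netstat sample is constructed to match the column layout of `netstat -ntl`, and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not PortSentry code): which TCP ports would advanced stealth
# mode watch, given ADVANCED_PORTS_TCP, ADVANCED_EXCLUDE_TCP and the ports
# that are already listening?

# Constructed stand-in for `netstat -ntl` output; the real command produces
# the same column layout (Proto Recv-Q Send-Q Local Foreign State).
sample_netstat() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:113               0.0.0.0:*                   LISTEN
tcp6       0      0 :::139                      :::*                        LISTEN
EOF
}

# Read netstat -ntl output on stdin and print the local port of every
# listening TCP socket, numerically sorted and de-duplicated.
listening_ports() {
  awk '($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
    n = split($4, a, ":")   # the port is whatever follows the last colon
    print a[n]
  }' | sort -un
}

# Usage: advanced_watch_list MAX EXCLUDE_CSV  (listening ports on stdin)
# Prints every port in 1..MAX that is neither in use nor manually excluded.
advanced_watch_list() {
  max=$1
  { cat; echo "$2" | tr ',' '\n'; } | awk -v max="$max" '
    $1 ~ /^[0-9]+$/ { skip[$1] = 1 }
    END { for (p = 1; p <= max; p++) if (!(p in skip)) print p }
  '
}

# Stand-alone run: mirror the "Ignored TCP port" lines and count the result.
if [ $# -eq 0 ] && [ -t 1 ]; then
  ports=$(sample_netstat | listening_ports)
  for p in $ports; do echo "Ignored TCP port: $p"; done
  echo "$ports" | advanced_watch_list 1024 "113,139" | wc -l
fi
```

With the sample above the watch list has 1020 entries: ports 113 and 139 are both listening and manually excluded, so they are removed only once, and 22 and 25 are dropped because the server uses them. That matches the four "Ignored TCP port" lines in the log.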