I. Description
When the host is port-scanned, automatically send a warning e-mail so the scan source can be identified and follow-up action taken.
II. Installing Portsentry
1. Download from http://sourceforge.net/projects/sentrytools/
2. Install
(1) ##### vi portsentry.c #####
Merge lines 1584 and 1585 into a single line, as follows:
printf ("Copyright 1997-2003 Craig H. Rowland
(2) Compile and install
# make linux
# make install
Installed by default under /usr/local/psionic/portsentry
3. Configuration
##### portsentry.conf #####
TCP_PORTS="1" # TCP port list; ignored when started in ADVANCED mode
UDP_PORTS="1" # UDP port list; ignored when started in ADVANCED mode
ADVANCED_EXCLUDE_TCP="123" # exclude NTP
ADVANCED_EXCLUDE_UDP="123,137,138" # exclude NTP and Samba
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore" # source addresses that are never blocked
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history" # block history
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked" # block temp file
RESOLVE_HOST="0" # do not reverse-resolve blocked sources via DNS
BLOCK_UDP="2" # on a UDP block, only run KILL_RUN_CMD
BLOCK_TCP="2" # on a TCP block, only run KILL_RUN_CMD
KILL_RUN_CMD="/script/portsentry.sh mail $TARGET$" # call an external script to send the alert mail
4. The script called by KILL_RUN_CMD
##### /script/portsentry.sh #####
#!/bin/sh
HOSTNAME=`hostname -s`
TIME=`date '+%Y%m%d'`
# Recipient of the alert mail; the original script never sets this, so this is a placeholder you must fill in
MAILTO="admin@example.com"
case "$1" in
start)
# Start Portsentry in advanced mode for TCP and UDP
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -audp
;;
stop)
killall -9 portsentry
;;
mail)
# $2 is the scan source passed in via $TARGET$ in KILL_RUN_CMD
echo "$TIME" | /bin/mail -s "$HOSTNAME detected a port scan from $2" "$MAILTO"
;;
init)
# Clear the block temp file so a repeat scan from a known source alerts again
rm -f /usr/local/psionic/portsentry/portsentry.blocked*
;;
*)
echo "Usage: $0 start|stop|mail|init"
;;
esac
5. Schedule deletion of the block temp file; otherwise a source already listed in it never triggers another alert
##### /etc/crontab #####
* * * * * root /script/portsentry.sh init
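Because the cron job above empties portsentry.blocked every minute, one persistent scanner can produce a mail for every hit. The following added example (not part of the original post) throttles alerts per source address inside the mail hook; the variable names STATE_DIR, ALERT_INTERVAL, MAILTO and the function names are assumptions.

```shell
#!/bin/sh
# Added example: per-source alert throttling for the KILL_RUN_CMD hook.
# A source is mailed at most once every ALERT_INTERVAL seconds; the last
# alert time for each source is kept as a timestamp file under STATE_DIR.
STATE_DIR="${STATE_DIR:-/var/run/portsentry-alert}"   # assumed location
ALERT_INTERVAL="${ALERT_INTERVAL:-600}"               # seconds, assumed default
MAILTO="${MAILTO:-admin@example.com}"                 # placeholder recipient

# should_alert SRC: returns 0 if a mail should go out for SRC now, 1 if throttled
should_alert() {
    src="$1"
    [ -n "$src" ] || return 1
    # Make the address a safe file name (dots and colons become underscores)
    key=$(printf '%s' "$src" | tr -c 'A-Za-z0-9' '_')
    mkdir -p "$STATE_DIR"
    stamp="$STATE_DIR/$key"
    now=$(date +%s)
    if [ -f "$stamp" ]; then
        last=$(cat "$stamp")
        if [ $((now - last)) -lt "$ALERT_INTERVAL" ]; then
            return 1          # still inside the quiet period for this source
        fi
    fi
    printf '%s\n' "$now" > "$stamp"
    return 0
}

# alert_mail SRC: send the notification only when should_alert permits it
alert_mail() {
    if should_alert "$1"; then
        date '+%Y%m%d %H:%M:%S' \
          | /bin/mail -s "$(hostname -s) detected a port scan from $1" "$MAILTO"
    fi
}

# Dispatch compatible with KILL_RUN_CMD="/script/portsentry.sh mail $TARGET$"
case "$1" in
mail) alert_mail "$2" ;;
esac
```

Drop these functions into /script/portsentry.sh and call alert_mail "$2" from its mail) branch; portsentry.history still records every hit, so nothing is lost, only the mail volume is reduced.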
6. Start at boot
##### /etc/rc.local #####