Portsentry is free software; anyone interested can try it out.

I. Overview

        When the host is port-scanned, automatically send a warning notification mail so the source can be identified and follow-up action taken.

II. Installing Portsentry

1. Download   http://sourceforge.net/projects/sentrytools/

2. Install

        (1)  ##### vi portsentry.c #####

        Merge lines 1584 and 1585 into a single line, as follows:

        printf ("Copyright 1997-2003 Craig H. Rowland \n");

        (2)  Compile and install

# make linux

# make install

Installed by default under /usr/local/psionic/portsentry

 

3. Configuration

##### portsentry.conf #####

TCP_PORTS="1"                                                     # TCP port list; ignored when started in ADVANCED mode
UDP_PORTS="1"                                                     # UDP port list; ignored when started in ADVANCED mode
ADVANCED_EXCLUDE_TCP="123"                                        # exclude NTP
ADVANCED_EXCLUDE_UDP="123,137,138"                                # exclude NTP, Samba
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"     # source addresses that are never blocked
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"   # block history
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"   # temp file of currently blocked sources
RESOLVE_HOST="0"                                                  # do not reverse-resolve blocked sources via DNS
BLOCK_UDP="2"                                                     # on a UDP block, run KILL_RUN_CMD
BLOCK_TCP="2"                                                     # on a TCP block, run KILL_RUN_CMD
KILL_RUN_CMD="/script/portsentry.sh mail $TARGET$"                # call the external script to send the alert mail

4. The script called by KILL_RUN_CMD

##### /script/portsentry.sh #####

#!/bin/sh
# Wrapper script: starts/stops portsentry, sends the alert mail that
# KILL_RUN_CMD triggers, and clears the blocked-host temp files.

HOSTNAME=`hostname -s`
TIME=`date '+%Y%m%d'`
MAILTO="xxxx@abc.com"

case "$1" in

start)
        /usr/local/psionic/portsentry/portsentry -atcp
        /usr/local/psionic/portsentry/portsentry -audp
;;
stop)
        killall -9 portsentry
;;
mail)
        # $2 is the source address portsentry substituted for $TARGET$
        echo "$TIME" | /bin/mail -s "$HOSTNAME Detected Port Scan From $2" "$MAILTO"
;;
init)
        rm -f /usr/local/psionic/portsentry/portsentry.blocked*
;;
*)
        echo "Usage: $0 start|stop|mail|init"
;;
esac
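As an added example (not from the original post and not portsentry's own code), here is a hardened form of the mail branch: the value portsentry substitutes for $TARGET$ is checked to be a dotted-quad IPv4 address before it is placed in a mail subject, so the alert script never forwards unexpected text to mail. The function names valid_ipv4, alert_subject and send_alert are my own; MAILTO is assumed to be set as in the script above.

```shell
#!/bin/sh
# Added example, not part of the original post. Validates the $TARGET$
# value portsentry passes to KILL_RUN_CMD before it is used in a mail
# subject. Function names are illustrative.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _old_ifs=$IFS
    IFS=.
    set -- $1          # split into the four octets
    IFS=$_old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the alert subject; refuse anything that is not an IPv4 address.
alert_subject() {
    host=$1
    target=$2
    if valid_ipv4 "$target"; then
        printf '%s detected port scan from %s\n' "$host" "$target"
    else
        printf '%s detected port scan from INVALID-TARGET\n' "$host"
    fi
}

# Send the alert; called from KILL_RUN_CMD as: /script/portsentry.sh mail $TARGET$
send_alert() {
    subject=$(alert_subject "$(hostname -s)" "$1")
    date '+%Y-%m-%d %H:%M:%S' | /bin/mail -s "$subject" "$MAILTO"
}
```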

 

5. Delete the block temp file on a schedule, so that a source already listed in the file does not stop triggering alerts

##### /etc/crontab #####

* * * * * root /script/portsentry.sh init

6. Start at boot

##### /etc/rc.local #####

/script/portsentry.sh start