
Installing and Configuring PortSentry on Linux

火星人 @ 2014-03-12
Overview
  A firewall protects our network from attack: we choose which ports to open and which to close. But an attacker can still run a port scanner against every port on the server to collect useful information (which ports are open, which are closed).

Here is an introduction to PortSentry:

A port scan against a server is a precursor to intrusion. PortSentry is designed to detect port scans in real time and to react to them. Once a scan is detected, PortSentry can:

- write a log message via syslog()

- automatically add the scanning host to the TCP Wrappers "/etc/hosts.deny" file

- automatically redirect all traffic from the scanning host to a nonexistent host (a dropped route)

- drop every packet from the scanning host with a packet filter.

Notes
  All commands below are Unix-compatible.

The source path is "/var/tmp" (any other path can of course be used in practice).

The installation was tested on RedHat Linux 6.1 and 6.2.

The installation must be done as the "root" user.

The PortSentry version is 1.0.

Where to get the package
  PortSentry home page: http://www.psionic.com/abacus/portsentry/.

Download: portsentry-1.0.tar.gz.

Things to note before installing
  It is a good idea to make a list of every file on the system before and after compiling, then compare the two lists with "diff" to see exactly where the software was installed. Simply run "find /* > PortSentry1" before compiling, "find /* > PortSentry2" after compiling and installing, and finally "diff PortSentry1 PortSentry2 > PortSentry-Installed" to see what changed.

Unpacking the package
  Unpack the package (tar.gz):

[root@deep /]# cp portsentry-version.tar.gz /var/tmp/
  [root@deep /]# cd /var/tmp
  [root@deep tmp]# tar xzpf portsentry-version.tar.gz

Compiling and optimizing
  The "Makefile" must be edited to set PortSentry's install path and compiler flags, and to optimize for your system. The edits below adapt the "Makefile" to the RedHat filesystem layout.

Step 1

Change into the new PortSentry directory.

Edit the "Makefile" (vi Makefile) and change the following lines:

CC = cc

to:

CC = egcs

CFLAGS = -O -Wall

to:

CFLAGS = -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -Wall

INSTALLDIR = /usr/local/psionic

to:

INSTALLDIR = /usr/psionic

These changes configure the "Makefile" to use the "egcs" compiler, to use optimization flags suited to our system, and to install PortSentry in the directory we chose. (gcc enables no optimizations beyond those of -O3, so "-O9" behaves like "-O3"; "-mcpu=pentiumpro -march=pentiumpro" must match the CPU you actually build for, or the binary may not run on it.)

Step 2

Because we are not using the "/usr/local/psionic" directory, we must also change PortSentry's configuration path in the "portsentry_config.h" header file.

Edit "portsentry_config.h" (vi portsentry_config.h) and change the line:

#define CONFIG_FILE "/usr/local/psionic/portsentry/portsentry.conf"

to:

#define CONFIG_FILE "/usr/psionic/portsentry/portsentry.conf"

Step 3

Install PortSentry on the system:

[root@deep portsentry-1.0]# make linux
  [root@deep portsentry-1.0]# make install

The commands above configure and compile the software and install it in the chosen directory.
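As an added example (not from the page or the PortSentry project), the three Makefile edits and the portsentry_config.h edit from Steps 1 and 2 can be applied with sed and checked before "make linux && make install" is run, so that a partially edited tree is caught early. It assumes the files still contain the exact original lines quoted above; the variables PS_CC, PS_CFLAGS and PS_INSTALLDIR are this example's own names and default to the values chosen above (set PS_CC=gcc on a system that no longer ships egcs).

```shell
#!/bin/sh
# Added example, not from the page or the PortSentry project: apply the
# Makefile and portsentry_config.h edits from Steps 1-2 with sed and
# verify them. Assumptions: the files contain the exact original lines
# quoted in the text; PS_* variables are this example's own names.

PS_CC="${PS_CC:-egcs}"
PS_CFLAGS="${PS_CFLAGS:--O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -Wall}"
PS_INSTALLDIR="${PS_INSTALLDIR:-/usr/psionic}"

# Replace a file's contents with the output of sed run on it
# (portable alternative to GNU "sed -i").
edit_in_place() {
    file=$1; shift
    sed "$@" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 1: rewrite the CC, CFLAGS and INSTALLDIR lines of the Makefile.
patch_portsentry_makefile() {
    [ -f "$1" ] || return 1
    edit_in_place "$1" \
        -e "s|^CC *= *cc\$|CC = $PS_CC|" \
        -e "s|^CFLAGS *= *-O -Wall\$|CFLAGS = $PS_CFLAGS|" \
        -e "s|^INSTALLDIR *= */usr/local/psionic\$|INSTALLDIR = $PS_INSTALLDIR|"
}

# Step 2: point CONFIG_FILE in portsentry_config.h at the new install dir.
patch_portsentry_config_h() {
    [ -f "$1" ] || return 1
    edit_in_place "$1" \
        -e "s|^#define CONFIG_FILE \"/usr/local/psionic/portsentry/portsentry.conf\"\$|#define CONFIG_FILE \"$PS_INSTALLDIR/portsentry/portsentry.conf\"|"
}

# Sanity check: return 0 only if every intended edit is present in both
# files, so "make install" never runs on a half-edited tree.
verify_edits() {
    mk=$1; hdr=$2
    grep -q "^CC = $PS_CC\$" "$mk" &&
    grep -q "^INSTALLDIR = $PS_INSTALLDIR\$" "$mk" &&
    grep -q "fomit-frame-pointer" "$mk" &&
    grep -q "^#define CONFIG_FILE \"$PS_INSTALLDIR/portsentry/portsentry.conf\"\$" "$hdr"
}

# Usage from the unpacked source directory (/var/tmp/portsentry-1.0):
#   patch_portsentry_makefile Makefile
#   patch_portsentry_config_h portsentry_config.h
#   verify_edits Makefile portsentry_config.h && make linux && make install
```

The regexes are anchored to the original lines, so running the script twice is harmless: the second run matches nothing and verify_edits still passes.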

Cleaning up unnecessary files
  Remove the files that are no longer needed:

[root@deep /]# cd /var/tmp
  [root@deep tmp]# rm -rf portsentry-version/ portsentry-version.tar.gz

The "rm" command removes all the source files needed to compile and install PortSentry, and deletes the compressed PortSentry package.

Configuring the "/usr/psionic/portsentry/portsentry.conf" file
  "/usr/psionic/portsentry/portsentry.conf" is PortSentry's main configuration file. Here you set the ports to monitor, the IP addresses to block or watch, and so on. See PortSentry's "README.install" file for more information.

Edit "portsentry.conf" (vi /usr/psionic/portsentry/portsentry.conf) and change it as needed:

# PortSentry Configuration
  #
  # $Id: portsentry.conf,v 1.13 1999/11/09 02:45:42 crowland Exp crowland $
  #
  # IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
  #
  # The default ports will catch a large number of common probes
  #
  # All entries must be in quotes.
  #######################
  # Port Configurations #
  #######################
  #
  #
  # Some example port configs for classic and basic Stealth modes
  #
  # I like to always keep some ports at the "low" end of the spectrum.
  # This will detect a sequential port sweep really quickly and usually
  # these ports are not in use (i.e. tcpmux port 1)
  #
  # ** X-Windows Users **: If you are running X on your box, you need to be sure
  # you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
  # Doing so will prevent the X-client from starting properly.
  #
  # These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
  #
  # Un-comment these if you are really anal:
  #TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
  #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
  #
  # Use these if you just want to be aware:
  TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
  UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
  #
  # Use these for just bare-bones
  #TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
  #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
  ###########################################
  # Advanced Stealth Scan Detection Options #
  ###########################################
  #
  # This is the number of ports you want PortSentry to monitor in Advanced mode.
  # Any port *below* this number will be monitored. Right now it watches
  # everything below 1023.
  #
  # On many Linux systems you cannot bind above port 61000. This is because
  # these ports are used as part of IP masquerading. I don't recommend you
  # bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
  # OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
  # warned! Don't write me if you have a problem because I'll only tell
  # you to RTFM and don't run above the first 1023 ports.
  #
  #
  ADVANCED_PORTS_TCP="1023"
  ADVANCED_PORTS_UDP="1023"
  #
  # This field tells PortSentry what ports (besides listening daemons) to
  # ignore. This is helpful for services like ident that services such
  # as FTP, SMTP, and wrappers look for but you may not run (and probably
  # *shouldn't* IMHO).
  #
  # By specifying ports here PortSentry will simply not respond to
  # incoming requests, in effect PortSentry treats them as if they are
  # actual bound daemons. The default ports are ones reported as
  # problematic false alarms and should probably be left alone for
  # all but the most isolated systems/networks.
  #
  # Default TCP ident and NetBIOS service
  ADVANCED_EXCLUDE_TCP="113,139"
  # Default UDP route (RIP), NetBIOS, bootp broadcasts.
  ADVANCED_EXCLUDE_UDP="520,138,137,67"
  ######################
  # Configuration Files#
  ######################
  #
  # Hosts to ignore
  IGNORE_FILE="/usr/psionic/portsentry/portsentry.ignore"
  # Hosts that have been denied (running history)
  HISTORY_FILE="/usr/psionic/portsentry/portsentry.history"
  # Hosts that have been denied this session only (temporary until next restart)
  BLOCKED_FILE="/usr/psionic/portsentry/portsentry.blocked"
  ###################
  # Response Options#
  ###################
  # Options to dispose of attacker. Each is an action that will
  # be run if an attack is detected. If you don't want a particular
  # option then comment it out and it will be skipped.
  #
  # The variable $TARGET$ will be substituted with the target attacking
  # host when an attack is detected. The variable $PORT$ will be substituted
  # with the port that was scanned.
  #
  ##################
  # Ignore Options #
  ##################
  # These options allow you to enable automatic response
  # options for UDP/TCP. This is useful if you just want
  # warnings for connections, but don't want to react for
  # a particular protocol (i.e. you want to block TCP, but
  # not UDP). To prevent a possible Denial of service attack
  # against UDP and stealth scan detection for TCP, you may
  # want to disable blocking, but leave the warning enabled.
  # I personally would wait for this to become a problem before
  # doing though as most attackers really aren't doing this.
  # The third option allows you to run just the external command
  # in case of a scan to have a pager script or such execute
  # but not drop the route. This may be useful for some admins
  # who want to block TCP, but only want pager/e-mail warnings
  # on UDP, etc.
  #
  #
  # 0 = Do not block UDP/TCP scans.
  # 1 = Block UDP/TCP scans.
  # 2 = Run external command only (KILL_RUN_CMD)
  BLOCK_UDP="1"
  BLOCK_TCP="1"
  ###################
  # Dropping Routes:#
  ###################
  # This command is used to drop the route or add the host into
  # a local filter table.
  #
  # The gateway (333.444.555.666) should ideally be a dead host on
  # the *local* subnet. On some hosts you can also point this at
  # localhost (127.0.0.1) and get the same effect. NOTE THAT
  # 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
  #
  # All KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
  # uncomment the correct line for your OS. If your OS is not listed
  # here and you have a route drop command that works then please
  # mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
  # CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
  #
  # NOTE: The route commands are the least optimal way of blocking
  # and do not provide complete protection against UDP attacks and
  # will still generate alarms for both UDP and stealth scans. I
  # always recommend you use a packet filter because they are made
  # for this purpose.
  #
  # Generic
  #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
  # Generic Linux
  #KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
  # Newer versions of Linux support the reject flag now. This
  # is cleaner than the above option.
  KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
  # Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
  #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
  # Generic Sun
  #KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
  # NEXTSTEP
  #KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
  # FreeBSD (Not well tested.)
  #KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
  # Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
  #KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
  # Generic HP-UX
  #KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
  ##
  # Using a packet filter is the preferred method. The below lines
  # work well on many OSs. Remember, you can only uncomment *one*
  # KILL_ROUTE option.
  ##
  ###############
  # TCP Wrappers#
  ###############
  # This text will be dropped into the hosts.deny file for wrappers
  # to use. There are two formats for TCP wrappers:
  #
  # Format One: Old Style - The default when extended host processing
  # options are not enabled.
  #
  KILL_HOSTS_DENY="ALL: $TARGET$"
  #
  # Format Two: New Style - The format used when extended option
  # processing is enabled. You can drop in extended processing
  # options, but be sure you escape all % symbols with a backslash
  # to prevent problems writing out (i.e. \%c \%h )
  #
  #KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
  ###################
  # External Command#
  ###################
  # This is a command that is run when a host connects, it can be whatever
  # you want it to be (pager, etc.). This command is executed before the
  # route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
  # AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
  # and people can make scans appear out of thin air. The only time it
  # is reasonably safe (and I *never* think it is reasonable) to run
  # reverse probe scripts is when using the "classic" -tcp mode. This
  # mode requires a full connect and is very hard to spoof.
  #
  #KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
  #####################
  # Scan trigger value#
  #####################
  # Enter in the number of port connects you will allow before an
  # alarm is given. The default is 0 which will react immediately.
  # A value of 1 or 2 will reduce false alarms. Anything higher is
  # probably not necessary. This value must always be specified, but
  # generally can be left at 0.
  #
  # NOTE: If you are using the advanced detection option you need to
  # be careful that you don't make a hair trigger situation. Because
  # Advanced mode will react for *any* host connecting to a non-used port
  # below your specified range, you have the opportunity to really
  # break things. (i.e someone innocently tries to connect to you via
  # SSL [TCP port 443] and you immediately block them). Some of you
  # may even want this though. Just be careful.
  #
  SCAN_TRIGGER="0"
  ######################
  # Port Banner Section#
  ######################
  #
  # Enter text in here you want displayed to a person tripping the PortSentry.
  # I *don't* recommend taunting the person as this will aggravate them.
  # Leave this commented out to disable the feature
  #
  # Stealth scan detection modes don't use this feature
  #
  PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
  # EOF
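The configuration above says twice that a packet filter is the preferred way to block, and warns that $TARGET$ is substituted straight into a command line and that scans can be spoofed. As an added example (not from the page or the PortSentry project), here is a script to run as KILL_RUN_CMD with BLOCK_TCP="2" and BLOCK_UDP="2", so that PortSentry runs only this command and drops no route: it refuses anything that is not a well-formed IPv4 address, refuses addresses listed in portsentry.ignore, logs the decision to syslog, and then inserts a DROP rule. It assumes the firewall tool is /sbin/iptables (on RedHat 6.x the equivalent ipchains rule is "/sbin/ipchains -I input -s ADDR -j DENY -l"), that the ignore file is where this page installs it, and that DRY_RUN=1 prints the rule instead of inserting it; the script path /usr/psionic/portsentry/block.sh is an assumed name.

```shell
#!/bin/sh
# Added example, not from the page or the PortSentry project: a
# KILL_RUN_CMD wrapper that validates $TARGET$ and blocks via a packet
# filter. Assumptions: /sbin/iptables; the page's ignore-file path;
# DRY_RUN=1 prints instead of executing.

IGNORE_FILE="${IGNORE_FILE:-/usr/psionic/portsentry/portsentry.ignore}"
FIREWALL="${FIREWALL:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-0}"

# 0 only for a dotted quad with four octets in 0..255. PortSentry expands
# $TARGET$ into a shell command line, so anything else is refused outright.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# 0 if the address is listed (as a whole line) in portsentry.ignore, i.e.
# a host that must never be blocked, such as 127.0.0.1 or a local interface.
is_ignored() {
    [ -r "$IGNORE_FILE" ] && grep -qxF "$1" "$IGNORE_FILE"
}

# Log the decision to syslog, then insert a DROP rule for the source.
# Prints one word on stdout: refused, ignored, failed or blocked.
handle_scan() {
    target=$1; port=$2
    if ! valid_ipv4 "$target"; then
        logger -t portsentry-block "refused malformed target '$target'" 2>/dev/null || :
        echo refused; return 1
    fi
    if is_ignored "$target"; then
        logger -t portsentry-block "not blocking ignored host $target (port $port)" 2>/dev/null || :
        echo ignored; return 1
    fi
    logger -t portsentry-block "blocking $target after probe of port $port" 2>/dev/null || :
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $FIREWALL -I INPUT -s $target -j DROP" >&2
    else
        "$FIREWALL" -I INPUT -s "$target" -j DROP || { echo failed; return 1; }
    fi
    echo blocked
}

# PortSentry invokes the script as:  block.sh $TARGET$ $PORT$
# with  KILL_RUN_CMD="/usr/psionic/portsentry/block.sh $TARGET$ $PORT$"
if [ -n "${1:-}" ]; then
    handle_scan "$1" "${2:-unknown}"
fi
```

Keep the script mode 700 and owned by root, like portsentry.conf: it runs with PortSentry's privileges and anything that can edit it can run commands as root. The ignore check is the practical answer to the spoofing warning: an attacker who forges probes from your gateway's address still cannot make this script block the gateway.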

Now, for security reasons, we must check and change the file's permissions:

[root@deep /]# chmod 600 /usr/psionic/portsentry/portsentry.conf

Configuring the "/usr/psionic/portsentry/portsentry.ignore" file
  The "/usr/psionic/portsentry/portsentry.ignore" file lists the hosts PortSentry should ignore. It must contain at least localhost (127.0.0.1) and the IP addresses of the local interfaces. Finally, don't put the IP address of every machine on your network in this file.

Edit "portsentry.ignore" (vi /usr/psionic/portsentry/portsentry.ignore) and add any hosts you want PortSentry to ignore:

# Put hosts in here you never want blocked. This includes the IP addresses
  # of all local interfaces on the protected host (i.e virtual host, mult-home)
  # Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
  127.0.0.1
  0.0.0.0

Now change the file's default permissions:

[root@deep /]# chmod 600 /usr/psionic/portsentry/portsentry.ignore
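Since the text requires the addresses of all local interfaces in this file (a virtual host or multi-homed machine has several), here is an added example (not from the page or the PortSentry project) that builds portsentry.ignore from interface addresses rather than by hand. It assumes the addresses come from the output of "ip -o -4 addr show" (iproute2; on RedHat 6.x you would parse "ifconfig" instead), that extra hosts such as the default gateway or a monitoring box are passed as arguments, and SAMPLE_IP_ADDR is constructed input for the demonstration.

```shell
#!/bin/sh
# Added example, not from the page or the PortSentry project: generate
# portsentry.ignore from the local interface addresses. Assumptions:
# "ip -o -4 addr show" output on stdin; extra hosts as arguments;
# SAMPLE_IP_ADDR below is constructed, not captured from a real host.

SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.11/24 brd 192.168.1.255 scope global secondary eth0:1\       valid_lft forever preferred_lft forever'

# Read "ip -o -4 addr show" lines on stdin and print one ignore entry per
# line: 127.0.0.1 and 0.0.0.0 first (the page keeps both), then every
# interface address, then the extra hosts given as arguments, no duplicates.
ignore_entries() {
    {
        printf '127.0.0.1\n0.0.0.0\n'
        awk '$3 == "inet" { split($4, a, "/"); print a[1] }'
        for h in "$@"; do printf '%s\n' "$h"; done
    } | awk '!seen[$0]++'
}

# Write the file with the header comment from the page and the mode the
# page sets (600). Usage:
#   ip -o -4 addr show | write_ignore_file /usr/psionic/portsentry/portsentry.ignore 192.168.1.1
write_ignore_file() {
    out=$1; shift
    {
        echo '# Put hosts in here you never want blocked. This includes the IP addresses'
        echo '# of all local interfaces on the protected host (i.e virtual host, mult-home)'
        echo '# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.'
        ignore_entries "$@"
    } > "$out"
    chmod 600 "$out"
}

# Dry run on the constructed sample:
#   printf '%s\n' "$SAMPLE_IP_ADDR" | ignore_entries 192.168.1.1
```

Only addresses that are ever legitimately sent to the monitored ports belong here; listing the whole subnet, as the text warns, would let any compromised internal host scan the server unnoticed.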

Starting PortSentry
  PortSentry can be configured to run in six different modes, but each started instance runs in only one mode. The modes are:

- portsentry -tcp (basic port-bound TCP mode)

- portsentry -udp (basic port-bound UDP mode)

- portsentry -stcp (stealth TCP scan detection)

- portsentry -atcp (advanced stealth TCP scan detection)

- portsentry -sudp (stealth UDP scan detection)

- portsentry -audp (advanced stealth UDP scan detection)

I prefer the "advanced TCP stealth scan detection" and "advanced UDP stealth scan detection" modes. See the "README.install" and "README.stealth" files for details.

For TCP I choose:

-atcp - Advanced TCP stealth scan detection mode

With "-atcp" (advanced TCP stealth scan detection), PortSentry first checks which ports are in use on the server, removes them from the list and monitors only the remaining ports. This reacts very quickly to port scans and uses very little CPU time.

For UDP I choose:

-sudp - "Stealth" UDP scan detection mode

With "-sudp" (stealth UDP scan detection), the UDP ports listed in the configuration file are monitored.

Start PortSentry in both modes with the following commands:

[root@deep /]# /usr/psionic/portsentry/portsentry -atcp
  [root@deep /]# /usr/psionic/portsentry/portsentry -sudp

Note: you can add the lines above to the "/etc/rc.d/rc.local" script so that PortSentry starts automatically when the machine is rebooted.

Files installed on the system
  > /usr/psionic
  > /usr/psionic/portsentry
  > /usr/psionic/portsentry/portsentry.conf
  > /usr/psionic/portsentry/portsentry.ignore
  > /usr/psionic/portsentry/portsentry

Copyright
  This article is translated and adapted from Gerhard Mourani's "Securing and Optimizing Linux: RedHat Edition"; for the original text and its license see www.openna.com.

The Chinese version is copyright of the author brimmer and www.linuxaid.com.cn.



http://coctec.com/docs/security/show-post-73046.html