
PortSentry防止端口扫描

1、下载安装

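# Build and install PortSentry 1.2 from source.
# Run as root: `make install` places the program under /usr/local/psionic.
set -euo pipefail
cd /usr/local/src/
wget 'https://jaist.dl.sourceforge.net/project/sentrytools/portsentry%201.x/portsentry-1.2/portsentry-1.2.tar.gz'
# Check the tarball before compiling and installing it as root: compare this
# digest with the value published by the project (not reproduced on this page).
sha256sum portsentry-1.2.tar.gz
tar zxvf portsentry-1.2.tar.gz
cd portsentry_beta/
# Manual step: line 1584 of portsentry.c is wrapped across two lines in this
# release; join it back into a single line, otherwise `make linux` does not compile.
vim portsentry.c
make linux
make install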

2、配置

# Edit the main config written by `make install`; the keys worth reviewing follow.
vim /usr/local/psionic/portsentry/portsentry.conf

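# portsentry.conf — this file is read by PortSentry itself, not by a shell.
# $TARGET$ and $PORT$ are PortSentry's own placeholders (the scanner's address
# and the probed port), substituted when an action runs; they are not shell variables.

# Ports watched in the basic (-tcp / -udp) modes.
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
# Upper bound of the port range watched in the advanced (-atcp / -audp) modes.
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
# Ports left out of the advanced modes.
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"
# Allow-list of source addresses that are never blocked. Keep 127.0.0.1,
# 0.0.0.0, the default gateway, DNS servers and your management hosts in it:
# the blocking actions below trust the packet's source address, so a scan with
# a spoofed source would otherwise get that address locked out.
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
# History of every address that was blocked.
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
# Record of the addresses whose connections are blocked.
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
# Resolve scanner addresses to host names? 0 = no. Line kept verbatim; since
# PortSentry parses this file, shell assignment rules do not apply here.
RESOLVE_HOST = "0"
# Reaction to a detected scan: 0 = no action, 1 = block via the firewall /
# route and hosts.deny actions below, 2 = run KILL_RUN_CMD only.
BLOCK_UDP="1"
BLOCK_TCP="1"
# Number of hits from one address before reacting; 0 reacts on the first hit.
SCAN_TRIGGER="0"
# Blocking action. Keep exactly ONE KILL_ROUTE active: with two uncommented
# definitions it is up to PortSentry's config parser which one takes effect.
# Active variant: drop the scanner's traffic with iptables. The rule exists only
# in the running kernel and is gone after a reboot (the history file keeps the record).
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
# Alternative: black-hole the scanner through a bogus route. 333.444.555.666 is a
# placeholder, not a valid address — replace it before enabling this line.
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Additionally deny the address through TCP Wrappers (/etc/hosts.deny); this only
# affects services that honor hosts.deny.
KILL_HOSTS_DENY="ALL: $TARGET$"
# Optional external script, called with the scanner's address and the probed port.
# The path is a placeholder; leave this commented until it points at a real script.
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"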

3、启动

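# Start PortSentry. One invocation watches one protocol in one mode, so start
# exactly one TCP mode and one UDP mode rather than all six: the modes watch
# overlapping ports. The recommended advanced stealth modes are left active
# below; the others are kept as commented alternatives.
#
# Basic modes: bind the ports listed in TCP_PORTS / UDP_PORTS.
#/usr/local/psionic/portsentry/portsentry -tcp
#/usr/local/psionic/portsentry/portsentry -udp
#
# Stealth modes: watch the configured ports but log only, without answering,
# so the port never looks open to the scanner.
#/usr/local/psionic/portsentry/portsentry -stcp
#/usr/local/psionic/portsentry/portsentry -sudp
#
# Recommended — advanced stealth modes: pick the watched ports automatically,
# i.e. every port below ADVANCED_PORTS_TCP / ADVANCED_PORTS_UDP that is not in
# use when PortSentry starts. A service started afterwards on such a port would
# presumably still be treated as unused, so restart PortSentry after enabling one.
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -audp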

使用高级秘密扫描检测模式(Advanced Stealth Scan Detection Mode),PortSentry会自动检查服务器上正在运行的端口, 然后把这些端口从配置文件中移去, 只监控其它的端口。这个时候 portsentry 将监视1024以下,本机没有开放的端口。如果有人访问未开放的端口的话,执行相应的动作。

