Portsentry

From Foxwiki

Portsentry - daemon for detecting port scans

Description

PortSentry can detect port scans (including stealth scans) against your machine's network interfaces. On alarm it can block the attacker via hosts.deny, a dropped route entry or a firewall rule. It is part of the Abacus program suite.

Note
If you do not know what a (stealth) port scan is, have a look at http://sf.net/projects/sentrytools/ before you install this package. Otherwise you may end up blocking machines you would rather not block (e.g. your NFS server, name server, etc.).
PortSentry blocks nothing by default
  • Note that by default PortSentry takes no action against potential attackers.
  • It only writes information to /var/log/syslog.
  • To change this, adjust /etc/portsentry/portsentry.conf accordingly.
Note the following files
  • /etc/default/portsentry (daemon start options)
  • /etc/portsentry/portsentry.ignore.static (hosts/interfaces to ignore)

For further information read the portsentry(8) and portsentry.conf(5) manual pages.
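Because the shipped configuration only logs, the first thing to check before trusting PortSentry as a blocker is what an alarm would actually do. The shell functions below are an added example (not code from this page or from the portsentry project): they read a portsentry.conf and report the effective action per protocol. The three configuration files are constructed here; the directive names BLOCK_TCP, BLOCK_UDP, KILL_ROUTE, KILL_HOSTS_DENY and KILL_RUN_CMD and their 0/1/2 meaning are assumed from portsentry.conf(5), and the result labels are this example's own.

```shell
#!/bin/sh
# Added example, not the project's code. Reads a portsentry.conf and reports
# what happens on an alarm. Assumed semantics (from portsentry.conf(5)):
#   BLOCK_TCP / BLOCK_UDP  0 = log only, 1 = block via KILL_ROUTE and/or
#                          KILL_HOSTS_DENY, 2 = run KILL_RUN_CMD only.

# conf_get FILE KEY -> value of the last active KEY="value" line (empty if unset).
# Commented-out lines ("#KEY=...") are ignored; trailing comments are not supported.
conf_get() {
    sed -n 's/^[[:space:]]*'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# effective_action FILE PROTO -> log-only | block | run-cmd-only | no-kill-method | no-run-cmd | invalid
# PROTO is TCP or UDP. An unset BLOCK_* directive is treated as 0, i.e. log only.
effective_action() {
    mode=$(conf_get "$1" "BLOCK_$2")
    case "${mode:-0}" in
        0) echo log-only ;;
        1)  # blocking requested: without a kill method nothing would be blocked
            if [ -n "$(conf_get "$1" KILL_ROUTE)" ] || [ -n "$(conf_get "$1" KILL_HOSTS_DENY)" ]; then
                echo block
            else
                echo no-kill-method
            fi ;;
        2)  # external command only, e.g. a custom script that pages an admin
            if [ -n "$(conf_get "$1" KILL_RUN_CMD)" ]; then echo run-cmd-only; else echo no-run-cmd; fi ;;
        *) echo invalid ;;
    esac
}

tmp=$(mktemp -d)

# Constructed sample 1: log-only configuration, as the package ships (other directives omitted).
# $TARGET$ is portsentry's placeholder for the scanning host.
cat > "$tmp/default.conf" <<'EOF'
BLOCK_UDP="0"
BLOCK_TCP="0"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
EOF

# Constructed sample 2: blocking enabled with an iptables drop rule and hosts.deny.
cat > "$tmp/block.conf" <<'EOF'
BLOCK_UDP="1"
BLOCK_TCP="1"
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
EOF

# Constructed sample 3: blocking "enabled" but every kill method commented out.
cat > "$tmp/broken.conf" <<'EOF'
BLOCK_TCP="1"
#KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
EOF

for f in default.conf block.conf broken.conf; do
    echo "$f: TCP=$(effective_action "$tmp/$f" TCP) UDP=$(effective_action "$tmp/$f" UDP)"
done
```

Run it against the real file with `effective_action /etc/portsentry/portsentry.conf TCP` before enabling blocking, and only switch BLOCK_* to 1 once portsentry.ignore covers the hosts named in the note above (NFS server, name server); an iptables DROP against the name server is a self-inflicted outage.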

This manual page documents briefly the portsentry command. This manual page was written for the Debian GNU/Linux distribution because the original program does not have a manual page.

portsentry is a program that tries to detect port scans on network interfaces, with the ability to detect stealth scans. On alarm portsentry can block the scanning machine via hosts.deny (see hosts_access(5)), a firewall rule (see ipfwadm(8), ipchains(8) and iptables(8)) or a dropped route (see route(8)).

Installation

# apt install portsentry

Files

/etc/default
/etc/init.d/portsentry
/etc/portsentry/portsentry.conf
/etc/portsentry/portsentry.ignore.static
/etc/ppp/ip-down.d
/etc/ppp/ip-down.d/portsentry
/etc/ppp/ip-up.d
/etc/ppp/ip-up.d/portsentry
/usr/lib/portsentry/portsentry-add-ip
/usr/lib/portsentry/portsentry-build-ignore-file
/usr/lib/portsentry/portsentry-rm-ip
/usr/sbin/portsentry
/usr/share/doc/portsentry
/usr/share/doc/portsentry/CREDITS.gz
/usr/share/doc/portsentry/README.COMPAT
/usr/share/doc/portsentry/README.Debian
/usr/share/doc/portsentry/README.install.gz
/usr/share/doc/portsentry/README.methods.gz
/usr/share/doc/portsentry/README.stealth.gz
/usr/share/doc/portsentry/TODO.Debian
/usr/share/doc/portsentry/changelog.Debian.amd64.gz
/usr/share/doc/portsentry/changelog.Debian.gz
/usr/share/doc/portsentry/changelog.gz
/usr/share/doc/portsentry/copyright
/usr/share/doc/portsentry/examples/ignore.csh
/usr/share/doc/portsentry/examples/kill_cmd
/usr/share/doc/portsentry/examples/scan-detect
/usr/share/man/man5/portsentry.conf.5.gz
/usr/share/man/man8/portsentry.8.gz
/var
/var/lib
/var/lib/portsentry

Syntax

portsentry [ -tcp | -stcp | -atcp ]
portsentry [ -udp | -sudp | -audp ]

Options

Option Description
-tcp TCP port scan detection on the ports listed under TCP_PORTS in the config file /etc/portsentry/portsentry.conf.
-stcp As above, but additionally detects stealth scans.
-atcp Advanced TCP or inverse mode. Portsentry binds to all unused ports below ADVANCED_PORTS_TCP given in the config file /etc/portsentry/portsentry.conf.
-udp UDP port scan detection on the ports listed under UDP_PORTS in the config file /etc/portsentry/portsentry.conf.
-sudp As above, but additionally detects "stealth" scans.
-audp Advanced UDP or inverse mode. Portsentry binds to all unused ports below ADVANCED_PORTS_UDP given in the config file /etc/portsentry/portsentry.conf.

For details on the various modes see /usr/share/doc/portsentry/README.install
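In advanced mode the set of tripwire ports is not listed anywhere; it is whatever is below ADVANCED_PORTS_TCP, not in use when the daemon starts, and not listed in ADVANCED_EXCLUDE_TCP (ports such as ident or netbios-ssn that receive legitimate unsolicited connects and would otherwise cause false alarms). The shell functions below are an added example, not part of this page or of portsentry; they compute that set from a config fragment and a snapshot of listening sockets. The directive names are assumed from portsentry.conf(5), and both the config and the `ss -Hltn` style lines are constructed.

```shell
#!/bin/sh
# Added example, not part of portsentry. Computes which TCP ports advanced mode
# (-atcp) would treat as tripwires: every port from 1 up to ADVANCED_PORTS_TCP
# that is neither in use at startup nor listed in ADVANCED_EXCLUDE_TCP.
# Directive names assumed from portsentry.conf(5).

# conf_get FILE KEY -> value of the last active KEY="value" line (empty if unset)
conf_get() {
    sed -n 's/^[[:space:]]*'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# listening_tcp_ports FILE -> sorted unique local ports from `ss -Hltn` style lines
# (column 4 is Local Address:Port; IPv6 entries look like [::]:22).
listening_tcp_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' "$1" | sort -un
}

# advanced_tcp_ports CONF LISTENFILE -> tripwire ports, ascending, one per line.
# An unset ADVANCED_PORTS_TCP falls back to 1024 (this example's choice).
advanced_tcp_ports() {
    max=$(conf_get "$1" ADVANCED_PORTS_TCP)
    excl=$(conf_get "$1" ADVANCED_EXCLUDE_TCP)
    { listening_tcp_ports "$2"; printf '%s\n' "$excl" | tr ',' '\n'; } \
        | awk -v max="${max:-1024}" '
            NF { skip[$1 + 0] = 1 }
            END { for (p = 1; p <= max; p++) if (!(p in skip)) print p }'
}

tmp=$(mktemp -d)

# Constructed config fragment: monitor below 1024, never alarm on ident (113) and netbios-ssn (139).
cat > "$tmp/portsentry.conf" <<'EOF'
ADVANCED_PORTS_TCP="1024"
ADVANCED_EXCLUDE_TCP="113,139"
EOF

# Constructed snapshot of listening sockets, in the shape of `ss -Hltn` output.
cat > "$tmp/listen" <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:80 *:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
EOF

echo "in use: $(listening_tcp_ports "$tmp/listen" | tr '\n' ' ')"
echo "tripwire ports: $(advanced_tcp_ports "$tmp/portsentry.conf" "$tmp/listen" | wc -l)"
```

On a live host, feed it `ss -Hltn > listen` taken just before the daemon starts; if a port you expect to be ignored shows up in the output, it belongs in ADVANCED_EXCLUDE_TCP, or the service that normally owns it was not yet running when the snapshot was taken.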

Parameters

Environment variables

Exit status

Usage

Service management

# systemctl status portsentry.service
● portsentry.service - LSB: # start and stop portsentry
     Loaded: loaded (/etc/init.d/portsentry; generated)
     Active: active (running) since Fri 2023-06-30 10:58:34 CEST; 1h 45min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 14255 ExecStart=/etc/init.d/portsentry start (code=exited, status=0/SUCCESS)
      Tasks: 2 (limit: 76987)
     Memory: 1.1M
        CPU: 71ms
     CGroup: /system.slice/portsentry.service
             ├─14266 /usr/sbin/portsentry -tcp
             └─14270 /usr/sbin/portsentry -udp

Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 34555
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 31335
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32770
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32771
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32772
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32773
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32774
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 31337
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 54321
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: PortSentry is now active and listening.


Troubleshooting

Configuration

portsentry keeps all its configuration files in /etc/portsentry. portsentry.conf is portsentry's main configuration file. See portsentry.conf(5) for details.

The file portsentry.ignore contains a list of all hosts that are ignored if they connect to a tripwired port. It should contain at least localhost (127.0.0.1), 0.0.0.0 and the IP addresses of all local interfaces. You can ignore whole subnets by using the notation <IP Address>/<Netmask Bits>. It is *not* recommended to put the IP of every machine on your network in this file. It may be important for you to see who is connecting to you, even if it is a "friendly" machine. This can help you detect internal host compromises faster.

If you use the /etc/init.d/portsentry script to start the daemon, portsentry.ignore is rebuilt on each start of the daemon from portsentry.ignore.static and all the IP addresses found on the machine via ifconfig.
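The rebuild step described above, as an added shell example (it is not Debian's portsentry-build-ignore-file script): merge portsentry.ignore.static with the machine's own addresses into portsentry.ignore, and refuse to write the file when an entry is malformed or the mandatory entries 127.0.0.1 and 0.0.0.0 are missing, since a silently truncated ignore file is exactly how a name server ends up blocked. The static file and the address list are constructed; on a real host the addresses would come from `ip -4 -o addr show`, which the local_ipv4_addrs helper assumes is available (the Debian script uses ifconfig instead).

```shell
#!/bin/sh
# Added example, not Debian's /usr/lib/portsentry/portsentry-build-ignore-file.
# Rebuilds portsentry.ignore from portsentry.ignore.static plus local addresses.

# local_ipv4_addrs -> this host's IPv4 addresses, one per line, prefix length removed.
# Assumes iproute2 is installed; Debian's own script parses ifconfig(8) output instead.
local_ipv4_addrs() {
    ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# valid_entry ENTRY -> true for a dotted IPv4 address or <IP Address>/<Netmask Bits>
# (shape only; octet and prefix ranges are not checked).
valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# build_ignore_file STATIC ADDRS OUT
#   STATIC: portsentry.ignore.static (# comments and blank lines allowed)
#   ADDRS:  file with one local address per line (e.g. local_ipv4_addrs output)
#   OUT:    portsentry.ignore to write
# Returns 1 and leaves OUT untouched if an entry is malformed or a mandatory entry is missing.
build_ignore_file() {
    static=$1; addrs=$2; out=$3
    tmpf=$(mktemp)
    # strip comments and whitespace, merge both lists, drop duplicates keeping first occurrence
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$static" "$addrs" \
        | grep -v '^$' | awk '!seen[$0]++' > "$tmpf"
    while read -r entry; do
        if ! valid_entry "$entry"; then
            echo "build_ignore_file: malformed entry '$entry' in $static or $addrs" >&2
            rm -f "$tmpf"; return 1
        fi
    done < "$tmpf"
    for must in 127.0.0.1 0.0.0.0; do
        if ! grep -Fqx "$must" "$tmpf"; then
            echo "build_ignore_file: mandatory entry $must missing" >&2
            rm -f "$tmpf"; return 1
        fi
    done
    mv "$tmpf" "$out"
}

tmp=$(mktemp -d)

# Constructed portsentry.ignore.static: mandatory entries plus the hosts you must
# never block (the name server) and one whole subnet in CIDR notation.
cat > "$tmp/portsentry.ignore.static" <<'EOF'
# mandatory
127.0.0.1
0.0.0.0
192.168.10.53    # internal name server
10.0.0.0/8       # management network
EOF

# Constructed address list standing in for local_ipv4_addrs on this host.
cat > "$tmp/addrs" <<'EOF'
127.0.0.1
192.168.10.20
EOF

# Constructed static file with 0.0.0.0 missing: must be rejected, not silently written.
grep -v '^0\.0\.0\.0$' "$tmp/portsentry.ignore.static" > "$tmp/bad.static"

if build_ignore_file "$tmp/portsentry.ignore.static" "$tmp/addrs" "$tmp/portsentry.ignore"; then
    cat "$tmp/portsentry.ignore"
fi
```

The merged file keeps the static entries first and deduplicates 127.0.0.1, which appears in both inputs. Keep the ignore list to the hosts whose loss would hurt (name server, NFS server, monitoring) rather than the whole LAN, for the reason given above: a scan from a "friendly" internal machine is often the first sign that it has been compromised.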

/etc/default/portsentry specifies in which protocol modes portsentry should be started from /etc/init.d/portsentry. There are currently two options:

TCP_MODE= either tcp, stcp or atcp (see Options above).
UDP_MODE= either udp, sudp or audp (see Options above).

The options above correspond to portsentry's command-line arguments. For example, TCP_MODE="atcp" has the same effect as starting portsentry with portsentry -atcp. Only one mode per protocol can be started at a time (i.e. one TCP and one UDP mode).


Files

File Description
/etc/portsentry/portsentry.conf main configuration file
/etc/portsentry/portsentry.ignore IP addresses to ignore
/etc/portsentry/portsentry.ignore.static static IP addresses to ignore
/etc/default/portsentry startup options
/etc/init.d/portsentry script responsible for starting and stopping the daemon
/var/lib/portsentry/portsentry.blocked.* blocked hosts (cleared upon reload)
/var/lib/portsentry/portsentry.history history file


Appendix

See also

Documentation

  1. /usr/share/doc/portsentry/README.install
RFC
Man-Pages
  1. portsentry.conf(5)
  2. hosts_access(5)
  3. hosts_options(5)
  4. route(8)
  5. ipfwadm(8)
  6. ipchains(8)
  7. iptables(8)
  8. ifconfig(8)
Info-Pages

Links

Project
Web links
  1. https://www.computersecuritystudent.com/UNIX/UBUNTU/1204/lesson14/index.html
  2. https://etutorials.org/Linux+systems/red+hat+linux+bible+fedora+enterprise+edition/Part+III+Administering+Red+Hat+Linux/Chapter+14+Computer+Security+Issues/Guarding+Your+Computer+with+PortSentry/
  3. https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04-de