Portsentry: Unterschied zwischen den Versionen
K Textersetzung - „= Fehlerbehebung =“ durch „= Bekannte Probleme =“ |
K Textersetzung - „== Syntax ==“ durch „== Aufruf ==“ |
||
(2 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
Zeile 58: | Zeile 58: | ||
/var/lib/portsentry | /var/lib/portsentry | ||
== | == Aufruf == | ||
portsentry [ -tcp | -stcp | -atcp ] | portsentry [ -tcp | -stcp | -atcp ] | ||
portsentry [ -udp | -sudp | -audp ] | portsentry [ -udp | -sudp | -audp ] | ||
Zeile 112: | Zeile 112: | ||
=== | === Problembehebung === | ||
== Konfiguration == | == Konfiguration == | ||
Zeile 156: | Zeile 156: | ||
# /usr/share/doc/portsentry/README.install | # /usr/share/doc/portsentry/README.install | ||
===== RFC ===== | ===== RFC ===== | ||
===== Man- | ===== Man-Page ===== | ||
# portsentry.conf(5) | # portsentry.conf(5) | ||
# hosts_access(5) | # hosts_access(5) |
Aktuelle Version vom 12. November 2024, 18:40 Uhr
Portsentry - Daemon zum Erkennen von Portscans
Beschreibung
PortSentry kann Port-Scans (einschließlich verdeckter Scans) auf die Netzwerkschnittstellen Ihrer Maschine erkennen. Bei einem Alarm kann er den Angreifer über hosts.deny, entferntem Route-Eintrag oder per Firewall-Regel blockieren. Er ist Teil der Programmsuite Abacus.
- Hinweis
- Wenn Sie keine Ahnung haben, was ein (verdeckter) Portscan ist, wird ein Blick auf http://sf.net/projects/sentrytools/ empfohlen, bevor Sie dieses Paket installieren. Andernfalls könnten Sie Rechner blockieren, die Sie besser nicht blockieren sollten (z.B. Ihren NFS-Server, Nameserver, usw.).
- PortSentry blockt standardmäßig nichts
- Bitte beachten Sie, dass PortSentry standardmäßig keine Aktionen gegen potenzielle Angreifer durchführt.
- Er schreibt nur Informationen nach /var/log/syslog.
- Um dies zu ändern, passen Sie bitte die Datei /etc/portsentry/portsentry.conf entsprechend an.
- Beachten Sie folgende Dateien
- /etc/default/portsentry (Daemon Start-Optionen)
- /etc/portsentry/portsentry.ignore.static (zu ignorierende Rechner/Schnittstellen)
Für weitere Informationen lesen Sie bitte die portsentry(8)- und portsentry.conf(5)-Handbuchseiten.
This manual page documents briefly the portsentry command. This manual page was written for the Debian GNU/Linux distribution because the original program does not have a manual page.
portsentry is a program that tries to detect portscans on network interfaces with the ability to detect stealth scans. On alarm portsentry can block the scanning machine via hosts.deny (see hosts_access(5), firewall rule (see ipfwadm(8), ipchains(8) and iptables(8)) or dropped route (see route(8)).
Installation
# apt install portsentry
Files
/etc/default /etc/init.d/portsentry /etc/portsentry/portsentry.conf /etc/portsentry/portsentry.ignore.static /etc/ppp/ip-down.d /etc/ppp/ip-down.d/portsentry /etc/ppp/ip-up.d /etc/ppp/ip-up.d/portsentry /usr/lib/portsentry/portsentry-add-ip /usr/lib/portsentry/portsentry-build-ignore-file /usr/lib/portsentry/portsentry-rm-ip /usr/sbin/portsentry /usr/share/doc/portsentry /usr/share/doc/portsentry/CREDITS.gz /usr/share/doc/portsentry/README.COMPAT /usr/share/doc/portsentry/README.Debian /usr/share/doc/portsentry/README.install.gz /usr/share/doc/portsentry/README.methods.gz /usr/share/doc/portsentry/README.stealth.gz /usr/share/doc/portsentry/TODO.Debian /usr/share/doc/portsentry/changelog.Debian.amd64.gz /usr/share/doc/portsentry/changelog.Debian.gz /usr/share/doc/portsentry/changelog.gz /usr/share/doc/portsentry/copyright /usr/share/doc/portsentry/examples/ignore.csh /usr/share/doc/portsentry/examples/kill_cmd /usr/share/doc/portsentry/examples/scan-detect /usr/share/man/man5/portsentry.conf.5.gz /usr/share/man/man8/portsentry.8.gz /var /var/lib /var/lib/portsentry
Aufruf
portsentry [ -tcp | -stcp | -atcp ] portsentry [ -udp | -sudp | -audp ]
Optionen
Option | Beschreibung |
---|---|
-tcp | tcp portscan detection on ports specified under TCP_PORTS in the config file /etc/portsentry/portsentry.conf. |
-stcp | As above but additionally detect stealth scans. |
-atcp | Advanced tcp or inverse mode. Portsentry binds to all unused ports below ADVANCED_PORTS_TCP given in the config file /etc/portsentry/portsentry.conf. |
-udp | udp portscan detection on ports specified under UDP_PORTS in the config file /etc/portsentry/portsentry.conf. |
-sudp | As above but additionally detect "stealth" scans. |
-audp | Advanced udp or inverse mode. Portsentry binds to all unused ports below ADVANCED_PORTS_UDP given in the config file /etc/portsentry/portsentry.conf. |
For details on the various modes see /usr/share/doc/portsentry/README.install
Parameter
Umgebung
Rückgabewert
Anwendung
Dienstverwaltung
# systemctl status portsentry.service ● portsentry.service - LSB: # start and stop portsentry Loaded: loaded (/etc/init.d/portsentry; generated) Active: active (running) since Fri 2023-06-30 10:58:34 CEST; 1h 45min ago Docs: man:systemd-sysv-generator(8) Process: 14255 ExecStart=/etc/init.d/portsentry start (code=exited, status=0/SUCCESS) Tasks: 2 (limit: 76987) Memory: 1.1M CPU: 71ms CGroup: /system.slice/portsentry.service ├─14266 /usr/sbin/portsentry -tcp └─14270 /usr/sbin/portsentry -udp Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 34555 Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 31335 Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32770 Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32771 Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32772 Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32773 Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32774 Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 31337 Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 54321 Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: PortSentry is now active and listening.
Problembehebung
Konfiguration
portsentry keeps all its configuration files in /etc/portsentry. portsentry.conf is portsentry's main configuration file. See portsentry.conf(5) for details.
The file portsentry.ignore contains a list of all hosts that are ignored, if they connect to a tripwired port. It should contain at least the localhost(127.0.0.1), 0.0.0.0 and the IP addresses of all local interfaces. You can ignore whole subnets by using a notation <IP Address>/<Netmask Bits>. It is *not* recommend putting in every machine IP on your network. It may be important for you to see who is connecting to you, even if it is a "friendly" machine. This can help you detect internal host compromises faster.
If you use the /etc/init.d/portsentry script to start the daemon, portsentry.ignore is rebuild on each start of the daemon using portsentry.ignore.static and all the IP addresses found on the machine via ifconfig.
/etc/default/portsentry specifies in which protocol modes portsentry should be startet from /etc/init.d/portsentry There are currently two options:
TCP_MODE= either tcp, stcp or atcp (see OPTIONS above). UDP_MODE= either udp, sudp or audp (see OPTIONS above).
The options above correspond to portsentry's commandline arguments. For example TCP_MODE="atcp" has the same effect as to start portsentry using portsentry -atcp. Only one mode per protocol can be started at a time (i.e. one tcp and one udp mode).
Dateien
Option | Beschreibung |
---|---|
/etc/portsentry/portsentry.conf | main configuration file |
/etc/portsentry/portsentry.ignore | IP addresses to ignore |
/etc/portsentry/portsentry.ignore.static | static IP addresses to ignore |
/etc/default/portsentry | startup options |
/etc/init.d/portsentry | script responsible for starting and stopping the daemon |
/var/lib/portsentry/portsentry.blocked.* | blocked hosts(cleared upon reload) |
/var/lib/portsentry/portsentry.history | history file |
Anhang
Siehe auch
Dokumentation
- /usr/share/doc/portsentry/README.install
RFC
Man-Page
- portsentry.conf(5)
- hosts_access(5)
- hosts_options(5)
- route(8)
- ipfwadm(8)
- ipchains(8)
- iptables(8)
- ifconfig(8)
Info-Pages
Links
Projekt
Weblinks
- https://www.computersecuritystudent.com/UNIX/UBUNTU/1204/lesson14/index.html
- https://etutorials.org/Linux+systems/red+hat+linux+bible+fedora+enterprise+edition/Part+III+Administering+Red+Hat+Linux/Chapter+14+Computer+Security+Issues/Guarding+Your+Computer+with+PortSentry/
- https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04-de