Portsentry

Aus Foxwiki
Version vom 12. November 2024, 18:40 Uhr von Dirkwagner (Diskussion | Beiträge) (Textersetzung - „== Syntax ==“ durch „== Aufruf ==“)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Subpages:

Portsentry - Daemon zum Erkennen von Portscans

Beschreibung

PortSentry kann Port-Scans (einschließlich verdeckter Scans) auf die Netzwerkschnittstellen Ihrer Maschine erkennen. Bei einem Alarm kann er den Angreifer über hosts.deny, entferntem Route-Eintrag oder per Firewall-Regel blockieren. Er ist Teil der Programmsuite Abacus.

Hinweis
Wenn Sie keine Ahnung haben, was ein (verdeckter) Portscan ist, wird ein Blick auf http://sf.net/projects/sentrytools/ empfohlen, bevor Sie dieses Paket installieren. Andernfalls könnten Sie Rechner blockieren, die Sie besser nicht blockieren sollten (z.B. Ihren NFS-Server, Nameserver, usw.).
PortSentry blockt standardmäßig nichts
  • Bitte beachten Sie, dass PortSentry standardmäßig keine Aktionen gegen potenzielle Angreifer durchführt.
  • Er schreibt nur Informationen nach /var/log/syslog.
  • Um dies zu ändern, passen Sie bitte die Datei /etc/portsentry/portsentry.conf entsprechend an.
Beachten Sie folgende Dateien
  • /etc/default/portsentry (Daemon Start-Optionen)
  • /etc/portsentry/portsentry.ignore.static (zu ignorierende Rechner/Schnittstellen)

Für weitere Informationen lesen Sie bitte die portsentry(8)- und portsentry.conf(5)-Handbuchseiten.

This manual page documents briefly the portsentry command. This manual page was written for the Debian GNU/Linux distribution because the original program does not have a manual page.

portsentry is a program that tries to detect portscans on network interfaces with the ability to detect stealth scans. On alarm portsentry can block the scanning machine via hosts.deny (see hosts_access(5), firewall rule (see ipfwadm(8), ipchains(8) and iptables(8)) or dropped route (see route(8)).

Installation

# apt install portsentry

Files

/etc/default
/etc/init.d/portsentry
/etc/portsentry/portsentry.conf
/etc/portsentry/portsentry.ignore.static
/etc/ppp/ip-down.d
/etc/ppp/ip-down.d/portsentry
/etc/ppp/ip-up.d
/etc/ppp/ip-up.d/portsentry
/usr/lib/portsentry/portsentry-add-ip
/usr/lib/portsentry/portsentry-build-ignore-file
/usr/lib/portsentry/portsentry-rm-ip
/usr/sbin/portsentry
/usr/share/doc/portsentry
/usr/share/doc/portsentry/CREDITS.gz
/usr/share/doc/portsentry/README.COMPAT
/usr/share/doc/portsentry/README.Debian
/usr/share/doc/portsentry/README.install.gz
/usr/share/doc/portsentry/README.methods.gz
/usr/share/doc/portsentry/README.stealth.gz
/usr/share/doc/portsentry/TODO.Debian
/usr/share/doc/portsentry/changelog.Debian.amd64.gz
/usr/share/doc/portsentry/changelog.Debian.gz
/usr/share/doc/portsentry/changelog.gz
/usr/share/doc/portsentry/copyright
/usr/share/doc/portsentry/examples/ignore.csh
/usr/share/doc/portsentry/examples/kill_cmd
/usr/share/doc/portsentry/examples/scan-detect
/usr/share/man/man5/portsentry.conf.5.gz
/usr/share/man/man8/portsentry.8.gz
/var
/var/lib
/var/lib/portsentry

Aufruf

portsentry [ -tcp | -stcp | -atcp ]
portsentry [ -udp | -sudp | -audp ]

Optionen

Option Beschreibung
-tcp tcp portscan detection on ports specified under TCP_PORTS in the config file /etc/portsentry/portsentry.conf.
-stcp As above but additionally detect stealth scans.
-atcp Advanced tcp or inverse mode. Portsentry binds to all unused ports below ADVANCED_PORTS_TCP given in the config file /etc/portsentry/portsentry.conf.
-udp udp portscan detection on ports specified under UDP_PORTS in the config file /etc/portsentry/portsentry.conf.
-sudp As above but additionally detect "stealth" scans.
-audp Advanced udp or inverse mode. Portsentry binds to all unused ports below ADVANCED_PORTS_UDP given in the config file /etc/portsentry/portsentry.conf.

For details on the various modes see /usr/share/doc/portsentry/README.install

Parameter

Umgebung

Rückgabewert

Anwendung

Dienstverwaltung

# systemctl status portsentry.service
● portsentry.service - LSB: # start and stop portsentry
     Loaded: loaded (/etc/init.d/portsentry; generated)
     Active: active (running) since Fri 2023-06-30 10:58:34 CEST; 1h 45min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 14255 ExecStart=/etc/init.d/portsentry start (code=exited, status=0/SUCCESS)
      Tasks: 2 (limit: 76987)
     Memory: 1.1M
        CPU: 71ms
     CGroup: /system.slice/portsentry.service
             ├─14266 /usr/sbin/portsentry -tcp
             └─14270 /usr/sbin/portsentry -udp

Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 34555
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 31335
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32770
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32771
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32772
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32773
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 32774
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 31337
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: Going into listen mode on UDP port: 54321
Jun 30 10:58:34 lincln02 portsentry[14270]: adminalert: PortSentry is now active and listening.


Problembehebung

Konfiguration

portsentry keeps all its configuration files in /etc/portsentry. portsentry.conf is portsentry's main configuration file. See portsentry.conf(5) for details.

The file portsentry.ignore contains a list of all hosts that are ignored, if they connect to a tripwired port. It should contain at least the localhost(127.0.0.1), 0.0.0.0 and the IP addresses of all local interfaces. You can ignore whole subnets by using a notation <IP Address>/<Netmask Bits>. It is *not* recommend putting in every machine IP on your network. It may be important for you to see who is connecting to you, even if it is a "friendly" machine. This can help you detect internal host compromises faster.

If you use the /etc/init.d/portsentry script to start the daemon, portsentry.ignore is rebuild on each start of the daemon using portsentry.ignore.static and all the IP addresses found on the machine via ifconfig.

/etc/default/portsentry specifies in which protocol modes portsentry should be startet from /etc/init.d/portsentry There are currently two options:

TCP_MODE= either tcp, stcp or atcp (see OPTIONS above).
UDP_MODE= either udp, sudp or audp (see OPTIONS above).

The options above correspond to portsentry's commandline arguments. For example TCP_MODE="atcp" has the same effect as to start portsentry using portsentry -atcp. Only one mode per protocol can be started at a time (i.e. one tcp and one udp mode).


Dateien

Option Beschreibung
/etc/portsentry/portsentry.conf main configuration file
/etc/portsentry/portsentry.ignore IP addresses to ignore
/etc/portsentry/portsentry.ignore.static static IP addresses to ignore
/etc/default/portsentry startup options
/etc/init.d/portsentry script responsible for starting and stopping the daemon
/var/lib/portsentry/portsentry.blocked.* blocked hosts(cleared upon reload)
/var/lib/portsentry/portsentry.history history file


Anhang

Siehe auch

Dokumentation

  1. /usr/share/doc/portsentry/README.install
RFC
Man-Page
  1. portsentry.conf(5)
  2. hosts_access(5)
  3. hosts_options(5)
  4. route(8)
  5. ipfwadm(8)
  6. ipchains(8)
  7. iptables(8)
  8. ifconfig(8)
Info-Pages

Links

Projekt
Weblinks
  1. https://www.computersecuritystudent.com/UNIX/UBUNTU/1204/lesson14/index.html
  2. https://etutorials.org/Linux+systems/red+hat+linux+bible+fedora+enterprise+edition/Part+III+Administering+Red+Hat+Linux/Chapter+14+Computer+Security+Issues/Guarding+Your+Computer+with+PortSentry/
  3. https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04-de