After the adjustment we run make linux && make install again, and PortSentry installs successfully. Its install path is /usr/local/psionic/portsentry; output like the following indicates that the software was installed:

    Edit /usr/local/psionic/portsentry/portsentry.conf and change your settings if you haven't already. (route, etc)
    WARNING: This version and above now use a new directory structure for storing the program and config files (/usr/local/psionic/portsentry). Please make sure you delete the old files when the testing of this install is complete.
II. Configuring PortSentry
1. Editing the configuration file portsentry.conf
To do intrusion detection with PortSentry, you first give it a list of the ports to watch, together with the blocking response to take. Then the daemon is started to monitor those ports; as soon as someone is seen scanning them, the configured response is triggered to block that host.
(1) Setting the port list
The default port-related settings in portsentry.conf are shown below:
    # Un-comment these if you are really anal:
    #TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,636,1080,1424,2000,2001,[..]
    #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,[..]
    # Use these if you just want to be aware:
    TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,[..]
    UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
    # Use these for just bare-bones:
    #TCP_PORTS="1,11,15,110,111,143,540,635,180,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
    #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
You can selectively remove the leading "#" to enable one of the default lists, or write a new list for your own situation using the same format. The port list depends on the host's role: if the server is a Web server, the Web port must not be monitored; conversely, on an FTP server, monitoring the Web port is worthwhile.
(2) Files referenced in portsentry.conf
portsentry.conf sets up a number of files automatically; their purposes are as follows:
    # Hosts that are allowed to scan this server without being blocked
    IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
    # Historical record of the IP addresses of every host that has attacked
    HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
    # IP addresses of the hosts that have already been blocked from connecting
    BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
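Two checks worth running before starting the daemon, covering the port-list advice above (do not watch a port the host legitimately serves) and the file paths in this section: the script is an added example, not part of PortSentry or of the original article, and the config fragment, the install prefix and the list of served ports are constructed for illustration.

```shell
#!/bin/sh
# Constructed portsentry.conf fragment (assumption: mirrors the keys shown above).
PSCONF='TCP_PORTS="1,11,15,79,80,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"'

# Print the comma-separated list for a key (TCP_PORTS or UDP_PORTS), one port
# per line, skipping the commented-out alternatives.
ports_of() {  # $1 = key, $2 = config text
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=\"\([0-9,]*\)\".*/\1/p" | tr ',' '\n'
}

# Print every monitored port that the host also serves. PortSentry binds to
# each monitored port, so a collision either fails to bind or turns real
# clients of that service into "scanners" that get blocked.
conflicts() {  # $1 = key, $2 = config text, $3 = space-separated served ports
    for p in $(ports_of "$1" "$2"); do
        for s in $3; do
            [ "$p" = "$s" ] && echo "$p"
        done
    done
}

# Verify that every *_FILE path sits under the install directory; a misspelled
# directory would make the ignore list unreadable and the history unwritable.
paths_ok() {  # $1 = config text, $2 = expected install directory
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*[A-Z_]*_FILE="\([^"]*\)".*/\1/p' |
    while read -r f; do
        case "$f" in "$2"/*) ;; *) echo "bad path: $f"; return 1 ;; esac
    done
}

# Example run: a Web server serving 22, 80 and 443 (constructed).
conflicts TCP_PORTS "$PSCONF" "22 80 443"
paths_ok "$PSCONF" /usr/local/psionic/portsentry
```

Any port printed by conflicts should be removed from the monitored list for that host before the daemon is started.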
(3) Setting up route redirection
By configuring portsentry.conf you can add a bogus route entry that redirects the attacker's packets to an unreachable host, so the attacker gets no information back. The corresponding settings are:
    # Generic
    #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
    # Generic Linux
    KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
Different platforms use different route commands; just pick the one for your platform in the configuration file. My server is CentOS 5.5 x86_64, and the syntax above is the one for Linux machines. PortSentry is very user-friendly here: the file lists the matching setting for each operating system below, and we only need to follow the corresponding entry.