herkule8, posted January 15, 2007 (edited)

Hello!

I installed the package portsentry-1.2-1.te.i386.rpm. I left the default configuration, i.e. the medium port range, and the protection type is atcp and audp. I select the protection type by hashing out the appropriate entries in the portsentry.modes file. As for autostarting portsentry, there is no problem: the daemon "made itself" automatically, apparently because I installed from an RPM package. The program is installed in /etc/portsentry.

In the configuration file /etc/portsentry/portsentry.conf I have the following entries regarding blocking, about which I have reservations:

KILL_ROUTE="iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$"

A clean log showing how portsentry starts up looks like this:

Jan 15 10:23:01 herkules portsentry[1703]: securityalert: PortSentry is shutting down
Jan 15 10:23:01 herkules portsentry[1703]: adminalert: PortSentry is shutting down
Jan 15 10:23:01 herkules portsentry[1701]: securityalert: PortSentry is shutting down
Jan 15 10:23:01 herkules portsentry[1701]: adminalert: PortSentry is shutting down
Jan 15 10:23:02 herkules kernel: audit(1168852982.301:4): avc: denied { read } for pid=1734 comm="ifconfig" name="[10767]" dev=pipefs ino=10767 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Jan 15 10:23:02 herkules kernel: audit(1168852982.305:5): avc: denied { write } for pid=1734 comm="ifconfig" name="[10768]" dev=pipefs ino=10768 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Jan 15 10:23:02 herkules portsentry[1749]: adminalert: PortSentry 1.2 is starting.
Jan 15 10:23:02 herkules portsentry[1750]: adminalert: Advanced mode will monitor first 1024 ports
Jan 15 10:23:02 herkules portsentry[1751]: adminalert: PortSentry 1.2 is starting.
Jan 15 10:23:02 herkules portsentry[1752]: adminalert: Advanced mode will monitor first 1024 ports
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 21
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 22
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 25
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 53
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 80
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 110
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 113
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 135
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 137
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 138
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 139
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced mode will manually exclude port: 443
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 22
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 21
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 22
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 25
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 53
Jan 15 10:23:03 herkules portsentry[1752]: adminalert: Advanced mode will manually exclude port: 520
Jan 15 10:23:03 herkules portsentry[1752]: adminalert: Advanced mode will manually exclude port: 517
Jan 15 10:23:03 herkules portsentry[1752]: adminalert: Advanced mode will manually exclude port: 518
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 80
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 110
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 113
Jan 15 10:23:03 herkules portsentry[1752]: adminalert: Advanced mode will manually exclude port: 513
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 135
Jan 15 10:23:03 herkules portsentry[1752]: adminalert: Advanced mode will manually exclude port: 138
Jan 15 10:23:04 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 137
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced mode will manually exclude port: 137
Jan 15 10:23:04 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 138
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced mode will manually exclude port: 123
Jan 15 10:23:04 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 139
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced mode will manually exclude port: 68
Jan 15 10:23:04 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 443
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced mode will manually exclude port: 67
Jan 15 10:23:04 herkules portsentry[1750]: adminalert: PortSentry is now active and listening.
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced mode will manually exclude port: 53
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 68
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 520
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 517
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 518
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 513
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 138
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 137
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 123
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 68
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 67
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 53
Jan 15 10:23:04 herkules portsentry[1752]: adminalert: PortSentry is now active and listening.
Jan 15 10:23:05 herkules kernel: Removing netfilter NETLINK layer.
Jan 15 10:23:06 herkules kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jan 15 10:23:07 herkules kernel: Netfilter messages via NETLINK v0.30.
Jan 15 10:23:07 herkules kernel: ip_conntrack version 2.4 (1536 buckets, 12288 max) - 228 bytes per conntrack

The above log is from after restarting portsentry (service portsentry restart). I'll add that my firewall has only 2 ports open (torrent); the rest are closed. I administer it remotely from a trusted network. I test it by having a buddy scan me with the PortScan program.

My question: why doesn't it work? This buddy of mine is not on any whitelist! PortSentry doesn't detect the scan at all. Just yesterday it was still detecting it, but I was getting a message along the lines of "port scan detected, but can't block the host".

Apart from that, I'm worried by this message, which appears in the logs and also on the console where you log in. I connected a monitor to the server, took a look, and what's this ..... . Ctrl+C interrupts it and only then can you log in.

Jan 15 10:23:02 herkules kernel: audit(1168852982.301:4): avc: denied { read } for pid=1734 comm="ifconfig" name="[10767]" dev=pipefs ino=10767 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Jan 15 10:23:02 herkules kernel: audit(1168852982.305:5): avc: denied { write } for pid=1734 comm="ifconfig" name="[10768]" dev=pipefs ino=10768 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

Does anyone have any ideas? I've been sitting on this for a few hours now...

Regards

PS Damn, why does it insert such huge CODEBOXES?
PS2: The system I set the server up on is Fedora Core 6, with the kernel untouched.

Edited January 15, 2007 by WalDo
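As an added example (not code from the poster or from the PortSentry project), a small Python helper that parses a syslog excerpt of the kind quoted above: it groups the PortSentry lines by PID (protocol, excluded ports, whether the daemon reached "active and listening", any scan reports, which PortSentry logs at the attackalert level) and pulls out SELinux AVC denials, since a denied helper command is the first thing to check when blocking fails. The sample lines are constructed from the post's log.

```python
import re
from collections import defaultdict
# Constructed sample shaped like the syslog excerpt quoted in the post: one
# SELinux AVC denial plus PortSentry start-up lines for two daemons.
SAMPLE_LOG = """\
Jan 15 10:23:02 herkules kernel: audit(1168852982.301:4): avc: denied { read } for pid=1734 comm="ifconfig" name="[10767]" dev=pipefs ino=10767 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Jan 15 10:23:02 herkules portsentry[1750]: adminalert: Advanced mode will monitor first 1024 ports
Jan 15 10:23:03 herkules portsentry[1750]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 22
Jan 15 10:23:03 herkules portsentry[1752]: adminalert: Advanced Stealth scan detection mode activated. Ignored UDP port: 53
Jan 15 10:23:04 herkules portsentry[1750]: adminalert: PortSentry is now active and listening.
"""
PS_RE = re.compile(r"portsentry\[(\d+)\]: (\w+): (.*)$")
IGNORED_RE = re.compile(r"Ignored (TCP|UDP) port: (\d+)")
AVC_RE = re.compile(r'avc: +denied +\{ (\w+) \}.*comm="([^"]+)".*'
                    r'scontext=(\S+) tcontext=(\S+)')

def summarize(log_text):
    """Per-PID PortSentry state plus every SELinux AVC denial in the excerpt."""
    daemons = defaultdict(lambda: {"proto": None, "ignored": set(),
                                   "active": False, "alerts": []})
    denials = []
    for line in log_text.splitlines():
        m = PS_RE.search(line)
        if m:
            pid, level, msg = int(m.group(1)), m.group(2), m.group(3)
            d, ig = daemons[pid], IGNORED_RE.search(msg)
            if ig:  # the "Ignored TCP/UDP port" lines also reveal the daemon's mode
                d["proto"] = ig.group(1)
                d["ignored"].add(int(ig.group(2)))
            elif "is now active and listening" in msg:
                d["active"] = True
            elif level == "attackalert":  # level PortSentry uses to report a scan
                d["alerts"].append(msg)
            continue
        a = AVC_RE.search(line)
        if a:
            denials.append({"perm": a.group(1), "comm": a.group(2),
                            "scontext": a.group(3), "tcontext": a.group(4)})
    return dict(daemons), denials

def findings(log_text):
    """Did PortSentry ever report a scan, and did SELinux deny a network tool?"""
    daemons, denials = summarize(log_text)
    out = []
    if not any(d["alerts"] for d in daemons.values()):
        out.append("no attackalert lines: PortSentry never reported a scan")
    for d in denials:  # KILL_ROUTE runs iptables, so a denial with comm="iptables" matters
        out.append(f"SELinux denied {d['perm']} for {d['comm']} "
                   f"({d['scontext']} on {d['tcontext']})")
    return out
```

In the posted log the denials belong to ifconfig started by cron (the target object is labelled crond_t), not to PortSentry's KILL_ROUTE command; the helper reports both contexts so that distinction is visible.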
@WalDo, posted January 15, 2007

> PS Damn, why does it insert such huge CODEBOXES?

[Off Topic] If the code is up to 10-12 lines, use the 'code' tag; only use 'codebox' for longer ones.