由 lin_lin13 在 06-25-2004 11:42 发表:
自动预防攻击的方法
各位朋友,我的网站经常被别人扫描,我想实现这样一种功能:在access_log中记录了一些地址,编写一个程序,分析出扫描我的地址,然后将其添加到一个文件,最后禁止这些ip地址再访问我的网站。不知能否实现?有着方面经验的朋友可以和我交流。或者您有什末高招将那些扫描你的IP禁止掉!知道她扫描咱,肯定没有好意,咱们可不能袖手旁观!!! 发贴 吧!朋友们共同出谋划策!!!
由 smile787 在 06-25-2004 11:46 发表:
建议兄弟开个防火墙,扫描有什么,这都是家常了。
没有做的话,给别人扫描到漏洞就不太妙!
由 lin_lin13 在 06-25-2004 11:56 发表:
我想他们经常用类似流光的黑客软件扫描我机器的漏洞,或者扫描我的端口,兄弟说说这个防火墙怎莫做,用iptables吗 ? 还是用别的??? 兄弟指点一下!
由 faint 在 06-25-2004 14:58 发表:
用iptables,然后再检测日志。然后给其ip DROP掉。
由 lin_lin13 在 06-25-2004 15:04 发表:
有没有自动的方法,我可不想手动来做!
由 faint 在 06-25-2004 15:16 发表:
自动的方法,用脚本吧。iptables本身就有一些防恶性扫描的规则。
由 faint 在 06-25-2004 15:22 发表:
以前看到一篇文章,好像叫“动态 iptables 防火墙".自己google找下吧。
由 lin_lin13 在 06-25-2004 15:42 发表:
谢谢这位仁兄!我一定把他搞定!!!
由 Snoopy 在 06-25-2004 22:25 发表:
用用portsentry看看
And then in the evening light, when the bars of freedom fall
I watch the two of you in the shadows on the wall
How in the darkness steals some of the choices from my hand
Then will I begin to under
由 lin_lin13 在 06-26-2004 05:56 发表:
能否提供这方面的资料!谢谢!
由 Snoopy 在 06-26-2004 17:38 发表:
Linux系统中PortSentry的安装和配置
概述
防火墙可以保护我们的网络免受攻击。我们可以选择打开哪些端口,关闭哪些端口。但是有些攻击者可以用端口扫描程序扫描服务器的所有端口来收集有用的信息(哪些端口打开,哪些关闭)。
下面是对PortSentry的介绍:
l 服务器被端口扫描是入侵的前兆。PortSentry被设计成实时地发现端口扫描并对端口扫描作出反应。一旦发现端口扫描,PortSentry做出的反应有:
l 通过syslog()函数给出一个日志消息
l 自动地把对服务器进行端口扫描的主机加到TCP-Wrappers的“/etc/hosts.deny”文件中
l 本地主机会自动把所有的信息流都从定向到一个不存在的主机
l 本地主机用包过滤程序把所有的数据包(来自对其进行端口扫描的主机)都过滤掉。
注意事项
下面所有的命令都是Unix兼容的命令。
源路径都为“/var/tmp”(当然在实际情况中也可以用其它路径)。
安装在RedHat Linux 6.1和6.2下测试通过。
要用“root”用户进行安装。
PortSentry的版本是1.0。
软件包的来源
PortSentry的主页: http://www.psionic.com/abacus/portsentry/。
下载:portsentry-1.0.tar.gz。
安装软件包需要注意的问题
最好在编译前和编译后都做一张系统中所有文件的列表,然后用“diff”命令去比较它们,找出其中的差别并知道到底把软件安装在哪里。只要简单地在编译之前运行一下命令“find /* >PortSentry1”,在编译和安装完软件之后运行命令“find /* > PortSentry2”,最后用命令“diff PortSentry1 PortSentry2 > PortSentry-Installed”找出变化。
解压软件包
把软件包(tar.gz)解压:
[root@deep /]# cp portsentry-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf portsentry-version.tar.gz
编译和优化
必须修改“Makefile”文件,设置PortSentry的安装路径、编译标记,还要根据你的系统进行优化。必须根据RedHat的文件系统结构来修改“Makefile”文件。
第一步
转到新的PortSentry目录。
编辑“Makefile”文件(vi Makefile)并改变下面这几行:
CC = cc
改为:
CC = egcs
CFLAGS = -O -Wall
改为:
CFLAGS = -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit -frame-pointer -fno-exceptions ?Wall
INSTALLDIR = /usr/local/psionic
改为:
INSTALLDIR = /usr/psionic
上面这些修改是为了把“Makefile”配置为使用“egcs”编译器,使用适应于我们系统的编译优化标记,并且把PortSentry安装到我们选择的目录。
第二步
因为我们不用“/usr/local/psionic”目录,我们必须“portsentry_config.h”头文件中PortSentry的配置。
编辑“portsentry_config.h”文件(vi portsentry_config.h)并改变下面这一行:
#define CONFIG_FILE "/usr/local/psionic/portsentry/portsentry.conf"
改为:
#define CONFIG_FILE "/usr/psionic/portsentry/portsentry.conf"
第三步
在系统中安装PortSentry。
[root@deep portsentry-1.0]# make linux
[root@deep portsentry-1.0]# make install
第三步
上面的命令配置软件,编译软件,最后把它安装到合适的目录中。
清除不必要的文件
用下面的命令删除不必要的文件:
[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf portsentry-version/ portsentry-version_tar.gz
“rm”命令删除所有编译和安装PortSentry所需要的源程序,并且把PortSentry软件的压缩包删除掉。
配置“/usr/psionic/portsentry/portsentry.conf”文件
“/usr/psionic/portsentry/portsentry.conf”是PortSentry的主要配置文件。你可设置需要监听的端口,需要禁止、监控的IP地址,等等。可以看PortSentry得“README.install”文件以获取更多的信息。
编辑“portsentry.conf”文件(vi /usr/psionic/portsentry.conf)并且根据需要做出改变:
PortSentry Configuration
$Id: portsentry.conf,v 1.13 1999/11/09 02:45:42 crowland Exp crowland $
IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
The default ports will catch a large number of common probes
All entries must be in quotes.
#######################
Port Configurations
#######################
Some example port configs for classic and basic Stealth modes
I like to always keep some ports at the "low" end of the spectrum.
This will detect a sequential port sweep really quickly and usually
these ports are not in use (i.e. tcpmux port 1)
** X-Windows Users **: If you are running X on your box, you need to be sure
you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
Doing so will prevent the X-client from starting properly.
These port bindings are ignored for Advanced Stealth Scan Detection Mode.
Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2
000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,4
0421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,3277
0,32771,32772,32773,32774,31337,54321"
Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32
771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,327
74,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
###########################################
Advanced Stealth Scan Detection Options
###########################################
This is the number of ports you want PortSentry to monitor in Advanced mode.
Any port below this number will be monitored. Right now it watches
everything below 1023.
On many Linux systems you cannot bind above port 61000. This is because
these ports are used as part of IP masquerading. I don't recommend you
bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
warned! Don't write me if you have have a problem because I'll only tell
you to RTFM and don't run above the first 1023 ports.
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
This field tells PortSentry what ports (besides listening daemons) to
ignore. This is helpful for services like ident that services such
as FTP, SMTP, and wrappers look for but you may not run (and probably
shouldn't IMHO).
By specifying ports here PortSentry will simply not respond to
incoming requests, in effect PortSentry treats them as if they are
actual bound daemons. The default ports are ones reported as
problematic false alarms and should probably be left alone for
all but the most isolated systems/networks.
Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
######################
Configuration Files#
######################
Hosts to ignore
IGNORE_FILE="/usr/psionic/portsentry/portsentry.ignore"
Hosts that have been denied (running history)
HISTORY_FILE="/usr/psionic/portsentry/portsentry.history"
Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/psionic/portsentry/portsentry.blocked"
###################
Response Options#
###################
Options to dispose of attacker. Each is an action that will
be run if an attack is detected. If you don't want a particular
option then comment it out and it will be skipped.
The variable $TARGET$ will be substituted with the target attacking
host when an attack is detected. The variable $PORT$ will be substituted
with the port that was scanned.
##################
Ignore Options
##################
These options allow you to enable automatic response
options for UDP/TCP. This is useful if you just want
warnings for connections, but don't want to react for
a particular protocol (i.e. you want to block TCP, but
not UDP). To prevent a possible Denial of service attack
against UDP and stealth scan detection for TCP, you may
want to disable blocking, but leave the warning enabled.
I personally would wait for this to become a problem before
doing though as most attackers really aren't doing this.
The third option allows you to run just the external command
in case of a scan to have a pager script or such execute
but not drop the route. This may be useful for some admins
who want to block TCP, but only want pager/e-mail warnings
on UDP, etc.
0 = Do not block UDP/TCP scans.
1 = Block UDP/TCP scans.
2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP="1"
BLOCK_TCP="1"
###################
Dropping Routes:#
###################
This command is used to drop the route or add the host into
a local filter table.
The gateway (333.444.555.666) should ideally be a dead host on
the local subnet. On some hosts you can also point this at
localhost (127.0.0.1) and get the same effect. NOTE THAT
333.444.555.66 WILL NOT WORK. YOU NEED TO CHANGE IT!!
All KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
uncomment the correct line for your OS. If you OS is not listed
here and you have a route drop command that works then please
mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
NOTE: The route commands are the least optimal way of blocking
and do not provide complete protection against UDP attacks and
will still generate alarms for both UDP and stealth scans. I
always recommend you use a packet filter because they are made
for this purpose.
Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
Newer versions of Linux support the reject flag now. This
is cleaner than the above option.
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
Using a packet filter is the preferred method. The below lines
work well on many OS's. Remember, you can only uncomment one
KILL_ROUTE option.
###############
TCP Wrappers#
###############
This text will be dropped into the hosts.deny file for wrappers
to use. There are two formats for TCP wrappers:
Format One: Old Style - The default when extended host processing
options are not enabled.
KILL_HOSTS_DENY="ALL: $TARGET$"
Format Two: New Style - The format used when extended option
processing is enabled. You can drop in extended processing
options, but be sure you escape all '%' symbols with a backslash
to prevent problems writing out (i.e. %c %h )
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
###################
External Command#
###################
This is a command that is run when a host connects, it can be whatever
you want it to be (pager, etc.). This command is executed before the
route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
AGAINST THE HOST SCANNING YOU. TCP/IP is an unauthenticated protocol
and people can make scans appear out of thin air. The only time it
is reasonably safe (and I never think it is reasonable) to run
reverse probe scripts is when using the "classic" -tcp mode. This
mode requires a full connect and is very hard to spoof.
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
#####################
Scan trigger value#
#####################
Enter in the number of port connects you will allow before an
alarm is given. The default is 0 which will react immediately.
A value of 1 or 2 will reduce false alarms. Anything higher is
probably not necessary. This value must always be specified, but
generally can be left at 0.
NOTE: If you are using the advanced detection option you need to
be careful that you don't make a hair trigger situation. Because
Advanced mode will react for any host connecting to a non-used
below your specified range, you have the opportunity to really
break things. (i.e someone innocently tries to connect to you via
SSL [TCP port 443] and you immediately block them). Some of you
may even want this though. Just be careful.
SCAN_TRIGGER="0"
######################
Port Banner Section#
######################
Enter text in here you want displayed to a person tripping the PortSentry.
I don't recommend taunting the person as this will aggravate them.
Leave this commented out to disable the feature
Stealth scan detection modes don't use this feature
PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS
BEEN LOGGED. GO AWAY."
EOF
现在,因为安全方面的原因,我们必须检查和改变文件的权限:
[root@deep /]# chmod 600 /usr/psionic/portsentry/portsentry.conf
配置“/usr/psionic/portsentry/portsentry.ignore”文件
在“/usr/psionic/portsentry/portsentry.ignore”文件中设置希望PortSentry忽略的主机。这个文件中至少要包括localhost(127.0.0.1)和本地界面(lo)的IP。最后不要把网络中所有文件的IP都放在这个文件中。
编辑“portsentry.ignore”文件(vi /usr/psionic/portsentry.ignore)加入任何呢你想让PortSentr