LINUX下防恶意扫描软件PortSentry

最近我们公司总是被恶意攻击。后面查看了LINUX下有免费的防恶意扫描软件PortSentry去解决了

1.安装portSentry

下裁portsentry-1.2.tar.gz

[root@tomcat135 ~]# tar zxvf portsentry-1.2.tar.gz

[root@tomcat135 ~]# cd portsentry_beta/

打开portsentry.c在1590行左右Copyright 1997-2003那行内容调整为一行，不然安装报警

  1584   printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot

   1585 sourceforget dot net>\n");

修改成

1584 printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");

[root@tomcat135 portsentry_beta]# make && make install

发现cp: 无法 stat “./portsentry”: 没有那个文件或目录

make: *** [install] 错误 1这问题，我们在一次make&& make install&& make linux

[root@tomcat135 portsentry_beta]# make linux

port Sentry的配置

[root@tomcat135 portsentry_beta]# vi /usr/local/psionic/portsentry/portsentry.conf

找到

# Use these if you just want to be aware:

TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"

UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"

可以把你所要监视的端口增加进去

启动portsentry的命令如下

[root@tomcat135 portsentry_beta]# /usr/local/psionic/portsentry/portsentry -atcp

查看日志

[root@tomcat135 portsentry_beta]# tail /var/log/messages

Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced mode will manually exclude port: 139

Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 22

Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 25

Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 80

Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 111

Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 631

Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 637

Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 113

Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 139

Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: PortSentry is now active and listening.

如果被攻击的我们可以查看

[root@tomcat135 portsentry_beta]# cat /etc/hosts.deny

#

# hosts.deny    This file contains access rules which are used to

#                deny connections to network services that either use

#                the tcp_wrappers library or that have been

#                started through a tcp_wrappers-enabled xinetd.

#

#                The rules in this file can also be set up in

#                /etc/hosts.allow with a 'deny' option instead.

#

#                See 'man 5 hosts_options' and 'man 5 hosts_access'

#                for information on rule syntax.

#                See 'man tcpd' for information on tcp_wrappers

#

ALL: 216.99.158.196

ALL: 116.10.191.184

ALL: 65.111.161.35

ALL: 58.52.149.161

ALL: 137.175.69.43

ALL: 14.108.157.240

ALL: 198.13.104.182

ALL: 137.175.70.226

ALL: 119.36.79.10

ALL: 27.16.231.69

ALL: 137.175.9.239

ALL: 142.4.126.35

ALL: 112.125.18.175

ALL: 119.122.9.152

ALL: 218.77.79.43

ALL: 204.93.154.216

ALL: 42.120.145.6

ALL: 23.105.86.26

说明这些IP是恶意扫描的，被这软件自动增加到这里面去。

本文转自 jxzhfei  51CTO博客，原文链接:http://blog.51cto.com/jxzhfei/1444740