Following is the how i use Portsentry to block port scan activities.
By default Portsentry detect and block given ip/ports, but it will not expire the Iptable rules after given time,here i have a script written to do that job as well.
#Port Sentry On ubuntu 12.04
apt-get install portsentry
#I use the following config entries for my setup
#######################Start of Config file entries################################
#######################
# Port Configurations #
#######################
#Under the Port Configurations first set is enabled.[comprehensive set]
TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
##################
# Ignore Options #
##################
BLOCK_UDP="1"
BLOCK_TCP="1"
###################
# Dropping Routes:#
###################
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
###################
# External Command#
###################
KILL_RUN_CMD_FIRST = "0"
#
#
KILL_RUN_CMD="/etc/portsentry/scripts/notify.sh $TARGET$ $PORT$ $MODE$"
#This script will notify when port scan trigger
#####################
# Scan trigger value#
#####################
SCAN_TRIGGER="2"
#######################End of Config file entries ################################
Below are the scripts used for Portsentry
#----------------------------------Notification script-----------------------------------------------------
##/etc/portsentry/scripts/notify.sh
#!/bin/bash
TARGET=$1
PORT=$2
MODE=$3
echo "Attack reported-${TARGET}- ${PORT} - ${MODE}" | mail -s 'Unauthorized Port scan Alert' email@address.com
------------------------------------------------------------------------------------------------------------
-----------Firewall rules expiration script------------------------------------------------------------------
#delete_fw_entries.sh
#This script is running as cronjob every 5 minutes
#!/bin/bash
BLOCKED_LIST_TCP="/var/lib/portsentry/portsentry.blocked.tcp"
BLOCKED_LIST_UDP="/var/lib/portsentry/portsentry.blocked.udp"
ECHO=/bin/echo
TOUCH=/usr/bin/touch
CAT=/bin/cat
AWK=/usr/bin/awk
DATE=/bin/date
EXPR=/usr/bin/expr
FW_EXPIRE_TIME=10 #Iptable rule expiration time in minutes
TR=/usr/bin/tr
CUT=/usr/bin/cut
IPTABLE=/sbin/iptables
SED=/bin/sed
#
#DO NOT CHANGE BELOW THIS LINE--------------------------------------------
#
get_time_diff() {
BLOCKED_TIME=$1
CURRENT_TIME=`${DATE} +%s`
TIME_DIFF_IN_SEC=`${EXPR} ${CURRENT_TIME} - ${BLOCKED_TIME}`
TIME_DIFF_IN_MIN=`${EXPR} ${TIME_DIFF_IN_SEC} / 60`
}
#Get the blocked list entries for processing
BLOCKED_LIST_TCP_ARRAY=(`${CAT} ${BLOCKED_LIST_TCP} | ${TR} -d " " |${TR} '\n' ' ' `)
BLOCKED_LIST_UDP_ARRAY=(`${CAT} ${BLOCKED_LIST_UDP} | ${TR} -d " " | ${TR} '\n' ' ' `)
#TCP
for i in "${BLOCKED_LIST_TCP_ARRAY[@]}"
do
BLOCKED_IP=`${ECHO} $i |${CUT} -d ":" -f4|${CUT} -d "/" -f1`
BLOCKED_TIME=`${ECHO} $i | ${CUT} -d "-" -f1`
get_time_diff ${BLOCKED_TIME}
echo "time$TIME_DIFF_IN_MIN"
echo "ip - ${BLOCKED_IP}"
if [ "${TIME_DIFF_IN_MIN}" -ge ${FW_EXPIRE_TIME} ];then
echo "need to flush"
${IPTABLE} -D INPUT -s ${BLOCKED_IP} -j DROP
#remove entry from block lidt file
${SED} -i "/${BLOCKED_TIME}/d" ${BLOCKED_LIST_TCP}
else
echo "wait and see"
fi
done
#UDP
for i in "${BLOCKED_LIST_UDP_ARRAY[@]}"
do
BLOCKED_IP=`${ECHO} $i |${CUT} -d ":" -f4|${CUT} -d "/" -f1`
BLOCKED_TIME=`${ECHO} $i | ${CUT} -d "-" -f1`
get_time_diff ${BLOCKED_TIME}
echo "time$TIME_DIFF_IN_MIN"
echo "ip - ${BLOCKED_IP}"
if [ "${TIME_DIFF_IN_MIN}" -ge ${FW_EXPIRE_TIME} ];then
echo "need to flush"
${IPTABLE} -D INPUT -s ${BLOCKED_IP} -j DROP
#remove entry from block lidt file
${SED} -i "/${BLOCKED_TIME}/d" ${BLOCKED_LIST_UDP}
else
echo "wait and see"
fi
done
------------------------------------------------------------------------------------------------------------
REF:-http://www.symantec.com/connect/articles/portsentry-attack-detection-part-one
REF:-http://www.symantec.com/connect/articles/portsentry-attack-detection-part-two
No comments:
Post a Comment