Настройка portsentry в Debian.

На главную

Настройка portsentry в Debian.



aptitude install portsentry

cat /etc/default/portsentry
# /etc/default/portsentry
#  
# This file is read by /etc/init.d/portsentry. See the portsentry.8 
# manpage for details.
#
# The options in this file refer to commandline arguments (all in lowercase)
# of portsentry. Use only one tcp and udp mode at a time.
#
TCP_MODE="tcp"
UDP_MODE="udp"


cat /etc/portsentry/portsentry.conf
#НИЖЕ НУЖНО УКАЗАТЬ TCP и UDP ПОРТЫ КОТОРЫЕ БУДЕТ СЛУШАТЬ portsentry --> http://ru.wikipedia.org/wiki/Список_портов_TCP_и_UDP
TCP_PORTS=""
UDP_PORTS=""

ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
ADVANCED_EXCLUDE_TCP=""
ADVANCED_EXCLUDE_UDP=""

IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/var/lib/portsentry/portsentry.history"
BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"

RESOLVE_HOST = "0"

BLOCK_UDP="1"
BLOCK_TCP="1"

KILL_ROUTE="/etc/portsentry/./portsentry.run $TARGET$ $MODE$ $PORT$"
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

KILL_RUN_CMD_FIRST = "0"


SCAN_TRIGGER="0"


chown root:root /etc/portsentry/portsentry.run
chmod 500 /etc/portsentry/portsentry.run


Cкрипт создает три файла:
общий(заносятся все хосты) - /etc/portsentry/portsentry_blocked_ip_all
заносятся хосты для блокирования на день - /etc/portsentry/portsentry_blocked_ip_day
заносятся хосты для блокирования на одну неделю - /etc/portsentry/portsentry_blocked_ip_week

cat /etc/portsentry/portsentry.run
#!/bin/bash
ip=$1
mode=$2
port=$3
dat=`date +%Y.%m.%d_%H:%M`;
dat2=`date +%d`;
dat3=`date +%V`;

ps axu|grep -i "portsentry.run"|grep -v grep >/dev/null 2>&1
REK=$?
if [ $REK = "0" ];then
sleep 2
fi

cat /etc/portsentry/portsentry_blocked_ip_day| while read line; do
q1=`echo "$line"|awk -F" " '{print $1}'`
q2=`echo "$line"|awk -F" " '{print $2}'`
if [ $dat2 != $q1 ]; then
sed -ie "/^.*$q2.*$/d" /firewall_portsentry
sed -ie "/^.*$q2.*$/d" /etc/portsentry/portsentry_blocked_ip_day
/sbin/iptables -t filter  -D INPUT -i eth0 -s $q2 -j LOG --log-level DEBUG --log-prefix 'Portsentry dropping:'
/sbin/iptables -t filter  -D INPUT -i eth0 -s $q2 -j DROP
/./firewall
fi
done

cat /etc/portsentry/portsentry_blocked_ip_week| while read line; do
q1=`echo "$line"|awk -F" " '{print $1}'`
q2=`echo "$line"|awk -F" " '{print $2}'`
if [ $dat3 != $q1 ]; then
sed -ie "/^.*$q2.*$/d" /firewall_portsentry
sed -ie "/^.*$q2.*$/d" /etc/portsentry/portsentry_blocked_ip_week
/sbin/iptables -t filter  -D INPUT -i eth0 -s $q2 -j LOG --log-level DEBUG --log-prefix 'Portsentry dropping:'
/sbin/iptables -t filter  -D INPUT -i eth0 -s $q2 -j DROP
/./firewall
fi
done

ipc=`cat /etc/portsentry/portsentry_blocked_ip_all |grep "$ip"`
REK=$?
if [ $REK = "0" ];then
echo "$dat3 $ip" >>/etc/portsentry/portsentry_blocked_ip_week
echo "$dat    $ip $mode $port week" >>/etc/portsentry/portsentry_blocked_ip_all
else
echo "$dat2 $ip" >>/etc/portsentry/portsentry_blocked_ip_day
echo "$dat    $ip $mode $port day" >>/etc/portsentry/portsentry_blocked_ip_all
fi


if [ ! -e /firewall_portsentry ]; then
#
echo "#!/bin/bash" >/firewall_portsentry
echo "iptables=/sbin/iptables" >>/firewall_portsentry
echo "" >>/firewall_portsentry
#
chown root:root /firewall_portsentry
chmod 700 /firewall_portsentry
else
chown root:root /firewall_portsentry
chmod 700 /firewall_portsentry
fi


echo "" >>/firewall_portsentry
echo "\$iptables -t filter  -A INPUT -i eth0 -s $ip -j LOG --log-level DEBUG --log-prefix 'Portsentry dropping:'" >>/firewall_portsentry
echo "\$iptables -t filter  -A INPUT -i eth0 -s $ip -j DROP" >>/firewall_portsentry
echo "" >>/firewall_portsentry
/./firewall


nsl=`nslookup "$ip" |grep 'name = '|awk '{print $4}'`;
ipt=`iptables -L -n -v|grep "Portsentry"|awk '{print $8}'`

/bin/echo -e "\nDATE = $dat\n\nHost = $ip\nHostname = $nsl\nMode = $mode\nPort = $port\n\n\n$ipt"| /usr/bin/mailx -s "Host blocked(portsentry): $ip" ВАШ_ЕМАЙЛ



Еще нужно добавить вызов скрипта /./firewall_portsentry в главный скрипт фаервола впереди разрешающих правил.


ЗЫ: Незабывайте открыть в фаерволе нужные порты.


Используемые материалы:
интернет

Автор: smeegul

  27.02.2012 18:14
  01.04.2014 15:52
  30.04.2014 12:50