最近我们公司总是被恶意攻击。后面查看了LINUX下有免费的防恶意扫描软件PortSentry去解决了
1.安装portSentry
下裁portsentry-1.2.tar.gz
[root@tomcat135 ~]# tar zxvf portsentry-1.2.tar.gz
[root@tomcat135 ~]# cd portsentry_beta/
打开portsentry.c在1590行左右Copyright 1997-2003那行内容调整为一行,不然安装报警
1584 printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot
1585 sourceforget dot net>\n");
修改成
1584 printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");
[root@tomcat135 portsentry_beta]# make && make install
发现cp: 无法 stat “./portsentry”: 没有那个文件或目录
make: *** [install] 错误 1这问题,我们在一次make&& make install&& make linux
[root@tomcat135 portsentry_beta]# make linux
port Sentry的配置
[root@tomcat135 portsentry_beta]# vi /usr/local/psionic/portsentry/portsentry.conf
找到
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
可以把你所要监视的端口增加进去
启动portsentry的命令如下
[root@tomcat135 portsentry_beta]# /usr/local/psionic/portsentry/portsentry -atcp
查看日志
[root@tomcat135 portsentry_beta]# tail /var/log/messages
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced mode will manually exclude port: 139
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 22
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 25
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 80
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 111
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 631
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 637
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 113
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced Stealth scan detection mode activated. Ignored TCP port: 139
Jul 23 19:58:59 tomcat135 portsentry[11037]: adminalert: PortSentry is now active and listening.
如果被攻击的我们可以查看
[root@tomcat135 portsentry_beta]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
ALL: 216.99.158.196
ALL: 116.10.191.184
ALL: 65.111.161.35
ALL: 58.52.149.161
ALL: 137.175.69.43
ALL: 14.108.157.240
ALL: 198.13.104.182
ALL: 137.175.70.226
ALL: 119.36.79.10
ALL: 27.16.231.69
ALL: 137.175.9.239
ALL: 142.4.126.35
ALL: 112.125.18.175
ALL: 119.122.9.152
ALL: 218.77.79.43
ALL: 204.93.154.216
ALL: 42.120.145.6
ALL: 23.105.86.26
说明这些IP是恶意扫描的,被这软件自动增加到这里面去。