Detectar y bloquear escaneos: portsentry

Por Paco Aldarias Raya

Impreso: Jun 13, 2004

Contents

1  Introducción

2  Instalación

apt-get install portsentry

dpkg -l | grep portsentry
ii  portsentry     1.2-4          Portscan detection daemon

3  Ficheros de configuración: /etc/portsentry/portsentry.ignore

4  Ficheros de configuración: /etc/portsentry/portsentry.conf

/etc/init.d/portsentry restart

5  Script portsentry.sh

KILL_RUN_CMD="/root/portsentry.sh $TARGET$"

d1=/var/log/portsentry/$1.txt
d2=/var/log/portsentryh.txt
d=/var/log/portsentry.txt
lee 'Ataque Ataque Ataque por '  $1 'ya le mano un email'

# Sino se ha escaneado antes
#if  [ ! -d $d1 ];  then
echo '**********************************' >> $d1
echo $1 - $(date +%d-%m-%Y-%H:%M) >> $d2
echo $1 >> $d
echo $(date +%d-%m-%Y-%H:%M) >> $d1
echo $1 >> $d1
echo $1 >> /root/intrusos.txt
nslookup $1 >> $d1
whois $1 >> $d1
echo "Puertos abiertos: " >> $d1
nmap -P0 --max_rtt_timeout 20000 $1 >> $d1
echo "Por horas: /var/log/portsentryh.txt" >> $d1
echo "Solo IPS:  /var/log/portsentry.txt" >> $d1
echo "Intrusos IPS: /root/intrusos.txt" >> $d1
echo "Sistema: " >> $d1
#fi

mail -s "Ataque de $1" paco < $d1
#/root/mamon.sh $1
#/root/flood.sh $1

6  Script lee

echo "$CABECERA $1  " |festival --tts --language spanish

Index (showing section)