Portsentry
Introduction
A port scan probes a server on the Internet to find out which service applications it is running. A port scan is usually the very first step an attacker takes before launching an attack.
PortSentry
http://www.psionic.com/products/portsentry.html
What is PortSentry
Port: harbour
Sentry: guard
PortSentry is a piece of software designed to detect port scanning and to respond to it actively, in real time.
PortSentry Platforms
FreeBSD
OpenBSD
Linux
Advantages of PortSentry
Disadvantages of PortSentry
In classic (-tcp/-udp) mode PortSentry binds to the ports it watches, so those ports show up as open in a scan and the daemon itself is exposed; a countermeasure (a firewall in front of it, or the stealth modes, which do not bind) is therefore necessary.
It cannot detect spoofing: a scan sent with a forged source address is logged and blocked under the forged address, so an attacker can use this to get a legitimate host, such as the DNS server or the default gateway, blocked. Hosts that must never be blocked belong in portsentry.ignore.
Where to Put PortSentry
Behind the firewall
On each host that is to be protected (PortSentry watches a single host, not a network segment)
PortSentry Features
Detects scans
Takes action against the offending host
Emails the system administrator when integrated with Logcheck/LogSentry
Scan Types
Connect scans (a full TCP handshake; the only kind the classic -tcp mode sees, since it accepts real connections)
SYN scans (half-open: SYN only, the handshake is never completed)
FIN scans (FIN only)
NULL scans (no flags set)
XMAS scans (FIN, URG and PSH set)
FULL-XMAS scans (every TCP flag set)
UDP scans
The SYN, FIN, NULL, XMAS and FULL-XMAS scans never complete a connection, so they are detected only by the stealth modes (-stcp/-atcp), which watch the incoming packets instead of binding to the port.
Actions PortSentry Takes
Stealth operation (the -stcp/-sudp and -atcp/-audp modes watch the ports without binding to them)
Logs the access violation to /var/log/messages
Adds an entry for the attacker to /etc/hosts.deny
Adds a non-permanent route for the attacker to a "black hole" (a dead route; it is lost at the next reboot, unlike the hosts.deny entry)
Blocks the attacker's access to the system
PortSentry Configuration Files
/etc/portsentry/portsentry.conf (main configuration: the ports to watch and the KILL_* responses)
/etc/portsentry.modes (the modes the init script starts PortSentry in)
/etc/portsentry/portsentry.ignore (hosts that must never be blocked; the host's own addresses and 127.0.0.1 belong here)
Running PortSentry
/usr/sbin/portsentry
/etc/rc.d/init.d/portsentry start
Modes (one daemon per mode):
portsentry -tcp (classic TCP mode: binds to the listed TCP ports)
portsentry -udp (classic UDP mode: binds to the listed UDP ports)
portsentry -stcp (stealth TCP mode: watches the listed ports without binding)
portsentry -sudp (stealth UDP mode)
portsentry -atcp (advanced stealth TCP mode: watches every port below a configured ceiling instead of a fixed list)
portsentry -audp (advanced stealth UDP mode)
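As an added example (not PortSentry's own init script and not part of the original slides), the POSIX shell script below reads a modes file laid out the way Debian's /etc/portsentry.modes is (one mode per line, # starts a comment; that layout is an assumption here), validates each entry against the six mode flags listed above, and prints the command it would start for each one. The modes file is constructed inline, including a deliberate typo, so the script runs on a machine without PortSentry installed; set DRY_RUN=0 to actually start the daemons.

```shell
#!/bin/sh
# Added example, not PortSentry's own init script.
# Assumes the Debian layout of /etc/portsentry.modes: one mode per line,
# '#' starts a comment, blank lines are ignored.

PORTSENTRY=${PORTSENTRY:-/usr/sbin/portsentry}
DRY_RUN=${DRY_RUN:-1}

# Constructed sample modes file (stands in for /etc/portsentry.modes).
MODES_FILE=$(mktemp)
cat > "$MODES_FILE" <<'EOF'
# Modes to start PortSentry in.
tcp
udp
stcp      # stealth TCP as well
bogus     # typo: must be rejected, not passed to the daemon
EOF

# The six mode flags the portsentry binary accepts.
valid_mode() {
    case "$1" in
        tcp|udp|stcp|sudp|atcp|audp) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one "portsentry -<mode>" command line per valid, non-comment entry.
# Unknown modes are reported on stderr and skipped.
plan_modes() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r mode; do
        [ -n "$mode" ] || continue
        if valid_mode "$mode"; then
            printf '%s -%s\n' "$PORTSENTRY" "$mode"
        else
            printf 'portsentry: skipping unknown mode "%s"\n' "$mode" >&2
        fi
    done
}

# Start (or, with DRY_RUN=1, just show) one daemon per mode.
start_modes() {
    plan_modes "$1" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf 'would run: %s\n' "$cmd"
        else
            $cmd
        fi
    done
}

start_modes "$MODES_FILE"
```

Validating the mode name before passing it to the binary matters because a mistyped entry would otherwise be handed to portsentry as an unknown flag and the init script would silently start fewer watchers than the administrator expects.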
PortSentry Configuration
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,[..]
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,[..]
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,[..]
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$ # Portsentry blocked"
TCP_PORTS and UDP_PORTS are the ports PortSentry watches; a connection to any of them marks the source as an attacker. KILL_ROUTE and KILL_HOSTS_DENY are the responses: PortSentry replaces $TARGET$ with the attacker's address before running the command and before writing the hosts.deny line. The port lists must not contain ports of services the host actually runs, or legitimate clients of those services will be blocked.
Attack Log Files
/etc/hosts.deny
/etc/portsentry/portsentry.blocked.atcp
/etc/portsentry/portsentry.blocked.audp
/etc/portsentry/portsentry.history
The portsentry.blocked.* files (one per mode) list the hosts blocked by the running instance and are recreated when PortSentry restarts; portsentry.history keeps the permanent record.
PortSentry Output
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host 192.168.0.1 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 192.168.0.1:255.255.255.255 to any"
Sep 19 01:50:19 striker portsentry[129]: attackalert: Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 9
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host: 192.168.0.1 is already blocked. Ignoring
This example comes from a FreeBSD host, so KILL_ROUTE invokes ipfw here rather than the iptables command shown in the configuration above. The "Connect from host" line names the resolved host and its address; later hits from an address that is already blocked are only logged.
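The following POSIX shell script is an added example, not part of the original slides or of PortSentry itself. It serves the configuration slide and the output slide together: it runs over a few constructed attackalert lines in the format shown above, lists the hosts PortSentry blocked and the ports each one probed, checks a host against a portsentry.ignore-style list (plain addresses only, one per line; the network forms newer releases accept are not handled), and expands the $TARGET$ placeholder in the KILL_HOSTS_DENY and KILL_ROUTE templates the way PortSentry does before acting on them. The log lines, addresses, ignore list and the iptables path are constructed sample data.

```shell
#!/bin/sh
# Added example, not PortSentry's own code. All log lines, addresses and
# templates below are constructed sample data in PortSentry's own formats.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Sep 19 01:50:19 striker portsentry[129]: attackalert: Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 9
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host 192.168.0.1 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 192.168.0.1:255.255.255.255 to any"
Sep 19 01:50:19 striker portsentry[129]: attackalert: Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 22
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host: 192.168.0.1 is already blocked. Ignoring
Sep 19 01:51:02 striker portsentry[129]: attackalert: Connect from host: scanner.example/10.0.0.5 to UDP port: 161
Sep 19 01:51:02 striker portsentry[129]: attackalert: Host 10.0.0.5 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 10.0.0.5:255.255.255.255 to any"
EOF

IGNORE=$(mktemp)
cat > "$IGNORE" <<'EOF'
# portsentry.ignore: hosts that must never be blocked
127.0.0.1
0.0.0.0
192.168.0.254   # the management station
EOF

# Templates as they appear in portsentry.conf; PortSentry substitutes
# $TARGET$ with the offending address before acting.
KILL_ROUTE='/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP'
KILL_HOSTS_DENY='ALL: $TARGET$ # Portsentry blocked'

# Hosts that PortSentry reports as blocked, one per line, sorted, unique.
# "Host: X is already blocked" lines (note the colon) are deliberately skipped.
blocked_hosts() {
    sed -n 's/.*attackalert: Host \([0-9.][0-9.]*\) has been blocked .*/\1/p' "$1" | sort -u
}

# Ports a given address probed, as PROTO/PORT in log order. The log carries a
# resolved-name/address pair after "Connect from host:"; match on the address.
probed_ports() {
    awk -v want="$2" '
        /attackalert: Connect from host: / {
            split($0, a, "Connect from host: ")
            split(a[2], f, " ")        # f[1]=name/addr  f[3]=TCP|UDP  f[5]=port
            split(f[1], h, "/")
            if (h[2] == want) printf "%s/%s\n", f[3], f[5]
        }' "$1"
}

# True (exit 0) when the address is listed in a portsentry.ignore-style file.
# Comments and whitespace are stripped; only exact addresses are matched.
is_ignored() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$2" | grep -qxF -- "$1"
}

# Expand the $TARGET$ placeholder the way PortSentry does for KILL_* templates.
render_template() {
    printf '%s\n' "$1" | sed 's/\$TARGET\$/'"$2"'/g'
}

# Report: for each blocked host, what it probed and what the responses expand to.
for host in $(blocked_hosts "$LOG"); do
    if is_ignored "$host" "$IGNORE"; then
        echo "$host is in the ignore list but was blocked anyway; check the config"
        continue
    fi
    echo "$host probed: $(probed_ports "$LOG" "$host" | tr '\n' ' ')"
    echo "  hosts.deny: $(render_template "$KILL_HOSTS_DENY" "$host")"
    echo "  route:      $(render_template "$KILL_ROUTE" "$host")"
done
```

The ignore-list check is the part worth keeping around: because PortSentry blocks on the source address it sees, a forged-source scan (see the disadvantages slide) shows up in this report as a legitimate host being blocked, and comparing the blocked set against the ignore list and the host's own addresses is the quickest way to notice it.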
Other Tools
scanlogd - attack detection.
InterSect Alliance - intrusion analysis; identifies malicious or unauthorized access attempts.
snort - instead of monitoring a single server as PortSentry does, snort monitors the network, performing real-time traffic analysis and packet logging on IP networks to detect attacks and probes.