Introduction
► A port scan is the process of scanning the various service applications running on an Internet server. A port scan is the earliest step taken before an attack is carried out.

PortSentry
http://www.psionic.com/products/portsentry.html
What is PortSentry
► Port: a harbour
► Sentry: a guard
► PortSentry is a piece of software designed to detect port scanning and to respond actively, in real time, when port scanning occurs
PortSentry Platforms
► FreeBSD
► OpenBSD
► Linux
Advantages of PortSentry

Disadvantages of PortSentry
► PortSentry binds to the port, therefore a countermeasure is necessary
► Cannot detect spoofing
Where to Place PortSentry
► Behind the firewall
► Behind each host being protected

PortSentry Features
► Detects scans
► Takes action against the offending host
► E-mails the system administrator when integrated with Logcheck/LogSentry

PortSentry reacts in real time (immediately) by blocking the attacker's IP address. This is done using ipchains/ipfwadm and by automatically adding the address to /etc/hosts.deny for TCP Wrappers.

PortSentry has a mechanism for remembering which machines/hosts have connected to it. That way, only the hosts that connect far too often (because they are scanning) get blocked.

Types of Scan
► Connect scans – These are full-connection scans. The entire three-way TCP handshake is completed before being torn down. These scans are also the most obvious, since the target host may record the event of a connection being made from the scanning IP address.
► SYN scans – Also known as "half-open" scans, these are one way an attacker can try to enumerate ports on a system in a stealthy manner. These scans only execute the first two steps of the three-way TCP handshake. The initiating system sends a TCP SYN packet as though it were requesting a full connection. The target system responds with a SYN-ACK packet. The initiator then sends a TCP RST (reset) packet back to the target, thereby closing the connection. The idea is to prevent the full connection from being established, since it may be logged.
► FIN scans – These scans use packets with the TCP FIN flag set. Typically, FIN packets are only seen during the closing sequence of a connection. Unsolicited FIN packets sent to a closed TCP port should elicit an RST packet from the target.
► NULL scans – NULL scans use packets without any TCP flags set. Again, as per RFC 793, this should elicit an RST packet in return.
► XMAS scans – XMAS scans have the FIN, URG, and PUSH TCP flags set in the TCP header. These are technically not "normal" packets seen across the Internet (or even on a local LAN) and should elicit an RST from a closed port.
► FULL-XMAS scan – This scan has all of the TCP flags set (SYN, ACK, RST, FIN, URG, PSH). This type of packet should never be seen on a LAN, much less on the Internet.
► UDP scan – This scan is detected by the presence of multiple UDP packets originating from a single IP address.

Actions PortSentry Takes
► Stealth setting ????
► Logs the access violation in /var/log/messages
► Adds an entry for the attacker to /etc/hosts.deny
► Adds a non-permanent route sending the attacker to a "black hole"
► Blocks access to the system

All violations are logged to syslog, indicating the system name, the time of the attack, the IP address of the attacking machine, and the TCP/UDP port the attack was made against.

PortSentry Configuration Files
► /etc/portsentry/portsentry.conf
► /etc/portsentry.modes
► /etc/portsentry/portsentry.ignore

/etc/portsentry/portsentry.conf is PortSentry's main configuration file. Here, step by step, you set which ports to monitor, what response to take against a machine that port-scans, the mechanism for removing that machine from the routing table, and the entry to write to hosts.deny.

/etc/portsentry/always_ignore contains all IP addresses on the LAN that PortSentry should ignore. Use it when you want certain IP addresses never to be blocked by accident.

In /etc/portsentry/portsentry.ignore, enter the IP addresses that should be ignored; its content is the same as that of /etc/portsentry/always_ignore.

In /etc/portsentry.modes, set the detection modes PortSentry runs. The more thorough the detection mode chosen (advanced stealth TCP/UDP scanning), the more sensitive and fussy PortSentry usually becomes, since it will block machines at the slightest provocation.

Running PortSentry
► /usr/sbin/portsentry
► /etc/rc.d/init.d/portsentry start
► portsentry -udp
► portsentry -tcp
► portsentry -audp
► portsentry -sudp
► portsentry -atcp
► portsentry -stcp

With either the -udp or the -tcp option, normal scan detection is done. With -sudp and -stcp, normal stealth scan detection is done. With -audp or -atcp, advanced stealth scan detection is done. It is recommended that two instances of PortSentry are running: /usr/local/psionic/portsentry/portsentry -sudp and /usr/local/psionic/portsentry/portsentry -atcp. Adding the above two commands to /etc/rc.d/rc.local will have PortSentry started automatically at boot.
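The scan types and the per-host memory described above, as an added example in Python that is not PortSentry's own code: it classifies a TCP flag byte into the scan names listed in "Types of Scan", counts probes against monitored ports per source host, and once a constructed `trigger` count is reached it renders the KILL_ROUTE and KILL_HOSTS_DENY actions with $TARGET$ filled in. The port list, ignore list and `trigger` threshold are assumptions for the example; the two templates use the portsentry.conf syntax shown later on this page.

```python
from collections import defaultdict

# TCP flag bits of the flags byte in the TCP header (RFC 793 bit order)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> str:
    """Map a raw TCP flag byte to the scan names used in PortSentry's docs."""
    f = flags & 0x3F                      # only the six classic flags matter here
    if f == 0:
        return "NULL"
    if f == FIN | SYN | RST | PSH | ACK | URG:
        return "FULL-XMAS"
    if f == FIN | URG | PSH:
        return "XMAS"
    if f == FIN:
        return "FIN"
    if f == SYN:
        return "SYN"                      # also the first packet of a connect scan
    return "normal"


# Templates in portsentry.conf syntax (constructed values for this example)
KILL_ROUTE = "/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY = "ALL: $TARGET$ # Portsentry blocked"


def render(template: str, target: str) -> str:
    """Expand $TARGET$ the way PortSentry does before running/writing it."""
    return template.replace("$TARGET$", target)


class ScanTracker:
    """Remembers which hosts probed monitored ports; blocks after `trigger` hits."""

    def __init__(self, tcp_ports, trigger=2, ignore=()):
        self.tcp_ports, self.trigger = set(tcp_ports), trigger
        self.ignore = set(ignore)         # like portsentry.ignore / always_ignore
        self.hits = defaultdict(int)      # the "memory" of who has connected
        self.blocked = set()

    def probe(self, src: str, dport: int, flags: int):
        """Return (scan_type, actions) for one packet; actions is [] if none."""
        kind = classify_flags(flags)
        if kind == "normal" or dport not in self.tcp_ports or src in self.ignore:
            return kind, []
        if src in self.blocked:
            return kind, ["attackalert: Host: %s is already blocked. Ignoring" % src]
        self.hits[src] += 1
        if self.hits[src] < self.trigger:
            return kind, []               # remembered, but not yet over the line
        self.blocked.add(src)
        return kind, [render(KILL_ROUTE, src), render(KILL_HOSTS_DENY, src)]
```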
PortSentry Configuration
► # Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,[..]
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,[..]
► # Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,[..]
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
► # Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
► KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
► KILL_HOSTS_DENY="ALL: $TARGET$ # Portsentry blocked"

Attack Log Files
► /etc/hosts.deny – the list of IP addresses of machines that are not allowed to interact with our server. This list is used by TCP Wrappers and is generated automatically by PortSentry when an attack takes place.
► /etc/portsentry/portsentry.blocked.atcp – the list of IP addresses of machines blocked from all TCP ports.
► /etc/portsentry/portsentry.blocked.audp – the list of IP addresses of machines blocked from all UDP ports.
► /etc/portsentry/portsentry.history – the history of attacks our machine has received.

PortSentry Output
► Sep 19 01:50:19 striker portsentry[129]: attackalert: Host 192.168.0.1 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 192.168.0.1:255.255.255.255 to any"
► Sep 19 01:50:19 striker portsentry[129]: attackalert: Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 9
► Sep 19 01:50:19 striker portsentry[129]: attackalert: Host: 192.168.0.1 is already blocked. Ignoring

Other Tools
► scanlogd – Attack detection.
► InterSect Alliance – Intrusion analysis. Identifies malicious or unauthorized access attempts.
► snort – Instead of monitoring a single server as PortSentry does, Snort monitors the network, performing real-time traffic analysis and packet logging on IP networks to detect an attack or probe.
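Reading the attackalert lines shown under "PortSentry Output", as an added example (not part of the original page or of PortSentry): it extracts the system name, time, attacker IP and port that the page says each syslog entry indicates, summarises per attacker what was probed and whether a block was recorded, and checks that every host logged as blocked actually has an ALL: entry in hosts.deny. The sample log is constructed from the page's three lines plus two made-up lines for a second host, and the sample hosts.deny is constructed too.

```python
import re

# Constructed sample syslog: the page's three attackalert lines (joined onto
# single lines) plus two made-up lines for a second probing host.
SAMPLE_LOG = """\
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host 192.168.0.1 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 192.168.0.1:255.255.255.255 to any"
Sep 19 01:50:19 striker portsentry[129]: attackalert: Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 9
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host: 192.168.0.1 is already blocked. Ignoring
Sep 19 01:51:02 striker portsentry[129]: attackalert: Connect from host: 10.9.8.7/10.9.8.7 to UDP port: 161
Sep 19 01:51:02 striker portsentry[129]: attackalert: Host 10.9.8.7 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 10.9.8.7:255.255.255.255 to any"
"""
# Constructed /etc/hosts.deny that lacks the second host (e.g. the write failed)
SAMPLE_HOSTS_DENY = "ALL: 192.168.0.1 # Portsentry blocked\n"

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<system>\S+) "
                     r"portsentry\[\d+\]: attackalert: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"Connect from host: (?P<ip>[\d.]+)/\S+ to "
                        r"(?P<proto>TCP|UDP) port: (?P<port>\d+)")
BLOCKED_RE = re.compile(r"Host:? (?P<ip>[\d.]+) (?P<what>has been blocked|is already blocked)")


def parse(log_text):
    """One dict per attackalert line: ts, system, kind, ip, proto, port."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a PortSentry alert; skip it
        ev = {"ts": m["ts"], "system": m["system"], "proto": None, "port": None}
        c, b = CONNECT_RE.search(m["msg"]), BLOCKED_RE.search(m["msg"])
        if c:
            ev.update(kind="connect", ip=c["ip"], proto=c["proto"], port=int(c["port"]))
        elif b:
            ev.update(kind="blocked" if b["what"].startswith("has") else "already_blocked",
                      ip=b["ip"])
        else:
            continue                      # alert text this parser does not know
        events.append(ev)
    return events


def summarize(events):
    """Per attacker IP: system, first-seen time, probed (proto, port) pairs, block seen."""
    out = {}
    for e in events:
        s = out.setdefault(e["ip"], {"system": e["system"], "first_seen": e["ts"],
                                     "ports": [], "blocked": False})
        if e["kind"] == "connect":
            s["ports"].append((e["proto"], e["port"]))
        elif e["kind"] == "blocked":
            s["blocked"] = True
    return out


def missing_from_hosts_deny(summary, hosts_deny_text):
    """IPs the log says were blocked but that have no ALL: entry in hosts.deny."""
    present = set(re.findall(r"^ALL:\s*([\d.]+)", hosts_deny_text, re.M))
    return sorted(ip for ip, s in summary.items() if s["blocked"] and ip not in present)
```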