PortSentry, one type of IDS

Introduction

A port scan is the process of scanning the various service applications running on an Internet server. A port scan is the earliest step taken before an attack is carried out. PortSentry:
http://www.psionic.com/products/portsentry.html

What is PortSentry

Port: harbour. Sentry: guard. PortSentry is a piece of software designed to detect port scanning and to respond actively, in real time, when a port scan occurs.

PortSentry platforms

- FreeBSD
- OpenBSD
- Linux

Advantages of PortSentry

Disadvantages of PortSentry

- PortSentry binds to the ports it monitors, therefore a countermeasure is necessary
- Cannot detect spoofing

Where to place PortSentry

- Behind the firewall
- Behind each host being protected

PortSentry features

- Detects scans
- Takes action against the host that committed the violation
- Emails the system administrator when integrated with Logcheck/LogSentry

PortSentry reacts in real time (immediately) by blocking the attacker's IP address. This is done using ipchains/ipfwadm and by having TCP Wrappers add the address to /etc/hosts.deny automatically. PortSentry has a mechanism for remembering which machines/hosts have connected to it; that way, only the machines/hosts that make connections too often (because they are scanning) get blocked.

Scan types

- Connect scans
- SYN scans
- FIN scans
- NULL scans
- XMAS scans
- FULL-XMAS scan
- UDP scan

Connect scans – These are full-connection scans. The entire three-way TCP handshake is completed before being torn down. These types of scans are also the most obvious, since the target host may record the event of a connection being made from the scanning IP address.

SYN scans – Also known as "half-open" scans, these are one way an attacker can try to enumerate ports on a system in a stealthy manner. These scans only execute the first two steps of the three-way TCP handshake. The initiating system sends a TCP SYN packet as though it were requesting a full connection. The target system responds with a SYN-ACK packet. The initiator then sends a TCP RST (reset) packet back to the target, thereby closing the connection. The idea here is to prevent the full connection from being established, since it may be logged.

FIN scans – These scans use packets with the TCP FIN flag set. Typically, FIN packets are only seen during the closing sequence of a connection. Unsolicited FIN packets sent to a closed TCP port should elicit an RST packet from the target.

NULL scans – NULL scans use packets without any TCP flags set. Again, as per RFC 793, this should elicit an RST packet in return.

XMAS scans – XMAS scans have the FIN, URG, and PUSH TCP flags set in the TCP header. These are technically not "normal" packets seen across the Internet (or even on a local LAN) and should elicit an RST from a closed port.

FULL-XMAS scan – This scan has all of the TCP flags set (SYN, ACK, RST, FIN, URG, PSH). This type of packet should never be seen on a LAN, much less on the Internet.

UDP scan – This scan is detected by the presence of multiple UDP packets originating from a single IP address.

Actions taken by PortSentry

- Stealth setting ????
- Logs the access violation in /var/log/messages
- Adds an entry for the attacker to /etc/hosts.deny
- Adds a non-permanent route from the attacker to a "black hole"
- Blocks access to the system
- Logs every violation to syslog, indicating the system name, the time of the attack, the IP of the attacking machine, and the TCP/UDP port on which the attack was made

PortSentry configuration files

- /etc/portsentry/portsentry.conf
- /etc/portsentry.modes
- /etc/portsentry/portsentry.ignore

The file /etc/portsentry/portsentry.conf is PortSentry's main configuration. Here you set, step by step, which ports need to be monitored, what response should be made to a machine that performs a port scan, the mechanism for removing the machine from the routing table, and the entry for hosts.deny. The file /etc/portsentry/always_ignore contains all the IP addresses on the LAN that PortSentry should ignore. It is used when you want certain IP addresses never to be blocked by accident. In the file /etc/portsentry/portsentry.ignore, enter the IP addresses that need to be ignored, the same as the contents of /etc/portsentry/always_ignore. In the file /etc/portsentry.modes, set the detection modes PortSentry performs. The better the detection mode chosen (advanced stealth TCP/UDP scanning), the more sensitive and the fussier PortSentry usually becomes, because it will block a machine at the slightest provocation.

Running PortSentry

- /usr/sbin/portsentry
- /etc/rc.d/init.d/portsentry start
- portsentry -udp
- portsentry -tcp
- portsentry -audp
- portsentry -sudp
- portsentry -atcp
- portsentry -stcp

With either the -udp or the -tcp option, normal scan detection is done. With -sudp and -stcp, normal stealth scan detection is done. With -audp or -atcp, advanced stealth scan detection is done. It is recommended that two instances of PortSentry are running: /usr/local/psionic/portsentry/portsentry -sudp and /usr/local/psionic/portsentry/portsentry -atcp. Adding the above two commands to /etc/rc.d/rc.local will have PortSentry started automatically at boot.

PortSentry configuration

    # Un-comment these if you are really anal:
    #TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,[..]
    #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,[..]
    #
    # Use these if you just want to be aware:
    TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,[..]
    UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
    #
    # Use these for just bare-bones
    #TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
    #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

    KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
    KILL_HOSTS_DENY="ALL: $TARGET$ # Portsentry blocked"

Attack log files

- /etc/hosts.deny – the list of IP addresses of machines that are not allowed to interact with our server. This list is used by TCP Wrappers and is generated automatically by PortSentry when an attack is carried out.
- /etc/portsentry/portsentry.blocked.atcp – the list of IP addresses of machines whose access to all TCP ports has been blocked.
- /etc/portsentry/portsentry.blocked.audp – the list of IP addresses of machines whose access to all UDP ports has been blocked.
- /etc/portsentry/portsentry.history – the history of attacks received by our machine.
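To make the configuration above concrete, here is an added example (my own simplified model, not PortSentry's source code) of the detect-and-respond loop: connection attempts to monitored TCP_PORTS are remembered per source host, hosts in the ignore file are never blocked, and once a host exceeds a trigger count (an assumed parameter of this model) the KILL_ROUTE and KILL_HOSTS_DENY templates are rendered with $TARGET$ substituted. The commands are returned as strings for inspection, never executed; the ignore-list and source addresses are constructed sample values.

```python
from collections import defaultdict


class PortSentryModel:
    """Simplified model of PortSentry's detect-and-respond loop (not its code)."""

    def __init__(self, tcp_ports, ignore_hosts, kill_route, kill_hosts_deny, trigger=2):
        self.tcp_ports = set(tcp_ports)         # TCP_PORTS being monitored
        self.ignore = set(ignore_hosts)         # contents of portsentry.ignore
        self.kill_route = kill_route            # KILL_ROUTE template
        self.kill_hosts_deny = kill_hosts_deny  # KILL_HOSTS_DENY template
        self.trigger = trigger                  # hits before blocking (assumed parameter)
        self.hits = defaultdict(int)            # remembered per source host
        self.blocked = set()                    # like portsentry.blocked.atcp
        self.history = []                       # like portsentry.history

    def connection(self, src, port):
        """Return the actions taken for one TCP connection attempt from src."""
        if port not in self.tcp_ports:
            return []                           # not a monitored port: nothing to do
        if src in self.ignore:
            return ["ignored"]                  # hosts in the ignore file are never blocked
        if src in self.blocked:
            return ["already blocked"]          # the "is already blocked. Ignoring" case
        self.hits[src] += 1
        if self.hits[src] < self.trigger:
            return ["logged"]                   # remembered, not yet blocked
        self.blocked.add(src)
        actions = [
            self.kill_route.replace("$TARGET$", src),       # e.g. the iptables DROP rule
            self.kill_hosts_deny.replace("$TARGET$", src),  # the line for /etc/hosts.deny
        ]
        self.history.append((src, port, actions))
        return actions


def make_sentry():
    """Model built from the first TCP_PORTS entries, KILL_ROUTE and KILL_HOSTS_DENY
    shown above; the ignore-list addresses are constructed sample values."""
    return PortSentryModel(
        tcp_ports=[1, 11, 15, 79, 111, 119, 143, 540, 635, 1080, 1524, 2000],
        ignore_hosts=["127.0.0.1", "192.168.0.10"],
        kill_route="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP",
        kill_hosts_deny="ALL: $TARGET$ # Portsentry blocked",
    )


if __name__ == "__main__":
    s = make_sentry()
    for src, port in [("10.0.0.5", 1), ("10.0.0.5", 11), ("10.0.0.5", 15)]:
        print(src, port, s.connection(src, port))
```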
PortSentry output

    Sep 19 01:50:19 striker portsentry[129]: attackalert: \
      Host 192.168.0.1 has been blocked via dropped route using command: \
      "/sbin/ipfw add 1 deny all from 192.168.0.1:255.255.255.255 to any"
    Sep 19 01:50:19 striker portsentry[129]: attackalert: \
      Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 9
    Sep 19 01:50:19 striker portsentry[129]: attackalert: \
      Host: 192.168.0.1 is already blocked. Ignoring

Other tools

- scanlogd – Attack detection.
- InterSect Alliance – Intrusion analysis. Identifies malicious or unauthorized access attempts.
- snort – Instead of monitoring a single server with portsentry, snort monitors the network, performing real-time traffic analysis and packet logging on IP networks for the detection of an attack or probe.
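As an added example (not part of the original post), the following script turns the attackalert lines PortSentry writes to syslog, in the format shown above, into a per-host summary of probed ports, block method and repeat hits, and flags any host that was blocked even though it is listed in portsentry.ignore, which indicates the ignore file is not being honoured. The log lines and the ignore list are constructed sample data.

```python
import re
from collections import defaultdict

# Patterns follow the three attackalert message shapes shown in the output above.
CONNECT_RE = re.compile(
    r"attackalert: Connect from host: \S+/(?P<ip>[\d.]+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
BLOCKED_RE = re.compile(
    r"attackalert: Host (?P<ip>[\d.]+) has been blocked via (?P<how>.+?) using command"
)
ALREADY_RE = re.compile(r"attackalert: Host: (?P<ip>[\d.]+) is already blocked")


def summarise(lines, ignore_hosts=()):
    """Return {ip: summary} for every host PortSentry reported on."""
    ignore = set(ignore_hosts)                 # addresses from portsentry.ignore
    hosts = defaultdict(lambda: {
        "ports": set(),                        # (proto, port) pairs probed
        "blocked_via": None,                   # e.g. "dropped route"
        "repeat_hits": 0,                      # "already blocked. Ignoring" lines
        "ignored_but_blocked": False,          # misconfiguration indicator
    })
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            hosts[m["ip"]]["ports"].add((m["proto"], int(m["port"])))
            continue
        m = BLOCKED_RE.search(line)
        if m:
            hosts[m["ip"]]["blocked_via"] = m["how"]
            hosts[m["ip"]]["ignored_but_blocked"] = m["ip"] in ignore
            continue
        m = ALREADY_RE.search(line)
        if m:
            hosts[m["ip"]]["repeat_hits"] += 1
    return dict(hosts)


# Constructed sample log, in the same format as the PortSentry output above.
SAMPLE_LOG = """\
Sep 19 01:50:19 striker portsentry[129]: attackalert: Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 9
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host 192.168.0.1 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 192.168.0.1:255.255.255.255 to any"
Sep 19 01:50:19 striker portsentry[129]: attackalert: Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 11
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host: 192.168.0.1 is already blocked. Ignoring
Sep 19 01:51:02 striker portsentry[129]: attackalert: Connect from host: 192.168.0.10/192.168.0.10 to UDP port: 69
Sep 19 01:51:02 striker portsentry[129]: attackalert: Host 192.168.0.10 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 192.168.0.10:255.255.255.255 to any"
""".splitlines()

if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG, ignore_hosts=["192.168.0.10"]).items():
        print(ip, info)
```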
