PortSentry ► Electronic Engineering Polytechnic Institute of Surabaya – ITS, Kampus ITS Sukolilo, Surabaya 60111
Introduction ► A port scan is the process of probing the various application services running on an Internet server. A port scan is the very first step taken before an attack is launched.
PortSentry: http://www.psionic.com/products/portsentry.html
What is PortSentry ► Port: harbour ► Sentry: guard ► PortSentry is a piece of software designed to detect port scanning and to respond actively, in real time, when a port scan occurs
PortSentry platforms ► FreeBSD ► OpenBSD ► Linux
Advantages of PortSentry
Disadvantages of PortSentry ► PortSentry binds to the port, therefore a countermeasure is necessary ► Cannot detect spoofing
Where PortSentry is placed ► Behind the firewall ► Behind each host being protected
PortSentry features ► Detects scans ► Takes action against the host committing the violation ► Emails the system administrator when integrated with Logcheck/LogSentry
Types of scan ► Connect scans ► SYN scans ► FIN scans ► NULL scans ► XMAS scans ► FULL-XMAS scans ► UDP scans
Actions taken by PortSentry ► Stealth setting? ► Logs the access violation to /var/log/messages ► Adds an entry for the attacker to /etc/hosts.deny ► Adds a non-permanent route from the attacker to a "black hole" ► Blocks access to the system
PortSentry configuration files ► /etc/portsentry.conf ► /etc/portsentry.modes ► /etc/portsentry.ignore
Running portsentry ► /usr/sbin/portsentry ► /etc/rc.d/init.d/portsentry ► portsentry -udp ► portsentry -tcp ► portsentry -audp ► portsentry -sudp ► portsentry -atcp ► portsentry -stcp start
PortSentry configuration
► # Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,[...]
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,[...]
► # Use these if you just want to be aware:
TCP_PORTS="1,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,[...]
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
► # Use these for just bare-bones
#TCP_PORTS="1,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32771,32772,32773,32774,31337,54321"
► KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
► KILL_HOSTS_DENY="ALL: $TARGET$ # Portsentry blocked"
Attack log files ► /etc/hosts.deny ► /etc/portsentry.blocked.atcp ► /etc/portsentry.blocked.audp ► /etc/portsentry.history
PortSentry output
► Sep 19 01:50:19 striker portsentry[129]: attackalert: Host 192.168.0.1 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 192.168.0.1:255 to any"
► Sep 19 01:50:19 striker portsentry[129]: attackalert: Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 9
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host: 192.168.0.1 is already blocked. Ignoring
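As an added example (not part of the slides or of the PortSentry project), the script below parses attackalert lines in the syslog format shown above and summarises, per source host, which ports were probed, whether and how the host was blocked, and how many hits arrived after the block. The sample log is constructed; the UDP "scan from host" line is an assumed stealth-mode variant, and blocks_on_trusted is a hypothetical helper that flags automatic blocks on hosts you rely on, since PortSentry cannot tell a spoofed source from a real one.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format the slide shows. The UDP "scan from host"
# line is an assumed stealth-mode variant; the sshd line is non-PortSentry noise.
SAMPLE_LOG = """\
Sep 19 01:50:19 striker portsentry[129]: attackalert: Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 9
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host 192.168.0.1 has been blocked via dropped route using command: "/sbin/ipfw add 1 deny all from 192.168.0.1:255 to any"
Sep 19 01:50:19 striker portsentry[129]: attackalert: Host: 192.168.0.1 is already blocked. Ignoring
Sep 19 01:50:20 striker portsentry[129]: attackalert: Connect from host: 192.168.0.1/192.168.0.1 to TCP port: 111
Sep 19 01:51:02 striker portsentry[130]: attackalert: UDP scan from host: 10.0.0.7/10.0.0.7 to UDP port: 161
Sep 19 01:51:02 striker sshd[201]: Accepted publickey for admin from 10.0.0.9 port 51234
"""

# One pattern per attackalert message type seen in the sample above.
CONNECT_RE = re.compile(r"attackalert: (?:Connect|\w+ scan) from host: "
                        r"(?P<host>[\d.]+)/[\d.]+ to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
BLOCKED_RE = re.compile(r"attackalert: Host (?P<host>[\d.]+) has been blocked via (?P<how>.+?) using command")
ALREADY_RE = re.compile(r"attackalert: Host: (?P<host>[\d.]+) is already blocked")


def summarize(log_text):
    """Per source host: ports probed, how it was blocked (None if not), and hits after the block."""
    hosts = defaultdict(lambda: {"ports": set(), "blocked_via": None, "repeat_hits": 0})
    for line in log_text.splitlines():
        if "portsentry[" not in line:
            continue  # message from another daemon; ignore
        if m := CONNECT_RE.search(line):
            hosts[m["host"]]["ports"].add(f"{m['proto']}/{m['port']}")
        elif m := BLOCKED_RE.search(line):
            hosts[m["host"]]["blocked_via"] = m["how"]
        elif m := ALREADY_RE.search(line):
            hosts[m["host"]]["repeat_hits"] += 1
    return dict(hosts)


def blocks_on_trusted(summary, trusted_hosts):
    """Hypothetical helper: blocked hosts that are on an allowlist (gateway, DNS, monitoring),
    which deserve a manual look because the source address may have been spoofed."""
    return sorted(h for h, info in summary.items() if info["blocked_via"] and h in trusted_hosts)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host, info in report.items():
        print(host, sorted(info["ports"]), info["blocked_via"], "repeat hits:", info["repeat_hits"])
    print("blocked trusted hosts:", blocks_on_trusted(report, {"192.168.0.1"}))
```

Point it at /var/log/messages (or the output of logcheck) to get the same per-host view of what PortSentry actually blocked.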
Other tools ► scanlogd - Attack detection. ► InterSect Alliance - Intrusion analysis. Identifies malicious or unauthorized access attempts. ► snort - Instead of monitoring a single server with portsentry, snort monitors the network, performing real-time traffic analysis and packet logging on IP networks for the detection of an attack or probe.