PSAD: Port Scan Attack Detector
In this article we get to know PSAD, a piece of software created exclusively to act as a detector of attacks such as port scans and DDoS. We will look at its main features and at how to take advantage of this very interesting project.
Part 5: Proof of Concept: security tests
Now that the basic configuration of PSAD is done, let's start it:
# /etc/init.d/psad start
Starting the psad daemons.
The following daemons are part of psad:
- /usr/bin/perl -w /usr/sbin/psad
- /usr/sbin/psadwatchd
- /usr/sbin/kmsgsd
It is now running and protecting our system.
Let's run a local test with nmap:
# nmap -sT -v -PT localhost
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-01 17:29 BRT
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 2.150 seconds
BINGO: as we can see, it returned no valid ports. Now let's look at the e-mails:
# mail
"/var/spool/mail/root": 12 messages 1 new 12 unread
U 1 root@unsekurity.lo Wed Sep 1 17:27 52/1715 [psad-alert] DL2 src: loc
U 2 root@unsekurity.lo Wed Sep 1 17:27 52/1715 [psad-alert] DL2 src: loc
?1
Message 1:
From root@unsekurity.local Wed Sep 1 17:27:07 2004
X-Original-To: root@localhost
Delivered-To: root@localhost.unsekurity.local
Date: Wed, 01 Sep 2004 17:27:06 -0300
To: root@localhost.unsekurity.local
Subject: [psad-alert] DL2 src: localhost dst: localhost
User-Agent: nail 10.5 4/27/03
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: root@unsekurity.local (root)
=-=-=-=-=-=-=-=-=-=-=-= Wed Sep 1 17:27:06 2004 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [2] (out of 5) Multi-Protocol
Scanned tcp ports: [4-6112: 22 packets]
tcp flags: [SYN: 22 packets, Nmap: -sT or -sS]
Iptables chain: INPUT (prefix "Port Scan Attack"), 22 packets
Scanned udp ports: [512: 1 packets, Nmap: -sU]
Iptables chain: INPUT (prefix "Port Scan Attack"), 1 packets
Source: 127.0.0.1
DNS: localhost
Destination: 127.0.0.1
DNS: localhost
Syslog hostname: RootSec
Current interval: Wed Sep 1 17:27:01 2004 (start)
Wed Sep 1 17:27:06 2004 (end)
Overall scan start: Wed Sep 1 17:26:40 2004
Total email alerts: 5
Complete tcp range: [4-44443]
Complete udp range: [512]
chain: interface: tcp: udp: icmp:
INPUT lo 161 4 0
[+] Whois Information:
Unknown AS number or IP network. Please upgrade this program.
?q
As we can see, it detailed the attack: scan type, protocols used, and so on.
Let's also look at the syslog:
# tail /var/log/messages
Sep 1 17:28:00 RootSec kernel: Port Scan AttackIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=39 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32771 DPT=512 LEN=19
Sep 1 17:28:01 RootSec kernel: Port Scan AttackIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=45715 PROTO=TCP SPT=54369 DPT=1427 WINDOW=4096 RES=0x00 SYN URGP=0
Sep 1 17:28:05 RootSec psad: scan detected: 127.0.0.1 -> 127.0.0.1 tcp=[142-1427] SYN tcp=2 udp=1 icmp=0 dangerlevel: 2
Sep 1 17:28:05 RootSec psad: sending email alert to: root@localhost
Sep 1 17:28:32 RootSec kernel: Port Scan AttackIN=ppp0 OUT= MAC= SRC=200.176.2.10 DST=200.232.209.247 LEN=115 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=53 DPT=32776 LEN=95
Besides reporting the attack with great precision, PSAD did not allow the attacker to gather information about our server.
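To make concrete what psad does with these kernel log lines, here is an added example (my own code, not part of the article or of the psad project): a small Python parser that reads iptables LOG lines carrying the "Port Scan Attack" prefix, groups them per source/destination pair, collects destination ports and TCP flags, and renders a summary in the style of the `scan detected` syslog line above. The sample log is constructed from the lines shown in this article plus one unrelated sshd line; the danger-level thresholds are an assumption modelled on psad's default DANGER_LEVEL settings and are not psad's actual scoring code.

```python
import re
from collections import defaultdict

# Constructed sample: iptables LOG lines modelled on the ones in this article,
# plus one unrelated syslog line that the parser must ignore.
SAMPLE_LOG = """\
Sep 1 17:28:00 RootSec kernel: Port Scan AttackIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=39 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32771 DPT=512 LEN=19
Sep 1 17:28:01 RootSec kernel: Port Scan AttackIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=45715 PROTO=TCP SPT=54369 DPT=1427 WINDOW=4096 RES=0x00 SYN URGP=0
Sep 1 17:28:01 RootSec kernel: Port Scan AttackIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=39 ID=45716 PROTO=TCP SPT=54369 DPT=142 WINDOW=4096 RES=0x00 SYN URGP=0
Sep 1 17:28:32 RootSec kernel: Port Scan AttackIN=ppp0 OUT= MAC= SRC=200.176.2.10 DST=200.232.209.247 LEN=115 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=53 DPT=32776 LEN=95
Sep 1 17:28:40 RootSec sshd[123]: Accepted publickey for root from 10.0.0.5
"""

LOG_PREFIX = "Port Scan Attack"          # the --log-prefix used by the iptables rule
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")

# Packet-count thresholds per danger level. Assumption: modelled on psad's
# default DANGER_LEVEL2..5 values; check /etc/psad/psad.conf on your own host.
DANGER_THRESHOLDS = ((15, 2), (150, 3), (1500, 4), (10000, 5))


def parse_line(line):
    """Parse one prefixed iptables LOG line into a dict of its key=value fields.

    Returns None for lines without the prefix (ordinary syslog noise). In the
    article the prefix is fused with 'IN=' because the rule's --log-prefix had
    no trailing space, so we split on the prefix rather than on whitespace.
    """
    if LOG_PREFIX not in line:
        return None
    tail = line.split(LOG_PREFIX, 1)[1]
    fields = {}
    for key, val in KV_RE.findall(tail):
        fields.setdefault(key, val)   # the first LEN= is the IP length; keep it
    # TCP flags are bare tokens (SYN, ACK, ...) rather than key=value pairs
    fields["flags"] = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return fields


def danger_level(packets):
    """Map a packet count to a 1..5 danger level (0 when nothing was seen)."""
    if packets == 0:
        return 0
    level = 1
    for threshold, lvl in DANGER_THRESHOLDS:
        if packets >= threshold:
            level = lvl
    return level


def tally_scans(log_text):
    """Aggregate prefixed LOG lines per (SRC, DST) pair.

    Each record holds the set of destination ports per protocol, the packet
    count per protocol and the union of TCP flags seen.
    """
    scans = defaultdict(lambda: {"ports": {"tcp": set(), "udp": set()},
                                 "pkts": {"tcp": 0, "udp": 0, "icmp": 0},
                                 "flags": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        rec = scans[(f["SRC"], f["DST"])]
        proto = f.get("PROTO", "").lower()
        if proto in rec["pkts"]:
            rec["pkts"][proto] += 1
        if proto in rec["ports"] and "DPT" in f:
            rec["ports"][proto].add(int(f["DPT"]))
        rec["flags"] |= f["flags"]
    return dict(scans)


def summary_line(src, dst, rec):
    """Render one record in the style of psad's 'scan detected' syslog line."""
    tcp_ports = rec["ports"]["tcp"]
    tcp_range = f" tcp=[{min(tcp_ports)}-{max(tcp_ports)}]" if tcp_ports else ""
    flags = " " + " ".join(sorted(rec["flags"])) if rec["flags"] else ""
    total = sum(rec["pkts"].values())
    return (f"scan detected: {src} -> {dst}{tcp_range}{flags} "
            f"tcp={rec['pkts']['tcp']} udp={rec['pkts']['udp']} "
            f"icmp={rec['pkts']['icmp']} dangerlevel: {danger_level(total)}")


if __name__ == "__main__":
    for (src, dst), rec in tally_scans(SAMPLE_LOG).items():
        print(summary_line(src, dst, rec))
```

Running it prints one summary per source/destination pair. Note what the last kernel line in the article represents: a UDP packet from source port 53 arriving on ppp0, i.e. a DNS reply, not a probe. An iptables LOG rule that fires before the rule accepting established traffic records legitimate return packets too, so a counter like this one, and psad's own tallies, should be read together with the firewall's stateful rules, or the LOG rule should come after them.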