Below is the raw version of the troubleshooting process (for the summarized version, download the attachment link).
5. Mining malware check and removal:
yum -y install epel-release
yum -y install unhide
6. unhide quick to view hidden processes
7. Use iptables to block inbound and outbound traffic from the source IP
Test environment:
(snort+guard environment host) Server 1.1.1.1-------------------Server 2.2.2.2
Part 2: Install snort for defensive detection
yum install https://www.snort.org/downloads/snort/snort-2.9.16-1.centos7.x86_64.rpm
yum install libdnet
Running snort in the shell gives an error:
snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
libdnet.1 turns out to be under /usr/lib64, and the symlink exists as well.
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64
Running snort still gives the same error.
Use readelf -a snort to see what is actually wrong with the dependency; the ELF contains
0x000000000000000f (RPATH) Library rpath: [/usr/local/lib]
which sets the dependency library path to /usr/local/lib,
so copy libdnet.so.1.0.1 from /usr/lib64 to /usr/local/lib and create the symlink: ln -s libdnet.so.1.0.1 libdnet.1
Run snort in the shell again.
It starts successfully, initializes, runs its various checks and then warns: WARNING: No preprocessors configured for policy 0.
At this point snort is installed and runs.
Next, create the snort rules database:
Download the rules package from the official site. There are three kinds: the community package, the registered package, and the subscriber package (paid).
Here we register a user with a company email address and download snortrules-snapshot-29160.tar.gz from the registered package, which matches our version.
Snort rules database installation steps:
1. mkdir /root/rule
tar zxvf snortrules-snapshot-29160.tar.gz // after extracting we find that all rules and configuration in this package are already written; customizing our own rules is discussed later
2.
cp -R -f /root/rule/preproc_rules /root/rule/rules /root/rule/so_rules /etc/snort
cp -R -f /root/rule/etc /etc/snort
Part 3: Configure snort
1. vim /etc/snort/snort.conf
ipvar HOME_NET 1.1.1.1 // monitor the real NIC address on Alibaba Cloud, i.e. the private address, because traffic arriving at the public address is always translated to the private NIC address
2. Modify the variable paths
var LIB_PATH /usr/lib64
var CONF_PATH /etc/snort
var RULE_PATH $CONF_PATH/rules
var SO_RULE_PATH $CONF_PATH/so_rules
var PREPROC_RULE_PATH $CONF_PATH/preproc_rules
var WHITE_LIST_PATH $CONF_PATH/rules
var BLACK_LIST_PATH $CONF_PATH/rules
3. Trim the rules
snort.conf currently includes every detection rule from the rules package we downloaded; local.rules is empty, and for now we add no extra detection rules.
4. Add the NIC to be monitored
vim /etc/sysconfig/snort
INTERFACE=eth0 // Alibaba Cloud has only one physical NIC, eth0; the other interface, the container cloud's virtual bridge docker0, does not need monitoring for now
5. Start the snort service: service snortd start
Check with service snortd status whether it started; it shows:
snortd.service - SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
Loaded: loaded (/etc/rc.d/init.d/snortd; bad; vendor preset: disabled)
Active: active (exited) since Sat 2020-05-23 14:08:51 CST; 11s ago
Docs: man:systemd-sysv-generator(8)
Process: 3288 ExecStop=/etc/rc.d/init.d/snortd stop (code=exited, status=0/SUCCESS)
Process: 3327 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)
May 23 14:08:51 znzz002 snort[3336]:
May 23 14:08:51 znzz002 snort[3336]: PortVar 'SHELLCODE_PORTS' defined :
May 23 14:08:51 znzz002 snort[3336]: [ 0:79 81:65535 ]
May 23 14:08:51 znzz002 snort[3336]:
May 23 14:08:51 znzz002 snort[3336]: PortVar 'ORACLE_PORTS' defined :
May 23 14:08:51 znzz002 snort[3336]: [ 1024:65535 ]
May 23 14:08:51 znzz002 snort[3336]:
May 23 14:08:51 znzz002 snort[3336]: PortVar 'SSH_PORTS' defined :
May 23 14:08:51 znzz002 systemd[1]: Started SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and netw... and more..
May 23 14:08:51 znzz002 snortd[3327]: Starting snort: [FAILED]
Hint: Some lines were ellipsized, use -l to show in full.
Because the service was started with service, check cat /var/log/messages, which shows:
May 23 14:26:17 localhost snort[5255]: FATAL ERROR: /etc/snort/snort.conf(259) Could not stat dynamic module path "/usr/lib64/snort_dynamicrules": No such file or directory.
find / -name snort_dynamicrules: the directory is missing.
mkdir -p /usr/lib64/snort_dynamicrules
Restart the service: it still fails
May 23 14:39:00 localhost snort[6528]: FATAL ERROR: /etc/snort/snort.conf(518) => Unable to open address file /etc/snort/../rules/white_list.rules, Error: No such file or directory
Manually create white_list.rules and black_list.rules under /etc/snort/rules/ with empty contents.
cd /etc/snort/rules
touch white_list.rules
touch black_list.rules
This time it starts successfully.
[root@znzz002 lib64]# service snortd status
● snortd.service - SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
Loaded: loaded (/etc/rc.d/init.d/snortd; bad; vendor preset: disabled)
Active: active (running) since Sat 2020-05-23 14:51:36 CST; 58s ago
Docs: man:systemd-sysv-generator(8)
Process: 7899 ExecStop=/etc/rc.d/init.d/snortd stop (code=exited, status=0/SUCCESS)
Process: 5193 ExecReload=/etc/rc.d/init.d/snortd reload (code=exited, status=0/SUCCESS)
Process: 7922 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)
Tasks: 2
Memory: 695.1M
CGroup: /system.slice/snortd.service
└─7944 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
May 23 14:51:36 znzz002 snort[7944]: Preprocessor Object: SF_SIP Version 1.1 <Build 1>
May 23 14:51:36 znzz002 snort[7944]: Preprocessor Object: SF_DNS Version 1.1 <Build 4>
May 23 14:51:36 znzz002 snort[7944]: Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
May 23 14:51:36 znzz002 snort[7944]: Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
May 23 14:51:36 znzz002 snort[7944]: Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
May 23 14:51:36 znzz002 snort[7944]: Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
May 23 14:51:36 znzz002 snort[7944]: Preprocessor Object: SF_POP Version 1.0 <Build 1>
May 23 14:51:36 znzz002 snort[7944]: Preprocessor Object: SF_GTP Version 1.1 <Build 1>
May 23 14:51:36 znzz002 snort[7944]: Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
May 23 14:51:36 znzz002 snort[7944]: Commencing packet processing (pid=7944)
[root@znzz002 lib64]# ps -aux |grep snort
snort 7944 0.0 8.9 801796 713560 ? Ssl 14:51 0:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
6. Test
snort -T -i eth0 -c /etc/snort/snort.conf
Output:
Snort successfully validated the configuration!
Snort exiting
At this point snort is running successfully.
Now test a rule: vim /etc/snort/rules/local.rules
alert icmp 2.2.2.2 any -> any any (msg:"snort test";sid:1000001;)
Ping this host's address from 2.2.2.2; the alert is triggered in /var/log/snort/alert on this host.
7. View the attack alert log
tail -f /var/log/snort/alert
This completes the deployment of snort, our open-source passive detection software.
Part 3: Install the active defense system Guardian
Guardian's design principle: a daemon keeps watching /var/log/snort/alert; as soon as an alert appears, it blocks the IP address named in that alert, and after a while it automatically unblocks that IP. Its advantage over manual maintenance is that it blocks the IP before, or at the very first step of, an intrusion, whereas manual maintenance necessarily happens only after the intrusion has succeeded.
1. Download guardian-1.7.tar.gz and extract it
cp guardian.pl /usr/local/bin/ // the executable
cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh // iptables script that blocks an IP
cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh // iptables script that unblocks an IP
cp guardian.conf /etc/snort/ // guardian configuration file
touch /etc/snort/guardian.ignore // IP addresses listed in this file get no reaction at all; it works like a whitelist
touch /etc/snort/guardian.target // the local IP addresses to protect; e.g. if the local NIC has sub-interfaces eth:0 and eth:1, the default is eth:0, and if eth:1 is not listed in this file, guardian will not react even when an attack on eth:1 makes snort write an alert
touch /etc/snort/guardian.log // log file
2. Configure /etc/snort/guardian.conf
HostIpAddr 1.1.1.1 // the actual NIC address of the Alibaba Cloud instance
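Guardian itself is a Perl daemon and its code is not reproduced here; the following is an added sh model of the decision described above (not part of the original post or of Guardian's own code) that takes one line of Snort's -A fast alert output, applies the guardian.ignore and guardian.target semantics, and emits the iptables block rule. It assumes Snort's fast-alert line format, one IP per line in the ignore/target files, and a GUARDIAN_APPLY=1 switch before any iptables command is actually executed.

```shell
#!/bin/sh
# Added example, not part of the original post and not Guardian's own code: a
# minimal sh model of Guardian's decision for one line of Snort "-A fast" output.
# Assumptions: fast-alert format, one IP per line in the ignore/target files,
# and iptables is only executed when GUARDIAN_APPLY=1 (dry-run otherwise).

# Constructed sample line in Snort fast-alert format (not captured from the author's host).
SAMPLE_ALERT='05/23-15:02:11.123456  [**] [1:1000001:0] snort test [**] [Priority: 0] {ICMP} 2.2.2.2 -> 1.1.1.1'

# Source IP is the field before "->"; an optional :port (TCP/UDP alerts) is dropped.
alert_src_ip() {
    printf '%s\n' "$1" | sed -n 's/.* \([0-9.]*\)\(:[0-9]*\)* -> .*/\1/p'
}

# Destination IP is the field after "->", again without any :port suffix.
alert_dst_ip() {
    printf '%s\n' "$1" | sed -n 's/.* -> \([0-9.]*\).*/\1/p'
}

# True when IP $1 appears as a whole line in file $2 (guardian.ignore / guardian.target).
ip_in_file() {
    [ -f "$2" ] && grep -qxF "$1" "$2"
}

# The iptables rules that Guardian's block script adds and its unblock script removes later.
block_cmd()   { printf 'iptables -I INPUT -s %s -j DROP\n' "$1"; }
unblock_cmd() { printf 'iptables -D INPUT -s %s -j DROP\n' "$1"; }

# Decide on one alert line: skip whitelisted sources and unprotected destinations,
# otherwise print (and with GUARDIAN_APPLY=1 run) the block rule. Returns 0 when blocking.
handle_alert() {
    src=$(alert_src_ip "$1"); dst=$(alert_dst_ip "$1")
    [ -n "$src" ] && [ -n "$dst" ] || return 1
    ip_in_file "$src" "$2" && return 1      # source is in guardian.ignore
    ip_in_file "$dst" "$3" || return 1      # destination is not in guardian.target
    cmd=$(block_cmd "$src")
    echo "$cmd"
    [ "${GUARDIAN_APPLY:-0}" = 1 ] && $cmd
    return 0
}

# Demo wiring (run as: sh guardian_model.sh demo). The real daemon reads the alert
# file continuously and sleeps 1 s between scans, which is the one-second window in
# which a second ping still gets through before the block rule is in place.
if [ "${1:-}" = demo ]; then
    printf '1.1.1.1\n' > /tmp/guardian.target.demo
    handle_alert "$SAMPLE_ALERT" /etc/snort/guardian.ignore /tmp/guardian.target.demo
fi
```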
Interface eth0
LogFile /var/log/snort/guardian.log
AlertFile /var/log/snort/alert
IgnoreFile /etc/snort/guardian.ignore
TargetFile /etc/snort/guardian.target
3. Create the start script
vim /usr/local/bin/guardian.sh
#!/bin/bash
# Simple init-style wrapper around guardian.pl: start / stop / restart / status.
cd /usr/local/bin
start()
{
    export PATH=$PATH:/usr/local/bin
    /usr/local/bin/guardian.pl -c/etc/snort/guardian.conf
}
stop()
{
    # The pattern 'guardian.pl *-c' does not match the grep process itself.
    if ps aux | grep 'guardian.pl *-c' > /dev/null 2>&1; then
        # Kill by PID (column 2 of ps aux), not by the whole ps line.
        kill $(ps aux | grep 'guardian.pl *-c' | awk '{print $2}')
    else
        echo "guardian is not running ...."
    fi
}
status()
{
    if ps aux | grep 'guardian.pl *-c' > /dev/null 2>&1; then
        echo "guardian is running ...."
    else
        echo "guardian is not running ...."
    fi
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        ;;
esac
Running this script gives: Can't locate getopts.pl
Install it: yum -y install cpan
cpan Module::Build
cpan Perl4::CoreLibs
cp getopts.pl /usr/local/bin
Run guardian.sh start again
Error:
Warning! HostIpAddr is undefined! Attempting to guess..
Couldn't figure out the ip address
Add HostIpAddr 1.1.1.1 in vim /etc/snort/guardian.conf
Running guardian.sh start again gives: Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
Create the log file: touch /var/log/snort/guardian.log
Start guardian.sh start once more; it starts successfully:
[root@znzz002 bin]# ./guardian.sh start
OS shows Linux
My ip address and interface are: 1.1.1.1 eth0
Loaded 0 addresses from /etc/snort/guardian.ignore
Loaded 0 addresses from /etc/snort/guardian.target
Becoming a daemon..
[root@znzz002 bin]# ps -aux |grep guardian
root 21013 0.0 0.0 132212 1588 pts/0 S 10:38 0:00 /usr/bin/perl /usr/local/bin/guardian.pl -c/etc/snort/guardian.conf
root 21052 0.0 0.0 112812 972 pts/0 S+ 10:38 0:00 grep --color=auto guardian
Next, add the service start to boot-time auto-start:
vim /etc/rc.d/rc.local
At this point the snort detection and guardian defense environment is set up.
Part 4: snort+guard linkage test
(snort+guard environment host) Server 1.1.1.1-------------------Server 2.2.2.2
vim /etc/snort/guardian.target
Enter the target address for guardian to monitor: 1.1.1.1
vim /etc/snort/rules/local.rules // custom alert rule
alert icmp 2.2.2.2 any -> any any (msg:"snort test";sid:1000001;)
Then ping 1.1.1.1 from 2.2.2.2.
The replies stop after the 2nd packet, i.e. packets are dropped starting from the 3rd. This is because guardian's monitoring process scans once per second, so the 2nd packet still gets through within that second. From the 3rd packet on, guardian on 1.1.1.1 has used an iptables command to DROP packets from 2.2.2.2 in the INPUT chain.