
How to use a gateway IDS to protect the internal network of a CentOS server


Abstract: As network attacks keep increasing, protecting the security of a server's internal network has become especially important. This article introduces how to use a gateway IDS (Intrusion Detection System) to protect the internal network of a CentOS server. We will configure a gateway IDS to monitor network traffic and use a rule-based firewall to block malicious traffic from entering the internal network. The article also includes some example code to help readers better understand and implement these security measures.

Introduction

A gateway IDS is a system that detects and blocks malicious activity by monitoring and analyzing network traffic. It watches network behavior and traffic to identify and report possible attacks. By placing the gateway IDS at the gateway position between the internal and external networks, we can effectively protect the security of the server's internal network.

Installing and configuring the gateway IDS

First, we need to install and configure gateway IDS software such as Suricata. Suricata is a powerful open-source IDS/IPS that runs on CentOS servers.

(1) Install Suricata:

$ sudo yum install epel-release

$ sudo yum install suricata

(2) Configure Suricata:

$ sudo vi /etc/suricata/suricata.yaml

In the configuration file, we can customize Suricata's behavior by defining rule sets, enabling logging, configuring alerts, and so on.

Configuring firewall rules

Configuring firewall rules on the gateway to block malicious traffic from entering the server's internal network is very important. We can use iptables or nftables to do this. The following is an example using iptables:

(1) Create a new iptables chain:

$ sudo iptables -N IDS

(2) Send inbound traffic from the INPUT chain through this chain:

$ sudo iptables -A INPUT -j IDS

(3) Configure rules on the IDS chain:

$ sudo iptables -A IDS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

$ sudo iptables -A IDS -m conntrack --ctstate INVALID -j DROP

$ sudo iptables -A IDS -p tcp --dport 22 -m recent --name ssh --set -m comment --comment "Allow SSH"

$ sudo iptables -A IDS -p tcp --dport 22 -m recent --name ssh --rcheck --seconds 60 --hitcount 4 -j DROP

ÒÔÉϹæÔòµÄ¼ÄÒåÊÇ£ºÔÊÐíÒѾ­½¨ÉèµÄºÍÏà¹ØµÄÅþÁ¬Í¨¹ý £¬ÑïÆúÎÞЧÅþÁ¬ £¬ÈôÊÇÓÐÒ»Á¬4´ÎSSHÅþÁ¬ÔÚ60ÃëÄÚ±»´¥·¢ £¬ÔòեȡSSHÅþÁ¬¡£

Log analysis and alerting

A gateway IDS generates a large volume of logs. We can discover potential attack activity by analyzing these logs and configuring alerts. The following is a code example of a Python script that reads and analyzes Suricata logs:

import json
import sys

logfile_path = '/var/log/suricata/eve.json'

def analyze_logs():
    # eve.json holds one JSON object per line, so parse each line separately
    try:
        logfile = open(logfile_path, 'r')
    except OSError as err:
        sys.exit(f'cannot open {logfile_path}: {err}')
    with logfile:
        for line in logfile:
            line = line.strip()
            if not line:
                continue
            event = json.loads(line)
            # Log analysis and alerting logic goes here; this minimal
            # version reports every alert event Suricata has written
            if event.get('event_type') == 'alert':
                print(event.get('src_ip'), event['alert'].get('signature'))

if __name__ == '__main__':
    analyze_logs()


By writing suitable logic, we can detect anomalous traffic, malicious IPs and other potential attack activity, and raise alerts in real time.
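As an added example (not code from the original article), here is a fuller version of the analysis logic just described: it parses Suricata eve.json lines, counts alert events per source IP at or above a chosen severity, and reports sources that cross a threshold. The sample log lines, IP addresses and signature names are constructed for the example; only the EVE field names are Suricata's.

```python
import json
from collections import Counter

# Constructed sample of eve.json lines (not real captured traffic). The field
# layout (event_type, src_ip, alert.signature, alert.severity) follows
# Suricata's EVE format; the addresses and signature names are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:01+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dest_port":443}',
    '{"timestamp":"2024-01-01T10:00:02+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.1","dest_port":22,"alert":{"signature":"SAMPLE SSH brute force","severity":1}}',
    '{"timestamp":"2024-01-01T10:00:03+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.1","dest_port":22,"alert":{"signature":"SAMPLE SSH brute force","severity":1}}',
    '{"timestamp":"2024-01-01T10:00:04+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.1","dest_port":22,"alert":{"signature":"SAMPLE SSH brute force","severity":1}}',
    '{"timestamp":"2024-01-01T10:00:05+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.0.2","dest_port":80,"alert":{"signature":"SAMPLE informational","severity":3}}',
    'this line is not json',
    '',
]

def parse_eve(lines):
    """Yield one dict per valid JSON line; blank or malformed lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written or corrupted line must not stop analysis

def count_alerts_by_source(records, max_severity=2):
    """Count alert events per src_ip, keeping only severity <= max_severity
    (in Suricata, severity 1 is the most severe)."""
    counts = Counter()
    for rec in records:
        if rec.get("event_type") != "alert" or "src_ip" not in rec:
            continue
        if rec.get("alert", {}).get("severity", 3) <= max_severity:
            counts[rec["src_ip"]] += 1
    return counts

def noisy_sources(counts, min_alerts=3):
    """Source IPs that produced at least min_alerts qualifying alerts."""
    return sorted(ip for ip, n in counts.items() if n >= min_alerts)

def analyze(lines, max_severity=2, min_alerts=3):
    """Parse -> count -> threshold; returns the source IPs worth alerting on."""
    return noisy_sources(count_alerts_by_source(parse_eve(lines), max_severity), min_alerts)

if __name__ == "__main__":
    for ip in analyze(SAMPLE_EVE_LINES):
        print(f"ALERT: {ip} exceeded the alert threshold")
```

To run it against a live gateway, replace SAMPLE_EVE_LINES with the lines of /var/log/suricata/eve.json and tune max_severity and min_alerts to the rule set in use.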

Regularly updating rule sets and software

ΪÁ˼á³ÖЧÀÍÆ÷ÄÚÍøµÄÇå¾²ÐÔ £¬°´ÆÚ¸üÐÂÍø¹ØIDSµÄ¹æÔò¼¯ºÍÈí¼þÊǺÜÖ÷ÒªµÄ¡£ÎÒÃÇ¿ÉÒÔʹÓÃÏÂÁîÐй¤¾ß»òÉèÖÃÎļþÀ´¸üÐÂSuricataµÄ¹æÔò¼¯¡£±ðµÄ £¬ÎÒÃÇ»¹Ó¦¸Ã¾­³£¸üÐÂЧÀÍÆ÷ÉϵIJÙ×÷ϵͳºÍÏà¹ØÈí¼þ £¬ÒÔÐÞ¸´Ç±ÔÚµÄÎó²î¡£

Conclusion:

By using a gateway IDS and configuring firewall rules, we can protect the security of the CentOS server's internal network. Merely installing an IDS is not enough; we also need to update rule sets regularly, monitor the logs and alert in real time. Only through comprehensive security measures can we effectively protect the server's internal network from the threat of network attacks.

References:

Suricata official documentation: https://suricata.readthedocs.io/

iptables documentation: https://netfilter.org/documentation/

(Note: the example code in this article is for reference only; in practice, please adjust and test it according to your actual situation.)
