Snort or Suricata. Part 3: Protecting the Office Network

In the previous article we covered how to run a stable version of Suricata on Ubuntu 18.04 LTS. Building an IDS on a single node and enabling a free rule set is quite simple. Today we will work out how to protect a corporate network from the most common types of attacks using Suricata installed on a virtual server. For this we need a Linux VDS with two compute cores. The amount of RAM depends on the load: 2 GB is enough for some, while 4 or even 6 GB may be needed for more serious tasks. The advantage of a virtual machine is the room to experiment: you can start with a minimal configuration and add resources as needed.

Photo: Reuters

Network connections

Moving the IDS to a virtual machine may be necessary first of all for testing. If you have never dealt with such solutions, there is no need to rush into ordering physical hardware and changing the network architecture. It is better to run the system safely and cheaply in order to determine your needs. It is important to understand that all corporate traffic must pass through a single external node: to connect the local network (or several networks) to the VDS with Suricata installed, you can use SoftEther, an easy-to-configure, cross-platform VPN server that provides strong encryption. The office Internet connection may not have a real IP, so it is better to set the server up on the VPS. There are no ready-made packages in the Ubuntu repository; you have to download the software either from the project site or from an external repository on Launchpad (if you trust it):

sudo add-apt-repository ppa:paskal-07/softethervpn
sudo apt-get update

You can check the list of available packages with the following command:

apt-cache search softether


We will need softether-vpnserver (in the test setup the server runs on the VDS) as well as softether-vpncmd, the command-line utility used to configure it.

sudo apt-get install softether-vpnserver softether-vpncmd

The server is configured with a dedicated command-line utility:

sudo vpncmd


We won't go into the setup in detail: the procedure is simple, well described in many publications and not directly related to the subject of this article. Briefly, after starting vpncmd you select item 1 to enter the server management console; to do so, enter localhost as the host name and press Enter instead of entering a hub name. The administrator password is set in the console with the ServerPasswordSet command, the DEFAULT virtual hub is deleted (HubDelete) and a new one named Suricata_VPN is created together with its password (HubCreate). Then switch to the management console of the new hub with the Hub Suricata_VPN command and create a group and a user with GroupCreate and UserCreate. The user's password is set with UserPasswordSet.

SoftEther supports two ways of passing traffic: SecureNAT and Local Bridge. The first is a proprietary technology for building a virtual private network with its own NAT and DHCP. SecureNAT needs no TUN/TAP device, Netfilter or other firewall configuration. Routing does not touch the host's kernel; everything is virtualized and works on any VPS/VDS regardless of the hypervisor. The price is higher CPU load and lower throughput compared with Local Bridge mode, which connects the SoftEther virtual hub to a physical network adapter or a TAP device.

Configuration in this mode is more involved, since routing is handled at the kernel level by Netfilter. Our VDS runs on Hyper-V, so as the final step we create a local bridge and enable the TAP device with the command BridgeCreate Suricata_VPN /DEVICE:suricata_vpn /TAP:yes. After leaving the console we see a new network interface in the system that has not yet been assigned an IP:

ifconfig


Next, enable packet forwarding between interfaces (ip forward) if it is not already active:

sudo nano /etc/sysctl.conf

Uncomment the following line:

net.ipv4.ip_forward = 1

Save the file, exit the editor and apply the change with the following command:

sudo sysctl -p

Next, we need to define a subnet for the virtual network with fictitious addresses (for example 10.0.10.0/24) and assign an address to the interface:

sudo ifconfig tap_suricata_vp 10.0.10.1/24

Then the Netfilter rules need to be written.

1. If necessary, allow incoming packets on the listening ports (SoftEther's proprietary protocol uses HTTPS on port 443)

sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 992 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 5555 -j ACCEPT

2. Set up NAT from the 10.0.10.0/24 subnet to the server's main IP

sudo iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -j SNAT --to-source 45.132.17.140

3. Allow forwarding of packets from the 10.0.10.0/24 subnet

sudo iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT

4. Allow forwarding of packets belonging to already established connections

sudo iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

Automating this at system restart with a startup script is left to readers as homework.
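As an added example (not from the article), here is one way to do that homework: a POSIX shell boot script for the VDS that reapplies the forwarding flag, the TAP address and the Netfilter rules idempotently, so that a reboot or a second run does not stack duplicate rules. The address, subnet and interface values are the article's; restricting the FORWARD rule to the TAP interface is my tightening of rule 3 and is an assumption about what is wanted.

```shell
#!/bin/sh
# Added example, not part of the original article: an idempotent boot script for the
# VDS side. Values below are taken from the article; override them via the environment.
# Run as root (e.g. from rc.local or a oneshot systemd unit) with the "apply" argument.
set -eu

WAN_IP="${WAN_IP:-45.132.17.140}"      # public address of the VDS (SNAT source)
VPN_NET="${VPN_NET:-10.0.10.0/24}"     # virtual subnet behind the local bridge
TAP_IF="${TAP_IF:-tap_suricata_vp}"    # TAP device created by BridgeCreate
TAP_ADDR="${TAP_ADDR:-10.0.10.1/24}"   # address of the VDS on that subnet

# Print the rule set as "<table> <rule>" lines. Compared with the article, the
# FORWARD rule is tightened to the TAP interface so only VPN clients are forwarded.
vpn_rules() {
    printf '%s\n' \
        "filter INPUT -p tcp --dport 443 -j ACCEPT" \
        "filter INPUT -p tcp --dport 992 -j ACCEPT" \
        "filter INPUT -p tcp --dport 1194 -j ACCEPT" \
        "filter INPUT -p udp --dport 1194 -j ACCEPT" \
        "filter INPUT -p tcp --dport 5555 -j ACCEPT" \
        "nat POSTROUTING -s $VPN_NET -j SNAT --to-source $WAN_IP" \
        "filter FORWARD -i $TAP_IF -s $VPN_NET -j ACCEPT" \
        "filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Append a rule only when it is absent: -C checks for it, -A appends it.
# Re-running the script therefore never stacks duplicate rules.
ensure_rule() {
    table="$1"; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

apply_all() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ip addr replace "$TAP_ADDR" dev "$TAP_IF"   # "replace" is safe to repeat
    ip link set "$TAP_IF" up
    vpn_rules | while read -r table rule; do
        # shellcheck disable=SC2086  # $rule must be word-split into arguments
        ensure_rule "$table" $rule
    done
}

# Only touch the system when asked explicitly; the default just prints the rules
# so they can be reviewed (and compared with iptables-save) before applying.
case "${1:-print}" in
    apply) apply_all ;;
    *)     vpn_rules ;;
esac
```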

If you want clients to receive IPs automatically, you will need to install some DHCP service for the local bridge. This completes the server setup, and we can move on to the clients. SoftEther supports many protocols; which ones you use depends on the capabilities of the LAN equipment.

netstat -ap |grep vpnserver


Since the router also runs Ubuntu, let's install the softether-vpnclient and softether-vpncmd packages from the external repository on it in order to use the proprietary protocol. The client has to be started:

sudo vpnclient start

For configuration, use the vpncmd utility and select localhost as the machine on which vpnclient runs. All commands are executed in the console: you need to create a virtual interface (NicCreate) and an account (AccountCreate).

In some cases you have to set the authentication method with the AccountAnonymousSet, AccountPasswordSet, AccountCertSet and AccountSecureCertSet commands. Since we are not using DHCP, the virtual adapter's address is set manually.

In addition, we need to enable ip forward (the net.ipv4.ip_forward=1 option in /etc/sysctl.conf) and configure static routes. If necessary, port forwarding can be set up on the VDS with Suricata to reach services running on the local network. At this point the merging of the networks can be considered complete.

The layout of the resulting system looks like this:

[Diagram: network layout of the test setup]

Configuring Suricata

In the previous article we discussed two IDS operating modes: via the NFQUEUE queue (NFQ mode) and via zero copy (AF_PACKET mode). The second requires two interfaces but is faster, so we will use it. The default parameters are set in /etc/default/suricata. We also need to edit the vars section in /etc/suricata/suricata.yaml, setting the home network (HOME_NET) there.


To restart the IDS, use the command:

systemctl restart suricata

The solution is ready; now it needs to be tested for resilience against malicious activity.

Simulating attacks

There are several scenarios in which an external IDS service is useful:

Protection against DDoS attacks (the primary purpose)

This option is hard to implement inside the corporate network, because the packets to be analysed must reach the interface of the system that faces the Internet. Even if the IDS blocks them, the flood of traffic can still saturate the uplink. To avoid this you need to order a VPS with an Internet connection fast enough to carry all of the local network's traffic plus all the external traffic. This is often simpler and cheaper than widening the office channel. As an alternative, dedicated DDoS protection services deserve a mention. Their cost is comparable to that of a virtual server and they require no time-consuming configuration, but there is a downside: the customer gets only DDoS protection for the money, whereas an IDS of your own can be configured however you like.

Protection against other kinds of external attacks

Suricata can cope with attempts to exploit various vulnerabilities in corporate network services reachable from the Internet (mail servers, web servers and web applications, and so on). Usually the IDS is installed inside the LAN behind the border devices for this, but placing it outside also has a right to exist.

Protection against insiders

Despite the system administrator's best efforts, computers on the corporate network can become infected with malware. Moreover, from time to time troublemakers appear on the premises and try to do something illegitimate. Suricata can help block such attempts, although to protect the internal network it is better to install it inside the perimeter and use it together with a managed switch that can mirror traffic to a single port. An external IDS is not useless in this scenario either: at the very least it can catch attempts by malware living on the LAN to contact external servers.

First we create another test VPS that will act as the attacker, and on the local router we bring up Apache with default settings, then forward port 80 to it from the IDS server. Next we simulate a DDoS attack from the attacking node. To do this, download the small xerxes program from GitHub, compile it and run it on the attacking node (you may need to install the gcc package):

git clone https://github.com/Soldie/xerxes-DDos-zanyarjamal-C.git
cd xerxes-DDos-zanyarjamal-C/
gcc xerxes.c -o xerxes 
./xerxes 45.132.17.140 80

The result of its work looked like this.


Suricata cut off the malicious traffic, and the default Apache page opens despite the attack on us and the dead channel of the "office" (actually home) network. For more serious tasks you should use the Metasploit Framework. It is designed for penetration testing and lets you simulate a wide range of attacks. Installation instructions are available on the project's website. After installation an update is required:

sudo msfupdate

For testing, run msfconsole.


Unfortunately, recent versions of the framework no longer have an automated exploitation feature, so exploits have to be picked manually and run with the use command. First it is worth determining the open ports on the attacked machine, for example with nmap (in our case it is fully replaced by netstat on the attacked host), and then selecting and applying the appropriate Metasploit modules.

There are other ways to test an IDS's resilience to attacks, including online services. Out of curiosity, you can arrange a stress test using the trial version of an IP stresser. To see what happens with the actions of internal intruders, it is worth installing specialised tools on one of the machines on the local network. There are many options, and from time to time they should be applied not only to the test bench but also to production systems, but that is a different story.


source: www.habr.com
