Bhunter - hacking botnet nodes

Virus analysts and computer security researchers are racing to collect as many samples of new botnets as possible. They use honeypots for this... But what if you want to watch the malware in real conditions? Expose your own server or router to the risk? And what if there is no suitable device at hand? These questions led me to write bhunter, a tool for gaining access to botnet nodes.


Main idea

There are many ways malware spreads to grow a botnet: from phishing to exploiting 0-day vulnerabilities. But the most common method is still SSH password brute-forcing.

The idea is very simple. If some botnet node is trying to brute-force your server's password, then that node itself was most likely captured by brute-forcing its password. This means that to gain access to it, you have to answer in kind.

This is how bhunter works. It listens on port 22 (the SSH service) and collects all the logins and passwords that are tried against it. Then, using the collected passwords, it tries to connect to the attacking devices.

Operating algorithm

The program can be divided into two main parts that work independently. The first is the honeypot. While handling login attempts, it collects unique logins and passwords (a login + password pair is treated as a single unit), and also adds the IP addresses that tried to connect to the queue for a counterattack.

The second part is what carries out the attacks. Attacks run in two modes: BurstAttack (burst attack), which brute-forces logins and passwords from the common list, and SingleShotAttack (single shot), which tries the passwords that the attacking host itself used but that have not yet been added to the common list.

So that a database of logins and passwords exists right after startup, bhunter is initialized with the list from the file /etc/bhunter/defaultLoginPairs.
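
To make the honeypot half concrete, here is an added example in Python (not bhunter's own code) that processes authentication attempts the way the text describes: each login + password pair counts as one unit, and each source IP is tallied. It goes one step further than the article by flagging pairs that arrive from several distinct sources, which is how a defender recognises a shared botnet wordlist. The log line format and the sample lines are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# One line per authentication attempt. Constructed format for this example;
# bhunter's real log layout is not shown in the article.
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"login=(?P<login>\S*) password=(?P<password>.*)$"
)

# Constructed sample: three sources, all trying parts of one shared wordlist.
SAMPLE_LOG = """\
2024-05-01 10:00:01 203.0.113.5 login=root password=123456
2024-05-01 10:00:02 203.0.113.5 login=root password=admin
2024-05-01 10:00:03 198.51.100.7 login=admin password=admin
2024-05-01 10:00:04 198.51.100.7 login=root password=123456
2024-05-01 10:00:05 192.0.2.9 login=pi password=raspberry
2024-05-01 10:00:06 192.0.2.9 login=root password=123456
this line is not an auth attempt
"""


def parse_attempt(line):
    """Return (ip, login, password), or None for lines that are not attempts."""
    m = ATTEMPT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return m.group("ip"), m.group("login"), m.group("password")


def aggregate(log_text):
    """Unique (login, password) pairs, one unit each, plus per-source stats."""
    pairs = set()
    attempts_by_ip = Counter()
    sources_by_pair = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_attempt(line)
        if parsed is None:
            continue
        ip, login, password = parsed
        pairs.add((login, password))
        attempts_by_ip[ip] += 1
        sources_by_pair[(login, password)].add(ip)
    return pairs, attempts_by_ip, sources_by_pair


def shared_dictionary_pairs(sources_by_pair, min_sources=2):
    """Pairs tried from several distinct IPs: a sign of a common botnet wordlist."""
    return sorted(p for p, ips in sources_by_pair.items() if len(ips) >= min_sources)
```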

Interface

There are several ways to start bhunter:

As a command

sudo bhunter

With this launch, bhunter can be controlled through its commands: add logins and passwords for attacks, export the login and password database, specify an attack target. All hacked nodes can be seen in the file /var/log/bhunter/hacked.log

Via tmux

sudo bhunter-ts # command that starts bhunter via tmux
sudo tmux attach -t bhunter # attach to the session in which bhunter is running

Tmux is a terminal multiplexer, a very convenient tool. It lets you create several windows inside a single terminal and split windows into panes. With it, you can log out of the terminal and log back in without disturbing running processes.

The bhunter-ts script creates a tmux session and splits the window into three panes. The first and largest holds the command line. On the right are the honeypot logs, where you can see messages about attempts to log into the honeypot. The other right-hand pane shows information about the progress of attacks on botnet nodes and about successful hacks.

The advantage of this method over the first is that we can close the terminal and come back later without bhunter stopping its work. For those who know little about tmux, I recommend this cheat sheet.

As a service

systemctl enable bhunter
systemctl start bhunter

In this case we enable autostart of bhunter at system boot. In this mode there is no interaction with bhunter, and the list of hacked nodes can be found in /var/log/bhunter/hacked.log

Effectiveness

While working on bhunter I managed to find and gain access to very different devices: Raspberry Pi boards, routers (mostly MikroTik), web servers, and once a mining farm (unfortunately, access was short-lived, so there is no interesting story to tell). Here is a screenshot of the program showing the list of hacked nodes after a few days of operation:

[Screenshot: bhunter's list of hacked nodes]

Unfortunately, the effectiveness of this tool did not reach what I expected: bhunter can try passwords against nodes for several days without success, and then hack several victims within a few hours. But this is enough for a steady stream of new botnet samples.

Effectiveness is affected by parameters such as the country where the server with bhunter is located, the hosting provider, and the type of IP address assigned. In my experience there was a case where I rented two servers from the same hoster, and one of them was attacked by botnets twice as often.

Bugs I have not fixed

When attacking infected hosts, it is sometimes impossible to determine unambiguously whether a password is correct or not. Such cases are written to the file /var/log/debug.log.

The Paramiko module, which is used for SSH, sometimes misbehaves: it waits endlessly for a response from the host when trying to connect to it. I tried timeouts, but did not get the result I wanted.

What else needs to be improved?

Service name

According to RFC-4253, the client and server exchange the names of their implementations before the SSH protocol session is established. This name is carried in the "SERVICE NAME" field, which appears both in the request from the client side and in the response from the server side. The field is a string, and its value can be read with wireshark or nmap. Here is an example for OpenSSH:

$ nmap -p 22 ***.**.***.** -sV
Starting Nmap ...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

However, in the case of Paramiko, this field contains a string like "Paramiko Python sshd 2.4.2", which can scare off botnets designed to "bypass" traps. So I think this string needs to be replaced with something more neutral.
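
As an added example (not part of the original article), here is a Python parser for the identification string that RFC 4253 section 4.2 defines (SSH-protoversion-softwareversion, optionally followed by comments), which is what nmap's version column above is derived from, plus a check a honeypot operator can run against their own server to confirm the banner does not name the honeypot library. The marker list and the sample banners are constructed; the Paramiko banner shape is an assumption.

```python
import re
import socket

# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments] CR LF
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<soft>\S+)(?: (?P<comments>.*))?$")

# Software-version substrings that name a honeypot library rather than a real
# sshd. Constructed list for this example; extend it for your own deployment.
HONEYPOT_MARKERS = ("paramiko", "cowrie", "kippo")


def parse_banner(line):
    """Split one identification string into its RFC 4253 components."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return {
        "proto": m.group("proto"),
        "software": m.group("soft"),
        "comments": m.group("comments") or "",
    }


def banner_reveals_honeypot(line):
    """True if the software-version part names a known honeypot library."""
    software = parse_banner(line)["software"].lower()
    return any(marker in software for marker in HONEYPOT_MARKERS)


def fetch_banner(host, port=22, timeout=5.0, max_lines=10):
    """Read the identification line from a server you operate yourself.

    The server speaks first, and RFC 4253 lets it send a few informational
    lines before the one starting with "SSH-"; those are skipped."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(max_lines):
            line = reader.readline().decode("ascii", "replace")
            if line.startswith("SSH-"):
                return line
    raise ValueError("no identification string received from %s:%d" % (host, port))


if __name__ == "__main__":
    # Constructed banners: OpenSSH as in the nmap output above, and the form
    # a stock Paramiko server uses (assumption: "SSH-2.0-paramiko_<version>").
    for banner in ("SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n",
                   "SSH-2.0-paramiko_2.4.2\r\n"):
        print(parse_banner(banner), banner_reveals_honeypot(banner))
```

Paramiko exposes the string it sends as the Transport object's local_version attribute (an assumption based on its source; check it against the version you run), so that is where a more neutral banner would be assigned.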

Other vectors

SSH is not the only remote-management protocol. There are also telnet and rdp. They are worth a closer look.

Scaling

It would be good to have several traps in different countries and to collect logins, passwords and hacked nodes from them into a common database.

Where can I download it?

At the time of writing, a test version is ready and can be downloaded from the repository on Github.

Source: www.habr.com
