Snort or Suricata. Part 1: Choosing a free IDS/IPS to protect your corporate network
Snort or Suricata. Part 2: Installing and initial setup of Suricata
Connecting the network
Moving the IDS out to a separate machine may at first be needed only for testing. If you have not worked with such solutions before, you should not rush to order physical hardware and change the network architecture: it is better to run the system safely and cheaply first, to find out what computing resources it actually needs. It is important to understand that all corporate traffic will then have to pass through a single external node. To connect the local network (or several networks) to a VDS with Suricata installed, you can use SoftEther VPN; on Ubuntu it can be installed from a third-party PPA:
sudo add-apt-repository ppa:paskal-07/softethervpn
sudo apt-get update
The list of available packages can be seen with the following command:
apt-cache search softether
We need softether-vpnserver (in our test setup the server runs on the VDS) and softether-vpncmd, the command-line utility used to configure it.
sudo apt-get install softether-vpnserver softether-vpncmd
The main command-line utility used to configure the server:
sudo vpncmd
We will not go into the settings in detail: the procedure is simple, is described in many manuals and is not directly related to the topic of this article. In short, after starting vpncmd you select item 1 to enter the server management console; for that, enter the host name localhost and press Enter instead of entering a hub name. The administrator password is set in the console with the serverpasswordset command, the DEFAULT virtual hub is deleted (hubdelete) and a new one named Suricata_VPN is created with its own password (hubcreate). Next, switch to the management console of the new hub with the hub Suricata_VPN command and create a group and a user with the groupcreate and usercreate commands. The user's password is set with userpasswordset.
SoftEther supports two ways of passing traffic: SecureNAT and Local Bridge. The first is a technology for building a virtual private network with its own NAT and DHCP. SecureNAT needs neither TUN/TAP nor Netfilter nor any other firewall settings: routing does not touch the kernel at all, everything runs in user space and works on any VPS/VDS regardless of the hypervisor. The price is higher CPU load and lower throughput compared with Local Bridge mode, which connects the SoftEther virtual hub to a physical network adapter or a TAP device.
Configuration in that case is more involved, since routing happens at the kernel level through Netfilter. Our VDS runs on Hyper-V, so in the last step we create a local bridge and bring up a TAP device with the command bridgecreate Suricata_VPN -device:suricata_vpn -tap:yes. After leaving the hub management console we will see a new network interface in the system that has not yet been assigned an IP address:
ifconfig
Next, enable packet forwarding between interfaces (ip forward), if it is not already enabled:
sudo nano /etc/sysctl.conf
Uncomment the following line:
net.ipv4.ip_forward = 1
Save the changes to the file, exit the editor and apply them with the following command:
sudo sysctl -p
Then we need to define a subnet for the virtual network with private (fictitious) addresses, for example 10.0.10.0/24, and assign an address to the interface. Note that the interface name is tap_ followed by the device name given to bridgecreate, limited to the 15 characters Linux allows for an interface name, which is why tap_suricata_vpn shows up as tap_suricata_vp:
sudo ifconfig tap_suricata_vp 10.0.10.1/24
Then the Netfilter rules need to be written.
1. If necessary, allow incoming packets on the listening ports (the SoftEther proprietary protocol uses HTTPS on port 443; these rules matter only if the INPUT chain does not accept by default):
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 992 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 5555 -j ACCEPT
2. Set up NAT from the 10.0.10.0/24 subnet to the server's main IP address:
sudo iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -j SNAT --to-source 45.132.17.140
3. Allow forwarding of packets from the 10.0.10.0/24 subnet:
sudo iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT
4. Allow forwarding of packets belonging to already established connections:
sudo iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
We leave automating this on system reboot (startup scripts) to the reader as homework.
If you want clients to receive IP addresses automatically, you will also have to install some DHCP service for the local bridge. This completes the server setup, and you can move on to the clients. SoftEther supports many protocols; which of them to use depends on the capabilities of the LAN equipment. The ports the server is listening on can be checked with:
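The server-side steps above (the vpncmd console commands, ip_forward, the TAP address and the four Netfilter rules) collected into one script, as an added example that is not part of the original article or of SoftEther's own documentation. It assumes a fresh install whose server admin password is still empty, feeds vpncmd a batch file through its /IN: option instead of typing the commands interactively, uses iproute2 (ip) instead of ifconfig and the conntrack match instead of the older state match, and invents a group named office and a user named router with placeholder passwords taken from the environment; the hub name, subnet and public address are the ones used in the text. The add_rule helper checks with iptables -C before appending, so re-running the script does not duplicate rules. Without arguments it only prints what it would do; run it with apply, as root, to execute.

```sh
#!/bin/sh
# Added example (not from the original article): the server-side setup
# described above as one script with a dry-run mode.
# Assumed, not on the page: the passwords, the group/user names "office"
# and "router", vpncmd's /IN: batch mode, and an empty admin password on
# a fresh install.
set -eu

HUB=Suricata_VPN
TAP_DEV=suricata_vpn      # bridgecreate /DEVICE: name; SoftEther prefixes "tap_"
TAP_IF=tap_suricata_vp    # "tap_suricata_vpn" cut to the 15-char interface name limit
VPN_SUBNET=10.0.10.0/24
VPN_GW=10.0.10.1/24
PUBLIC_IP=45.132.17.140   # address used for SNAT in the text
SERVER_PASS=${SERVER_PASS:-change-me-server}   # placeholders, set via the environment
HUB_PASS=${HUB_PASS:-change-me-hub}
USER_PASS=${USER_PASS:-change-me-user}
DRY_RUN=${DRY_RUN:-1}     # 1 = print commands only (default), 0 = execute

# run: execute a command, or just print it in dry-run mode
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# vpncmd_batch: the server-console command sequence from the text, one
# command per line as vpncmd reads it from an /IN: file. BridgeCreate is
# a server-level command, so it is issued before "Hub" switches the
# console to the virtual hub for the group and user commands.
vpncmd_batch() {
  cat <<EOF
ServerPasswordSet $SERVER_PASS
HubDelete DEFAULT
HubCreate $HUB /PASSWORD:$HUB_PASS
BridgeCreate $HUB /DEVICE:$TAP_DEV /TAP:yes
Hub $HUB
GroupCreate office /REALNAME:none /NOTE:none
UserCreate router /GROUP:office /REALNAME:none /NOTE:none
UserPasswordSet router /PASSWORD:$USER_PASS
EOF
}

configure_softether() {
  batch=$(mktemp)
  vpncmd_batch > "$batch"
  # fresh install: admin password still empty, so no /PASSWORD: yet
  run vpncmd localhost /SERVER /IN:"$batch"
  rm -f "$batch"
}

configure_forwarding() {
  # runtime equivalent of uncommenting net.ipv4.ip_forward=1 in /etc/sysctl.conf
  run sysctl -w net.ipv4.ip_forward=1
  # iproute2 form of "ifconfig tap_suricata_vp 10.0.10.1/24"
  run ip addr add "$VPN_GW" dev "$TAP_IF"
  run ip link set "$TAP_IF" up
}

# add_rule TABLE CHAIN RULE...: append a rule only if it is not already
# present (iptables -C), so the script can be re-run safely
add_rule() {
  table=$1; shift
  if [ "$DRY_RUN" = 1 ]; then echo "iptables -t $table -A $*"; return; fi
  iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

configure_firewall() {
  # 1. SoftEther listeners (only needed when INPUT does not accept by default)
  for port in 443 992 1194 5555; do
    add_rule filter INPUT -p tcp --dport "$port" -j ACCEPT
  done
  add_rule filter INPUT -p udp --dport 1194 -j ACCEPT
  # 2. SNAT the VPN subnet to the fixed public address of the VDS
  add_rule nat POSTROUTING -s "$VPN_SUBNET" -j SNAT --to-source "$PUBLIC_IP"
  # 3./4. forward new flows from the subnet and replies to established ones
  add_rule filter FORWARD -s "$VPN_SUBNET" -j ACCEPT
  add_rule filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

main() {
  configure_softether
  configure_forwarding
  configure_firewall
}

case "${1:-dry-run}" in
  apply)   DRY_RUN=0; main ;;
  dry-run) DRY_RUN=1; main ;;
esac
```

If the VDS has a dynamic public address, use -j MASQUERADE instead of the SNAT target so the rule does not have to be rewritten when the address changes. Making all of this survive a reboot is still the homework mentioned above.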
netstat -ap |grep vpnserver
Since our test router also runs Ubuntu, we install the softether-vpnclient and softether-vpncmd packages on it from the same external repository in order to use the proprietary protocol. The client needs to be started:
sudo vpnclient start
For configuration, use the vpncmd utility, choosing localhost as the machine on which vpnclient is running. All commands are entered in the console: you will need to create a virtual interface (NicCreate) and an account (AccountCreate).
In some cases you have to specify the authentication method explicitly with the AccountAnonymousSet, AccountPasswordSet, AccountCertSet and AccountSecureCertSet commands. Since we are not using DHCP, the address of the virtual adapter is set manually.
In addition, we need to enable ip forwarding (the net.ipv4.ip_forward=1 parameter in /etc/sysctl.conf) and configure static routes. If necessary, port forwarding can be configured on the VDS with Suricata to reach services installed on the local network. At this point the network connection can be considered complete.
Our planned configuration will look like this:
Configuring Suricata
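The router-side steps (vpnclient account, manually addressed virtual NIC, ip_forward, static routes) as one script, again an added example rather than code from the original article or from SoftEther. Assumed and not on the page: the account and NIC name office, the router's tunnel address 10.0.10.2, the router's existing ISP gateway 192.168.0.1, and the use of vpncmd's /IN: batch mode; the server address, hub, user and subnet are those used above. The routing part shows the ordering trap of sending all traffic through the IDS: a host route to the VDS via the ISP gateway has to exist before the default route is replaced, otherwise the tunnel's own packets would be routed into the tunnel.

```sh
#!/bin/sh
# Added example (not from the original article): router-side setup with a
# dry-run mode. Assumed, not on the page: account/NIC name "office", the
# router's tunnel address 10.0.10.2, the LAN's ISP gateway 192.168.0.1.
set -eu

VDS_IP=45.132.17.140
HUB=Suricata_VPN
VPN_USER=router
USER_PASS=${USER_PASS:-change-me-user}  # placeholder, set via the environment
NIC=office
NIC_IF=vpn_office           # vpnclient names its Linux virtual NICs vpn_<name>
TUNNEL_ADDR=10.0.10.2/24
TUNNEL_GW=10.0.10.1         # the VDS end of the tunnel (tap_suricata_vp)
ISP_GW=192.168.0.1          # assumed existing default gateway of the router
DRY_RUN=${DRY_RUN:-1}       # 1 = print commands only (default), 0 = execute

# run: execute a command, or just print it in dry-run mode
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# vpnclient_batch: client-console commands for "vpncmd localhost /CLIENT /IN:file".
# AccountPasswordSet selects standard password authentication; the other
# Account*Set commands named in the text select certificate or anonymous auth.
vpnclient_batch() {
  cat <<EOF
NicCreate $NIC
AccountCreate $NIC /SERVER:$VDS_IP:443 /HUB:$HUB /USERNAME:$VPN_USER /NICNAME:$NIC
AccountPasswordSet $NIC /PASSWORD:$USER_PASS /TYPE:standard
AccountStartupSet $NIC
AccountConnect $NIC
EOF
}

configure_vpnclient() {
  batch=$(mktemp)
  vpnclient_batch > "$batch"
  run vpncmd localhost /CLIENT /IN:"$batch"
  rm -f "$batch"
}

# No DHCP on the bridge, so the virtual NIC gets a static address, and
# forwarding is enabled on the router just as on the server.
configure_addressing() {
  run sysctl -w net.ipv4.ip_forward=1
  run ip addr add "$TUNNEL_ADDR" dev "$NIC_IF"
  run ip link set "$NIC_IF" up
}

# Static routes that send the LAN's Internet traffic through the IDS.
# The host route to the VDS must be added first: once the default route
# points into the tunnel, the tunnel's own packets would otherwise be
# routed into the tunnel as well and the connection would drop.
configure_routes() {
  run ip route add "$VDS_IP/32" via "$ISP_GW"
  run ip route replace default via "$TUNNEL_GW" dev "$NIC_IF"
}

main() {
  configure_vpnclient
  configure_addressing
  configure_routes
}

case "${1:-dry-run}" in
  apply)   DRY_RUN=0; main ;;
  dry-run) DRY_RUN=1; main ;;
esac
```

The VDS also has to know how to reach the LAN behind the router: either the router masquerades LAN traffic onto 10.0.10.2 (then nothing changes on the server), or the server gets a route to the LAN subnet via 10.0.10.2 and its SNAT and FORWARD rules are widened to include that subnet as well. Without arguments the script prints the commands; run it with apply, as root, on the router.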
To restart the IDS, use the command:
systemctl restart suricata
The solution is ready; now it should be tested to make sure it really blocks malicious activity.
Simulating an attack
There are several possible scenarios for using an external IDS service:
Protection against DDoS attacks (the primary purpose)
Such a scheme is hard to implement inside a corporate network, since the packets to be analysed have to reach the system interface that faces the Internet. Even if the IDS blocks them, the bogus traffic can saturate the uplink. To avoid this, you need to order a VPS with an Internet connection fast enough to carry all of the local network's traffic plus all of the external traffic. This is often simpler and cheaper than expanding the office channel. As an alternative, specialized DDoS protection services are worth mentioning. Their price is comparable to that of a virtual server and they need no time-consuming configuration, but there is a downside: for the money the customer gets only DDoS protection, whereas an IDS of your own can be configured however you like.
Protection against other kinds of external attacks
Suricata is able to cope with attempts to exploit various vulnerabilities in corporate network services reachable from the Internet (mail server, web server and web applications, and so on). Usually the IDS for this is placed inside the LAN behind the border devices, but placing it outside also has a right to exist.
Protection against internal threats
Despite the best efforts of the system administrator, computers on the corporate network can get infected with malware. Besides that, hooligans occasionally turn up on the local network and try to do something illegal. Suricata can help block such attempts, although to protect the internal network it is better to place it inside the perimeter and use it together with a managed switch that can mirror traffic to one port. An external IDS is not useless in this case either: at the very least it will catch attempts by malware living on the LAN to contact an external server.
First, we create another test VPS as the attacker, and on the local network's router we bring up Apache with the default configuration, after which we forward port 80 to it from the IDS server. Then we simulate a DDoS attack from the attacking node. To do this, download the small xerxes program from GitHub on the attacking node, build it and run it (you may need to install the gcc package):
git clone https://github.com/Soldie/xerxes-DDos-zanyarjamal-C.git
cd xerxes-DDos-zanyarjamal-C/
gcc xerxes.c -o xerxes
./xerxes 45.132.17.140 80
The result of its run looked like this:
Suricata cuts off the villain, and the Apache page opens quite briskly despite our attack, unsophisticated as it is, and the far-from-fast route to the "office" (in fact, home) network. For more serious tasks you should use the Metasploit Framework; first update it:
sudo msfupdate
To test, run msfconsole.
Unfortunately, recent versions of the framework no longer include automatic exploitation, so exploits have to be picked by hand and launched with the exploit command. First, it is important to see which ports are open on the attacked machine, for example with nmap (in our case it is fully replaced by netstat on the attacked host), and then select and use the appropriate ones.
There are other ways to test the resilience of the IDS to attacks, including online services. Out of curiosity, you can arrange a stress test using the trial version
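A way to check what Suricata actually dropped during the flood or the Metasploit runs, as an added example that is not part of the original article: two small filters over Suricata's fast.log, which in IPS mode marks discarded packets with [Drop]. The log lines below are constructed for the example (the rule SIDs from the 1000000+ local range, the messages and the source addresses are made up); only the field layout is the one fast.log uses. On the VDS, feed the functions the real file, for instance top_dropped_sources < /var/log/suricata/fast.log.

```sh
#!/bin/sh
# Added example (not from the original article): summarise Suricata's
# fast.log by source address, using constructed sample lines. fast.log
# format: <time>  [Drop] [**] [gid:sid:rev] msg [**] [Classification: ...]
#         [Priority: n] {PROTO} src:port -> dst:port
# "[Drop]" is present only for packets Suricata discarded in IPS mode.
set -eu

# sample_fastlog: constructed lines standing in for /var/log/suricata/fast.log
sample_fastlog() {
  cat <<'EOF'
03/17/2020-12:41:03.182540  [Drop] [**] [1:1000001:1] LOCAL HTTP flood from single source [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:40123 -> 45.132.17.140:80
03/17/2020-12:41:03.202211  [Drop] [**] [1:1000001:1] LOCAL HTTP flood from single source [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:40124 -> 45.132.17.140:80
03/17/2020-12:41:05.500800  [**] [1:1000002:1] LOCAL suspicious user agent [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 198.51.100.9:51000 -> 45.132.17.140:80
03/17/2020-12:41:06.013370  [Drop] [**] [1:1000001:1] LOCAL HTTP flood from single source [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:40125 -> 45.132.17.140:80
03/17/2020-12:41:09.777001  [Drop] [**] [1:1000003:1] LOCAL scanner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:51001 -> 45.132.17.140:22
EOF
}

# top_dropped_sources: count [Drop] lines per source IP, busiest first.
# The source is the field right after the {PROTO} token, so the rule
# message (which contains spaces and brackets) never has to be parsed.
top_dropped_sources() {
  awk '/\[Drop\]/ {
         for (i = 1; i <= NF; i++)
           if (substr($i, 1, 1) == "{") { split($(i + 1), ep, ":"); drops[ep[1]]++; break }
       }
       END { for (ip in drops) print drops[ip], ip }' | sort -rn
}

# dropped_vs_alerted: one line "dropped=N alerted=M", which shows whether
# the engine is really blocking (an alert-only IDS run shows dropped=0).
dropped_vs_alerted() {
  awk 'BEGIN { d = 0; a = 0 }
       /\[\*\*\]/ { if ($0 ~ /\[Drop\]/) d++; else a++ }
       END { printf "dropped=%d alerted=%d\n", d, a }'
}

# demo run on the constructed sample: ./fastlog-summary.sh demo
if [ "${1:-}" = demo ]; then
  sample_fastlog | top_dropped_sources
  sample_fastlog | dropped_vs_alerted
fi
```

If dropped=0 while alerts keep appearing, Suricata is running in IDS (alert-only) mode or the matching rules are not set to drop, and the attacker is not actually being blocked, however busy the log looks.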
Source: www.habr.com