Π
Ukuphefumla okanye iSuricata. Icandelo 1: Ukukhetha i-IDS/IPS yasimahla yokuKhusela iNethiwekhi yakho yeNkampani Ukuphefumla okanye iSuricata. Icandelo 2: Ufakelo kunye nokusekwa kokuqala kweSuricata
Ukudibanisa iinethiwekhi
Ukususa i-IDS kumatshini wenyani kwasekuqaleni kungafuneka kuvavanyo. Ukuba awuzange ujongane nezisombululo ezinjalo, akufanele ukhawuleze ukuya kwi-hardware yomzimba kwaye utshintshe i-architecture yenethiwekhi. Kungcono ukuqhuba inkqubo ngokukhuselekileyo nangeendleko ezifanelekileyo ukumisela iimfuno zakho zekhompyutha. Kubalulekile ukuqonda ukuba yonke i-traffic yenkampani iya kufuneka igqithwe kwindawo enye yangaphandle: ukudibanisa inethiwekhi yendawo (okanye iinethiwekhi ezininzi) kwi-VDS ene-IDS Suricata efakwe, ungasebenzisa.
sudo add-apt-repository ppa:paskal-07/softethervpn
sudo apt-get update
Ungajonga uluhlu lweepakethe ezikhoyo ngalo myalelo ulandelayo:
apt-cache search softether
Siya kufuna i-softether-vpnserver (umncedisi kuqwalaselo lovavanyo lusebenza kwi-VDS), kunye ne-softether-vpncmd - izixhobo zomgca womyalelo wokuyiqwalasela.
sudo apt-get install softether-vpnserver softether-vpncmd
Usetyenziso olukhethekileyo lomgca womyalelo lusetyenziselwa ukuqwalasela umncedisi:
sudo vpncmd
Asiyi kuthetha ngokubanzi malunga nokucwangcisa: inkqubo ilula kakhulu, ichazwe kakuhle kwiincwadi ezininzi kwaye ayihambelani ngqo nesihloko senqaku. Ngamafutshane, emva kokuqala i-vpncmd, kufuneka ukhethe into 1 ukuya kwi-console yokulawula iseva. Ukwenza oku, kufuneka ufake igama lendawo kwaye ucinezele u-enter endaweni yokufaka igama le hub. Igama eligqithisiweyo lomlawuli libekwe kwi-console kunye nomyalelo we-serverpasswordset, i-DEFAULT i-hub ebonakalayo iyacinywa (umyalelo we-hubdelete) kwaye entsha yenziwe ngegama elithi Suricata_VPN, kunye negama lokugqitha libekwe (hubcreate command). Emva koko, kufuneka uye kwikhonsoli yokulawula yehabhu entsha usebenzisa i-hub Suricata_VPN umyalelo wokudala iqela kunye nomsebenzisi usebenzisa i-groupcreate kunye nemiyalelo yomsebenzisi. Igama lokugqithisa lomsebenzisi limiselwe kusetyenziswa isethi yegama lokugqitha.
I-SoftEther isekela iindlela ezimbini zokudlulisa i-traffic: SecureNAT kunye neBhulorho yeNdawo. Eyokuqala bubuchwephesha bobunini bokwakha inethiwekhi yabucala ebonakalayo eneNAT yayo kunye neDHCP. I-SecureNAT ayifuni i-TUN/TAP okanye i-Netfilter okanye ezinye iisetingi zomlilo. Umzila awuchaphazeli undoqo wenkqubo, kwaye zonke iinkqubo zenziwe ngokubonakalayo kwaye zisebenza kuyo nayiphi na i-VPS / VDS, kungakhathaliseki ukuba i-hypervisor esetyenziswayo. Oku kubangela ukwanda komthwalo we-CPU kunye nesantya esicothayo xa kuthelekiswa nemowudi yeBhulorho yeNdawo, edibanisa i-hub ye-SoftEther ebonakalayo kwi-adapter yenethiwekhi yomzimba okanye isixhobo se-TAP.
Uqwalaselo kulo mzekelo luba nzima ngakumbi, kuba umzila wenziwa kwinqanaba le-kernel usebenzisa i-Netfilter. I-VDS yethu yakhiwe kwi-Hyper-V, ngoko ke kwinqanaba lokugqibela senza ibhuloho yendawo kwaye sisebenze isixhobo se-TAP kunye ne-bridgecreate Suricate_VPN -device: suricate_vpn -tap: ewe umyalelo. Emva kokuphuma kwikhonsoli yolawulo lwehabhu, siya kubona ujongano olutsha lwenethiwekhi kwinkqubo engekabelwa iIP:
ifconfig
Okulandelayo, kuya kufuneka wenze ipakethe indlela phakathi kojongano (ip phambili), ukuba ayisebenzi:
sudo nano /etc/sysctl.conf
Sukuphawula lo mgca ulandelayo:
net.ipv4.ip_forward = 1
Gcina utshintsho kwifayile, phuma kumhleli kwaye uzisebenzise ngalo myalelo ulandelayo:
sudo sysctl -p
Okulandelayo, kufuneka sichaze i-subnet yenethiwekhi yenyani kunye nee-IP ezikhohlisayo (umzekelo, 10.0.10.0/24) kwaye sinikeze idilesi kujongano:
sudo ifconfig tap_suricata_vp 10.0.10.1/24
Emva koko kufuneka ubhale imithetho ye-Netfilter.
1. Ukuba kuyimfuneko, vumela iipakethi ezingenayo kwii-port zokumamela (i-SoftEther proprietary protocol isebenzisa i-HTTPS kunye ne-port 443)
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 992 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 5555 -j ACCEPT
2. Cwangcisa i-NAT ukusuka kwi-10.0.10.0/24 subnet ukuya kumncedisi oyintloko we-IP
sudo iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -j SNAT --to-source 45.132.17.140
3. Vumela iipakethi ezidlulayo kwi-subnet 10.0.10.0/24
sudo iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT
4. Vumela iipakethi zokupasa kuqhagamshelwano olusele lusekiwe
sudo iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
Siya kushiya i-automation yenkqubo xa inkqubo iphinda iqaliswe kusetyenziswa izikripthi zokuqalisa kubafundi njengomsebenzi wasekhaya.
Ukuba ufuna ukunika i-IP kubathengi ngokuzenzekelayo, kuya kufuneka kwakhona ufake uhlobo oluthile lwenkonzo ye-DHCP kwibhulorho yendawo. Oku kugqiba ukuseta iseva kwaye ungaya kubaxhasi. ISoftEther ixhasa iiprotocol ezininzi, ukusetyenziswa kwazo kuxhomekeke kubuchule bezixhobo zeLAN.
netstat -ap |grep vpnserver
Ekubeni i-router yethu yokuvavanya isebenza phantsi kwe-Ubuntu, masifake i-softether-vpnclient kunye ne-softether-vpncmd iiphakheji ezivela kwindawo yokugcina yangaphandle ukuze sisebenzise iprotocol yobunikazi. Kuya kufuneka uqhube umxhasi:
sudo vpnclient start
Ukuqwalasela, sebenzisa into eluncedo ye-vpncmd, ukhetha inginginya yendawo njengomatshini apho i-vpnclient isebenza khona. Yonke imiyalelo yenziwe kwikhonsoli: kuya kufuneka wenze ujongano olubonakalayo (NicCreate) kunye neakhawunti (AccountCreate).
Kwezinye iimeko, kufuneka ucacise indlela yokuqinisekisa usebenzisa i-AkhawuntiAnonymousSet, i-AkhawuntiPasswordSet, i-AccountCertSet, kunye nemiyalelo ye-AccountSecureCertSet. Ekubeni singasebenzisi i-DHCP, idilesi ye-adapter ebonakalayo isetwa ngesandla.
Ukongeza, kufuneka sivumele i-ip phambili (inketho net.ipv4.ip_forward=1 kwifayile /etc/sysctl.conf) kwaye uqwalasele iindlela ezimileyo. Ukuba kuyimfuneko, kwi-VDS kunye neSuricata, ungaqwalasela ukuthunyelwa kwezibuko ukusebenzisa iinkonzo ezifakwe kwinethiwekhi yendawo. Kule nto, ukudityaniswa kwenethiwekhi kunokuqwalaselwa ngokupheleleyo.
Ulungelelwaniso lwethu olucetywayo luya kujongeka ngolu hlobo:
Ukumisela iSuricata
Π
Ukuqalisa kwakhona i-IDS, sebenzisa lo myalelo:
systemctl restart suricata
Isisombululo silungile, ngoku unokufuna ukuvavanya ukuchasana nezenzo ezinobungozi.
Ukulinganisa uhlaselo
Kunokubakho iimeko ezininzi zokulwa nokusetyenziswa kwenkonzo ye-IDS yangaphandle:
Ukukhuselwa kuhlaselo lweDDoS (injongo ephambili)
Kunzima ukuphumeza ukhetho olunjalo ngaphakathi kwenethiwekhi yenkampani, kuba iipakethi zohlalutyo kufuneka zifike kujongano lwenkqubo olujonga kwi-Intanethi. Nokuba i-IDS iyabavimba, itrafikhi ekhohlisayo inokuthoba ikhonkco ledatha. Ukuze ugweme oku, kufuneka u-odole i-VPS enoqhagamshelo lwe-Intanethi olunemveliso ngokwaneleyo enokuthi idlule yonke i-traffic yenethiwekhi yendawo kunye nayo yonke i-traffic yangaphandle. Kuhlala kulula kwaye kutshiphu ukwenza oku kunokwandisa itshaneli yeofisi. Njengenye indlela, kufanelekile ukukhankanya iinkonzo ezikhethekileyo zokukhusela kwi-DDoS. Iindleko zeenkonzo zabo zithelekiseka neendleko zomncedisi wenyani, kwaye ayifuni uqwalaselo oluchitha ixesha, kodwa kukwakho nezinto ezingeloncedo - umxhasi ufumana ukhuseleko lweDDoS kuphela ngemali yakhe, ngelixa i-IDS yakhe inokuqwalaselwa njengawe. njengaye.
Ukukhuselwa ekuhlaselweni kwangaphandle kwezinye iintlobo
I-Suricata iyakwazi ukujamelana neenzame zokusebenzisa ubuthathaka obahlukeneyo kwiinkonzo zenethiwekhi ezihlangeneyo ezifumaneka kwi-Intanethi (iseva ye-imeyile, iseva yewebhu kunye nezicelo zewebhu, njl. njl.). Ngokuqhelekileyo, kule nto, i-IDS ifakwe ngaphakathi kwe-LAN emva kwezixhobo zomda, kodwa ukuyithatha ngaphandle kunelungelo lokuba khona.
Ukukhuselwa kwabangaphakathi
Ngaphandle kweenzame ezilungileyo zomlawuli wenkqubo, iikhomputha kuthungelwano lwenkampani zinokosulelwa yi-malware. Ukongeza, ama-hooligan ngamanye amaxesha avela kwindawo yendawo, azama ukwenza imisebenzi engekho mthethweni. I-Suricata inokunceda ukuvimba iinzame ezinjalo, nangona ukukhusela inethiwekhi yangaphakathi kungcono ukuyifaka ngaphakathi kwi-perimeter kwaye uyisebenzise kwi-tandem kunye ne-switch elawulwayo ekwazi ukubonisa i-traffic kwi-port enye. I-IDS yangaphandle nayo ayinamsebenzi kule meko - ubuncinane iya kukwazi ukubamba iinzame nge-malware ehlala kwi-LAN ukuqhagamshelana nomncedisi wangaphandle.
Ukuqala, siza kudala olunye uvavanyo oluhlasela i-VPS, kwaye kwi-router yenethiwekhi yendawo siya kuphakamisa i-Apache kunye noqwalaselo olungagqibekanga, emva koko siya kuthumela i-port ye-80 kuyo kwi-IDS iseva. Okulandelayo, siyakulinganisa uhlaselo lwe-DDoS kumkhosi ohlaselayo. Ukwenza oku, khuphela kwi-GitHub, qulunqa kwaye usebenzise inkqubo encinci ye-xerxes kwindawo yokuhlasela (kunokufuneka ufake iphakheji ye-gcc):
git clone https://github.com/Soldie/xerxes-DDos-zanyarjamal-C.git
cd xerxes-DDos-zanyarjamal-C/
gcc xerxes.c -o xerxes
./xerxes 45.132.17.140 80
Isiphumo somsebenzi wakhe saba ngolu hlobo lulandelayo:
I-Suricata inqumle i-villain, kwaye iphepha le-Apache livula ngokungagqibekanga, ngaphandle kohlaselo lwethu lwe-impromptu kunye nejelo elifileyo lenethiwekhi "yeofisi" (yekhaya ngokwenene). Ngemisebenzi enzima ngakumbi, kufuneka usebenzise
sudo msfupdate
Ukuvavanya, sebenzisa i-msfconsole.
Ngelishwa, iinguqulelo zamva nje zesakhelo azinawo amandla okuqhekeka ngokuzenzekelayo, ke ukuxhaphaza kuya kufuneka kuhlelwe ngesandla kwaye kuqhutywe usebenzisa umyalelo wokusetyenziswa. Ukuqala, kufanelekile ukumisela izibuko ezivulekileyo kumatshini ohlaselweyo, umzekelo, ukusebenzisa i-nmap (kwimeko yethu, iya kutshintshwa ngokupheleleyo yi-netstat kumamkeli ohlaselwe), kwaye emva koko ukhethe kwaye usebenzise efanelekileyo.
Kukho ezinye iindlela zokuvavanya ukomelela kwe-IDS kuhlaselo, kuquka neenkonzo ze-intanethi. Ngenxa yokufuna ukwazi, ungalungiselela uvavanyo loxinzelelo usebenzisa inguqulo yesilingo
umthombo: www.habr.com