Abahlaziyi begciwane kanye nabacwaningi bezokuphepha bekhompyutha bagijima ukuqoqa amasampula amaningi ama-botnets amasha ngangokunokwenzeka. Basebenzisa izimbiza zoju ngezinjongo zabo... Kodwa kuthiwani uma ufuna ukubona uhlelo olungayilungele ikhompuyutha ezimeni zangempela? Beka iseva yakho noma irutha engozini? Kuthiwani uma lungekho umshini ofanele? Yile mibuzo eyangenza ngenze i-bhunter, ithuluzi lokuthola ukufinyelela kumanodi e-botnet.
Umbono oyinhloko
Kunezindlela eziningi zokusabalalisa uhlelo olungayilungele ikhompuyutha ukuze unwebe ama-botnets: ukusuka ebugebengwini bokweba imininingwane ebucayi kuye ekusebenziseni ubungozi bezinsuku ezingu-0. Kodwa indlela ejwayeleke kakhulu kuseyi-password ye-SSH ephoqelela ngesihluku.
Umbono ulula kakhulu. Uma enye i-botnet node izama ukuphoqelela amagama ayimfihlo eseva yakho, cishe le nodi ngokwayo yathwetshulwa amaphasiwedi alula aphoqelela ngesihluku. Lokhu kusho ukuthi ukuze ukwazi ukuyifinyelela, udinga nje ukuphindisela.
Yile ndlela kanye ibhunter esebenza ngayo. Ilalela i-port 22 (isevisi ye-SSH) futhi iqoqa wonke ama-login nama-password abazama ngawo ukuxhuma kuwo. Bese, isebenzisa amaphasiwedi aqoqiwe, izama ukuxhuma kumanodi ahlaselayo.
Umsebenzi we-algorithm
Uhlelo lungahlukaniswa lube izingxenye ezi-2 eziyinhloko, ezisebenza ngemicu ehlukene. Eyokuqala imbiza yoju. Icubungula imizamo yokungena, iqoqa ukungena ngemvume okuyingqayizivele namagama ayimfihlo (kulokhu, ukubhanqwa kokungena + kwephasiwedi kubhekwa njengokuphelele), futhi yengeza amakheli e-IP azame ukuxhuma kulayini ukuze ahlaselwe okwengeziwe.
Ingxenye yesibili ibhekene ngqo nokuhlasela. Ngaphezu kwalokho, ukuhlasela kwenziwa ngezindlela ezimbili: I-BurstAttack (ukuhlasela kokuqhuma) - ukungena kwamandla okuhlukumeza kanye namaphasiwedi ohlwini olujwayelekile kanye ne-SingleShotAttack (ukuhlasela kwesibhamu esisodwa) - amaphasiwedi e-brute force asetshenziswe indawo ehlaselwe, kodwa abengakatholakali. kwengezwe ohlwini olujwayelekile.
Ukuze okungenani ube nemininingwane egciniwe yokungena namaphasiwedi ngokushesha ngemva kokwethulwa, i-bhunter iqalwa ngohlu olusuka kufayela /etc/bhunter/defaultLoginPairs.
isikhombikubona
Kunezindlela eziningi zokuqalisa i-bhunter:
Njengeqembu nje
sudo bhunterNgalokhu kwethulwa, kungenzeka ukulawula i-bhunter ngemenyu yayo yombhalo: engeza ukungena ngemvume namaphasiwedi okuhlasela, thumela isizindalwazi sokungena ngemvume namaphasiwedi, ucacise okuhlosiwe kokuhlasela. Wonke ama-node agqekeziwe angabonwa kufayela /var/log/bhunter/hacked.log
Ukusebenzisa i-tmux
sudo bhunter-ts # ΠΊΠΎΠΌΠ°Π½Π΄Π° Π·Π°ΠΏΡΡΠΊΠ° bhunter ΡΠ΅ΡΠ΅Π· tmux
sudo tmux attach -t bhunter # ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ°Π΅ΠΌΡΡ ΠΊ ΡΠ΅ΡΡΠΈΠΈ, Π² ΠΊΠΎΡΠΎΡΠΎΠΉ Π·Π°ΠΏΡΡΠ΅Π½ bhunter
I-Tmux iyi-multiplexer yokugcina, ithuluzi elilula kakhulu. Ikuvumela ukuthi udale amawindi amaningana ngaphakathi kwetheminali eyodwa, futhi uhlukanise amawindi abe amaphaneli. Ngokuyisebenzisa, ungaphuma kutheminali bese ungena ngaphandle kokuphazamisa izinqubo ezisebenzayo.
Iskripthi se-bhunter-ts sidala iseshini ye-tmux futhi sihlukanise iwindi libe ngamaphaneli amathathu. Eyokuqala, enkulu kunazo zonke, iqukethe imenyu yombhalo. Ephezulu kwesokudla iqukethe izingodo zebhodwe lezinyosi, lapha ungabona imilayezo mayelana nemizamo yokungena ebhodweni lezinyosi. Iphaneli engezansi kwesokudla ibonisa ulwazi mayelana nenqubekelaphambili yokuhlaselwa kwama-botnet node kanye nama-hacks aphumelele.
Inzuzo yale ndlela ngaphezu kweyokuqala ukuthi singavala ngokuphephile i-terminal futhi sibuyele kuyo kamuva, ngaphandle kokuthi i-bhunter imise umsebenzi wayo. Kulabo abajwayelene kancane ne-tmux, ngiphakamisa .
Njengenkonzo
systemctl enable bhunter
systemctl start bhunterKulokhu, sinika amandla i-bhunter autostart ekuqaleni kwesistimu. Ngale ndlela, ukusebenzisana ne-bhunter akunikeziwe, futhi uhlu lwama-node agqekeziwe lungatholakala ku-/var/log/bhunter/hacked.log
Ukuphumelela
Ngenkathi ngisebenza kubhunter, ngikwazile ukuthola nokufinyelela kumadivayisi ahluke ngokuphelele: i-raspberry pi, ama-routers (ikakhulukazi i-mikrotik), amaseva ewebhu, kanye nepulazi lezimayini (ngeshwa, ukufinyelela kulo kwakuphakathi nosuku, ngakho-ke kwakungekho okuthakazelisayo. indaba). Nasi isithombe-skrini sohlelo, esibonisa uhlu lwama-node agqekeziwe ngemva kwezinsuku ezimbalwa zokusebenza:
Ngeshwa, ukusebenza kwaleli thuluzi akuzange kufinyelele engikulindele: ibhunter ingazama amaphasiwedi kumanodi izinsuku ezimbalwa ngaphandle kwempumelelo, futhi ingagenca okuhlosiwe okumbalwa emahoreni ambalwa. Kodwa lokhu kwanele ukuthutheleka okujwayelekile kwamasampula e-botnet amasha.
Ukusebenza kuthonywa amapharamitha afana nalawa: izwe lapho iseva ene-bhunter ikhona, ukusingathwa, kanye nobubanzi lapho ikheli lasesizindeni se-inthanethi linikezwa khona. Ngokuhlangenwe nakho kwami, kwakukhona icala lapho ngiqasha amaseva amabili abonakalayo kumphathi oyedwa, futhi omunye wabo wahlaselwa ama-botnets izikhathi ezingu-2 kaningi.
Iziphazamisi engingakazilungisi
Uma uhlasela ababungazi abathelelekile, kwezinye izimo akwenzeki ukucacisa ngokusobala ukuthi igama-mfihlo lilungile noma cha. Izimo ezinjalo zifakwe kufayela /var/log/debug.log.
Imojula yeParamiko, esetshenziselwa ukusebenza ne-SSH, ngezinye izikhathi iziphatha ngendlela engafanele: ilinda ngokungapheli impendulo evela kumsingathi lapho izama ukuxhuma kuyo. Ngazama ukusebenzisa izikhathi, kodwa angiwutholanga umphumela engangiwufuna
Yini enye okudingeka kusetshenzwe ngayo?
Igama lesevisi
Ngokuya nge-RFC-4253, iklayenti kanye namagama ashintshisana neseva amasevisi asebenzisa iphrothokholi ye-SSH ngaphambi kokufakwa. Leli gama liqukethwe kunkambu ethi βSERVICE NAMEβ, eliqukethwe kukho kokubili esicelweni sohlangothi lweklayenti kanye nasempendulweni evela ohlangothini lweseva. Inkambu iyiyunithi yezinhlamvu, futhi inani layo lingatholwa kusetshenziswa i-wireshark noma i-nmap. Nasi isibonelo se-OpenSSH:
$ nmap -p 22 ***.**.***.** -sV
Starting Nmap ...
PORT STATE SERVICE VERSION
22/tcp open ssh <b>OpenSSH 7.9p1 Debian 10+deb10u2</b> (protocol 2.0)
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
Kodwa-ke, endabeni yeParamiko, le nkambu iqukethe intambo efana ne-"Paramiko Python sshd 2.4.2", engathusa ama-botnets aklanyelwe "ukugwema" izicupho. Ngakho-ke, ngicabanga ukuthi kuyadingeka ukufaka esikhundleni salo mugqa ngokuthile okungathathi hlangothi.
Amanye ama-vector
I-SSH akuyona ukuphela kwendlela yokuphatha kude. Kukhona futhi i-telnet, rdp. Kuyafaneleka ukubabhekisisa.
Isandiso
Kungaba kuhle ukuba nezicupho ezimbalwa emazweni ahlukene futhi siqoqe ukungena, amagama ayimfihlo kanye namanodi agqekeziwe kusuka kuwo kuya kusizindalwazi esivamile.
Ngingalanda kuphi?
Ngesikhathi sokubhala, inguqulo yokuhlola kuphela elungile, engalandwa kuyo .
Source: www.habr.com