Snort or Suricata. Part 3: protecting the office network

In the previous article we showed how to run the stable version of Suricata on Ubuntu 18.04 LTS. Setting up an IDS on a single node and connecting free rule sets is quite simple. Today we will look at how to protect a corporate network from the most common types of attack using Suricata installed on a virtual server. For this we need a Linux VDS with two compute cores. The amount of RAM depends on the load: for some 2 GB is enough, but for serious tasks 4 or 6 may be needed. The advantage of a virtual machine is the ability to experiment: you can start with a minimal configuration and add resources as needed.

Photo: Reuters

Connecting the networks

Deploying an IDS on a virtual machine is useful primarily for testing. If you have never dealt with such solutions, there is no need to rush into ordering physical hardware and changing the network architecture. It is better to try the system out safely and without extra cost in order to determine your computing resource requirements. It is important to understand that all corporate traffic will have to pass through a single external node: to connect a local network (or several networks) to a VDS with the Suricata IDS installed, you can use SoftEther, a cross-platform VPN server that is easy to configure and provides strong encryption. The office Internet connection may not have a public IP, so it is better to set the server up on the VPS. There are no ready-made packages in the Ubuntu repository; the software has to be downloaded from the project website or from an external repository on the Launchpad service (if you trust it):

sudo add-apt-repository ppa:paskal-07/softethervpn
sudo apt-get update

You can view the list of available packages with the following command:

apt-cache search softether


We need softether-vpnserver (in the test configuration the server runs on the VDS) and softether-vpncmd, the command-line utility for configuring it.

sudo apt-get install softether-vpnserver softether-vpncmd

To configure the server, use the dedicated command-line utility:

sudo vpncmd


We will not go into the setup in detail: the procedure is quite simple, it is well described in numerous manuals, and it is not directly related to the subject of this article. In short, after launching vpncmd you select item 1 to enter the server management console. To do this, enter the name localhost, and press Enter instead of entering a hub name. In the console, set the administrator password with the serverpasswordset command, delete the DEFAULT virtual hub (hubdelete command) and create a new one named Suricata_VPN, setting its password (hubcreate command). Next, go to the management console of the new hub with the hub Suricata_VPN command to create a group and a user with the groupcreate and usercreate commands. The user password is set with userpasswordset.

SoftEther supports two traffic forwarding modes: SecureNAT and Local Bridge. The first is a proprietary technology for building a virtual private network with its own NAT and DHCP. SecureNAT does not require TUN/TAP, nor Netfilter or other firewall settings. Routing does not touch the system kernel, all processing is virtualised, and it works on any VPS/VDS regardless of the hypervisor used. The price is higher CPU load and lower throughput compared to Local Bridge mode, which connects the SoftEther virtual hub to a physical network adapter or a TAP device.

Configuration in this case is more involved, since routing is done at kernel level via Netfilter. Our VDS runs on Hyper-V, so as the last step we create a local bridge and enable the TAP device with the command bridgecreate Suricate_VPN -device:suricate_vpn -tap:yes. After leaving the hub management console we will see a new network interface in the system, which has not yet been assigned an IP:
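The server-side steps above, run non-interactively, as an added example that is not part of the original article. The hub and TAP device names are the article's; the group and user names (`office`, `office-router`) are assumptions. The command list is fed to vpncmd through `/IN:` from a private temporary file so that the passwords are not passed on the command line; command and parameter names (`HubCreate /PASSWORD:`, `UserCreate /GROUP:`, `BridgeCreate /DEVICE: /TAP:`) follow the SoftEther command reference, and the article's `-param:` spelling is assumed to be the same parameters written differently.

```shell
#!/bin/sh
# Added example: scripted SoftEther server setup for the hub, user and
# local bridge described in the article. Not the article's own code.
# Assumed names: VPN_GROUP and VPN_USER. Passwords come from the environment
# (ADMIN_PW, HUB_PW, USER_PW) when apply_server_setup is run.
HUB="${HUB:-Suricata_VPN}"
TAP_DEVICE="${TAP_DEVICE:-suricata_vpn}"
VPN_GROUP="${VPN_GROUP:-office}"            # assumption
VPN_USER="${VPN_USER:-office-router}"       # assumption
VPNCMD="${VPNCMD:-vpncmd}"                  # point at a stub for a dry run

# server_script ADMIN_PW HUB_PW USER_PW: print the vpncmd command list,
# one command per line, in the order the article performs the steps.
# "Hub" switches the session to the new hub for the group/user commands.
server_script() {
  printf '%s\n' \
    "ServerPasswordSet $1" \
    "HubDelete DEFAULT" \
    "HubCreate $HUB /PASSWORD:$2" \
    "Hub $HUB" \
    "GroupCreate $VPN_GROUP /REALNAME:none /NOTE:none" \
    "UserCreate $VPN_USER /GROUP:$VPN_GROUP /REALNAME:none /NOTE:none" \
    "UserPasswordSet $VPN_USER /PASSWORD:$3" \
    "BridgeCreate $HUB /DEVICE:$TAP_DEVICE /TAP:yes"
}

# apply_server_setup: write the command list to a mode-0600 temp file, run
# vpncmd in server-administration mode (/SERVER) reading it (/IN:), and
# remove the file afterwards. A fresh install has an empty administrator
# password, so no /PASSWORD: is given for this first login (assumption).
apply_server_setup() {
  : "${ADMIN_PW:?set ADMIN_PW}" "${HUB_PW:?set HUB_PW}" "${USER_PW:?set USER_PW}"
  umask 077
  script="$(mktemp)" || return 1
  server_script "$ADMIN_PW" "$HUB_PW" "$USER_PW" > "$script"
  "$VPNCMD" localhost /SERVER /IN:"$script"
  rc=$?
  rm -f "$script"
  return $rc
}

case "${1:-}" in
  apply) apply_server_setup ;;
esac
```

Run as `ADMIN_PW=... HUB_PW=... USER_PW=... sh softether-server.sh apply` on the VDS. Because the script deletes the DEFAULT hub and replaces the administrator password, it is meant for a freshly installed server; on a server that already has a password, vpncmd will prompt for it.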

ifconfig


Next you need to enable packet forwarding between the virtual interfaces (ip forward), if it is not already enabled:

sudo nano /etc/sysctl.conf

Uncomment the following line:

net.ipv4.ip_forward = 1

Save the changes to the file, exit the editor and apply them with the following command:

sudo sysctl -p

Next, we need to define a subnet with private IPs for the virtual network (for example, 10.0.10.0/24) and assign an address to the virtual interface:

sudo ifconfig tap_suricata_vp 10.0.10.1/24

Then you need to set up the Netfilter rules.

1. If necessary, allow incoming packets on the listening ports (SoftEther's own protocol uses HTTPS on port 443)

sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 992 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 5555 -j ACCEPT

2. Set up NAT from the 10.0.10.0/24 subnet to the server's main IP

sudo iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -j SNAT --to-source 45.132.17.140

3. Allow forwarded packets from the 10.0.10.0/24 subnet

sudo iptables -A FORWARD -s 10.0.10.0/24 -j ACCEPT

4. Allow forwarded packets belonging to established connections

sudo iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

Making this persist across reboots with init scripts is left as homework for the reader.
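One way to do that homework, as an added example that is not the article's own code: a script that applies the four groups of rules above idempotently, so it can be run from a boot-time unit without piling up duplicates. It assumes the article's public IP and VPN subnet; override `PUBLIC_IP`, `VPN_SUBNET` and `IPT` for your server.

```shell
#!/bin/sh
# Added example (not from the article): apply the Netfilter rules from the
# text so that repeated runs (e.g. at every boot) leave exactly one copy of
# each rule. Values below are the article's; change them for your server.
VPN_SUBNET="${VPN_SUBNET:-10.0.10.0/24}"
PUBLIC_IP="${PUBLIC_IP:-45.132.17.140}"
IPT="${IPT:-iptables}"      # point this at a stub (e.g. IPT=echo) for a dry run
SYSCTL="${SYSCTL:-sysctl}"

# add_rule TABLE CHAIN MATCH...: append the rule only if "iptables -C"
# (check) reports that it is not already present.
add_rule() {
  table="$1"; chain="$2"; shift 2
  if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  "$IPT" -t "$table" -A "$chain" "$@"
}

# apply_rules: the article's four steps, in order.
apply_rules() {
  # 1. SoftEther listeners. 443 carries its own protocol; 992, 1194 and
  #    5555 are the additional default listeners, drop them if unused.
  for p in tcp/443 tcp/992 tcp/1194 udp/1194 tcp/5555; do
    proto="${p%/*}"; port="${p#*/}"
    add_rule filter INPUT -p "$proto" -m "$proto" --dport "$port" -j ACCEPT
  done
  # 2. Source NAT for the VPN subnet behind the server's public address
  add_rule nat POSTROUTING -s "$VPN_SUBNET" -j SNAT --to-source "$PUBLIC_IP"
  # 3. Forward packets originating in the VPN subnet
  add_rule filter FORWARD -s "$VPN_SUBNET" -j ACCEPT
  # 4. Forward replies belonging to established connections
  add_rule filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# enable_forwarding: runtime equivalent of net.ipv4.ip_forward = 1 in
# /etc/sysctl.conf (the file edit above keeps it across reboots).
enable_forwarding() {
  "$SYSCTL" -w net.ipv4.ip_forward=1 >/dev/null
}

case "${1:-}" in
  apply) enable_forwarding && apply_rules ;;
esac
```

Run it as `sh vpn-firewall.sh apply` from a systemd oneshot unit (or an equivalent init script). Note that the rules are appended: if an earlier rule in INPUT or FORWARD already drops the traffic, these will never be reached, and a default DROP policy on FORWARD still applies to anything outside the VPN subnet, which is what you want on an IDS box.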

If you want clients to receive IPs automatically, you will also need to install some kind of DHCP service for the local bridge. At this point the server setup is complete and you can move on to the clients. SoftEther supports many protocols; which one to use depends on the capabilities of the local network equipment.

netstat -ap |grep vpnserver


Since our test router runs Ubuntu, we will install the softether-vpnclient and softether-vpncmd packages from the external repository in order to use SoftEther's own protocol. Start the client:

sudo vpnclient start

For configuration, use the vpncmd utility, selecting localhost as the machine on which vpnclient is running. All commands are executed in the console: you need to create a virtual interface (NicCreate) and an account (AccountCreate).

Depending on the case, set the authentication method with the AccountAnonymousSet, AccountPasswordSet, AccountCertSet or AccountSecureCertSet command. Since we are not using DHCP, the address of the virtual adapter is set manually.

In addition, we need to enable ip forward (the net.ipv4.ip_forward=1 parameter in /etc/sysctl.conf) and configure static routes. If necessary, port forwarding can be set up on the VDS with Suricata in order to reach services installed in the local network. At this point the merging of the networks can be considered complete.
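The client-side steps described in the last three paragraphs, scripted the same way, as an added example that is not part of the original article. The hub and user names match the server side; the VDS address and listener port, the NIC and account names, the client's tunnel address and the uplink gateway are assumptions. `AccountCreate`'s `/SERVER: /HUB: /USERNAME: /NICNAME:` parameters and `AccountPasswordSet`'s `/TYPE:standard` follow the SoftEther command reference.

```shell
#!/bin/sh
# Added example (not from the article): configure the office router's
# SoftEther client, give the virtual adapter its static address and route
# the office through the IDS on the VDS. Assumed values are marked.
VDS_HOST="${VDS_HOST:-45.132.17.140:443}"   # VDS public IP : listener port
HUB="${HUB:-Suricata_VPN}"
VPN_USER="${VPN_USER:-office-router}"       # assumption (as on the server)
NIC="${NIC:-office}"                        # SoftEther names the device vpn_office
ACCOUNT="${ACCOUNT:-ids}"                   # assumption
CLIENT_ADDR="${CLIENT_ADDR:-10.0.10.2/24}"  # assumption: router's tunnel address
VDS_VPN_ADDR="${VDS_VPN_ADDR:-10.0.10.1}"   # VDS end of the tunnel (article)
WAN_GW="${WAN_GW:-192.0.2.1}"               # assumption: router's uplink gateway
VPNCMD="${VPNCMD:-vpncmd}"

# client_script USER_PW: vpncmd commands for the client, one per line.
client_script() {
  printf '%s\n' \
    "NicCreate $NIC" \
    "AccountCreate $ACCOUNT /SERVER:$VDS_HOST /HUB:$HUB /USERNAME:$VPN_USER /NICNAME:$NIC" \
    "AccountPasswordSet $ACCOUNT /PASSWORD:$1 /TYPE:standard" \
    "AccountStartupSet $ACCOUNT" \
    "AccountConnect $ACCOUNT"
}

# apply_client_setup: run the command list in client mode (/CLIENT) from a
# private temp file, then do the manual addressing the article calls for.
apply_client_setup() {
  : "${USER_PW:?set USER_PW}"
  umask 077
  script="$(mktemp)" || return 1
  client_script "$USER_PW" > "$script"
  "$VPNCMD" localhost /CLIENT /IN:"$script"
  rc=$?
  rm -f "$script"
  [ "$rc" -eq 0 ] || return "$rc"

  ip addr add "$CLIENT_ADDR" dev "vpn_$NIC"
  ip link set "vpn_$NIC" up
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  # The tunnel itself must keep reaching the VDS over the existing uplink,
  # otherwise the next line would try to send the VPN through the VPN.
  ip route add "${VDS_HOST%%:*}/32" via "$WAN_GW"
  # Everything else leaving the office goes through the IDS on the VDS.
  ip route replace default via "$VDS_VPN_ADDR" dev "vpn_$NIC"
}

case "${1:-}" in
  apply) apply_client_setup ;;
esac
```

Run as `USER_PW=... sh softether-client.sh apply` on the router. The SNAT rule on the VDS only covers 10.0.10.0/24, so LAN clients behind the router must themselves be masqueraded behind the router's tunnel address (or that rule must be extended to the office prefix) before their Internet traffic will flow.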

Our proposed configuration looks like this:

(Diagram of the proposed configuration; image in the original article)

Setting up Suricata

In the previous article we discussed two IDS operating modes: via NFQUEUE (NFQ mode) and via zero copy (AF_PACKET mode). The second requires two interfaces but is faster; we will use it. The option is set by default in /etc/default/suricata. We also need to edit the vars section of /etc/suricata/suricata.yaml, registering the virtual subnet there as the home network.
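The two settings just named, applied and checked from a script, as an added example that is not the article's own code. The file paths are the Ubuntu package defaults and the article's; the `LISTENMODE` and `IFACE` keys in /etc/default/suricata are assumed to be those of the Ubuntu package, the interface name is the article's TAP device, and GNU sed is assumed for `sed -i`.

```shell
#!/bin/sh
# Added example (not from the article): set the virtual subnet as HOME_NET
# in the vars section of suricata.yaml, select AF_PACKET mode and the
# listening interface in /etc/default/suricata, then test-parse the config.
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"
SURICATA_DEFAULT="${SURICATA_DEFAULT:-/etc/default/suricata}"
VPN_SUBNET="${VPN_SUBNET:-10.0.10.0/24}"
VPN_IFACE="${VPN_IFACE:-tap_suricata_vp}"   # interface from the article

# set_home_net FILE SUBNET: rewrite the active HOME_NET entry. Commented
# alternatives shipped in the default file (#HOME_NET: ...) are left alone,
# and EXTERNAL_NET keeps its default "!$HOME_NET", so it follows the change.
set_home_net() {
  sed -i "s|^\( *HOME_NET: *\).*|\1\"[$2]\"|" "$1"
}

# get_home_net FILE: print the active HOME_NET value without its quotes.
get_home_net() {
  sed -n 's/^ *HOME_NET: *"\(.*\)".*/\1/p' "$1"
}

# set_key_value FILE KEY VALUE: KEY=VALUE in a shell-style defaults file,
# replacing an existing assignment or appending a new one.
set_key_value() {
  if grep -q "^$2=" "$1"; then
    sed -i "s|^$2=.*|$2=$3|" "$1"
  else
    printf '%s=%s\n' "$2" "$3" >> "$1"
  fi
}

# get_key_value FILE KEY: print the value assigned to KEY.
get_key_value() {
  sed -n "s/^$2=//p" "$1"
}

# configure_suricata: apply the settings, then let Suricata validate the
# configuration file (suricata -T) before the service is restarted.
configure_suricata() {
  set_home_net "$SURICATA_YAML" "$VPN_SUBNET"
  set_key_value "$SURICATA_DEFAULT" LISTENMODE af-packet
  set_key_value "$SURICATA_DEFAULT" IFACE "$VPN_IFACE"
  if command -v suricata >/dev/null 2>&1; then
    suricata -T -c "$SURICATA_YAML" || return 1
  fi
}

case "${1:-}" in
  apply) configure_suricata ;;
esac
```

Run as root with `sh suricata-vars.sh apply`, then restart the service as described next. Keeping HOME_NET limited to the VPN subnet matters: rules that key on `$HOME_NET` versus `$EXTERNAL_NET` decide which direction an alert fires in, and an overly broad HOME_NET turns the office's outbound traffic into "external" noise.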


Restart the IDS with the command:

systemctl restart suricata

The solution is ready; now it needs to be tested for resilience against attackers.

Simulating an attack

There are several scenarios for using an external IDS service in production:

Protection against DDoS attacks (the main purpose)

This option is hard to implement inside the corporate network, since the packets to be analysed must first reach the system interface facing the Internet. Even if the IDS blocks them, the junk traffic can saturate the data link. To avoid this, you need a VPS with an Internet connection powerful enough to carry all of the local network's traffic plus all the external traffic. This is often easier and cheaper than upgrading the office link. As an alternative, specialised DDoS protection services are worth mentioning. Their cost is comparable to that of a virtual server, and no powerful configuration is required, but there is a drawback: for that money the client gets DDoS protection only, whereas their own IDS can be configured however they need.

Protection against other types of external attack

Suricata can cope with attempts to exploit various vulnerabilities in corporate network services reachable from the Internet (mail server, web server and web applications, etc.). Usually for this purpose the IDS is installed inside the local network behind the edge devices, but placing it outside has its place too.

Protection against internal attackers

Despite all the efforts of the system administrator, computers on the corporate network can become infected with malware. Besides that, the occasional local troublemaker appears and tries to do something illegitimate. Suricata can help block such attempts, although for protecting the internal network it is better to install it inside the perimeter and use it together with a managed switch that can mirror traffic to one port. An external IDS is not useless here either: at the very least it will catch attempts by malware living on the LAN to contact an external server.

First, we create another test VPS, the attacker, and on the local network router we install Apache with the default configuration, then forward port 80 from the IDS server to it. Next we simulate a DDoS attack from the attacking node. To do this, download the small xerxes program from GitHub, compile it and run it on the attacking node (you may need to install the gcc package):

git clone https://github.com/Soldie/xerxes-DDos-zanyarjamal-C.git
cd xerxes-DDos-zanyarjamal-C/
gcc xerxes.c -o xerxes 
./xerxes 45.132.17.140 80

The result looked like this:

(Screenshot in the original article)

Suricata cuts the villain off, and the Apache page still opens, despite our improvised attack and the saturated link of the "office" (actually home) network. For more serious tasks it is worth using the Metasploit Framework. It is designed for penetration testing and lets you simulate a wide variety of attacks. Installation instructions are available on the project website. After installation, an update is required:

sudo msfupdate

For testing, run msfconsole.


Unfortunately, recent versions of the framework no longer have an automatic exploitation capability, so exploits have to be picked manually and launched with the use command. First, find out which ports are open on the target machine, for example with nmap (in our case it is fully replaced by netstat on the target host), then select and run the appropriate Metasploit modules.

There are other ways to test an IDS's resilience to attacks, including online services. Out of curiosity, you can arrange a stress test with the trial version of IP Stresser. To check the response to the actions of internal attackers, it is worth installing dedicated tools on one of the machines in the local network. There are many options, and from time to time they should be used not only in the test environment but also on production systems, but that is a completely different story.


Source: www.habr.com
