Snort - iptables simple active defence (IPS)
Unpack and install guardian
[root@snort snortsnarf]# tar zxvf guardian-1.7.tar.gz
[root@snort snortsnarf]# cd guardian-1.7
[root@snort snortsnarf]# echo > /etc/guardian.ignore
[root@snort snortsnarf]# cp guardian.pl /usr/local/bin/.
[root@snort snortsnarf]# cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
[root@snort snortsnarf]# cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
[root@snort snortsnarf]# cp guardian.conf /etc/
[root@snort snortsnarf]# touch /var/log/guardian.log
The contents of /etc/guardian.conf are as follows (the text after // is commentary, not part of the file):
HostGatewayByte 192.168.1.100 // IP address of this host
LogFile /var/log/guardian.log // guardian's own log file
AlertFile /var/log/snort/alert // where guardian reads Snort's alert log from
IgnoreFile /etc/guardian.ignore // put the IPs you never want blocked in this file
TimeLimit 86400 // maximum time (seconds) an IP stays blocked; 99999999 means no limit
Run guardian
[root@snort snortsnarf]# /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/guardian.conf
Note: add the command above to /etc/rc.d/rc.local so that guardian starts at boot.
Testing that Snort and guardian work together
How can we tell whether Snort and guardian are actually linked? A simple test: temporarily comment out all the rule include lines in /etc/snort/snort.conf, then write a rule file of your own and test with that.
Write a test rule
[root@snort snortsnarf]# vi /etc/snort/rules/myrule
Contents:
alert tcp any any -> any 112 (msg:"TCP Traffic"; sid:1000001; rev:1;)
When done, add the myrule file to snort.conf:
include $RULE_PATH/myrule
First clear Snort's log directory so the new output is easy to see:
[root@snort snortsnarf]# cd /var/log/snort
[root@snort snortsnarf]# rm -rf *
Start the test
[root@snort snortsnarf]# service snort restart
[root@snort snortsnarf]# perl /usr/local/bin/guardian.pl -c /etc/guardian.conf
To watch what happens in real time, follow both logs (in separate terminals):
[root@snort snortsnarf]# tail -f /var/log/snort/alert
[root@snort snortsnarf]# tail -f /var/log/guardian.log
If the test works, remove the comments from the original rule includes again and add your own rules.
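To make the test above concrete, here is an added example (my own code, not guardian's) that reproduces the decision guardian makes for each alert: read Snort alert lines, look up the source address in the ignore list, skip the sensor's own address, and print (rather than run) the iptables command a block script would issue. It assumes alerts in Snort's "fast" format as written to /var/log/snort/alert, an ignore file with one IP per line as in /etc/guardian.ignore, and a block script that inserts an iptables DROP rule for the source; the alert lines and ignore list below are constructed, not captured. It also handles ICMP alerts, which carry no port numbers.

```shell
#!/bin/sh
# Added example (not guardian's own code): reproduce guardian's per-alert decision
# with constructed input, so it runs without Snort or iptables.
# Assumptions: fast-format alert lines (as in /var/log/snort/alert), an ignore
# list with one IP per line (as in /etc/guardian.ignore), and a block script that
# runs an iptables DROP rule for the offending source address.

# Constructed alert lines (not captured from a real sensor). The first three are
# hits on the "TCP Traffic" test rule; the last is an ICMP alert with no ports.
SAMPLE_ALERTS='10/12-14:23:11.123456  [**] [1:1000001:1] TCP Traffic [**] [Priority: 0] {TCP} 10.0.0.5:4321 -> 192.168.1.100:112
10/12-14:23:12.223456  [**] [1:1000001:1] TCP Traffic [**] [Priority: 0] {TCP} 192.168.1.7:55555 -> 192.168.1.100:112
10/12-14:23:13.323456  [**] [1:1000001:1] TCP Traffic [**] [Priority: 0] {TCP} 10.0.0.5:4322 -> 192.168.1.100:112
10/12-14:23:14.423456  [**] [1:1000002:1] ICMP Test [**] [Priority: 0] {ICMP} 172.16.0.9 -> 192.168.1.100'

# Constructed ignore list, one address per line (what /etc/guardian.ignore holds).
IGNORE_LIST='192.168.1.7
192.168.1.100'

# alert_src LINE: print the source address of a fast-format alert line.
# Handles both "ip:port -> ip:port" (TCP/UDP) and "ip -> ip" (ICMP); prints
# nothing for lines that are not alerts.
alert_src() {
    printf '%s\n' "$1" |
        sed -n 's/.*} \([0-9.]*\)\(:[0-9]*\)\{0,1\} -> .*/\1/p'
}

# is_ignored IP IGNORE_TEXT: succeed if IP appears as a whole line in the list.
# -F -x makes the match literal and exact, so 10.0.0.5 cannot match 10.0.0.55.
is_ignored() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# block_cmd IP: the iptables command a block script would run (printed, not run).
block_cmd() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# block_decisions ALERT_TEXT IGNORE_TEXT HOST_IP: one line per distinct source,
# "block <ip>" or "skip <ip>". The sensor's own address and ignored addresses
# are skipped; a source is decided only once however many alerts it raised.
block_decisions() {
    alerts=$1
    ignore=$2
    host=$3
    seen=" "
    printf '%s\n' "$alerts" | while IFS= read -r line; do
        src=$(alert_src "$line")
        [ -n "$src" ] || continue
        case "$seen" in *" $src "*) continue ;; esac
        seen="$seen$src "
        if [ "$src" = "$host" ] || is_ignored "$src" "$ignore"; then
            printf 'skip %s\n' "$src"
        else
            printf 'block %s\n' "$src"
        fi
    done
}

# Dry run over the constructed data; on a real sensor the alert text would come
# from the file named by AlertFile and the ignore text from IgnoreFile.
block_decisions "$SAMPLE_ALERTS" "$IGNORE_LIST" 192.168.1.100 | while read -r action ip; do
    if [ "$action" = block ]; then
        block_cmd "$ip"
    fi
done
```

The dry run prints DROP commands for 10.0.0.5 and 172.16.0.9 only: 192.168.1.7 is in the ignore list, and the repeated alert from 10.0.0.5 does not produce a second rule. Anything you add to the ignore file is matched as a whole line, which is why the sensor's own address and the gateway belong there.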
Note: guardian sometimes exits on its own. The following script works around this:
#!/usr/bin/perl
# Hourly watchdog: restart guardian.pl if no process is currently running it.
use strict;
use warnings;
use Proc::ProcessTable;

my $guardian = '/usr/local/bin/guardian.pl';
my $found    = 0;
my $t        = Proc::ProcessTable->new;

foreach my $p ( @{ $t->table } ) {
    next if $p->pid == $$;    # skip this watchdog itself
    # Match the script name as a word rather than any command line containing
    # "guardian": this watchdog's own path (testguardian) contains that word,
    # so a bare /guardian/ match would always report guardian as alive.
    if ( $p->cmndline =~ /\bguardian\.pl\b/ ) {
        $found = 1;
        last;
    }
}

if ($found) {
    print "guardian is alive!\n";
}
else {
    print "guardian is dead!\n";
    print "restart guardian now ... \n";
    system "$guardian -c /etc/guardian.conf";
}
Note: save the script above as testguardian in the /etc/cron.hourly directory; it then checks every hour whether guardian is running and restarts it if it has died.
[root@snort snortsnarf]# chmod +x /etc/cron.hourly/testguardian
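The same watchdog idea in shell, as an added example of my own (not guardian's code and not the Perl script above), written so the decision logic can be checked against a process listing passed in as text rather than only on a live host. It assumes the listing has the layout of `ps -eo pid,args`; the listing below is constructed. It shows the pitfall of matching on the word "guardian": the watchdog's own cron script path contains that word, and an editor that merely has guardian.pl open must not count either.

```shell
#!/bin/sh
# Added example (not guardian's code): a watchdog that decides whether guardian.pl
# is running, with the process listing passed in as text so the logic can be
# tested. On a live host the listing is `ps -eo pid,args`.

# Constructed process listing in `ps -eo pid,args` layout (not real output).
# PID 2310 is the watchdog itself; 2311 is an editor that merely has the file open.
SAMPLE_PS='  PID COMMAND
    1 /sbin/init
 2310 /usr/bin/perl /etc/cron.hourly/testguardian
 2311 vi /usr/local/bin/guardian.pl
 2412 /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/guardian.conf'

# The same listing with guardian gone, to exercise the restart branch.
SAMPLE_PS_DEAD=$(printf '%s\n' "$SAMPLE_PS" | grep -v 'guardian.conf')

# guardian_pids LISTING SELF_PID: print the PIDs actually executing guardian.pl.
# Skips the header and SELF_PID, and looks at the program being run (the first
# word, or the second when the first is a perl interpreter), so
# "vi .../guardian.pl" and a script whose name merely contains "guardian"
# do not count.
guardian_pids() {
    printf '%s\n' "$1" | awk -v self="$2" '
        NR > 1 && $1 != self {
            script = ($2 ~ /perl$/) ? $3 : $2
            if (script ~ /(^|\/)guardian\.pl$/) print $1
        }'
}

# watchdog_action LISTING SELF_PID: "alive <pids>" or "restart".
watchdog_action() {
    pids=$(guardian_pids "$1" "$2")
    if [ -n "$pids" ]; then
        printf 'alive %s\n' "$(printf '%s' "$pids" | tr '\n' ' ')"
    else
        printf 'restart\n'
    fi
}

# Live use (for example from /etc/cron.hourly): run with --live. Not executed
# when the file is merely sourced or run without arguments.
run_live() {
    action=$(watchdog_action "$(ps -eo pid,args)" "$$")
    printf 'guardian: %s\n' "$action"
    if [ "$action" = restart ]; then
        /usr/local/bin/guardian.pl -c /etc/guardian.conf
    fi
}

case "${1:-}" in --live) run_live ;; esac
```

Against the constructed listing the only hit is PID 2412; with that line removed the result is "restart" even though two other command lines still contain the word "guardian". That is the difference between checking the program actually being executed and grepping the whole command line.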
Another approach: a script that kills guardian, then restarts it
Install the Perl module first:
[root@snort bin]# perl -MCPAN -e 'install Proc::ProcessTable'
[root@snort bin]# vi /usr/local/bin/killguardian
Contents:
#!/usr/bin/perl
# Kill every process running guardian.pl (the restart script starts a fresh one).
use strict;
use warnings;
use Proc::ProcessTable;

my $t = Proc::ProcessTable->new;
foreach my $p ( @{ $t->table } ) {
    next if $p->pid == $$;    # never kill this script itself
    # a real regex with the dot escaped, not a bare string where "." matches anything
    kill 9, $p->pid if $p->cmndline =~ /\bguardian\.pl\b/;
}
[root@snort snortsnarf]# chmod +x /usr/local/bin/killguardian
Then write a shell script with the following contents:
#!/bin/sh
/usr/local/bin/killguardian
/usr/local/bin/guardian.pl -c /etc/guardian.conf
exit 0
Save the script above as /usr/local/bin/restartguardian.
Then run crontab -e and add the following line, which restarts guardian every 6 hours (the minute field must be 0, not *; with * cron would run the script every minute during hours 0, 6, 12 and 18):
0 */6 * * * /usr/local/bin/restartguardian