Proteção contra portscans com Ossec HIDS e Portsentry

9 amigos

Daniela Feitosa

4 comunidades

cryptoparty salvador

fisl15

fisl13

Ver todas

alexos

Posts do blog

2015 (3)

2014 (5)

2013 (11)

2012 (16)

2011 (40)

2010 (72)

2009 (44)

Voltar a Alexos Core ...

<a href="http://blog.alexos.com.br/wp-content/uploads/2011/08/network-security-scanning.jpg"><img class="alignright size-medium wp-image-2745" title="Binary man" src="http://blog.alexos.com.br/wp-content/uploads/2011/08/network-security-scanning-198x300.jpg" height="300" alt="" width="198" /></a>O <a href="http://www.ossec.net">Ossec HIDS</a> é sem sombra de dúvidas uma das maiores ferramentas de proteção de host, mas como nada é perfeito existe uma deficiência na detecção e bloqueio de portscans. O próprio Daniel Cid, pai da criança, informou isso em resposta a um <a href="http://www.mail-archive.com/ossec-list@googlegroups.com/msg00889.html">questionamento</a> sobre o assunto na <a href="http://groups.google.com/group/ossec-list">lista</a> do Ossec. Vejo o trecho abaixo: <blockquote>&#8220;Ossec by itself does not detect portscans. However, if you send your firewall logs to ossec it can detect portscans by analyzing your fw logs&#8230;&#8221;</blockquote> Para ajudar neste tarefa Daniel <a href="http://www.ossec.net/wiki/Detecting_port_scan_with_Ossec_and_iplog">indica</a> o uso do <a href="http://ojnk.sourceforge.net/">iplog</a> em conjunto com o Ossec, mas a última versão é de 2001 e sem manutenção como informa seu desenvolvedor: <blockquote>&#8220;I am through working on this project. I will not be making any updates, and I will ignore just about all email about it. If anybody wants to take it over (for whatever reason), let me know.&#8221;</blockquote> Para atender está demanda podemos utilizar o <a href="http://sourceforge.net/projects/sentrytools/">Postsentry</a>, IDS responsável por detectar e bloquear tentativas de varredura de portas TCP/UDP. Neste artigo irei apresentar como integrar o Ossec ao Portsentry tornando mais robusta a segurança do seu host. Estou levando em conta que você já possui o Ossec instalado e funcionando. Instale e inicie o Portsentry aptitude install portsentry &#038;&#038; portsentry -atcp &#038;&#038; portsentry -audp Prepare o Ossec para trabalhar juntamente com o Portsentry adicionando algumas regras locais e do decoder[1]. [1] O <a href="http://www.ossec.net/doc/manual/rules-decoders/create-custom.html">decoder</a> é responsável por interpretar os logs de várias ferramentas e juntamente com as regras realizar alguma ação. Primeiro remova a seguinte regra (linhas 2240-2257) do arquivo /var/ossec/etc/decoder.xml <table class="c1"> <tr> <td class="c2"> <!&#8211; Portsentry &#8211;&gt; &lt;decoder name="portsentry"&gt; &nbsp; &lt;program_name&gt;^portsentry&lt;/program_name&gt; &lt;/decoder&gt; &lt;decoder name="portsentry-attackalert"&gt; &nbsp; &lt;parent&gt;portsentry&lt;/parent&gt; &nbsp; &lt;prematch&gt;attackalert: Connect from host: &lt;/prematch&gt; &nbsp; &lt;regex offset="after_prematch"&gt;(\S+)/\S+ to (\S+) port: (\d+)$&lt;/regex&gt; &nbsp; &lt;order&gt;srcip,protocol,dstport&lt;/order&gt; &lt;/decoder&gt; &lt;decoder name="portsentry-blocked"&gt; &nbsp; &lt;parent&gt;portsentry&lt;/parent&gt; &nbsp; &lt;prematch&gt;is already blocked. Ignoring$&lt;/prematch&gt; &nbsp; &lt;regex&gt;Host: (\S+) is&lt;/regex&gt; &nbsp; &lt;order&gt;srcip&lt;/order&gt; &lt;/decoder&gt; </td> </tr> </table> Adicione a seguinte regra no final do arquivo /var/ossec/etc/decoder.xml, antes da tag EOF <table class="c1"> <tr> <td class="c4"> &lt;decoder name="portsentry"&gt; &nbsp;&lt;program_name&gt;^portsentry&lt;/program_name&gt; &lt;/decoder&gt; &lt;decoder name="portsentry-attackalert"&gt; &nbsp; &nbsp;&lt;parent&gt;portsentry&lt;/parent&gt; &nbsp; &nbsp;&lt;prematch&gt;attackalert: TCP SYN/Normal scan from host: &lt;/prematch&gt; &nbsp; &nbsp;&lt;regex offset="after_prematch"&gt;(\S+)/\S+ to (\S+) port: (\d+)$&lt;/regex&gt; &nbsp; &nbsp;&lt;order&gt;srcip,protocol,dstport&lt;/order&gt; &lt;/decoder&gt; &lt;decoder name="portsentry-blocked"&gt; &nbsp; &nbsp;&lt;parent&gt;portsentry&lt;/parent&gt; &nbsp; &nbsp;&lt;prematch&gt;is already blocked Ignoring$&lt;/prematch&gt; &nbsp; &nbsp;&lt;regex&gt;Host: (\S+)/\S+ is&lt;/regex&gt; &nbsp; &nbsp;&lt;order&gt;srcip&lt;/order&gt; &lt;/decoder&gt; &lt;decoder name="portsentry-scan"&gt; &nbsp; &lt;parent&gt;portsentry&lt;/parent&gt; &nbsp; &lt;prematch&gt;^attackalert: &lt;/prematch&gt; &nbsp; &lt;regex offset="after_prematch"&gt;scan from host: (\S+)/\S+ to \S+ port: (\d+)$&lt;/regex&gt; &nbsp; &lt;order&gt;srcip, dstport&lt;/order&gt; &lt;/decoder&gt; &lt;decoder name="portsentry-host"&gt; &nbsp; &lt;parent&gt;portsentry&lt;/parent&gt; &nbsp; &lt;prematch offset="after_parent"&gt;^attackalert: Host: &lt;/prematch&gt; &nbsp; &lt;regex offset="after_prematch"&gt;^(\S+)/\S+ &lt;/regex&gt; &nbsp;&lt;order&gt;srcip&lt;/order&gt; &lt;/decoder&gt; </td> </tr> </table> Apartir dai o OSSEC passará a interpretar os logs gerados pelo Postsentry. Agora adicione as seguintes linhas no final do arquivo /var/ossec/rules/local_rules.xml, antes da tag EOF &lt;group name="syslog,portsentry,"&gt; &nbsp; &lt;rule id="160000" level="0" noalert="1"&gt; &nbsp; &nbsp; &lt;decoded_as&gt;portsentry&lt;/decoded_as&gt; &nbsp; &nbsp; &lt;description&gt;Grouping for the PortSentry rules&lt;/description&gt; &nbsp; &lt;/rule&gt; &nbsp; &lt;rule id="160002" level="3"&gt; &nbsp; &nbsp; &lt;if_sid&gt;160000&lt;/if_sid&gt; &nbsp; &nbsp; &lt;match&gt;attackalert:&lt;/match&gt; &nbsp; &nbsp; &lt;description&gt;Connection from a host.&lt;/description&gt; &nbsp; &lt;/rule&gt; &nbsp; &lt;rule id="160003" level="8" frequency="4" timeframe="180" ignore="60"&gt; &nbsp; &nbsp; &lt;if_matched_sid&gt;160002&lt;/if_matched_sid&gt; &nbsp; &nbsp; &lt;description&gt;Repeated connections from the same host.&lt;/description&gt; &nbsp; &nbsp; &lt;same_source_ip/&gt; &nbsp; &nbsp; &lt;group&gt;recon,&lt;/group&gt; &nbsp; &lt;/rule&gt; &nbsp; &lt;rule id="160004" level="10" frequency="8" timeframe="180" ignore="60"&gt; &nbsp; &nbsp;&lt;if_matched_sid&gt;160002&lt;/if_matched_sid&gt; &nbsp; &nbsp; &lt;description&gt;Host is still scanning&lt;/description&gt; &nbsp; &nbsp; &lt;same_source_ip /&gt; &nbsp; &nbsp; &lt;group&gt;recon,&lt;/group&gt; &nbsp; &lt;/rule&gt; &lt;/group&gt; Reinicie o OSSEC <blockquote> invoke-rc.d ossec restart </blockquote> Após reiniciar o OSSEC qualquer tentativa de varredura usando NMAP ou qualquer outro portscan será bloqueada. Recomendo a utilização de um firewall local, segue o exemplo de um script bastante efetivo. <blockquote> #!/bin/sh SYSCTL=&#8221;/sbin/sysctl -w&#8221; IPT=&#8221;/sbin/iptables&#8221; IPTS=&#8221;/sbin/iptables-save&#8221; IPTR=&#8221;/sbin/iptables-restore&#8221; INET_IFACE=&#8221;eth0&#8243; LO_IFACE=&#8221;lo&#8221; LO_IP=&#8221;127.0.0.1&#8243; # Save and Restore arguments handled here if [ "$1" = "save" ] then echo -n &#8220;Saving firewall to /etc/sysconfig/iptables &#8230; &#8221; $IPTS > /etc/sysconfig/iptables echo &#8220;done&#8221; exit 0 elif [ "$1" = "restore" ] then echo -n &#8220;Restoring firewall from /etc/sysconfig/iptables &#8230; &#8221; $IPTR &lt; /etc/sysconfig/iptables echo "done" exit 0 fi echo "Loading kernel modules ..." # This enables SYN flood protection. if [ "$SYSCTL" = "" ] then echo "1" > /proc/sys/net/ipv4/tcp_syncookies else $SYSCTL net.ipv4.tcp_syncookies=&#8221;1&#8243; fi # This enables source validation by reversed path according to RFC1812. if [ "$SYSCTL" = "" ] then echo &#8220;1&#8243; > /proc/sys/net/ipv4/conf/all/rp_filter else $SYSCTL net.ipv4.conf.all.rp_filter=&#8221;1&#8243; fi # This kernel parameter instructs the kernel to ignore all ICMP if [ "$SYSCTL" = "" ] then echo &#8220;1&#8243; > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts else $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=&#8221;1&#8243; fi # This option can be used to accept or refuse source routed packets. if [ "$SYSCTL" = "" ] then echo &#8220;0&#8243; > /proc/sys/net/ipv4/conf/all/accept_source_route else $SYSCTL net.ipv4.conf.all.accept_source_route=&#8221;0&#8243; fi # However, we&#8217;ll ensure the secure_redirects option is on instead. if [ "$SYSCTL" = "" ] then echo &#8220;1&#8243; > /proc/sys/net/ipv4/conf/all/secure_redirects else $SYSCTL net.ipv4.conf.all.secure_redirects=&#8221;1&#8243; fi # This option logs packets from impossible addresses. if [ "$SYSCTL" = "" ] then echo &#8220;1&#8243; > /proc/sys/net/ipv4/conf/all/log_martians else $SYSCTL net.ipv4.conf.all.log_martians=&#8221;1&#8243; fi echo &#8220;Flushing Tables &#8230;&#8221; # Reset Default Policies $IPT -P INPUT ACCEPT $IPT -P FORWARD ACCEPT $IPT -P OUTPUT ACCEPT # Flush all rules $IPT -F # Erase all non-default chains $IPT -X if [ "$1" = "stop" ] then echo &#8220;Firewall completely flushed! Now running with no firewall.&#8221; exit 0 fi $IPT -P INPUT DROP $IPT -P OUTPUT DROP $IPT -P FORWARD DROP echo &#8220;Create and populate custom rule chains &#8230;&#8221; # Create a chain to filter INVALID packets $IPT -N bad_packets # Create another chain to filter bad tcp packets $IPT -N bad_tcp_packets # Create separate chains for icmp, tcp (incoming and outgoing), # and incoming udp packets. $IPT -N icmp_packets # Used for UDP packets inbound from the Internet $IPT -N udp_inbound # Used to block outbound UDP services from internal network $IPT -N udp_outbound # Used to allow inbound services if desired $IPT -N tcp_inbound # Used to block outbound services from internal network $IPT -N tcp_outbound # Drop INVALID packets immediately $IPT -A bad_packets -p ALL -m state &#8211;state INVALID -j LOG &#8211;log-prefix &#8216;fp=bad_packets:1 a=DROP&#8217; &#8211;log-level 4 $IPT -A bad_packets -p ALL -m state &#8211;state INVALID -j DROP # Then check the tcp packets for additional problems $IPT -A bad_packets -p tcp -j bad_tcp_packets # All good, so return $IPT -A bad_packets -p ALL -j RETURN # bad_tcp_packets chain $IPT -A bad_tcp_packets -p tcp ! &#8211;syn -m state &#8211;state NEW -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:1 a=DROP&#8217; &#8211;log-level 4 $IPT -A bad_tcp_packets -p tcp ! &#8211;syn -m state &#8211;state NEW -j DROP $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL NONE -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:2 a=DROP&#8217; &#8211;log-level 4 $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL NONE -j DROP $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL ALL -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:3 a=DROP&#8217; &#8211;log-level 4 $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL ALL -j DROP $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL FIN,URG,PSH -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:4 a=DROP&#8217; &#8211;log-level 4 $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL FIN,URG,PSH -j DROP $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:5 a=DROP&#8217; &#8211;log-level 4 $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,RST SYN,RST -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:6 a=DROP&#8217; &#8211;log-level 4 $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,RST SYN,RST -j DROP $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,FIN SYN,FIN -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:7 a=DROP&#8217; &#8211;log-level 4 $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,FIN SYN,FIN -j DROP # All good, so return $IPT -A bad_tcp_packets -p tcp -j RETURN # icmp_packets chain $IPT -A icmp_packets &#8211;fragment -p ICMP -j LOG &#8211;log-prefix &#8216;fp=icmp_packets:1 a=DROP&#8217; &#8211;log-level 4 $IPT -A icmp_packets &#8211;fragment -p ICMP -j DROP $IPT -A icmp_packets -p ICMP -s 0/0 &#8211;icmp-type 8 -j DROP # Time Exceeded $IPT -A icmp_packets -p ICMP -s 0/0 &#8211;icmp-type 11 -j ACCEPT # Not matched, so return so it will be logged $IPT -A icmp_packets -p ICMP -j RETURN # Drop netbios calls $IPT -A udp_inbound -p UDP -s 0/0 &#8211;destination-port 137 -j DROP $IPT -A udp_inbound -p UDP -s 0/0 &#8211;destination-port 138 -j DROP # Not matched, so return for logging $IPT -A udp_inbound -p UDP -j RETURN # No match, so ACCEPT $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT # Web Server # HTTP $IPT -A tcp_inbound -p TCP -s 0/0 &#8211;destination-port 80 -j ACCEPT # HTTPS (Secure Web Server) $IPT -A tcp_inbound -p TCP -s 0/0 &#8211;destination-port 443 -j ACCEPT # sshd $IPT -A tcp_inbound -p TCP -s 0/0 &#8211;destination-port 22 -j ACCEPT # Not matched, so return so it will be logged $IPT -A tcp_inbound -p TCP -j RETURN # No match, so ACCEPT $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT echo &#8220;Process INPUT chain &#8230;&#8221; # Allow all on localhost interface $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT # Drop bad packets $IPT -A INPUT -p ALL -j bad_packets # Accept Established Connections $IPT -A INPUT -p ALL -i $INET_IFACE -m state &#8211;state ESTABLISHED,RELATED -j ACCEPT # Route the rest to the appropriate user chain $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # Drop without logging broadcasts that get this far. $IPT -A INPUT -m pkttype &#8211;pkt-type broadcast -j DROP # Log packets that still don&#8217;t match $IPT -A INPUT -j LOG &#8211;log-prefix &#8220;fp=INPUT:99 a=DROP &#8221; echo &#8220;Process FORWARD chain &#8230;&#8221; echo &#8220;Process OUTPUT chain &#8230;&#8221; $IPT -A OUTPUT -m state -p icmp &#8211;state INVALID -j DROP # Localhost $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT # To internet $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # Log packets that still don&#8217;t match $IPT -A OUTPUT -j LOG &#8211;log-prefix &#8216;fp=OUTPUT:99 a=DROP&#8217; &#8211;log-level 4 echo &#8220;Load rules for mangle table &#8230;&#8221; </blockquote> Referências <a href="http://svn.fedecarg.com/repo/Shell%20Scripts/ssh/iptables.sh">Firewall Script</a> <a href="http://groups.google.com/group/ossec-list/browse_thread/thread/c75a97559a43c389">Portsentry decoders and rules issues</a> <div><h3>See:</h3><ul><li><a href="http://blog.alexos.com.br/?p=2650&amp;lang=pt-br" class="crp_title">Ossec HIDS &#8211; Bloqueando o ZmEu bot e outros Web scanners</a></li><li><a href="http://blog.alexos.com.br/?p=2180&amp;lang=pt-br" class="crp_title">Nessus Viewer</a></li><li><a href="http://blog.alexos.com.br/?p=1644&amp;lang=pt-br" class="crp_title">Beta-Testing: Ossec 2.4 Beta</a></li><li><a href="http://blog.alexos.com.br/?p=1345&amp;lang=pt-br" class="crp_title">Habilitando o MSA ( submission ) no Postfix</a></li><li><a href="http://blog.alexos.com.br/?p=2157&amp;lang=pt-br" class="crp_title"> H3ll0 2k11</a></li></ul></div>

Fonte: http://blog.alexos.com.br/?p=2717&lang=pt-br

0sem comentários ainda

Enviar um comentário

Software livre Brasil

9 amigos

4 comunidades

Posts do blog

0sem comentários ainda

Conheça

Colabore

Compartilhe

Apoio

Entrar

Software livre Brasil

9 amigos

4 comunidades

Posts do blog

Proteção contra portscans com Ossec HIDS e Portsentry

0sem comentários ainda

Conheça

Colabore

Compartilhe

Apoio