Palestras no VI WorkShop Seginfo e na Vale Security Conference
11 de Agosto de 2011, 0:00 - sem comentários ainda
O Workshop SegInfo promovido pela Clavis Security ocorrerá dias 12 e 13 de agosto na Bolsa de Valores do Rio de Janeiro,e contará com a presença de grandes nomes do cenário de segurança da informação brasileiro como Anchises Morais (@anchisesbr), Nelson Brito (@nbrito), Rodrigo Rubira (@bsdaemon), Tony Rodrigues (@OctanesLabs) entre outros.
Neste evento estarei palestrando sobre segurança de servidores, hardening e demonstrando como proteger um servidor de forma simples e efetiva.
Em setembro estarei dividindo o palco com grandes nomes como Luiz Eduardo (@effffn), Wagner Elias (@welias), Andrew Cushman, entre outros na Vale Security Conference que ocorrerá nos dia 03 e 04 no Parque Tecnológico de São José dos Campos.
Nele apresentarei as principais falhas na implementação em ambientes JBoss, como corrigi-las e alguns pentests realizados em portais existentes na internet (#MEDO kkkkk)
Agradeço antecipadamente aos organizadores destes eventos por aceitarem meus papers e espero conhecê-los por lá.
Que venham H2HC 8, Ekoparty 2012 e YSTS 9 (2012) kkkkkkk.
See:
Proteção contra portscans com Ossec HIDS e Portsentry
5 de Agosto de 2011, 0:00 - sem comentários ainda<p><a href="http://blog.alexos.com.br/wp-content/uploads/2011/08/network-security-scanning.jpg"><img class="alignright size-medium wp-image-2745" title="Binary man" src="http://blog.alexos.com.br/wp-content/uploads/2011/08/network-security-scanning-198x300.jpg" height="300" alt="" width="198" /></a>O <a href="http://www.ossec.net">Ossec HIDS</a> é sem sombra de dúvidas uma das maiores ferramentas de proteção de host, mas como nada é perfeito existe uma deficiência na detecção e bloqueio de portscans.</p> <p>O próprio Daniel Cid, pai da criança, informou isso em resposta a um <a href="http://www.mail-archive.com/ossec-list@googlegroups.com/msg00889.html">questionamento</a> sobre o assunto na <a href="http://groups.google.com/group/ossec-list">lista</a> do Ossec. Vejo o trecho abaixo:</p> <blockquote><p>&#8220;Ossec by itself does not detect portscans. However, if you send your firewall<br /> logs to ossec it can detect portscans by analyzing your fw logs&#8230;&#8221;</p></blockquote> <p>Para ajudar neste tarefa Daniel <a href="http://www.ossec.net/wiki/Detecting_port_scan_with_Ossec_and_iplog">indica</a> o uso do <a href="http://ojnk.sourceforge.net/">iplog</a> em conjunto com o Ossec, mas a última versão é de 2001 e sem manutenção como informa seu desenvolvedor:</p> <blockquote><p>&#8220;I am through working on this project. I will not be making any updates, and I will ignore just about all email about it. If anybody wants to take it over (for whatever reason), let me know.&#8221;</p></blockquote> <p>Para atender está demanda podemos utilizar o <a href="http://sourceforge.net/projects/sentrytools/">Postsentry</a>, IDS responsável por detectar e bloquear tentativas de varredura de portas TCP/UDP.</p> <p>Neste artigo irei apresentar como integrar o Ossec ao Portsentry tornando mais robusta a segurança do seu host. Estou levando em conta que você já possui o Ossec instalado e funcionando.</p> <p>Instale e inicie o Portsentry</p> <p>aptitude install portsentry &#038;&#038; portsentry -atcp &#038;&#038; portsentry -audp</p> <p>Prepare o Ossec para trabalhar juntamente com o Portsentry adicionando algumas regras locais e do decoder[1].</p> <p>[1] O <a href="http://www.ossec.net/doc/manual/rules-decoders/create-custom.html">decoder</a> é responsável por interpretar os logs de várias ferramentas e juntamente com as regras realizar alguma ação.</p> <p>Primeiro remova a seguinte regra (linhas 2240-2257) do arquivo <em><strong>/var/ossec/etc/decoder.xml</strong></em></p> <p> <p class="c3"><span></span></p> <table class="c1"> <tr> <td class="c2"> <p class="c0"><span><!&#8211; Portsentry &#8211;&gt;</span></p> <p class="c0"><span>&lt;decoder name="portsentry"&gt;</span></p> <p class="c0"><span>&nbsp; &lt;program_name&gt;^portsentry&lt;/program_name&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0 c4"><span></span></p> <p class="c0"><span>&lt;decoder name="portsentry-attackalert"&gt;</span></p> <p class="c0"><span>&nbsp; &lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &lt;prematch&gt;attackalert: Connect from host: &lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &lt;regex offset="after_prematch"&gt;(\S+)/\S+ to (\S+) port: (\d+)$&lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp; &lt;order&gt;srcip,protocol,dstport&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0 c4"><span></span></p> <p class="c0"><span>&lt;decoder name="portsentry-blocked"&gt;</span></p> <p class="c0"><span>&nbsp; &lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &lt;prematch&gt;is already blocked. Ignoring$&lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &lt;regex&gt;Host: (\S+) is&lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp; &lt;order&gt;srcip&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> </td> </tr> </table> <p class="c3"><span></span></p> <p></p> <p>Adicione a seguinte regra no final do arquivo <em><strong>/var/ossec/etc/decoder.xml</strong></em>, antes da tag <strong>EOF</strong></p> <p> <p class="c3"><span></span></p> <table class="c1"> <tr> <td class="c4"> <p class="c0"><span>&lt;decoder name="portsentry"&gt;</span></p> <p class="c0"><span>&nbsp;&lt;program_name&gt;^portsentry&lt;/program_name&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0"><span>&lt;decoder name="portsentry-attackalert"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;prematch&gt;attackalert: TCP SYN/Normal scan from host: &lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;regex offset="after_prematch"&gt;(\S+)/\S+ to (\S+) port: (\d+)$&lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;order&gt;srcip,protocol,dstport&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0"><span>&lt;decoder name="portsentry-blocked"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;prematch&gt;is already blocked Ignoring$&lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;regex&gt;Host: (\S+)/\S+ is&lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;order&gt;srcip&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0"><span>&lt;decoder name="portsentry-scan"&gt;</span></p> <p class="c0"><span>&nbsp; &lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &lt;prematch&gt;^attackalert: &lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &lt;regex offset="after_prematch"&gt;scan from host: (\S+)/\S+ to \S+ port: (\d+)$&lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp; &lt;order&gt;srcip, dstport&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0"><span>&lt;decoder name="portsentry-host"&gt;</span></p> <p class="c0"><span>&nbsp; &lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &lt;prematch offset="after_parent"&gt;^attackalert: Host: &lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &lt;regex offset="after_prematch"&gt;^(\S+)/\S+ &lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp;&lt;order&gt;srcip&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt; </span></p> </td> </tr> </table> <p class="c1"><span></span></p> <p></p> <p>Apartir dai o OSSEC passará a interpretar os logs gerados pelo Postsentry. Agora adicione as seguintes linhas no final do arquivo <em><strong>/var/ossec/rules/local_rules.xml</strong></em>, antes da tag <strong>EOF</strong><br /> <p class="c3"><span>&lt;group name="syslog,portsentry,"&gt;</span></p> <p class="c1"><span>&nbsp; &lt;rule id="160000" level="0" noalert="1"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;decoded_as&gt;portsentry&lt;/decoded_as&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;description&gt;Grouping for the PortSentry rules&lt;/description&gt;</span></p> <p class="c0"><span>&nbsp; &lt;/rule&gt;</span></p> <p class="c0"><span>&nbsp; &lt;rule id="160002" level="3"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;if_sid&gt;160000&lt;/if_sid&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;match&gt;attackalert:&lt;/match&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;description&gt;Connection from a host.&lt;/description&gt;</span></p> <p class="c0"><span>&nbsp; &lt;/rule&gt;</span></p> <p class="c0"><span>&nbsp; &lt;rule id="160003" level="8" frequency="4" timeframe="180" ignore="60"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;if_matched_sid&gt;160002&lt;/if_matched_sid&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;description&gt;Repeated connections from the same host.&lt;/description&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;same_source_ip/&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;group&gt;recon,&lt;/group&gt;</span></p> <p class="c0"><span>&nbsp; &lt;/rule&gt;</span></p> <p class="c0"><span>&nbsp; &lt;rule id="160004" level="10" frequency="8" timeframe="180" ignore="60"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;if_matched_sid&gt;160002&lt;/if_matched_sid&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;description&gt;Host is still scanning&lt;/description&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;same_source_ip /&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;group&gt;recon,&lt;/group&gt;</span></p> <p class="c0"><span>&nbsp; &lt;/rule&gt;</span></p> <p class="c0"><span>&lt;/group&gt; </span></p> <p></p> <p>Reinicie o OSSEC</p> <blockquote><p> invoke-rc.d ossec restart </p></blockquote> <p>Após reiniciar o OSSEC qualquer tentativa de varredura usando NMAP ou qualquer outro portscan será bloqueada. Recomendo a utilização de um firewall local, segue o exemplo de um script bastante efetivo.</p> <blockquote><p> #!/bin/sh</p> <p>SYSCTL=&#8221;/sbin/sysctl -w&#8221;</p> <p>IPT=&#8221;/sbin/iptables&#8221;<br /> IPTS=&#8221;/sbin/iptables-save&#8221;<br /> IPTR=&#8221;/sbin/iptables-restore&#8221;</p> <p>INET_IFACE=&#8221;eth0&#8243;</p> <p>LO_IFACE=&#8221;lo&#8221;<br /> LO_IP=&#8221;127.0.0.1&#8243;</p> <p># Save and Restore arguments handled here<br /> if [ "$1" = "save" ]<br /> then<br /> echo -n &#8220;Saving firewall to /etc/sysconfig/iptables &#8230; &#8221;<br /> $IPTS > /etc/sysconfig/iptables<br /> echo &#8220;done&#8221;<br /> exit 0<br /> elif [ "$1" = "restore" ]<br /> then<br /> echo -n &#8220;Restoring firewall from /etc/sysconfig/iptables &#8230; &#8221;<br /> $IPTR &lt; /etc/sysconfig/iptables<br /> echo "done"<br /> exit 0<br /> fi</p> <p>echo "Loading kernel modules ..."</p> <p># This enables SYN flood protection.<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo "1" > /proc/sys/net/ipv4/tcp_syncookies<br /> else<br /> $SYSCTL net.ipv4.tcp_syncookies=&#8221;1&#8243;<br /> fi</p> <p># This enables source validation by reversed path according to RFC1812.<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo &#8220;1&#8243; > /proc/sys/net/ipv4/conf/all/rp_filter<br /> else<br /> $SYSCTL net.ipv4.conf.all.rp_filter=&#8221;1&#8243;<br /> fi</p> <p># This kernel parameter instructs the kernel to ignore all ICMP<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo &#8220;1&#8243; > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts<br /> else<br /> $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=&#8221;1&#8243;<br /> fi</p> <p># This option can be used to accept or refuse source routed packets.<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo &#8220;0&#8243; > /proc/sys/net/ipv4/conf/all/accept_source_route<br /> else<br /> $SYSCTL net.ipv4.conf.all.accept_source_route=&#8221;0&#8243;</p> <p>fi</p> <p># However, we&#8217;ll ensure the secure_redirects option is on instead.<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo &#8220;1&#8243; > /proc/sys/net/ipv4/conf/all/secure_redirects<br /> else<br /> $SYSCTL net.ipv4.conf.all.secure_redirects=&#8221;1&#8243;<br /> fi</p> <p># This option logs packets from impossible addresses.<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo &#8220;1&#8243; > /proc/sys/net/ipv4/conf/all/log_martians<br /> else<br /> $SYSCTL net.ipv4.conf.all.log_martians=&#8221;1&#8243;<br /> fi</p> <p>echo &#8220;Flushing Tables &#8230;&#8221;</p> <p># Reset Default Policies<br /> $IPT -P INPUT ACCEPT<br /> $IPT -P FORWARD ACCEPT<br /> $IPT -P OUTPUT ACCEPT</p> <p># Flush all rules<br /> $IPT -F</p> <p># Erase all non-default chains<br /> $IPT -X</p> <p>if [ "$1" = "stop" ]<br /> then<br /> echo &#8220;Firewall completely flushed! Now running with no firewall.&#8221;<br /> exit 0<br /> fi</p> <p>$IPT -P INPUT DROP<br /> $IPT -P OUTPUT DROP<br /> $IPT -P FORWARD DROP</p> <p>echo &#8220;Create and populate custom rule chains &#8230;&#8221;</p> <p># Create a chain to filter INVALID packets</p> <p>$IPT -N bad_packets</p> <p># Create another chain to filter bad tcp packets</p> <p>$IPT -N bad_tcp_packets</p> <p># Create separate chains for icmp, tcp (incoming and outgoing),<br /> # and incoming udp packets.</p> <p>$IPT -N icmp_packets</p> <p># Used for UDP packets inbound from the Internet<br /> $IPT -N udp_inbound</p> <p># Used to block outbound UDP services from internal network<br /> $IPT -N udp_outbound</p> <p># Used to allow inbound services if desired<br /> $IPT -N tcp_inbound</p> <p># Used to block outbound services from internal network<br /> $IPT -N tcp_outbound</p> <p># Drop INVALID packets immediately<br /> $IPT -A bad_packets -p ALL -m state &#8211;state INVALID -j LOG &#8211;log-prefix &#8216;fp=bad_packets:1 a=DROP&#8217; &#8211;log-level 4</p> <p>$IPT -A bad_packets -p ALL -m state &#8211;state INVALID -j DROP</p> <p># Then check the tcp packets for additional problems<br /> $IPT -A bad_packets -p tcp -j bad_tcp_packets</p> <p># All good, so return<br /> $IPT -A bad_packets -p ALL -j RETURN</p> <p># bad_tcp_packets chain</p> <p>$IPT -A bad_tcp_packets -p tcp ! &#8211;syn -m state &#8211;state NEW -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:1 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp ! &#8211;syn -m state &#8211;state NEW -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL NONE -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:2 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL NONE -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL ALL -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:3 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL ALL -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL FIN,URG,PSH -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:4 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL FIN,URG,PSH -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:5 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,RST SYN,RST -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:6 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,RST SYN,RST -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,FIN SYN,FIN -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:7 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,FIN SYN,FIN -j DROP</p> <p># All good, so return<br /> $IPT -A bad_tcp_packets -p tcp -j RETURN</p> <p># icmp_packets chain</p> <p>$IPT -A icmp_packets &#8211;fragment -p ICMP -j LOG &#8211;log-prefix &#8216;fp=icmp_packets:1 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A icmp_packets &#8211;fragment -p ICMP -j DROP</p> <p>$IPT -A icmp_packets -p ICMP -s 0/0 &#8211;icmp-type 8 -j DROP</p> <p># Time Exceeded<br /> $IPT -A icmp_packets -p ICMP -s 0/0 &#8211;icmp-type 11 -j ACCEPT</p> <p># Not matched, so return so it will be logged<br /> $IPT -A icmp_packets -p ICMP -j RETURN</p> <p># Drop netbios calls<br /> $IPT -A udp_inbound -p UDP -s 0/0 &#8211;destination-port 137 -j DROP<br /> $IPT -A udp_inbound -p UDP -s 0/0 &#8211;destination-port 138 -j DROP</p> <p># Not matched, so return for logging<br /> $IPT -A udp_inbound -p UDP -j RETURN</p> <p># No match, so ACCEPT<br /> $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT</p> <p># Web Server</p> <p># HTTP<br /> $IPT -A tcp_inbound -p TCP -s 0/0 &#8211;destination-port 80 -j ACCEPT</p> <p># HTTPS (Secure Web Server)<br /> $IPT -A tcp_inbound -p TCP -s 0/0 &#8211;destination-port 443 -j ACCEPT</p> <p># sshd<br /> $IPT -A tcp_inbound -p TCP -s 0/0 &#8211;destination-port 22 -j ACCEPT</p> <p># Not matched, so return so it will be logged<br /> $IPT -A tcp_inbound -p TCP -j RETURN</p> <p># No match, so ACCEPT<br /> $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT</p> <p>echo &#8220;Process INPUT chain &#8230;&#8221;</p> <p># Allow all on localhost interface<br /> $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT</p> <p># Drop bad packets<br /> $IPT -A INPUT -p ALL -j bad_packets</p> <p># Accept Established Connections<br /> $IPT -A INPUT -p ALL -i $INET_IFACE -m state &#8211;state ESTABLISHED,RELATED -j ACCEPT</p> <p># Route the rest to the appropriate user chain<br /> $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound<br /> $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound<br /> $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets</p> <p># Drop without logging broadcasts that get this far.<br /> $IPT -A INPUT -m pkttype &#8211;pkt-type broadcast -j DROP</p> <p># Log packets that still don&#8217;t match<br /> $IPT -A INPUT -j LOG &#8211;log-prefix &#8220;fp=INPUT:99 a=DROP &#8221;</p> <p>echo &#8220;Process FORWARD chain &#8230;&#8221;</p> <p>echo &#8220;Process OUTPUT chain &#8230;&#8221;</p> <p>$IPT -A OUTPUT -m state -p icmp &#8211;state INVALID -j DROP</p> <p># Localhost<br /> $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT<br /> $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT</p> <p># To internet<br /> $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT</p> <p># Log packets that still don&#8217;t match<br /> $IPT -A OUTPUT -j LOG &#8211;log-prefix &#8216;fp=OUTPUT:99 a=DROP&#8217; &#8211;log-level 4</p> <p>echo &#8220;Load rules for mangle table &#8230;&#8221; </p></blockquote> <p><strong>Referências</strong></p> <p><a href="http://svn.fedecarg.com/repo/Shell%20Scripts/ssh/iptables.sh">Firewall Script</a></p> <p><a href="http://groups.google.com/group/ossec-list/browse_thread/thread/c75a97559a43c389">Portsentry decoders and rules issues</a> </p> <div><h3>See:</h3><ul><li><a href="http://blog.alexos.com.br/?p=2650&amp;lang=pt-br" class="crp_title">Ossec HIDS &#8211; Bloqueando o ZmEu bot e outros Web scanners</a></li><li><a href="http://blog.alexos.com.br/?p=2180&amp;lang=pt-br" class="crp_title">Nessus Viewer</a></li><li><a href="http://blog.alexos.com.br/?p=1644&amp;lang=pt-br" class="crp_title">Beta-Testing: Ossec 2.4 Beta</a></li><li><a href="http://blog.alexos.com.br/?p=1345&amp;lang=pt-br" class="crp_title">Habilitando o MSA ( submission ) no Postfix</a></li><li><a href="http://blog.alexos.com.br/?p=2157&amp;lang=pt-br" class="crp_title"> H3ll0 2k11</a></li></ul></div>
Proteção contra portscans com Ossec HIDS e Portsentry
5 de Agosto de 2011, 0:00 - sem comentários ainda<p><a href="http://blog.alexos.com.br/wp-content/uploads/2011/08/network-security-scanning.jpg"><img class="alignright size-medium wp-image-2745" title="Binary man" src="http://blog.alexos.com.br/wp-content/uploads/2011/08/network-security-scanning-198x300.jpg" height="300" alt="" width="198" /></a>O <a href="http://www.ossec.net">Ossec HIDS</a> é sem sombra de dúvidas uma das maiores ferramentas de proteção de host, mas como nada é perfeito existe uma deficiência na detecção e bloqueio de portscans.</p> <p>O próprio Daniel Cid, pai da criança, informou isso em resposta a um <a href="http://www.mail-archive.com/ossec-list@googlegroups.com/msg00889.html">questionamento</a> sobre o assunto na <a href="http://groups.google.com/group/ossec-list">lista</a> do Ossec. Vejo o trecho abaixo:</p> <blockquote><p>&#8220;Ossec by itself does not detect portscans. However, if you send your firewall<br /> logs to ossec it can detect portscans by analyzing your fw logs&#8230;&#8221;</p></blockquote> <p>Para ajudar neste tarefa Daniel <a href="http://www.ossec.net/wiki/Detecting_port_scan_with_Ossec_and_iplog">indica</a> o uso do <a href="http://ojnk.sourceforge.net/">iplog</a> em conjunto com o Ossec, mas a última versão é de 2001 e sem manutenção como informa seu desenvolvedor:</p> <blockquote><p>&#8220;I am through working on this project. I will not be making any updates, and I will ignore just about all email about it. If anybody wants to take it over (for whatever reason), let me know.&#8221;</p></blockquote> <p>Para atender está demanda podemos utilizar o <a href="http://sourceforge.net/projects/sentrytools/">Postsentry</a>, IDS responsável por detectar e bloquear tentativas de varredura de portas TCP/UDP.</p> <p>Neste artigo irei apresentar como integrar o Ossec ao Portsentry tornando mais robusta a segurança do seu host. Estou levando em conta que você já possui o Ossec instalado e funcionando.</p> <p>Instale e inicie o Portsentry</p> <p>aptitude install portsentry &#038;&#038; portsentry -atcp &#038;&#038; portsentry -audp</p> <p>Prepare o Ossec para trabalhar juntamente com o Portsentry adicionando algumas regras locais e do decoder[1].</p> <p>[1] O <a href="http://www.ossec.net/doc/manual/rules-decoders/create-custom.html">decoder</a> é responsável por interpretar os logs de várias ferramentas e juntamente com as regras realizar alguma ação.</p> <p>Primeiro remova a seguinte regra (linhas 2240-2257) do arquivo <em><strong>/var/ossec/etc/decoder.xml</strong></em></p> <p> <p class="c3"><span></span></p> <table class="c1"> <tr> <td class="c2"> <p class="c0"><span><!&#8211; Portsentry &#8211;&gt;</span></p> <p class="c0"><span>&lt;decoder name="portsentry"&gt;</span></p> <p class="c0"><span>&nbsp; &lt;program_name&gt;^portsentry&lt;/program_name&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0 c4"><span></span></p> <p class="c0"><span>&lt;decoder name="portsentry-attackalert"&gt;</span></p> <p class="c0"><span>&nbsp; &lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &lt;prematch&gt;attackalert: Connect from host: &lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &lt;regex offset="after_prematch"&gt;(\S+)/\S+ to (\S+) port: (\d+)$&lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp; &lt;order&gt;srcip,protocol,dstport&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0 c4"><span></span></p> <p class="c0"><span>&lt;decoder name="portsentry-blocked"&gt;</span></p> <p class="c0"><span>&nbsp; &lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &lt;prematch&gt;is already blocked. Ignoring$&lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &lt;regex&gt;Host: (\S+) is&lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp; &lt;order&gt;srcip&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> </td> </tr> </table> <p class="c3"><span></span></p> <p></p> <p>Adicione a seguinte regra no final do arquivo <em><strong>/var/ossec/etc/decoder.xml</strong></em>, antes da tag <strong>EOF</strong></p> <p> <p class="c3"><span></span></p> <table class="c1"> <tr> <td class="c4"> <p class="c0"><span>&lt;decoder name="portsentry"&gt;</span></p> <p class="c0"><span>&nbsp;&lt;program_name&gt;^portsentry&lt;/program_name&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0"><span>&lt;decoder name="portsentry-attackalert"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;prematch&gt;attackalert: TCP SYN/Normal scan from host: &lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;regex offset="after_prematch"&gt;(\S+)/\S+ to (\S+) port: (\d+)$&lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;order&gt;srcip,protocol,dstport&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0"><span>&lt;decoder name="portsentry-blocked"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;prematch&gt;is already blocked Ignoring$&lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;regex&gt;Host: (\S+)/\S+ is&lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;order&gt;srcip&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0"><span>&lt;decoder name="portsentry-scan"&gt;</span></p> <p class="c0"><span>&nbsp; &lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &lt;prematch&gt;^attackalert: &lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &lt;regex offset="after_prematch"&gt;scan from host: (\S+)/\S+ to \S+ port: (\d+)$&lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp; &lt;order&gt;srcip, dstport&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt;</span></p> <p class="c0"><span>&lt;decoder name="portsentry-host"&gt;</span></p> <p class="c0"><span>&nbsp; &lt;parent&gt;portsentry&lt;/parent&gt;</span></p> <p class="c0"><span>&nbsp; &lt;prematch offset="after_parent"&gt;^attackalert: Host: &lt;/prematch&gt;</span></p> <p class="c0"><span>&nbsp; &lt;regex offset="after_prematch"&gt;^(\S+)/\S+ &lt;/regex&gt;</span></p> <p class="c0"><span>&nbsp;&lt;order&gt;srcip&lt;/order&gt;</span></p> <p class="c0"><span>&lt;/decoder&gt; </span></p> </td> </tr> </table> <p class="c1"><span></span></p> <p></p> <p>Apartir dai o OSSEC passará a interpretar os logs gerados pelo Postsentry. Agora adicione as seguintes linhas no final do arquivo <em><strong>/var/ossec/rules/local_rules.xml</strong></em>, antes da tag <strong>EOF</strong><br /> <p class="c3"><span>&lt;group name="syslog,portsentry,"&gt;</span></p> <p class="c1"><span>&nbsp; &lt;rule id="160000" level="0" noalert="1"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;decoded_as&gt;portsentry&lt;/decoded_as&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;description&gt;Grouping for the PortSentry rules&lt;/description&gt;</span></p> <p class="c0"><span>&nbsp; &lt;/rule&gt;</span></p> <p class="c0"><span>&nbsp; &lt;rule id="160002" level="3"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;if_sid&gt;160000&lt;/if_sid&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;match&gt;attackalert:&lt;/match&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;description&gt;Connection from a host.&lt;/description&gt;</span></p> <p class="c0"><span>&nbsp; &lt;/rule&gt;</span></p> <p class="c0"><span>&nbsp; &lt;rule id="160003" level="8" frequency="4" timeframe="180" ignore="60"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;if_matched_sid&gt;160002&lt;/if_matched_sid&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;description&gt;Repeated connections from the same host.&lt;/description&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;same_source_ip/&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;group&gt;recon,&lt;/group&gt;</span></p> <p class="c0"><span>&nbsp; &lt;/rule&gt;</span></p> <p class="c0"><span>&nbsp; &lt;rule id="160004" level="10" frequency="8" timeframe="180" ignore="60"&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp;&lt;if_matched_sid&gt;160002&lt;/if_matched_sid&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;description&gt;Host is still scanning&lt;/description&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;same_source_ip /&gt;</span></p> <p class="c0"><span>&nbsp; &nbsp; &lt;group&gt;recon,&lt;/group&gt;</span></p> <p class="c0"><span>&nbsp; &lt;/rule&gt;</span></p> <p class="c0"><span>&lt;/group&gt; </span></p> <p></p> <p>Reinicie o OSSEC</p> <blockquote><p> invoke-rc.d ossec restart </p></blockquote> <p>Após reiniciar o OSSEC qualquer tentativa de varredura usando NMAP ou qualquer outro portscan será bloqueada. Recomendo a utilização de um firewall local, segue o exemplo de um script bastante efetivo.</p> <blockquote><p> #!/bin/sh</p> <p>SYSCTL=&#8221;/sbin/sysctl -w&#8221;</p> <p>IPT=&#8221;/sbin/iptables&#8221;<br /> IPTS=&#8221;/sbin/iptables-save&#8221;<br /> IPTR=&#8221;/sbin/iptables-restore&#8221;</p> <p>INET_IFACE=&#8221;eth0&#8243;</p> <p>LO_IFACE=&#8221;lo&#8221;<br /> LO_IP=&#8221;127.0.0.1&#8243;</p> <p># Save and Restore arguments handled here<br /> if [ "$1" = "save" ]<br /> then<br /> echo -n &#8220;Saving firewall to /etc/sysconfig/iptables &#8230; &#8221;<br /> $IPTS > /etc/sysconfig/iptables<br /> echo &#8220;done&#8221;<br /> exit 0<br /> elif [ "$1" = "restore" ]<br /> then<br /> echo -n &#8220;Restoring firewall from /etc/sysconfig/iptables &#8230; &#8221;<br /> $IPTR &lt; /etc/sysconfig/iptables<br /> echo "done"<br /> exit 0<br /> fi</p> <p>echo "Loading kernel modules ..."</p> <p># This enables SYN flood protection.<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo "1" > /proc/sys/net/ipv4/tcp_syncookies<br /> else<br /> $SYSCTL net.ipv4.tcp_syncookies=&#8221;1&#8243;<br /> fi</p> <p># This enables source validation by reversed path according to RFC1812.<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo &#8220;1&#8243; > /proc/sys/net/ipv4/conf/all/rp_filter<br /> else<br /> $SYSCTL net.ipv4.conf.all.rp_filter=&#8221;1&#8243;<br /> fi</p> <p># This kernel parameter instructs the kernel to ignore all ICMP<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo &#8220;1&#8243; > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts<br /> else<br /> $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=&#8221;1&#8243;<br /> fi</p> <p># This option can be used to accept or refuse source routed packets.<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo &#8220;0&#8243; > /proc/sys/net/ipv4/conf/all/accept_source_route<br /> else<br /> $SYSCTL net.ipv4.conf.all.accept_source_route=&#8221;0&#8243;</p> <p>fi</p> <p># However, we&#8217;ll ensure the secure_redirects option is on instead.<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo &#8220;1&#8243; > /proc/sys/net/ipv4/conf/all/secure_redirects<br /> else<br /> $SYSCTL net.ipv4.conf.all.secure_redirects=&#8221;1&#8243;<br /> fi</p> <p># This option logs packets from impossible addresses.<br /> if [ "$SYSCTL" = "" ]<br /> then<br /> echo &#8220;1&#8243; > /proc/sys/net/ipv4/conf/all/log_martians<br /> else<br /> $SYSCTL net.ipv4.conf.all.log_martians=&#8221;1&#8243;<br /> fi</p> <p>echo &#8220;Flushing Tables &#8230;&#8221;</p> <p># Reset Default Policies<br /> $IPT -P INPUT ACCEPT<br /> $IPT -P FORWARD ACCEPT<br /> $IPT -P OUTPUT ACCEPT</p> <p># Flush all rules<br /> $IPT -F</p> <p># Erase all non-default chains<br /> $IPT -X</p> <p>if [ "$1" = "stop" ]<br /> then<br /> echo &#8220;Firewall completely flushed! Now running with no firewall.&#8221;<br /> exit 0<br /> fi</p> <p>$IPT -P INPUT DROP<br /> $IPT -P OUTPUT DROP<br /> $IPT -P FORWARD DROP</p> <p>echo &#8220;Create and populate custom rule chains &#8230;&#8221;</p> <p># Create a chain to filter INVALID packets</p> <p>$IPT -N bad_packets</p> <p># Create another chain to filter bad tcp packets</p> <p>$IPT -N bad_tcp_packets</p> <p># Create separate chains for icmp, tcp (incoming and outgoing),<br /> # and incoming udp packets.</p> <p>$IPT -N icmp_packets</p> <p># Used for UDP packets inbound from the Internet<br /> $IPT -N udp_inbound</p> <p># Used to block outbound UDP services from internal network<br /> $IPT -N udp_outbound</p> <p># Used to allow inbound services if desired<br /> $IPT -N tcp_inbound</p> <p># Used to block outbound services from internal network<br /> $IPT -N tcp_outbound</p> <p># Drop INVALID packets immediately<br /> $IPT -A bad_packets -p ALL -m state &#8211;state INVALID -j LOG &#8211;log-prefix &#8216;fp=bad_packets:1 a=DROP&#8217; &#8211;log-level 4</p> <p>$IPT -A bad_packets -p ALL -m state &#8211;state INVALID -j DROP</p> <p># Then check the tcp packets for additional problems<br /> $IPT -A bad_packets -p tcp -j bad_tcp_packets</p> <p># All good, so return<br /> $IPT -A bad_packets -p ALL -j RETURN</p> <p># bad_tcp_packets chain</p> <p>$IPT -A bad_tcp_packets -p tcp ! &#8211;syn -m state &#8211;state NEW -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:1 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp ! &#8211;syn -m state &#8211;state NEW -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL NONE -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:2 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL NONE -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL ALL -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:3 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL ALL -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL FIN,URG,PSH -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:4 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL FIN,URG,PSH -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:5 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,RST SYN,RST -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:6 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,RST SYN,RST -j DROP</p> <p>$IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,FIN SYN,FIN -j LOG &#8211;log-prefix &#8216;fp=bad_tcp_packets:7 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A bad_tcp_packets -p tcp &#8211;tcp-flags SYN,FIN SYN,FIN -j DROP</p> <p># All good, so return<br /> $IPT -A bad_tcp_packets -p tcp -j RETURN</p> <p># icmp_packets chain</p> <p>$IPT -A icmp_packets &#8211;fragment -p ICMP -j LOG &#8211;log-prefix &#8216;fp=icmp_packets:1 a=DROP&#8217; &#8211;log-level 4<br /> $IPT -A icmp_packets &#8211;fragment -p ICMP -j DROP</p> <p>$IPT -A icmp_packets -p ICMP -s 0/0 &#8211;icmp-type 8 -j DROP</p> <p># Time Exceeded<br /> $IPT -A icmp_packets -p ICMP -s 0/0 &#8211;icmp-type 11 -j ACCEPT</p> <p># Not matched, so return so it will be logged<br /> $IPT -A icmp_packets -p ICMP -j RETURN</p> <p># Drop netbios calls<br /> $IPT -A udp_inbound -p UDP -s 0/0 &#8211;destination-port 137 -j DROP<br /> $IPT -A udp_inbound -p UDP -s 0/0 &#8211;destination-port 138 -j DROP</p> <p># Not matched, so return for logging<br /> $IPT -A udp_inbound -p UDP -j RETURN</p> <p># No match, so ACCEPT<br /> $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT</p> <p># Web Server</p> <p># HTTP<br /> $IPT -A tcp_inbound -p TCP -s 0/0 &#8211;destination-port 80 -j ACCEPT</p> <p># HTTPS (Secure Web Server)<br /> $IPT -A tcp_inbound -p TCP -s 0/0 &#8211;destination-port 443 -j ACCEPT</p> <p># sshd<br /> $IPT -A tcp_inbound -p TCP -s 0/0 &#8211;destination-port 22 -j ACCEPT</p> <p># Not matched, so return so it will be logged<br /> $IPT -A tcp_inbound -p TCP -j RETURN</p> <p># No match, so ACCEPT<br /> $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT</p> <p>echo &#8220;Process INPUT chain &#8230;&#8221;</p> <p># Allow all on localhost interface<br /> $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT</p> <p># Drop bad packets<br /> $IPT -A INPUT -p ALL -j bad_packets</p> <p># Accept Established Connections<br /> $IPT -A INPUT -p ALL -i $INET_IFACE -m state &#8211;state ESTABLISHED,RELATED -j ACCEPT</p> <p># Route the rest to the appropriate user chain<br /> $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound<br /> $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound<br /> $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets</p> <p># Drop without logging broadcasts that get this far.<br /> $IPT -A INPUT -m pkttype &#8211;pkt-type broadcast -j DROP</p> <p># Log packets that still don&#8217;t match<br /> $IPT -A INPUT -j LOG &#8211;log-prefix &#8220;fp=INPUT:99 a=DROP &#8221;</p> <p>echo &#8220;Process FORWARD chain &#8230;&#8221;</p> <p>echo &#8220;Process OUTPUT chain &#8230;&#8221;</p> <p>$IPT -A OUTPUT -m state -p icmp &#8211;state INVALID -j DROP</p> <p># Localhost<br /> $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT<br /> $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT</p> <p># To internet<br /> $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT</p> <p># Log packets that still don&#8217;t match<br /> $IPT -A OUTPUT -j LOG &#8211;log-prefix &#8216;fp=OUTPUT:99 a=DROP&#8217; &#8211;log-level 4</p> <p>echo &#8220;Load rules for mangle table &#8230;&#8221; </p></blockquote> <p><strong>Referências</strong></p> <p><a href="http://svn.fedecarg.com/repo/Shell%20Scripts/ssh/iptables.sh">Firewall Script</a></p> <p><a href="http://groups.google.com/group/ossec-list/browse_thread/thread/c75a97559a43c389">Portsentry decoders and rules issues</a> </p> <div><h3>See:</h3><ul><li><a href="http://blog.alexos.com.br/?p=2650&amp;lang=pt-br" class="crp_title">Ossec HIDS &#8211; Bloqueando o ZmEu bot e outros Web scanners</a></li><li><a href="http://blog.alexos.com.br/?p=2180&amp;lang=pt-br" class="crp_title">Nessus Viewer</a></li><li><a href="http://blog.alexos.com.br/?p=1644&amp;lang=pt-br" class="crp_title">Beta-Testing: Ossec 2.4 Beta</a></li><li><a href="http://blog.alexos.com.br/?p=1345&amp;lang=pt-br" class="crp_title">Habilitando o MSA ( submission ) no Postfix</a></li><li><a href="http://blog.alexos.com.br/?p=2157&amp;lang=pt-br" class="crp_title"> H3ll0 2k11</a></li></ul></div>
