<a href="http://blog.alexos.com.br/?p=2650&amp;lang=pt-br" title="Ossec HIDS - Bloqueando o ZmEu bot e outros Web scanners"></a><p><a href="http://blog.alexos.com.br/wp-content/uploads/2011/06/zmeu.jpg"><img class="alignleft size-thumbnail wp-image-2661" title="zmeu" src="http://blog.alexos.com.br/wp-content/uploads/2011/06/zmeu-150x150.jpg" height="150" alt="" width="150" /></a>A <a href="http://www.pentestit.com/2010/01/15/list-free-web-application-scanners/">enchurrada de Web scanners</a> disponíveis na internet e o infeliz do <a href="http://linux.m2osw.com/zmeu-attack">ZmEu bot</a> acabam tornando a vida dos nossos servidores Web um inferno.</p>
<p>Geralmente o Apache responde a estas tentativas com sucessivos error 400 ( Bad Request ). Para acabar com essa apurrinhação podemos bloqueá-las usando o <a href="http://www.ossec.net/">Ossec HIDS</a>.</p>
<p>Exemplo de um log do ZmEu bot</p>
<blockquote><p>
82.145.xx.xx – – [13/Aug/2010:07:19:36 -0300] “GET /phpadmin/scripts/setup.php HTTP/1.1″ 404 192 “-” “ZmEu”<br />
82.145.xx.xx – – [13/Aug/2010:07:19:35 -0300] “GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1″ 404 198 “-” “ZmEu”<br />
82.145.xx.xx – – [13/Aug/2010:07:19:35 -0300] “GET /mysqladmin/scripts/setup.php HTTP/1.1″ 404 194 “-” “ZmEu”<br />
82.145.xx.xx – – [13/Aug/2010:07:19:34 -0300] “GET /myadmin/scripts/setup.php HTTP/1.1″ 404 192 “-” “ZmEu”<br />
82.145.xx.xx – – [13/Aug/2010:07:19:33 -0300] “GET /dbadmin/scripts/setup.php HTTP/1.1″ 404 191 “-” “ZmEu”<br />
82.145.xx.xx – – [13/Aug/2010:07:19:33 -0300] “GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1″ 404 196 “-” “ZmEu”
</p></blockquote>
<p>Para isso adicione as linhas abaixo dentro da tag <strong>Active Response Config</strong> localizada no arquivo <em><strong>/var/ossec/etc/ossec.conf</strong></em></p>
<div class="codecolorer-container xml geshi" style="overflow: auto; white-space: nowrap;">
<table>
<tr>
<td class="line-numbers">
<div>1<br />2<br />3<br />4<br />5<br />6<br />7<br />8</div>
</td>
<td>
<div class="xml codecolorer" style="white-space: nowrap;"><span style="color: #808080; font-style: italic;"><!– Active response to block http scanning –&gt;</span> <p></p>
<p> <span style="color: #009900;"><span style="color: #000000; font-weight: bold;">&lt;active-response<span style="color: #000000; font-weight: bold;">&gt;</span></span></span> <br />
<span style="color: #009900;"><span style="color: #000000; font-weight: bold;">&lt;command<span style="color: #000000; font-weight: bold;">&gt;</span></span></span>route-null<span style="color: #009900;"><span style="color: #000000; font-weight: bold;">&lt;/command<span style="color: #000000; font-weight: bold;">&gt;</span></span></span> <br />
<span style="color: #009900;"><span style="color: #000000; font-weight: bold;">&lt;location<span style="color: #000000; font-weight: bold;">&gt;</span></span></span>local<span style="color: #009900;"><span style="color: #000000; font-weight: bold;">&lt;/location<span style="color: #000000; font-weight: bold;">&gt;</span></span></span></p>
<p> <span style="color: #808080; font-style: italic;"><!– Multiple web server 400 error codes from same source IP –&gt;</span> <br />
<span style="color: #009900;"><span style="color: #000000; font-weight: bold;">&lt;rules_id<span style="color: #000000; font-weight: bold;">&gt;</span></span></span>31151<span style="color: #009900;"><span style="color: #000000; font-weight: bold;">&lt;/rules_id<span style="color: #000000; font-weight: bold;">&gt;</span></span></span> <br />
<span style="color: #009900;"><span style="color: #000000; font-weight: bold;">&lt;timeout<span style="color: #000000; font-weight: bold;">&gt;</span></span></span>600<span style="color: #009900;"><span style="color: #000000; font-weight: bold;">&lt;/timeout<span style="color: #000000; font-weight: bold;">&gt;</span></span></span> </p>
<p> <span style="color: #009900;"><span style="color: #000000; font-weight: bold;">&lt;/active-response<span style="color: #000000; font-weight: bold;">&gt;</span></span></span></p></div>
</td>
</tr>
</table>
</div>
<p>A configuração acima executará o script route-null sempre que a regra 31151 em web_rules.xml for detectada bloqueando o atacante por 10 min ( 600s ), isto significa que ocorrendo vários erros 400 no log do Apache o ip de origem será bloqueado por 10 min.</p>
<p><strong>Fonte:</strong></p>
<p><a href="http://itscblog.tamu.edu/protecting-web-servers-with-ossec/">ITSC Blog</a></p>
<div><h3>See:</h3><ul><li><a href="http://blog.alexos.com.br/?p=2180&amp;lang=pt-br" class="crp_title">Nessus Viewer</a></li><li><a href="http://blog.alexos.com.br/?p=1644&amp;lang=pt-br" class="crp_title">Beta-Testing: Ossec 2.4 Beta</a></li><li><a href="http://blog.alexos.com.br/?p=1345&amp;lang=pt-br" class="crp_title">Habilitando o MSA ( submission ) no Postfix</a></li><li><a href="http://blog.alexos.com.br/?p=2157&amp;lang=pt-br" class="crp_title"> H3ll0 2k11</a></li><li><a href="http://blog.alexos.com.br/?p=1630&amp;lang=pt-br" class="crp_title">Novidades FLISOL 2010 Salvador</a></li></ul></div>
Alexandro Silva: Ossec HIDS – Bloqueando o ZmEu bot e outros Web scanners
13 de Junho de 2011, 0:00 - sem comentários ainda | Ninguém está seguindo este artigo ainda.
Visualizado 402 vezes
0sem comentários ainda