Alexandro Silva: Protecting against port scans with OSSEC HIDS and Portsentry

August 5, 2011, 0:00, by Software Livre Brasil
OSSEC HIDS (http://www.ossec.net) is without a doubt one of the best host protection tools available, but as nothing is perfect, it has one shortcoming: detecting and blocking port scans.

Daniel Cid, the project's creator, said as much in reply to a question (http://www.mail-archive.com/ossec-list@googlegroups.com/msg00889.html) on the subject on the OSSEC list (http://groups.google.com/group/ossec-list). See the excerpt below:

    "Ossec by itself does not detect portscans. However, if you send your firewall logs to ossec it can detect portscans by analyzing your fw logs..."

To help with this task, Daniel recommends (http://www.ossec.net/wiki/Detecting_port_scan_with_Ossec_and_iplog) using iplog (http://ojnk.sourceforge.net/) together with OSSEC, but its last release dates from 2001 and it is unmaintained, as its developer states:

    "I am through working on this project. I will not be making any updates, and I will ignore just about all email about it. If anybody wants to take it over (for whatever reason), let me know."

To meet this need we can use Portsentry (http://sourceforge.net/projects/sentrytools/), an IDS that detects and blocks TCP/UDP port scan attempts.

In this article I will show how to integrate OSSEC with Portsentry, making your host's security more robust. I am assuming you already have OSSEC installed and running.

Install and start Portsentry:

    aptitude install portsentry && portsentry -atcp && portsentry -audp

Prepare OSSEC to work together with Portsentry by adding some local rules and decoder entries[1].

[1] The decoder (http://www.ossec.net/doc/manual/rules-decoders/create-custom.html) is responsible for interpreting the logs of the various tools and, together with the rules, triggering some action.

First remove the following decoder block (lines 2240-2257) from the file /var/ossec/etc/decoder.xml:

    <!-- Portsentry -->
    <decoder name="portsentry">
      <program_name>^portsentry</program_name>
    </decoder>

    <decoder name="portsentry-attackalert">
      <parent>portsentry</parent>
      <prematch>attackalert: Connect from host: </prematch>
      <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
      <order>srcip,protocol,dstport</order>
    </decoder>

    <decoder name="portsentry-blocked">
      <parent>portsentry</parent>
      <prematch>is already blocked. Ignoring$</prematch>
      <regex>Host: (\S+) is</regex>
      <order>srcip</order>
    </decoder>

Add the following decoders at the end of /var/ossec/etc/decoder.xml, before the EOF tag:

    <decoder name="portsentry">
      <program_name>^portsentry</program_name>
    </decoder>
    <decoder name="portsentry-attackalert">
      <parent>portsentry</parent>
      <prematch>attackalert: TCP SYN/Normal scan from host: </prematch>
      <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
      <order>srcip,protocol,dstport</order>
    </decoder>
    <decoder name="portsentry-blocked">
      <parent>portsentry</parent>
      <prematch>is already blocked Ignoring$</prematch>
      <regex>Host: (\S+)/\S+ is</regex>
      <order>srcip</order>
    </decoder>
    <decoder name="portsentry-scan">
      <parent>portsentry</parent>
      <prematch>^attackalert: </prematch>
      <regex offset="after_prematch">scan from host: (\S+)/\S+ to \S+ port: (\d+)$</regex>
      <order>srcip,dstport</order>
    </decoder>
    <decoder name="portsentry-host">
      <parent>portsentry</parent>
      <prematch offset="after_parent">^attackalert: Host: </prematch>
      <regex offset="after_prematch">^(\S+)/\S+ </regex>
      <order>srcip</order>
    </decoder>

From this point on OSSEC will parse the logs generated by Portsentry. Now add the following lines at the end of /var/ossec/rules/local_rules.xml, before the EOF tag:

    <group name="syslog,portsentry,">
      <rule id="160000" level="0" noalert="1">
        <decoded_as>portsentry</decoded_as>
        <description>Grouping for the PortSentry rules</description>
      </rule>
      <rule id="160002" level="3">
        <if_sid>160000</if_sid>
        <match>attackalert:</match>
        <description>Connection from a host.</description>
      </rule>
      <rule id="160003" level="8" frequency="4" timeframe="180" ignore="60">
        <if_matched_sid>160002</if_matched_sid>
        <description>Repeated connections from the same host.</description>
        <same_source_ip/>
        <group>recon,</group>
      </rule>
      <rule id="160004" level="10" frequency="8" timeframe="180" ignore="60">
        <if_matched_sid>160002</if_matched_sid>
        <description>Host is still scanning</description>
        <same_source_ip/>
        <group>recon,</group>
      </rule>
    </group>

Before restarting, you can paste one Portsentry log line into /var/ossec/bin/ossec-logtest to confirm that the decoder extracts srcip and dstport and that rule 160002 matches.

Restart OSSEC:

    invoke-rc.d ossec restart

After restarting OSSEC, any scan attempt using Nmap or any other port scanner will be blocked.
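The decoder and rule logic above, modelled in Python as an added example that is not part of the original article: it parses constructed Portsentry syslog lines with the article's prematch/regex/order definitions and replays the 160002, 160003 and 160004 escalation over a sliding 180-second window with the 60-second ignore. Python's re module and the simple per-IP counter are assumptions standing in for OSSEC's own regex engine and frequency bookkeeping, so read it as a model of the logic, not as analysisd.

```python
import re
from collections import defaultdict, deque

# Child decoders from the article: (name, prematch, regex, regex_after_prematch, order).
# With offset="after_prematch" the regex runs on the text after the prematch hit;
# otherwise it runs on the whole message. Python's re stands in for OSSEC's regex
# engine (an assumption; close enough for these \S+ / \d+ patterns).
DECODERS = [
    ("portsentry-attackalert", r"attackalert: TCP SYN/Normal scan from host: ",
     r"(\S+)/\S+ to (\S+) port: (\d+)$", True, ["srcip", "protocol", "dstport"]),
    ("portsentry-blocked", r"is already blocked Ignoring$",
     r"Host: (\S+)/\S+ is", False, ["srcip"]),
    ("portsentry-scan", r"^attackalert: ",
     r"scan from host: (\S+)/\S+ to \S+ port: (\d+)$", True, ["srcip", "dstport"]),
    ("portsentry-host", r"^attackalert: Host: ", r"^(\S+)/\S+ ", True, ["srcip"]),
]
# Syslog framing: "Aug  5 10:00:00 web01 portsentry[2210]: message"
SYSLOG = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+([^\s\[:]+)(?:\[\d+\])?:\s(.*)$")

def decode(line):
    """Parent decoder: program_name ^portsentry. The first child whose prematch and
    regex both hit supplies the fields. Returns None for non-Portsentry lines."""
    m = SYSLOG.match(line)
    if not m or not re.match(r"^portsentry", m.group(1)):
        return None
    msg = m.group(2)
    for name, prematch, regex, after_prematch, order in DECODERS:
        pm = re.search(prematch, msg)
        if not pm:
            continue
        rm = re.search(regex, msg[pm.end():] if after_prematch else msg)
        if rm:
            return {"decoder": name, **dict(zip(order, rm.groups()))}
    return {"decoder": "portsentry"}  # parent matched, no child fields extracted

class ReconCorrelator:
    """Models rules 160002 -> 160003 -> 160004: every 'attackalert:' line is a
    level-3 event; 4 or 8 of them from the same srcip inside the timeframe escalate
    to level 8 / level 10, after which that rule is muted for `ignore` seconds.
    Simplified sliding-window model (an assumption), not OSSEC's exact counting."""
    ESCALATION = [(160004, 10, 8), (160003, 8, 4)]  # (rule id, level, frequency)

    def __init__(self, timeframe=180, ignore=60):
        self.timeframe, self.ignore = timeframe, ignore
        self.hits = defaultdict(deque)  # srcip -> timestamps inside the window
        self.muted = {}                 # (srcip, rule id) -> ignore until

    def feed(self, ts, line):
        """Return [(rule id, level), ...] fired for this line, [] if nothing matched."""
        ev = decode(line)
        if ev is None or "attackalert:" not in line:  # 160002: <match>attackalert:</match>
            return []
        fired = [(160002, 3)]
        ip = ev.get("srcip")
        if ip is None:                                # <same_source_ip/> needs a srcip
            return fired
        window = self.hits[ip]
        window.append(ts)
        while ts - window[0] > self.timeframe:        # expire events outside timeframe
            window.popleft()
        for rid, level, freq in self.ESCALATION:      # highest level first
            if len(window) >= freq and self.muted.get((ip, rid), -1) < ts:
                self.muted[(ip, rid)] = ts + self.ignore
                fired.append((rid, level))
                break
        return fired

def replay(events, **kw):
    """Feed (seconds, line) pairs in order; return the highest rule id fired per line."""
    c = ReconCorrelator(**kw)
    return [max((rid for rid, _ in c.feed(ts, line)), default=None) for ts, line in events]

# Constructed sample: one host probing eight ports within 21 seconds.
SCANNER = "203.0.113.7"
SAMPLE = [(3 * i, f"Aug  5 10:00:{3 * i:02d} web01 portsentry[2210]: attackalert: TCP SYN/Normal "
                  f"scan from host: {SCANNER}/{SCANNER} to TCP port: {port}")
          for i, port in enumerate([23, 111, 1080, 3128, 5900, 6000, 8080, 10000])]
```

Running replay(SAMPLE) shows the fourth probe raising 160003 and the eighth raising 160004, while two probes 200 seconds apart never leave level 3.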
I also recommend running a local firewall; below is an example of a fairly effective script.

    #!/bin/sh

    SYSCTL="/sbin/sysctl -w"

    IPT="/sbin/iptables"
    IPTS="/sbin/iptables-save"
    IPTR="/sbin/iptables-restore"

    INET_IFACE="eth0"

    LO_IFACE="lo"
    LO_IP="127.0.0.1"

    # Save and Restore arguments handled here
    if [ "$1" = "save" ]
    then
    echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    $IPTS > /etc/sysconfig/iptables
    echo "done"
    exit 0
    elif [ "$1" = "restore" ]
    then
    echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    $IPTR < /etc/sysconfig/iptables
    echo "done"
    exit 0
    fi

    echo "Loading kernel modules ..."

    # This enables SYN flood protection.
    if [ "$SYSCTL" = "" ]
    then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    else
    $SYSCTL net.ipv4.tcp_syncookies="1"
    fi

    # This enables source validation by reversed path according to RFC1812.
    if [ "$SYSCTL" = "" ]
    then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
    fi

    # This kernel parameter instructs the kernel to ignore all ICMP
    if [ "$SYSCTL" = "" ]
    then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
    fi

    # This option can be used to accept or refuse source routed packets.
    if [ "$SYSCTL" = "" ]
    then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
    fi

    # However, we'll ensure the secure_redirects option is on instead.
    if [ "$SYSCTL" = "" ]
    then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
    else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
    fi

    # This option logs packets from impossible addresses.
    if [ "$SYSCTL" = "" ]
    then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
    fi

    echo "Flushing Tables ..."

    # Reset Default Policies
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT

    # Flush all rules
    $IPT -F

    # Erase all non-default chains
    $IPT -X

    if [ "$1" = "stop" ]
    then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
    fi

    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    echo "Create and populate custom rule chains ..."

    # Create a chain to filter INVALID packets
    $IPT -N bad_packets

    # Create another chain to filter bad tcp packets
    $IPT -N bad_tcp_packets

    # Create separate chains for icmp, tcp (incoming and outgoing),
    # and incoming udp packets.
    $IPT -N icmp_packets

    # Used for UDP packets inbound from the Internet
    $IPT -N udp_inbound

    # Used to block outbound UDP services from internal network
    $IPT -N udp_outbound

    # Used to allow inbound services if desired
    $IPT -N tcp_inbound

    # Used to block outbound services from internal network
    $IPT -N tcp_outbound

    # Drop INVALID packets immediately
    $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix 'fp=bad_packets:1 a=DROP' --log-level 4
    $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

    # Then check the tcp packets for additional problems
    $IPT -A bad_packets -p tcp -j bad_tcp_packets

    # All good, so return
    $IPT -A bad_packets -p ALL -j RETURN

    # bad_tcp_packets chain
    $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix 'fp=bad_tcp_packets:1 a=DROP' --log-level 4
    $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG --log-prefix 'fp=bad_tcp_packets:2 a=DROP' --log-level 4
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG --log-prefix 'fp=bad_tcp_packets:3 a=DROP' --log-level 4
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'fp=bad_tcp_packets:4 a=DROP' --log-level 4
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix 'fp=bad_tcp_packets:5 a=DROP' --log-level 4
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix 'fp=bad_tcp_packets:6 a=DROP' --log-level 4
    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix 'fp=bad_tcp_packets:7 a=DROP' --log-level 4
    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # All good, so return
    $IPT -A bad_tcp_packets -p tcp -j RETURN

    # icmp_packets chain
    $IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix 'fp=icmp_packets:1 a=DROP' --log-level 4
    $IPT -A icmp_packets --fragment -p ICMP -j DROP

    $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

    # Time Exceeded
    $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

    # Not matched, so return so it will be logged
    $IPT -A icmp_packets -p ICMP -j RETURN

    # Drop netbios calls
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

    # Not matched, so return for logging
    $IPT -A udp_inbound -p UDP -j RETURN

    # No match, so ACCEPT
    $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

    # Web Server

    # HTTP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

    # HTTPS (Secure Web Server)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT

    # sshd
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

    # Not matched, so return so it will be logged
    $IPT -A tcp_inbound -p TCP -j RETURN

    # No match, so ACCEPT
    $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

    echo "Process INPUT chain ..."

    # Allow all on localhost interface
    $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

    # Drop bad packets
    $IPT -A INPUT -p ALL -j bad_packets

    # Accept Established Connections
    $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Route the rest to the appropriate user chain
    $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
    $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
    $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

    # Drop without logging broadcasts that get this far.
    $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

    # Log packets that still don't match
    $IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "

    echo "Process FORWARD chain ..."

    echo "Process OUTPUT chain ..."

    $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

    # Localhost
    $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

    # To internet
    $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

    # Log packets that still don't match
    $IPT -A OUTPUT -j LOG --log-prefix 'fp=OUTPUT:99 a=DROP' --log-level 4

    echo "Load rules for mangle table ..."

References

Firewall Script: http://svn.fedecarg.com/repo/Shell%20Scripts/ssh/iptables.sh

Portsentry decoders and rules issues: http://groups.google.com/group/ossec-list/browse_thread/thread/c75a97559a43c389
Source: http://blog.alexos.com.br/?p=2717&lang=pt-br
