<a href="http://blog.alexos.com.br/?p=2717&amp;lang=pt-br" title="Proteção contra portscans com Ossec HIDS e Portsentry"></a><p><a href="http://blog.alexos.com.br/wp-content/uploads/2011/08/network-security-scanning.jpg"><img class="alignright size-medium wp-image-2745" title="Binary man" src="http://blog.alexos.com.br/wp-content/uploads/2011/08/network-security-scanning-198x300.jpg" height="300" alt="" width="198" /></a>O <a href="http://www.ossec.net">Ossec HIDS</a> é sem sombra de dúvidas uma das maiores ferramentas de proteção de host, mas como nada é perfeito existe uma deficiência na detecção e bloqueio de portscans.</p>
<p>O próprio Daniel Cid, pai da criança, informou isso em resposta a um <a href="http://www.mail-archive.com/ossec-list@googlegroups.com/msg00889.html">questionamento</a> sobre o assunto na <a href="http://groups.google.com/group/ossec-list">lista</a> do Ossec. Vejo o trecho abaixo:</p>
<blockquote><p>“Ossec by itself does not detect portscans. However, if you send your firewall<br />
logs to ossec it can detect portscans by analyzing your fw logs…”</p></blockquote>
<p>Para ajudar neste tarefa Daniel <a href="http://www.ossec.net/wiki/Detecting_port_scan_with_Ossec_and_iplog">indica</a> o uso do <a href="http://ojnk.sourceforge.net/">iplog</a> em conjunto com o Ossec, mas a última versão é de 2001 e sem manutenção como informa seu desenvolvedor:</p>
<blockquote><p>“I am through working on this project. I will not be making any updates, and I will ignore just about all email about it. If anybody wants to take it over (for whatever reason), let me know.”</p></blockquote>
<p>Para atender está demanda podemos utilizar o <a href="http://sourceforge.net/projects/sentrytools/">Postsentry</a>, IDS responsável por detectar e bloquear tentativas de varredura de portas TCP/UDP.</p>
<p>Neste artigo irei apresentar como integrar o Ossec ao Portsentry tornando mais robusta a segurança do seu host. Estou levando em conta que você já possui o Ossec instalado e funcionando.</p>
<p>Instale e inicie o Portsentry</p>
<p>aptitude install portsentry &amp;&amp; portsentry -atcp &amp;&amp; portsentry -audp</p>
<p>Prepare o Ossec para trabalhar juntamente com o Portsentry adicionando algumas regras locais e do decoder[1].</p>
<p>[1] O <a href="http://www.ossec.net/doc/manual/rules-decoders/create-custom.html">decoder</a> é responsável por interpretar os logs de várias ferramentas e juntamente com as regras realizar alguma ação.</p>
<p>Primeiro remova a seguinte regra (linhas 2240-2257) do arquivo <em><strong>/var/ossec/etc/decoder.xml</strong></em></p>
<p>
</p><p class="c3"><span></span></p>
<table class="c1">
<tr>
<td class="c2">
<p class="c0"><span><!– Portsentry –&gt;</span></p>
<p class="c0"><span>&lt;decoder name="portsentry"&gt;</span></p>
<p class="c0"><span> &lt;program_name&gt;^portsentry&lt;/program_name&gt;</span></p>
<p class="c0"><span>&lt;/decoder&gt;</span></p>
<p class="c0 c4"><span></span></p>
<p class="c0"><span>&lt;decoder name="portsentry-attackalert"&gt;</span></p>
<p class="c0"><span> &lt;parent&gt;portsentry&lt;/parent&gt;</span></p>
<p class="c0"><span> &lt;prematch&gt;attackalert: Connect from host: &lt;/prematch&gt;</span></p>
<p class="c0"><span> &lt;regex offset="after_prematch"&gt;(\S+)/\S+ to (\S+) port: (\d+)$&lt;/regex&gt;</span></p>
<p class="c0"><span> &lt;order&gt;srcip,protocol,dstport&lt;/order&gt;</span></p>
<p class="c0"><span>&lt;/decoder&gt;</span></p>
<p class="c0 c4"><span></span></p>
<p class="c0"><span>&lt;decoder name="portsentry-blocked"&gt;</span></p>
<p class="c0"><span> &lt;parent&gt;portsentry&lt;/parent&gt;</span></p>
<p class="c0"><span> &lt;prematch&gt;is already blocked. Ignoring$&lt;/prematch&gt;</span></p>
<p class="c0"><span> &lt;regex&gt;Host: (\S+) is&lt;/regex&gt;</span></p>
<p class="c0"><span> &lt;order&gt;srcip&lt;/order&gt;</span></p>
<p class="c0"><span>&lt;/decoder&gt;</span></p>
</td>
</tr>
</table>
<p class="c3"><span></span></p>
<p></p>
<p>Adicione a seguinte regra no final do arquivo <em><strong>/var/ossec/etc/decoder.xml</strong></em>, antes da tag <strong>EOF</strong></p>
<p>
</p><p class="c3"><span></span></p>
<table class="c1">
<tr>
<td class="c4">
<p class="c0"><span>&lt;decoder name="portsentry"&gt;</span></p>
<p class="c0"><span> &lt;program_name&gt;^portsentry&lt;/program_name&gt;</span></p>
<p class="c0"><span>&lt;/decoder&gt;</span></p>
<p class="c0"><span>&lt;decoder name="portsentry-attackalert"&gt;</span></p>
<p class="c0"><span> &lt;parent&gt;portsentry&lt;/parent&gt;</span></p>
<p class="c0"><span> &lt;prematch&gt;attackalert: TCP SYN/Normal scan from host: &lt;/prematch&gt;</span></p>
<p class="c0"><span> &lt;regex offset="after_prematch"&gt;(\S+)/\S+ to (\S+) port: (\d+)$&lt;/regex&gt;</span></p>
<p class="c0"><span> &lt;order&gt;srcip,protocol,dstport&lt;/order&gt;</span></p>
<p class="c0"><span>&lt;/decoder&gt;</span></p>
<p class="c0"><span>&lt;decoder name="portsentry-blocked"&gt;</span></p>
<p class="c0"><span> &lt;parent&gt;portsentry&lt;/parent&gt;</span></p>
<p class="c0"><span> &lt;prematch&gt;is already blocked Ignoring$&lt;/prematch&gt;</span></p>
<p class="c0"><span> &lt;regex&gt;Host: (\S+)/\S+ is&lt;/regex&gt;</span></p>
<p class="c0"><span> &lt;order&gt;srcip&lt;/order&gt;</span></p>
<p class="c0"><span>&lt;/decoder&gt;</span></p>
<p class="c0"><span>&lt;decoder name="portsentry-scan"&gt;</span></p>
<p class="c0"><span> &lt;parent&gt;portsentry&lt;/parent&gt;</span></p>
<p class="c0"><span> &lt;prematch&gt;^attackalert: &lt;/prematch&gt;</span></p>
<p class="c0"><span> &lt;regex offset="after_prematch"&gt;scan from host: (\S+)/\S+ to \S+ port: (\d+)$&lt;/regex&gt;</span></p>
<p class="c0"><span> &lt;order&gt;srcip, dstport&lt;/order&gt;</span></p>
<p class="c0"><span>&lt;/decoder&gt;</span></p>
<p class="c0"><span>&lt;decoder name="portsentry-host"&gt;</span></p>
<p class="c0"><span> &lt;parent&gt;portsentry&lt;/parent&gt;</span></p>
<p class="c0"><span> &lt;prematch offset="after_parent"&gt;^attackalert: Host: &lt;/prematch&gt;</span></p>
<p class="c0"><span> &lt;regex offset="after_prematch"&gt;^(\S+)/\S+ &lt;/regex&gt;</span></p>
<p class="c0"><span> &lt;order&gt;srcip&lt;/order&gt;</span></p>
<p class="c0"><span>&lt;/decoder&gt; </span></p>
</td>
</tr>
</table>
<p class="c1"><span></span></p>
<p></p>
<p>Apartir dai o OSSEC passará a interpretar os logs gerados pelo Postsentry. Agora adicione as seguintes linhas no final do arquivo <em><strong>/var/ossec/rules/local_rules.xml</strong></em>, antes da tag <strong>EOF</strong><br />
</p><p class="c3"><span>&lt;group name="syslog,portsentry,"&gt;</span></p>
<p class="c1"><span> &lt;rule id="160000" level="0" noalert="1"&gt;</span></p>
<p class="c0"><span> &lt;decoded_as&gt;portsentry&lt;/decoded_as&gt;</span></p>
<p class="c0"><span> &lt;description&gt;Grouping for the PortSentry rules&lt;/description&gt;</span></p>
<p class="c0"><span> &lt;/rule&gt;</span></p>
<p class="c0"><span> &lt;rule id="160002" level="3"&gt;</span></p>
<p class="c0"><span> &lt;if_sid&gt;160000&lt;/if_sid&gt;</span></p>
<p class="c0"><span> &lt;match&gt;attackalert:&lt;/match&gt;</span></p>
<p class="c0"><span> &lt;description&gt;Connection from a host.&lt;/description&gt;</span></p>
<p class="c0"><span> &lt;/rule&gt;</span></p>
<p class="c0"><span> &lt;rule id="160003" level="8" frequency="4" timeframe="180" ignore="60"&gt;</span></p>
<p class="c0"><span> &lt;if_matched_sid&gt;160002&lt;/if_matched_sid&gt;</span></p>
<p class="c0"><span> &lt;description&gt;Repeated connections from the same host.&lt;/description&gt;</span></p>
<p class="c0"><span> &lt;same_source_ip/&gt;</span></p>
<p class="c0"><span> &lt;group&gt;recon,&lt;/group&gt;</span></p>
<p class="c0"><span> &lt;/rule&gt;</span></p>
<p class="c0"><span> &lt;rule id="160004" level="10" frequency="8" timeframe="180" ignore="60"&gt;</span></p>
<p class="c0"><span> &lt;if_matched_sid&gt;160002&lt;/if_matched_sid&gt;</span></p>
<p class="c0"><span> &lt;description&gt;Host is still scanning&lt;/description&gt;</span></p>
<p class="c0"><span> &lt;same_source_ip /&gt;</span></p>
<p class="c0"><span> &lt;group&gt;recon,&lt;/group&gt;</span></p>
<p class="c0"><span> &lt;/rule&gt;</span></p>
<p class="c0"><span>&lt;/group&gt; </span></p>
<p></p>
<p>Reinicie o OSSEC</p>
<blockquote><p>
invoke-rc.d ossec restart
</p></blockquote>
<p>Após reiniciar o OSSEC qualquer tentativa de varredura usando NMAP ou qualquer outro portscan será bloqueada. Recomendo a utilização de um firewall local, segue o exemplo de um script bastante efetivo.</p>
<blockquote><p>
#!/bin/sh</p>
<p>SYSCTL=”/sbin/sysctl -w”</p>
<p>IPT=”/sbin/iptables”<br />
IPTS=”/sbin/iptables-save”<br />
IPTR=”/sbin/iptables-restore”</p>
<p>INET_IFACE=”eth0″</p>
<p>LO_IFACE=”lo”<br />
LO_IP=”127.0.0.1″</p>
<p># Save and Restore arguments handled here<br />
if [ "$1" = "save" ]<br />
then<br />
echo -n “Saving firewall to /etc/sysconfig/iptables … ”<br />
$IPTS &gt; /etc/sysconfig/iptables<br />
echo “done”<br />
exit 0<br />
elif [ "$1" = "restore" ]<br />
then<br />
echo -n “Restoring firewall from /etc/sysconfig/iptables … ”<br />
$IPTR &lt; /etc/sysconfig/iptables<br />
echo "done"<br />
exit 0<br />
fi</p>
<p>echo "Loading kernel modules ..."</p>
<p># This enables SYN flood protection.<br />
if [ "$SYSCTL" = "" ]<br />
then<br />
echo "1" &gt; /proc/sys/net/ipv4/tcp_syncookies<br />
else<br />
$SYSCTL net.ipv4.tcp_syncookies=”1″<br />
fi</p>
<p># This enables source validation by reversed path according to RFC1812.<br />
if [ "$SYSCTL" = "" ]<br />
then<br />
echo “1″ &gt; /proc/sys/net/ipv4/conf/all/rp_filter<br />
else<br />
$SYSCTL net.ipv4.conf.all.rp_filter=”1″<br />
fi</p>
<p># This kernel parameter instructs the kernel to ignore all ICMP<br />
if [ "$SYSCTL" = "" ]<br />
then<br />
echo “1″ &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts<br />
else<br />
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=”1″<br />
fi</p>
<p># This option can be used to accept or refuse source routed packets.<br />
if [ "$SYSCTL" = "" ]<br />
then<br />
echo “0″ &gt; /proc/sys/net/ipv4/conf/all/accept_source_route<br />
else<br />
$SYSCTL net.ipv4.conf.all.accept_source_route=”0″</p>
<p>fi</p>
<p># However, we’ll ensure the secure_redirects option is on instead.<br />
if [ "$SYSCTL" = "" ]<br />
then<br />
echo “1″ &gt; /proc/sys/net/ipv4/conf/all/secure_redirects<br />
else<br />
$SYSCTL net.ipv4.conf.all.secure_redirects=”1″<br />
fi</p>
<p># This option logs packets from impossible addresses.<br />
if [ "$SYSCTL" = "" ]<br />
then<br />
echo “1″ &gt; /proc/sys/net/ipv4/conf/all/log_martians<br />
else<br />
$SYSCTL net.ipv4.conf.all.log_martians=”1″<br />
fi</p>
<p>echo “Flushing Tables …”</p>
<p># Reset Default Policies<br />
$IPT -P INPUT ACCEPT<br />
$IPT -P FORWARD ACCEPT<br />
$IPT -P OUTPUT ACCEPT</p>
<p># Flush all rules<br />
$IPT -F</p>
<p># Erase all non-default chains<br />
$IPT -X</p>
<p>if [ "$1" = "stop" ]<br />
then<br />
echo “Firewall completely flushed! Now running with no firewall.”<br />
exit 0<br />
fi</p>
<p>$IPT -P INPUT DROP<br />
$IPT -P OUTPUT DROP<br />
$IPT -P FORWARD DROP</p>
<p>echo “Create and populate custom rule chains …”</p>
<p># Create a chain to filter INVALID packets</p>
<p>$IPT -N bad_packets</p>
<p># Create another chain to filter bad tcp packets</p>
<p>$IPT -N bad_tcp_packets</p>
<p># Create separate chains for icmp, tcp (incoming and outgoing),<br />
# and incoming udp packets.</p>
<p>$IPT -N icmp_packets</p>
<p># Used for UDP packets inbound from the Internet<br />
$IPT -N udp_inbound</p>
<p># Used to block outbound UDP services from internal network<br />
$IPT -N udp_outbound</p>
<p># Used to allow inbound services if desired<br />
$IPT -N tcp_inbound</p>
<p># Used to block outbound services from internal network<br />
$IPT -N tcp_outbound</p>
<p># Drop INVALID packets immediately<br />
$IPT -A bad_packets -p ALL -m state –state INVALID -j LOG –log-prefix ‘fp=bad_packets:1 a=DROP’ –log-level 4</p>
<p>$IPT -A bad_packets -p ALL -m state –state INVALID -j DROP</p>
<p># Then check the tcp packets for additional problems<br />
$IPT -A bad_packets -p tcp -j bad_tcp_packets</p>
<p># All good, so return<br />
$IPT -A bad_packets -p ALL -j RETURN</p>
<p># bad_tcp_packets chain</p>
<p>$IPT -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j LOG –log-prefix ‘fp=bad_tcp_packets:1 a=DROP’ –log-level 4<br />
$IPT -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP</p>
<p>$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL NONE -j LOG –log-prefix ‘fp=bad_tcp_packets:2 a=DROP’ –log-level 4<br />
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL NONE -j DROP</p>
<p>$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL ALL -j LOG –log-prefix ‘fp=bad_tcp_packets:3 a=DROP’ –log-level 4<br />
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL ALL -j DROP</p>
<p>$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL FIN,URG,PSH -j LOG –log-prefix ‘fp=bad_tcp_packets:4 a=DROP’ –log-level 4<br />
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL FIN,URG,PSH -j DROP</p>
<p>$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG –log-prefix ‘fp=bad_tcp_packets:5 a=DROP’ –log-level 4<br />
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP</p>
<p>$IPT -A bad_tcp_packets -p tcp –tcp-flags SYN,RST SYN,RST -j LOG –log-prefix ‘fp=bad_tcp_packets:6 a=DROP’ –log-level 4<br />
$IPT -A bad_tcp_packets -p tcp –tcp-flags SYN,RST SYN,RST -j DROP</p>
<p>$IPT -A bad_tcp_packets -p tcp –tcp-flags SYN,FIN SYN,FIN -j LOG –log-prefix ‘fp=bad_tcp_packets:7 a=DROP’ –log-level 4<br />
$IPT -A bad_tcp_packets -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP</p>
<p># All good, so return<br />
$IPT -A bad_tcp_packets -p tcp -j RETURN</p>
<p># icmp_packets chain</p>
<p>$IPT -A icmp_packets –fragment -p ICMP -j LOG –log-prefix ‘fp=icmp_packets:1 a=DROP’ –log-level 4<br />
$IPT -A icmp_packets –fragment -p ICMP -j DROP</p>
<p>$IPT -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j DROP</p>
<p># Time Exceeded<br />
$IPT -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT</p>
<p># Not matched, so return so it will be logged<br />
$IPT -A icmp_packets -p ICMP -j RETURN</p>
<p># Drop netbios calls<br />
$IPT -A udp_inbound -p UDP -s 0/0 –destination-port 137 -j DROP<br />
$IPT -A udp_inbound -p UDP -s 0/0 –destination-port 138 -j DROP</p>
<p># Not matched, so return for logging<br />
$IPT -A udp_inbound -p UDP -j RETURN</p>
<p># No match, so ACCEPT<br />
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT</p>
<p># Web Server</p>
<p># HTTP<br />
$IPT -A tcp_inbound -p TCP -s 0/0 –destination-port 80 -j ACCEPT</p>
<p># HTTPS (Secure Web Server)<br />
$IPT -A tcp_inbound -p TCP -s 0/0 –destination-port 443 -j ACCEPT</p>
<p># sshd<br />
$IPT -A tcp_inbound -p TCP -s 0/0 –destination-port 22 -j ACCEPT</p>
<p># Not matched, so return so it will be logged<br />
$IPT -A tcp_inbound -p TCP -j RETURN</p>
<p># No match, so ACCEPT<br />
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT</p>
<p>echo “Process INPUT chain …”</p>
<p># Allow all on localhost interface<br />
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT</p>
<p># Drop bad packets<br />
$IPT -A INPUT -p ALL -j bad_packets</p>
<p># Accept Established Connections<br />
$IPT -A INPUT -p ALL -i $INET_IFACE -m state –state ESTABLISHED,RELATED -j ACCEPT</p>
<p># Route the rest to the appropriate user chain<br />
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound<br />
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound<br />
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets</p>
<p># Drop without logging broadcasts that get this far.<br />
$IPT -A INPUT -m pkttype –pkt-type broadcast -j DROP</p>
<p># Log packets that still don’t match<br />
$IPT -A INPUT -j LOG –log-prefix “fp=INPUT:99 a=DROP ”</p>
<p>echo “Process FORWARD chain …”</p>
<p>echo “Process OUTPUT chain …”</p>
<p>$IPT -A OUTPUT -m state -p icmp –state INVALID -j DROP</p>
<p># Localhost<br />
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT<br />
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT</p>
<p># To internet<br />
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT</p>
<p># Log packets that still don’t match<br />
$IPT -A OUTPUT -j LOG –log-prefix ‘fp=OUTPUT:99 a=DROP’ –log-level 4</p>
<p>echo “Load rules for mangle table …”
</p></blockquote>
<p><strong>Referências</strong></p>
<p><a href="http://svn.fedecarg.com/repo/Shell%20Scripts/ssh/iptables.sh">Firewall Script</a></p>
<p><a href="http://groups.google.com/group/ossec-list/browse_thread/thread/c75a97559a43c389">Portsentry decoders and rules issues</a> </p>
<div><h3>See:</h3><ul><li><a href="http://blog.alexos.com.br/?p=2650&amp;lang=pt-br" class="crp_title">Ossec HIDS – Bloqueando o ZmEu bot e outros Web scanners</a></li><li><a href="http://blog.alexos.com.br/?p=2180&amp;lang=pt-br" class="crp_title">Nessus Viewer</a></li><li><a href="http://blog.alexos.com.br/?p=1644&amp;lang=pt-br" class="crp_title">Beta-Testing: Ossec 2.4 Beta</a></li><li><a href="http://blog.alexos.com.br/?p=1345&amp;lang=pt-br" class="crp_title">Habilitando o MSA ( submission ) no Postfix</a></li><li><a href="http://blog.alexos.com.br/?p=2157&amp;lang=pt-br" class="crp_title"> H3ll0 2k11</a></li></ul></div>
Alexandro Silva: Proteção contra portscans com Ossec HIDS e Portsentry
5 de Agosto de 2011, 0:00 - sem comentários ainda | Ninguém está seguindo este artigo ainda.
Visualizado 226 vezes
0sem comentários ainda