Ir para o conteúdo
ou

Software livre Brasil

 Voltar a Alexos Core ...
Tela cheia

Ossec HIDS – Bloqueando o ZmEu bot e outros Web scanners

13 de Junho de 2011, 0:00 , por Software Livre Brasil - 0sem comentários ainda | Ninguém está seguindo este artigo ainda.
Visualizado 372 vezes
&lt;p&gt;&lt;a href=&quot;http://blog.alexos.com.br/wp-content/uploads/2011/06/zmeu.jpg&quot;&gt;&lt;img class=&quot;alignleft size-thumbnail wp-image-2661&quot; title=&quot;zmeu&quot; src=&quot;http://blog.alexos.com.br/wp-content/uploads/2011/06/zmeu-150x150.jpg&quot; height=&quot;150&quot; alt=&quot;&quot; width=&quot;150&quot; /&gt;&lt;/a&gt;A &lt;a href=&quot;http://www.pentestit.com/2010/01/15/list-free-web-application-scanners/&quot;&gt;enchurrada de Web scanners&lt;/a&gt; disponíveis na internet e o infeliz do &lt;a href=&quot;http://linux.m2osw.com/zmeu-attack&quot;&gt;ZmEu bot&lt;/a&gt; acabam tornando a vida dos nossos servidores Web um inferno.&lt;/p&gt; &lt;p&gt;Geralmente o Apache responde a estas tentativas com sucessivos error 400 ( Bad Request ). Para acabar com essa apurrinhação podemos bloqueá-las usando o &lt;a href=&quot;http://www.ossec.net/&quot;&gt;Ossec HIDS&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Exemplo de um log do ZmEu bot&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt; 82.145.xx.xx – &amp;#8211; [13/Aug/2010:07:19:36 -0300] “GET /phpadmin/scripts/setup.php HTTP/1.1″ 404 192 “-” “ZmEu”&lt;br /&gt; 82.145.xx.xx – &amp;#8211; [13/Aug/2010:07:19:35 -0300] “GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1″ 404 198 “-” “ZmEu”&lt;br /&gt; 82.145.xx.xx – &amp;#8211; [13/Aug/2010:07:19:35 -0300] “GET /mysqladmin/scripts/setup.php HTTP/1.1″ 404 194 “-” “ZmEu”&lt;br /&gt; 82.145.xx.xx – &amp;#8211; [13/Aug/2010:07:19:34 -0300] “GET /myadmin/scripts/setup.php HTTP/1.1″ 404 192 “-” “ZmEu”&lt;br /&gt; 82.145.xx.xx – &amp;#8211; [13/Aug/2010:07:19:33 -0300] “GET /dbadmin/scripts/setup.php HTTP/1.1″ 404 191 “-” “ZmEu”&lt;br /&gt; 82.145.xx.xx – &amp;#8211; [13/Aug/2010:07:19:33 -0300] “GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1″ 404 196 “-” “ZmEu” &lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Para isso adicione as linhas abaixo dentro da tag &lt;strong&gt;Active Response Config&lt;/strong&gt; localizada no arquivo &lt;em&gt;&lt;strong&gt;/var/ossec/etc/ossec.conf&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt; &lt;div class=&quot;codecolorer-container xml geshi&quot; style=&quot;overflow: auto; white-space: nowrap;&quot;&gt; &lt;table&gt; &lt;tr&gt; &lt;td class=&quot;line-numbers&quot;&gt; &lt;div&gt;1&lt;br /&gt;2&lt;br /&gt;3&lt;br /&gt;4&lt;br /&gt;5&lt;br /&gt;6&lt;br /&gt;7&lt;br /&gt;8&lt;/div&gt; &lt;/td&gt; &lt;td&gt; &lt;div class=&quot;xml codecolorer&quot; style=&quot;white-space: nowrap;&quot;&gt;&lt;span style=&quot;color: #808080; font-style: italic;&quot;&gt;<!&amp;#8211; Active response to block http scanning &amp;#8211;&amp;gt;&lt;/span&gt; &lt;/p&gt; &lt;p&gt;&amp;nbsp; &amp;nbsp; &lt;span style=&quot;color: #009900;&quot;&gt;&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;lt;active-response&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;br /&gt; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &lt;span style=&quot;color: #009900;&quot;&gt;&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;lt;command&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;route-null&lt;span style=&quot;color: #009900;&quot;&gt;&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;lt;/command&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;br /&gt; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &lt;span style=&quot;color: #009900;&quot;&gt;&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;lt;location&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;all&lt;span style=&quot;color: #009900;&quot;&gt;&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;lt;/location&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&amp;nbsp; &amp;nbsp; &lt;span style=&quot;color: #808080; font-style: italic;&quot;&gt;<!&amp;#8211; Multiple web server 400 error codes from same source IP &amp;#8211;&amp;gt;&lt;/span&gt; &lt;br /&gt; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &lt;span style=&quot;color: #009900;&quot;&gt;&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;lt;rules_id&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;31151&lt;span style=&quot;color: #009900;&quot;&gt;&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;lt;/rules_id&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;br /&gt; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &lt;span style=&quot;color: #009900;&quot;&gt;&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;lt;timeout&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;600&lt;span style=&quot;color: #009900;&quot;&gt;&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;lt;/timeout&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;/p&gt; &lt;p&gt;&amp;nbsp; &amp;nbsp; &lt;span style=&quot;color: #009900;&quot;&gt;&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;lt;/active-response&lt;span style=&quot;color: #000000; font-weight: bold;&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/table&gt; &lt;/div&gt; &lt;p&gt;A configuração acima executará o script route-null sempre que a regra 31151 em web_rules.xml for detectada bloqueando o atacante por 10 min ( 600s ), isto significa que ocorrendo vários erros 400 no log do Apache o ip de origem será bloqueado por 10 min.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Fonte:&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href=&quot;http://itscblog.tamu.edu/protecting-web-servers-with-ossec/&quot;&gt;ITSC Blog&lt;/a&gt;&lt;/p&gt; &lt;div&gt;&lt;h3&gt;See:&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://blog.alexos.com.br/?p=2180&amp;amp;lang=pt-br&quot; class=&quot;crp_title&quot;&gt;Nessus Viewer&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://blog.alexos.com.br/?p=1644&amp;amp;lang=pt-br&quot; class=&quot;crp_title&quot;&gt;Beta-Testing: Ossec 2.4 Beta&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://blog.alexos.com.br/?p=1345&amp;amp;lang=pt-br&quot; class=&quot;crp_title&quot;&gt;Habilitando o MSA ( submission ) no Postfix&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://blog.alexos.com.br/?p=2157&amp;amp;lang=pt-br&quot; class=&quot;crp_title&quot;&gt; H3ll0 2k11&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://blog.alexos.com.br/?p=1630&amp;amp;lang=pt-br&quot; class=&quot;crp_title&quot;&gt;Novidades FLISOL 2010 Salvador&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;
Fonte: http://blog.alexos.com.br/?p=2650&lang=pt-br

0sem comentários ainda

Enviar um comentário

Os campos são obrigatórios.

Se você é um usuário registrado, pode se identificar e ser reconhecido automaticamente.