Restricting malicious IP scans and attacks on OSSIM 5.2.1


Editor's note: this article was compiled by the editors of 小常识网 (cha138.com). It mainly explains how to restrict malicious IP scans and attacks on OSSIM 5.2.1, and we hope it is of some reference value to you.

Malicious machines on the network frequently scan OSSIM and run brute-force logins against its open ports. How can these malicious IPs be restricted? You can install the ipset package on OSSIM and use it to block them; the detailed procedure follows:

alienvault:~# apt-get install ipset 

Reading package lists... Done

Building dependency tree       

Reading state information... Done

The following extra packages will be installed:

  libipset3

The following NEW packages will be installed:

  ipset libipset3

0 upgraded, 2 newly installed, 0 to remove and 9 not upgraded.

Need to get 101 kB of archives.

After this operation, 492 kB of additional disk space will be used.

Do you want to continue? [Y/n] y

Get:1 http://data.alienvault.com/alienvault5/mirror/jessie/ jessie/main libipset3 amd64 6.23-2 [55.3 kB]

Get:2 http://data.alienvault.com/alienvault5/mirror/jessie/ jessie/main ipset amd64 6.23-2 [45.9 kB]

Fetched 101 kB in 2s (41.9 kB/s) 

Selecting previously unselected package libipset3:amd64.

(Reading database ... 63617 files and directories currently installed.)

Preparing to unpack .../libipset3_6.23-2_amd64.deb ...

Unpacking libipset3:amd64 (6.23-2) ...

Selecting previously unselected package ipset.

Preparing to unpack .../ipset_6.23-2_amd64.deb ...

Unpacking ipset (6.23-2) ...

Processing triggers for man-db (2.7.0.2-5) ...

Setting up libipset3:amd64 (6.23-2) ...

Setting up ipset (6.23-2) ...

Processing triggers for libc-bin (2.19-18+deb8u1) ...

Looking at the logs, the last failed scan/login attempt was at 2016-2-25 13:50:22; I want to block the IP 60.173.14.142.


alienvault:~# ipset create denyips hash:net

alienvault:~# ipset list

Name: denyips

Type: hash:net

Revision: 5

Header: family inet hashsize 1024 maxelem 65536

Size in memory: 16760

References: 0

Members:

alienvault:~# ipset add denyips 60.173.14.142/32

alienvault:~# ipset list

Name: denyips

Type: hash:net

Revision: 5

Header: family inet hashsize 1024 maxelem 65536

Size in memory: 16792

References: 0

Members:

60.173.14.142

alienvault:~# ll /etc/iptables

total 60

-rw-r--r-- 1 root root  71 Oct  7 01:24 aaaaa-header.iptables

-rw-r--r-- 1 root root 288 Oct  7 01:24 rules001-common.iptables

-rw-r--r-- 1 root root 191 Oct  7 01:24 rules002-common-ip6.iptables

-rw-r--r-- 1 root root  14 Feb  3 23:00 rules003-snmpd.iptables

-rw-r--r-- 1 root root  12 Feb  3 23:00 rules004-vpn.iptables

-rw-r--r-- 1 root root 172 Feb  3 23:28 rules006-mysql.iptables

-rw-r--r-- 1 root root 274 Oct  7 01:24 rules007-server.iptables

-rw-r--r-- 1 root root 131 Oct  7 01:24 rules008-apache2.iptables

-rw-r--r-- 1 root root 207 Oct  7 01:24 rules009-framework.iptables

-rw-r--r-- 1 root root  54 Oct  7 01:24 rules0090-ossec.iptables

-rw-r--r-- 1 root root 129 Feb  3 23:28 rules010-agent.iptables

-rw-r--r-- 1 root root  52 Feb  3 23:28 rules0100-nfsen.iptables

-rw-r--r-- 1 root root 185 Feb  3 23:00 rules0101-redis-server-otx.iptables

-rw-r--r-- 1 root root 110 Feb  4 14:33 rules012-custom.iptables

-rw-r--r-- 1 root root   7 Oct  7 01:24 zzzzz-footer.iptables

alienvault:~# cat /etc/iptables//rules012-custom.iptables 

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

alienvault:~# cat /etc/iptables//zzzzz-footer.iptables    

COMMIT

alienvault:~# cat /etc/iptables/zzzzz-footer.iptables  

COMMIT

alienvault:~# cat /etc/iptables/rules001-common.iptables 

-A INPUT -p ICMP --icmp-type timestamp-request -j DROP

-A OUTPUT -p ICMP --icmp-type timestamp-reply -j DROP

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT    

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 

alienvault:~# iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

DROP       icmp --  anywhere             anywhere             icmp timestamp-request

ACCEPT     icmp --  anywhere             anywhere            

ACCEPT     all  --  anywhere             anywhere            

ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

ACCEPT     tcp  --  alienvault.alienvault  anywhere             state NEW tcp dpt:mysql

ACCEPT     tcp  --  alienvault.alienvault  anywhere             state NEW tcp dpt:mysql

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40001

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40002

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40004

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40005

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40003

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40011

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3128

ACCEPT     udp  --  anywhere             anywhere             udp dpt:1514

ACCEPT     udp  --  anywhere             anywhere             udp dpt:syslog

ACCEPT     tcp  --  alienvault.alienvault  anywhere             state NEW tcp dpt:9390

ACCEPT     udp  --  anywhere             anywhere             udp dpt:555

ACCEPT     tcp  --  localhost            anywhere             state NEW tcp dpt:6380

REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

DROP       icmp --  anywhere             anywhere             icmp timestamp-reply

alienvault:~# vim /etc/iptables/rules001-common.iptables 

alienvault:~# 

-A INPUT -p ICMP --icmp-type timestamp-request -j DROP

-A OUTPUT -p ICMP --icmp-type timestamp-reply -j DROP

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -m set --match-set denyips src -p tcp --dport 22 -j DROP

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

alienvault:~# iptables -S    

-P INPUT ACCEPT

-P FORWARD ACCEPT

-P OUTPUT ACCEPT

-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT

-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40001 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40002 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40004 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40005 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40003 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40011 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT

-A INPUT -p udp -m udp --dport 1514 -j ACCEPT

-A INPUT -p udp -m udp --dport 514 -j ACCEPT

-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 9390 -j ACCEPT

-A INPUT -p udp -m udp --dport 555 -j ACCEPT

-A INPUT -s 127.0.0.1/32 -p tcp -m state --state NEW -m tcp --dport 6380 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP

alienvault:~# ali

alias                       alienvault-doctor           alienvault-reconfig         alienvault-system-id        alienvault_aptitude

alienvault-api              alienvault-firewall-reload  alienvault-rhythm           alienvault-update           alienvault_dpkg

alienvault-aptget           alienvault-passvulnscan     alienvault-setup            alienvault_apt-get          

alienvault:~# alienvault-firewall-reload 

Processing triggers for alienvault-firewall (5.2.1-116) ...

alienvault:~# iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

DROP       icmp --  anywhere             anywhere             icmp timestamp-request

ACCEPT     icmp --  anywhere             anywhere            

ACCEPT     all  --  anywhere             anywhere            

ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

DROP       tcp  --  anywhere             anywhere             match-set denyips src tcp dpt:ssh

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

ACCEPT     tcp  --  alienvault.alienvault  anywhere             state NEW tcp dpt:mysql

ACCEPT     tcp  --  alienvault.alienvault  anywhere             state NEW tcp dpt:mysql

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40001

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40002

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40004

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40005

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40003

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:40011

ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:3128

ACCEPT     udp  --  anywhere             anywhere             udp dpt:1514

ACCEPT     udp  --  anywhere             anywhere             udp dpt:syslog

ACCEPT     tcp  --  alienvault.alienvault  anywhere             state NEW tcp dpt:9390

ACCEPT     udp  --  anywhere             anywhere             udp dpt:555

ACCEPT     tcp  --  localhost            anywhere             state NEW tcp dpt:6380

REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

DROP       icmp --  anywhere             anywhere             icmp timestamp-reply

alienvault:~# iptables -S

-P INPUT ACCEPT

-P FORWARD ACCEPT

-P OUTPUT ACCEPT

-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m set --match-set denyips src -m tcp --dport 22 -j DROP

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT

-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40001 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40002 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40004 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40005 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40003 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 40011 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT

-A INPUT -p udp -m udp --dport 1514 -j ACCEPT

-A INPUT -p udp -m udp --dport 514 -j ACCEPT

-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 9390 -j ACCEPT

-A INPUT -p udp -m udp --dport 555 -j ACCEPT

-A INPUT -s 127.0.0.1/32 -p tcp -m state --state NEW -m tcp --dport 6380 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP

alienvault:~#
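The procedure above fills the denyips set by hand. The script below is an added example, not code from the post or from AlienVault, that feeds the same set from failed-SSH-login counts in auth-log lines and then verifies that the DROP rule the post added is active; the log lines are constructed samples, and the threshold, the DRY_RUN switch and cron use are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: build the "denyips" set the
# post creates from failed-SSH-login counts in auth-log lines. The log lines are
# constructed samples; the threshold and DRY_RUN behaviour are assumptions.

SAMPLE_LOG='Feb 25 13:50:01 alienvault sshd[2201]: Failed password for root from 60.173.14.142 port 41822 ssh2
Feb 25 13:50:09 alienvault sshd[2203]: Failed password for invalid user admin from 60.173.14.142 port 41910 ssh2
Feb 25 13:50:15 alienvault sshd[2205]: Accepted publickey for ossim from 192.0.2.10 port 50022 ssh2
Feb 25 13:50:22 alienvault sshd[2207]: Failed password for root from 60.173.14.142 port 42001 ssh2
Feb 25 13:51:02 alienvault sshd[2209]: Failed password for root from 198.51.100.7 port 33001 ssh2'

# Print "count ip" for each source with at least $2 "Failed password" lines in
# the log text $1 (the address is the word after "from" in sshd's message).
failed_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i + 1)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' | sort -k2
}

# Run a command, or only print it when DRY_RUN=1 (the default), so the script
# can be reviewed on a machine without ipset/iptables before it touches anything.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Add each address in $1 to the denyips set. "-exist" makes re-runs idempotent
# (an existing set or member is not an error), which matters when this runs
# from cron. The final -C only verifies that the DROP rule the post placed in
# /etc/iptables/rules001-common.iptables is active; it does not add it.
block_sources() {
    run ipset -exist create denyips hash:net
    for ip in $1; do
        run ipset -exist add denyips "$ip/32"
    done
    run iptables -C INPUT -p tcp -m set --match-set denyips src -m tcp --dport 22 -j DROP
}

# Block every source with three or more failures in the sample log (dry run).
block_sources "$(failed_sources "$SAMPLE_LOG" 3 | awk '{ print $2 }')"
```

The post's DROP rule only covers port 22, so scans of other ports from a listed address still fall through to the REJECT rule at the end of INPUT; omit `-p tcp --dport 22` to block listed sources on every port. ipset contents are not persistent across reboots: save them with `ipset save` and restore them before the firewall rules are loaded, otherwise the rule that references denyips fails to load.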
