Restricting malicious IP scanning and attacks on OSSIM 5.2.1
Malicious hosts on the Internet frequently scan OSSIM and brute-force its ports. How can these malicious IPs be blocked? You can install the ipset package on OSSIM and use it to restrict them; the detailed procedure follows:
alienvault:~# apt-get install ipset
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
libipset3
The following NEW packages will be installed:
ipset libipset3
0 upgraded, 2 newly installed, 0 to remove and 9 not upgraded.
Need to get 101 kB of archives.
After this operation, 492 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://data.alienvault.com/alienvault5/mirror/jessie/ jessie/main libipset3 amd64 6.23-2 [55.3 kB]
Get:2 http://data.alienvault.com/alienvault5/mirror/jessie/ jessie/main ipset amd64 6.23-2 [45.9 kB]
Fetched 101 kB in 2s (41.9 kB/s)
Selecting previously unselected package libipset3:amd64.
(Reading database ... 63617 files and directories currently installed.)
Preparing to unpack .../libipset3_6.23-2_amd64.deb ...
Unpacking libipset3:amd64 (6.23-2) ...
Selecting previously unselected package ipset.
Preparing to unpack .../ipset_6.23-2_amd64.deb ...
Unpacking ipset (6.23-2) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up libipset3:amd64 (6.23-2) ...
Setting up ipset (6.23-2) ...
Processing triggers for libc-bin (2.19-18+deb8u1) ...
From the log, the last failed scan/login attempt was at 2016-2-25 13:50:22; I want to block the IP 60.173.14.142.
alienvault:~# ipset create denyips hash:net
alienvault:~# ipset list
Name: denyips
Type: hash:net
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16760
References: 0
Members:
alienvault:~# ipset add denyips 60.173.14.142/32
alienvault:~# ipset list
Name: denyips
Type: hash:net
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16792
References: 0
Members:
60.173.14.142
alienvault:~# ll /etc/iptables
total 60
-rw-r--r-- 1 root root 71 Oct 7 01:24 aaaaa-header.iptables
-rw-r--r-- 1 root root 288 Oct 7 01:24 rules001-common.iptables
-rw-r--r-- 1 root root 191 Oct 7 01:24 rules002-common-ip6.iptables
-rw-r--r-- 1 root root 14 Feb 3 23:00 rules003-snmpd.iptables
-rw-r--r-- 1 root root 12 Feb 3 23:00 rules004-vpn.iptables
-rw-r--r-- 1 root root 172 Feb 3 23:28 rules006-mysql.iptables
-rw-r--r-- 1 root root 274 Oct 7 01:24 rules007-server.iptables
-rw-r--r-- 1 root root 131 Oct 7 01:24 rules008-apache2.iptables
-rw-r--r-- 1 root root 207 Oct 7 01:24 rules009-framework.iptables
-rw-r--r-- 1 root root 54 Oct 7 01:24 rules0090-ossec.iptables
-rw-r--r-- 1 root root 129 Feb 3 23:28 rules010-agent.iptables
-rw-r--r-- 1 root root 52 Feb 3 23:28 rules0100-nfsen.iptables
-rw-r--r-- 1 root root 185 Feb 3 23:00 rules0101-redis-server-otx.iptables
-rw-r--r-- 1 root root 110 Feb 4 14:33 rules012-custom.iptables
-rw-r--r-- 1 root root 7 Oct 7 01:24 zzzzz-footer.iptables
alienvault:~# cat /etc/iptables//rules012-custom.iptables
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
alienvault:~# cat /etc/iptables//zzzzz-footer.iptables
COMMIT
alienvault:~# cat /etc/iptables/zzzzz-footer.iptables
COMMIT
alienvault:~# cat /etc/iptables/rules001-common.iptables
-A INPUT -p ICMP --icmp-type timestamp-request -j DROP
-A OUTPUT -p ICMP --icmp-type timestamp-reply -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
alienvault:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp timestamp-request
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- alienvault.alienvault anywhere state NEW tcp dpt:mysql
ACCEPT tcp -- alienvault.alienvault anywhere state NEW tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40001
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40002
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40004
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40005
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40003
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40011
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:3128
ACCEPT udp -- anywhere anywhere udp dpt:1514
ACCEPT udp -- anywhere anywhere udp dpt:syslog
ACCEPT tcp -- alienvault.alienvault anywhere state NEW tcp dpt:9390
ACCEPT udp -- anywhere anywhere udp dpt:555
ACCEPT tcp -- localhost anywhere state NEW tcp dpt:6380
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp timestamp-reply
alienvault:~# vim /etc/iptables/rules001-common.iptables
alienvault:~#
-A INPUT -p ICMP --icmp-type timestamp-request -j DROP
-A OUTPUT -p ICMP --icmp-type timestamp-reply -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m set --match-set denyips src -p tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
alienvault:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40002 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40004 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40005 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40003 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40011 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 9390 -j ACCEPT
-A INPUT -p udp -m udp --dport 555 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m state --state NEW -m tcp --dport 6380 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
alienvault:~# ali
alias alienvault-doctor alienvault-reconfig alienvault-system-id alienvault_aptitude
alienvault-api alienvault-firewall-reload alienvault-rhythm alienvault-update alienvault_dpkg
alienvault-aptget alienvault-passvulnscan alienvault-setup alienvault_apt-get
alienvault:~# alienvault-firewall-reload
Processing triggers for alienvault-firewall (5.2.1-116) ...
alienvault:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp timestamp-request
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere match-set denyips src tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- alienvault.alienvault anywhere state NEW tcp dpt:mysql
ACCEPT tcp -- alienvault.alienvault anywhere state NEW tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40001
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40002
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40004
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40005
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40003
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:40011
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:3128
ACCEPT udp -- anywhere anywhere udp dpt:1514
ACCEPT udp -- anywhere anywhere udp dpt:syslog
ACCEPT tcp -- alienvault.alienvault anywhere state NEW tcp dpt:9390
ACCEPT udp -- anywhere anywhere udp dpt:555
ACCEPT tcp -- localhost anywhere state NEW tcp dpt:6380
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp timestamp-reply
alienvault:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m set --match-set denyips src -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40002 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40004 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40005 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40003 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40011 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s 211.151.20.204/32 -p tcp -m state --state NEW -m tcp --dport 9390 -j ACCEPT
-A INPUT -p udp -m udp --dport 555 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m state --state NEW -m tcp --dport 6380 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
alienvault:~#
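Added example (not from the original post): a small POSIX shell script that automates the manual log-reading step above, counting sshd `Failed password` lines per source address and printing the `ipset` commands that add repeat offenders to the `denyips` set. The log lines, the threshold and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of sshd auth.log lines (not taken from the original post).
SAMPLE_LOG='Feb 25 13:50:10 alienvault sshd[1201]: Failed password for root from 60.173.14.142 port 51022 ssh2
Feb 25 13:50:14 alienvault sshd[1203]: Failed password for invalid user admin from 60.173.14.142 port 51040 ssh2
Feb 25 13:50:22 alienvault sshd[1205]: Failed password for root from 60.173.14.142 port 51061 ssh2
Feb 25 13:51:02 alienvault sshd[1210]: Failed password for root from 192.0.2.10 port 40001 ssh2
Feb 25 13:52:30 alienvault sshd[1215]: Accepted password for ossim from 192.0.2.10 port 40010 ssh2'

# offenders LOGTEXT THRESHOLD
# Prints, one per line and sorted, every source IP with at least THRESHOLD
# failed sshd logins. Successful logins ("Accepted") are ignored.
offenders() {
    printf '%s\n' "$1" |
        grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c |
        awk -v t="$2" '$1 >= t { print $2 }'
}

# ban_commands LOGTEXT THRESHOLD
# Emits the ipset commands the post runs by hand. "-exist" makes both the
# create and the add idempotent, so the script can be re-run from cron.
# Nothing is applied here; pipe the output to sh once reviewed.
ban_commands() {
    printf 'ipset create denyips hash:net -exist\n'
    offenders "$1" "$2" | while read -r ip; do
        printf 'ipset add denyips %s/32 -exist\n' "$ip"
    done
}

# Example run: three failures from one address, one from another.
ban_commands "$SAMPLE_LOG" 3
```

The `-m set --match-set denyips src` rule the post inserts only drops port 22; leaving out `-p tcp --dport 22` blocks every protocol from the set. Sets exist only in kernel memory, so save them with `ipset save` and restore them before the firewall is reloaded at boot, otherwise the rule referencing the missing set fails to load.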