[Original][Security Operations] Simulating a Small Enterprise Intranet

Posted: 2022-8-5 22:18
Based on the realities of a small business, this lab simulates a small LAN and applies configurations against common intranet attack techniques (such as DDoS and SSH brute forcing). The goal of the exercise is to improve the security-operations skills of novice sysadmins.

The LAN contains the physical host and a proxy server host. The physical host is an ordinary client machine, and the proxy server is the proxy provided by the company; this network simulates the public Internet.
The NAT network contains the HTTP server, the backup server, the NIS server and the client host; this network simulates the company intranet.
Physical host: set the browser proxy to 192.168.1.10 on the same subnet; the portal site at 192.168.56.102 can then be reached.
Proxy server: shut down all unnecessary ports, move the SSH port to 1022 as a disguise, give careful thought to the firewall configuration, monitor the logs and e-mail root when SSH login failures exceed a threshold within a short time, and provide the squid proxy service.
HTTP server: host a portal site protected by HTTPS and provide the rsync service; configure iptables so that only the proxy server can reach ports 80 and 443.
Backup server: keep a copy of the HTTP server's logs via rsync.
NIS server: provide account management for the client and the backup server.
Client: configure a simple firewall.
On the 192.168.56.0/24 subnet, every host other than the proxy server (which the physical host may reach) must be unreachable from IPs outside the LAN. This can be done with iptables:
1. Firewall configuration
and set up the /etc/crontab file
Enable the kernel's protection features:
Once configured, reboot and check that the firewall settings have taken effect.
2. Shut down all unnecessary ports
Listing the open ports shows this entry:
Following the advice in 鸟哥's book, I disabled the cups service with systemctl:
```
systemctl disable cups.service
```
The ntsysv command can also be used to review and disable unnecessary services.
3. Disguise the SSH port as 1022
/etc/ssh/sshd_config:
Add port 1022 as a permitted SSH port in SELinux.
4. Monitor the logs and e-mail root when failed attempts exceed a threshold within a short time
Test brute-forcing the SSH port from Kali
On average 1.7 failed logins per second
So more than 60 SSH login attempts within one minute is a strong indication that an account password is being brute-forced.
Write an automated tool that detects SSH password brute forcing, immediately bans the suspicious IP and e-mails the system administrator.
Specifically: periodically check the output of the lastb command; if any IP has more than 60 login failures within one minute, notify root with the mail command and immediately ban that IP with iptables (the rule banning the suspect IP is also added to /home/dc/iptables.mysettings).
Script contents:
Contents of /etc/crontab:
Brute-force port 1022 from two hosts with hydra:
```
date ; hydra -l dc -P /usr/share/nmap/nselib/data/passwords.lst -v ssh://192.168.1.10:1022 ; date
```
Afterwards, check root's mailbox on this machine
After spotting the attack, the script immediately blacklisted both attacking hosts.
Now look at the attacking machines' output:
Five thousand passwords were supposed to be tried, but because of the script the attacker was banned after fewer than three or four hundred:
Check this machine's iptables configuration again:
5. Set up the squid proxy
Install squid:
Uncomment one line in the configuration file:
Start the service and enable it at boot:
Finally, don't forget to reconfigure the firewall, since the physical host still needs to reach the proxy server:
Configure the firewall:
Accept packets from the lo interface, accept packets from the 56 subnet and packets related to connections this host initiated itself; drop 56.1 (the physical host) and all other packets.
Add the cron job:
1. Firewall configuration
Save the configuration and schedule the cron job:
2. Install the httpd service, start it, and enable it at boot:
Set up a simple home page for the site:
Set up HTTPS:
On this server, schedule periodic backups of the HTTP server's website content.
1. First set up passwordless login to the HTTP server:
Add the public key on the HTTP server:
Back on the backup server, test it:
2. With passwordless login working, add a system cron job as root that syncs the HTTP server's website content to the local /tmp directory every hour.
Add the cron job:
The script's output and the crontab log can be monitored to watch it run; the two main log files are:
1. Install NIS
2. Set the NIS domain name.
Following 鸟哥's book, the configuration is as follows:
Edit /etc/sysconfig/network to set the domain name and make NIS start on fixed ports:
Make the same settings on the two client machines.
3. Set up the main configuration file:
4. Map host names to IPs
Edit the corresponding file:
Checking with hostname showed the host name had not been applied, so it was set again with hostnamectl:
5. Start all related services
Check for anything abnormal:
6. Process the accounts and build the database
7. Firewall settings
Save the configuration and schedule the cron job:
8. Client configuration
Install the required software:
The setup command can be used to quickly edit the configuration files.
Verify the database with the yptest command
Check the number of databases with ypwhich
Switch user with su - nisuser1.
The two rules that ban the physical host and admit only the local subnet:
```
# ban the physical host
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
# only allow connections from the same subnet
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
```
Proxy server firewall script (saved to /home/dc/iptables.mysettings):
```
# flush the existing rules
iptables -F
iptables -X
iptables -Z
# default policy for the INPUT chain: drop
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# -A append a rule, -i input interface, -j target action, -m match module, -p protocol
# --dport destination port, --sport source port
# -m state --state RELATED,ESTABLISHED matches on connection state. Four states exist:
# INVALID, ESTABLISHED, NEW and RELATED. INVALID means the packet belongs to no known
# flow or connection, or its data or headers are malformed. ESTABLISHED means the packet
# is valid and belongs to an established connection in which both ends have already sent
# data. NEW means the packet is starting, or has started, a new connection, or belongs
# to a connection that has not yet seen data in both directions. RELATED means the packet
# is starting a new connection that is related to an already established one.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
```
Proxy server /etc/crontab, re-applying the saved rules every minute:
```
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

# apply my iptables from file per minute.
*  *  *  *  * root /sbin/iptables-restore /home/dc/iptables.mysettings
```
Kernel protection settings in /etc/sysctl.conf on the proxy server:
```
[root@localhost dc]# vim /etc/sysctl.conf
[root@localhost dc]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp0s8.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1

# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.enp0s8.log_martians = 1
net.ipv4.conf.lo.log_martians = 1

# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.enp0s8.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0

# Do not send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.enp0s8.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
[root@localhost dc]# sysctl -p
```
Listing the listening ports:
```
[root@localhost dc]# netstat -tulnp
tcp6       0      0 ::1:631                 :::*                    LISTEN      1267/cupsd
```
/etc/ssh/sshd_config (relevant lines):
```
Port 1022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
```
Allow port 1022 for the SSH service in SELinux:
```
[root@localhost dc]# semanage port -a -t ssh_port_t -p tcp 1022
[root@localhost dc]#
[root@localhost dc]# semanage port -l | grep ssh
ssh_port_t                     tcp      1022, 22
```
The first brute-force test from Kali (222-word fasttrack list), used to measure the failure rate:
```
date ; hydra -l dc -P /usr/share/wordlists/fasttrack.txt -v ssh://192.168.1.10:1022 ; date
2022年 07月 29日 星期五 22:23:15 CST
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[ERROR] could not connect to target port 1022: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[ERROR] could not connect to target port 1022: Socket error: Connection reset by peer
[ERROR] ssh protocol error
2022年 07月 29日 星期五 22:25:26 CST
```
```
cat /usr/share/wordlists/fasttrack.txt | wc -l
222
>>> (222/(2*60+10))
1.7076923076923076
```
/root/detect_ssh_port_hacking.py:
```python
import os
import datetime
import subprocess

# More than this many failed logins from one IP within one minute is treated
# as brute forcing (the hydra test above ran at about 1.7 failures per second).
THRESHOLD = 60
# The script originally opened the relative name "black_list.txt"; an absolute
# path removes the dependency on cron's working directory.
BLACKLIST_FILE = "/root/black_list.txt"
RULES_FILE = "/home/dc/iptables.mysettings"
IFACE = "enp0s3"


def compose_time_str(date_time_t):
    """Format a datetime the way the awk pipeline below formats lastb output,
    e.g. 'Aug-4-10:30'. lastb prints the day without a leading zero, so only
    the leading zero is stripped (replace('0', '') also turned day 10 into 1
    and day 20 into 2, so those days were never matched)."""
    month_str = date_time_t.strftime("%b")
    day_str = date_time_t.strftime("%d").lstrip('0')
    time_str = date_time_t.strftime("%H:%M")
    return month_str + '-' + day_str + '-' + time_str


now_time = datetime.datetime.now()
month_str = now_time.strftime("%b")
# The three whole minutes before the current one (the cron job runs every 3 minutes).
time_str_list = [compose_time_str(now_time - datetime.timedelta(minutes=m))
                 for m in (1, 2, 3)]

# lastb fields: user, tty, host, weekday, month, day, time ...
# The pipeline prints one "Aug-4-10:30 192.168.1.3" line per failed login.
cmdline = "lastb | awk '{printf \"%s-%s-%s %s\\n\",$5,$6,$7,$3}'"
login_failed_information = os.popen(cmdline).read().split('\n')

# { time: {ip: number, ip2: number}, time2: {ip: number} }
suspect_ip_and_attack_time_dict = {}
for line in login_failed_information:
    if not line.startswith(month_str):
        continue
    parts = line.split(' ')
    if len(parts) != 2:
        continue
    detail_time, ip = parts
    if detail_time in time_str_list:
        time_dict = suspect_ip_and_attack_time_dict.setdefault(detail_time, {})
        time_dict[ip] = time_dict.get(ip, 0) + 1

black_list = []
message = ""
for detail_time, values in suspect_ip_and_attack_time_dict.items():
    for ip, failed_times in values.items():
        if failed_times > THRESHOLD:
            black_list.append(ip)
            message += "{} attacked {} times at {}\n".format(ip, failed_times, detail_time)
black_list = list(set(black_list))

# IPs banned on earlier runs. Strip the newline: with it kept, the membership
# test below never matched and the same DROP rule was inserted on every run.
ban_ip_list = []
if os.path.exists(BLACKLIST_FILE):
    with open(BLACKLIST_FILE, "r") as f:
        ban_ip_list = [entry.strip() for entry in f if entry.strip()]
black_list = [ip for ip in black_list if ip not in ban_ip_list]

# Insert the DROP at position 3, after the lo and RELATED,ESTABLISHED accepts,
# e.g. iptables -I INPUT 3 -i enp0s3 -s 192.168.1.1 -j DROP
with open(BLACKLIST_FILE, "a") as f:
    for ip in black_list:
        ban_cmd = "iptables -I INPUT 3 -i " + IFACE + " -s " + ip + " -j DROP"
        f.write(ip + '\n')
        os.system(ban_cmd)
# Persist the live rule set so the per-minute iptables-restore keeps the bans.
os.system("iptables-save > " + RULES_FILE)

if message != "":
    # Feed the report to mail on stdin rather than through an echo "..." shell string.
    mail = subprocess.Popen(["mail", "-s", "security report", "root@localhost"],
                            stdin=subprocess.PIPE)
    mail.communicate(message.encode())
```
Proxy server /etc/crontab with the detection job added:
```
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

# apply my iptables from file per minute.
*  *  *  *  * root /sbin/iptables-restore /home/dc/iptables.mysettings
# detect attack behaviour every 3 minutes.
*/3 *  *  *  * root /usr/bin/python /root/detect_ssh_port_hacking.py
```
Root's mailbox on the proxy server after the attack:
```
[root@localhost ~]# cat /var/spool/mail/root
From root@localhost.localdomain  Thu Aug  4 10:33:02 2022
Return-Path: <root@localhost.localdomain>
X-Original-To: root@localhost
Delivered-To: root@localhost.localdomain
Received: by localhost.localdomain (Postfix, from userid 0)
	id 130BE12010FD; Thu,  4 Aug 2022 10:33:02 -0400 (EDT)
Date: Thu, 04 Aug 2022 10:33:02 -0400
To: root@localhost.localdomain
Subject: security report
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20220804143302.130BE12010FD@localhost.localdomain>
From: root@localhost.localdomain (root)

192.168.1.3 attacked 142 times at Aug-4-10:30
192.168.1.16 attacked 142 times at Aug-4-10:30
192.168.1.3 attacked 146 times at Aug-4-10:31
192.168.1.16 attacked 96 times at Aug-4-10:31
192.168.1.3 attacked 64 times at Aug-4-10:32
```
Output on the attacking machine:
```
┌──(root㉿kali)-[/usr/share/nmap/nselib/data]
└─# date ; hydra -l dc -P /usr/share/nmap/nselib/data/passwords.lst -v ssh://192.168.1.10:1022 ; date
2022年 08月 04日 星期四 22:32:55 CST
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-04 22:32:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 5010 login tries (l:1/p:5010), ~314 tries per task
[DATA] attacking ssh://192.168.1.10:1022/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://dc@192.168.1.10:1022
[ERROR] could not connect to ssh://192.168.1.10:1022 - Timeout connecting to 192.168.1.10
2022年 08月 04日 星期四 22:33:37 CST
```
Size of the wordlist used:
```
dc@LAPTOP-J3UJRUOC:/usr/share/nmap/nselib/data$ wc -l /usr/share/nmap/nselib/data/passwords.lst
5084 /usr/share/nmap/nselib/data/passwords.lst
```
The proxy server's iptables after the script banned both attackers:
```
[root@localhost ~]# iptables -L --line-number
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    DROP       all  --  192.168.1.16         anywhere
4    DROP       all  --  192.168.1.3          anywhere
5    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:sunrpc
6    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:exp2
7    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:squid

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@localhost ~]#
```
Install squid:
```
yum install squid
```
vim /etc/squid/squid.conf, uncommenting the cache_dir line:
```
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256
```
Start the service and enable it at boot:
```
[root@localhost ~]# systemctl start squid.service
[root@localhost ~]# systemctl enable squid.service
```
Proxy server firewall after adding squid:
```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
iptables -L --line-number
```
Firewall script for an internal host (allow the local subnet, drop the physical host 192.168.56.1):
```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
```
The matching cron job:
```
[root@localhost dc]# vim /etc/crontab
[root@localhost dc]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*  *  *  *  * root /sbin/iptables-restore /home/dc/iptables.mysettings
```
HTTP server firewall script (only 192.168.56.106, the proxy server, may reach ports 80 and 443):
```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 443 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 80 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 443 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 631 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 25 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
```
Save the rules and schedule their restore:
```
iptables-save > /root/my_iptables_seetings.rule
/usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
```
```
[root@localhost html]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*  *  *  *  * root /usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
```
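Before relying on a chain like the HTTP server's, it is worth checking how it resolves for each kind of client. The following is an added example, not part of the original post, that transcribes the HTTP server's INPUT rules in their original order into a small first-match evaluator. It is a model of iptables semantics that covers only the input interface, connection state, source address and TCP ports, not iptables itself, and the test packets (the proxy at 192.168.56.106, the physical host 192.168.56.1, another intranet host 192.168.56.50 and an outside host 10.0.0.5) are constructed for the example. It shows that only the proxy reaches 80 and 443, that other intranet hosts still reach 22 but not 80, that a client connecting from a source port below 1024 is dropped by the --sport range, and that the 192.168.56.1 DROP only works because it precedes the later ACCEPT rules that carry no source.

```python
import ipaddress

# The post's HTTP-server INPUT chain, transcribed rule by rule in the same order
# as its iptables -A commands; the chain policy is DROP.
# -m state --state RELATED,ESTABLISHED is modelled as a `state` criterion.
HTTP_SERVER_RULES = [
    dict(iface="lo", action="ACCEPT"),
    dict(state=("RELATED", "ESTABLISHED"), action="ACCEPT"),
    dict(iface="enp0s8", proto="tcp", src="192.168.56.1", action="DROP"),
    dict(iface="enp0s8", proto="tcp", src="192.168.56.106", dport=80, sport=(1024, 65534), action="ACCEPT"),
    dict(iface="enp0s8", proto="tcp", src="192.168.56.106", dport=443, sport=(1024, 65534), action="ACCEPT"),
    dict(iface="enp0s8", proto="tcp", dport=80, action="DROP"),
    dict(iface="enp0s8", proto="tcp", dport=443, action="DROP"),
    dict(iface="enp0s8", proto="tcp", dport=111, sport=(1024, 65534), action="ACCEPT"),
    dict(iface="enp0s8", proto="tcp", dport=22, sport=(1024, 65534), action="ACCEPT"),
    dict(iface="enp0s8", proto="tcp", dport=631, sport=(1024, 65534), action="ACCEPT"),
    dict(iface="enp0s8", proto="tcp", dport=25, sport=(1024, 65534), action="ACCEPT"),
    dict(iface="enp0s8", proto="tcp", src="192.168.56.0/24", action="ACCEPT"),
]
POLICY = "DROP"


def new_tcp(src, dport, iface="enp0s8", sport=40000):
    """A fresh (state NEW) TCP connection attempt arriving on `iface`; the
    source port defaults to an ephemeral one. Constructed test input."""
    return dict(iface=iface, proto="tcp", src=src, dport=dport, sport=sport, state="NEW")


def rule_matches(rule, pkt):
    """True when every criterion the rule specifies matches the packet;
    criteria the rule leaves out match anything, as in iptables."""
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "state" in rule and pkt.get("state", "NEW") not in rule["state"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if "sport" in rule and not rule["sport"][0] <= pkt["sport"] <= rule["sport"][1]:
        return False
    return True


def verdict(rules, pkt, policy=POLICY):
    """The first matching rule decides, as in a real chain; otherwise the chain policy applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return policy


def ordering_matters():
    """Move the physical-host DROP to the end of the chain: the generic
    'dport 22 ACCEPT' then lets 192.168.56.1 reach SSH.
    Returns the (original, reordered) verdicts for that packet."""
    drop_physical = HTTP_SERVER_RULES[2]
    reordered = [r for r in HTTP_SERVER_RULES if r is not drop_physical] + [drop_physical]
    pkt = new_tcp("192.168.56.1", 22)
    return verdict(HTTP_SERVER_RULES, pkt), verdict(reordered, pkt)


if __name__ == "__main__":
    for src, port in [("192.168.56.106", 80), ("192.168.56.1", 80), ("192.168.56.50", 80),
                      ("192.168.56.50", 22), ("10.0.0.5", 443), ("10.0.0.5", 8080)]:
        print("%-15s -> %-4d %s" % (src, port, verdict(HTTP_SERVER_RULES, new_tcp(src, port))))
    print("physical host -> 22, original vs reordered:", ordering_matters())
```

The same evaluator can be pointed at the proxy or internal-host rule sets on this page by transcribing them into a list in the same shape; the value is in checking rule order and port ranges before the per-minute iptables-restore makes a mistake permanent.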