[Original] [Security operations] Building a simulated small-enterprise intranet

Posted: 2022-8-5 22:18
Based on the situation of a real small enterprise, this exercise builds a simulated small LAN and configures it against common intranet attack techniques (DDoS, SSH brute forcing and the like). The goal is to improve the security operations skills of ops beginners.
The LAN contains the physical host and the proxy server. The physical host stands in for an ordinary client machine and the proxy server is the proxy provided by the enterprise; this network simulates the public Internet.
The NAT network contains the HTTP server, Backup server, NIS server and Client hosts; this network simulates the company intranet.
Physical host: set the browser proxy to 192.168.1.10 on the same subnet, so that the portal website at 192.168.56.102 can be reached.
Proxy server: shut down all unnecessary ports and move SSH to port 1022. The firewall setup needs particular attention; monitor the logs and e-mail root when SSH login failures within a short time exceed a threshold; provide the squid proxy service.
HTTP server: host the portal website behind HTTPS and provide an rsync service. The firewall setup matters here too: configure iptables so that only the proxy server can reach ports 80 and 443.
Backup server: store the HTTP server's log information via rsync.
NIS server: provide account management for the client and the backup server.
Client: configure a simple firewall.
In the 192.168.56.0/24 subnet, apart from the proxy server, which the physical host may reach, the other hosts must be configured so that they cannot be reached from IPs outside the LAN. This can be done with iptables:
1. Firewall configuration
Also configure the /etc/crontab file:
Turn on the kernel network hardening options:
Once the settings are done, reboot and check whether the firewall settings have taken effect.
2. Shut down all unnecessary ports
Checking the open ports reveals this entry:
Following the advice in VBird's (鸟哥) book, I used systemctl to disable the cups service: systemctl disable cups.service
You can also use the ntsysv command to inspect and disable unnecessary services.
3. Move the SSH port to 1022
/etc/ssh/sshd_config:
Add port 1022 as a permitted SSH port in SELinux.
4. Monitor the logs and e-mail root when failed attempts within a short time exceed a threshold
Use Kali to test brute forcing the SSH port
That is about 1.7 failed logins per second on average
So if there are more than 60 SSH login attempts within one minute, it is very likely that an attacker is brute forcing account passwords.
Write an automated tool that detects SSH password brute forcing, bans the suspicious IP immediately and e-mails the system administrator.
Specifically: check the output of the lastb command periodically; if any IP has more than 60 login failures within one minute, notify root with the mail command and immediately ban that IP with iptables (the ban commands are added to /home/dc/iptables.mysettings).
Script contents:
Contents of /etc/crontab:
Run hydra against port 1022 from two hosts at the same time: date ; hydra -l dc -P /usr/share/nmap/nselib/data/passwords.lst -v ssh://192.168.1.10:1022 ; date
Afterwards, check root's mailbox on the local host
After the script detected the attack, it blacklisted the two attacking hosts right away.
Now look at the output on the attacking machines:
They were supposed to try all five thousand passwords, but because of the script they were banned after fewer than three or four hundred attempts:
Check the local iptables configuration again:
5. Set up the squid proxy
Install squid:
Uncomment one line in the configuration file:
Start the service and enable it at boot:
Finally, remember to reconfigure the firewall, because the physical host still needs to reach the proxy server:
Configure the firewall:
Accept packets from the lo interface, accept packets from the 56 subnet and packets related to connections the host itself initiated; ban the 56.1 IP (the physical host) and drop everything else.
Add the cron job:
1. Firewall configuration
Save the configuration and schedule the cron job:
2. Install the httpd service, start it and enable it at boot:
Set up a simple homepage for the site:
Set up HTTPS:
On this server, set up a scheduled backup of the HTTP server's website content.
1. First set up passwordless login to the HTTP server:
Add the public key on the HTTP server:
Back on the backup server, test it:
2. Once passwordless login works, add a system cron job directly as root that syncs the HTTP server's website content to the local /tmp directory every hour.
Add the cron job:
You can watch the script's output and the crontab log files to observe how it runs; mainly these two log files:
1. Install NIS
2. Set the NIS domain name.
Following VBird's (鸟哥) book, the configuration is as follows:
Edit /etc/sysconfig/network to set the domain name, and configure NIS to start on fixed ports:
Do the same on the two client machines.
3. Set up the main configuration file:
4. Map hostnames to IPs
Configure the corresponding file:
Checking with hostname shows the name was not set; set it again with hostnamectl:
5. Start all related services
Check for anything abnormal:
6. Process the accounts and build the database
7. Firewall settings
Save the configuration and schedule the cron job:
8. Client configuration
Install the required packages:
The setup command can be used to edit the configuration files quickly.
Verify the database with the yptest command
Check the number of databases with ypwhich
Switch identity with su - nisuser1.
```bash
# ban the physical host
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
# only allow IPs from the same subnet to connect
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
```
```bash
# Proxy server firewall: only rpcbind (111), SSH (1022) and squid (3128) are reachable on enp0s3
# flush the existing configuration
iptables -F
iptables -X
iptables -Z
# default policy for the INPUT chain: drop
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# -A append a rule, -i interface, -j target action, -m match module, -p protocol
# --dport destination port, --sport source port
# -m state --state RELATED,ESTABLISHED selects the connection states to match; four states exist: INVALID, ESTABLISHED, NEW and RELATED.
# INVALID means the packet belongs to no known flow or connection, or its data or headers are malformed.
# ESTABLISHED means the packet is valid and belongs to an established connection on which both ends have already sent data.
# NEW means the packet is starting, or has started, a new connection, or belongs to a connection that has not yet seen traffic in both directions.
# RELATED means the packet is opening a new connection that is related to an already established one.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
```
```
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
# apply my iptables from file per minute.
* * * * * root /sbin/iptables-restore /home/dc/iptables.mysettings
```
```
[root@localhost dc]# vim /etc/sysctl.conf
[root@localhost dc]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Turn on syncookies for SYN flood attack protection
#
net.ipv4.tcp_syncookies = 1

# Avoid a smurf attack
#
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on reverse path filtering
#
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp0s8.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1

# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.enp0s8.log_martians = 1
net.ipv4.conf.lo.log_martians = 1

# Make sure no one can alter the routing tables
#
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.enp0s8.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0

# redirects project
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.enp0s8.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
[root@localhost dc]# sysctl -p
```
```
[root@localhost dc]# netstat -tulnp
tcp6       0      0 ::1:631                 :::*                    LISTEN      1267/cupsd
```
```
Port 1022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
```
```
[root@localhost dc]# semanage port -a -t ssh_port_t -p tcp 1022
[root@localhost dc]#
[root@localhost dc]# semanage port -l | grep ssh
ssh_port_t                     tcp      1022, 22
```
```
date ; hydra -l dc -P /usr/share/wordlists/fasttrack.txt -v ssh://192.168.1.10:1022 ; date
2022年 07月 29日 星期五 22:23:15 CST
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[ERROR] could not connect to target port 1022: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[ERROR] could not connect to target port 1022: Socket error: Connection reset by peer
[ERROR] ssh protocol error
2022年 07月 29日 星期五 22:25:26 CST

cat /usr/share/wordlists/fasttrack.txt | wc -l
222
>>> (222/(2*60+10))
1.7076923076923076
```
```python
#!/usr/bin/python
# detect_ssh_port_hacking.py
# Look at the last three complete minutes of lastb output; any source IP with
# more than 60 failed logins inside a single minute is banned with iptables
# and reported to root by mail.
import os
import re
import datetime
import subprocess

BLACK_LIST_FILE = "black_list.txt"           # relative: cron runs the job from root's home
RULES_FILE = "/home/dc/iptables.mysettings"  # re-applied by cron every minute
THRESHOLD = 60


def compose_time_str(date_time_t):
    # Same layout as the awk output below, e.g. "Aug-4-10:30". lastb prints the
    # day without a leading zero, so strip only that (not every '0' in the day).
    month_str = date_time_t.strftime("%b")
    day_str = date_time_t.strftime("%d").lstrip('0')
    time_str = date_time_t.strftime("%H:%M")
    return month_str + '-' + day_str + '-' + time_str


now_time = datetime.datetime.now()
month_str = now_time.strftime("%b")
# The three complete minutes before now, as "Mon-D-HH:MM" strings.
time_str_list = [compose_time_str(now_time - datetime.timedelta(minutes=m))
                 for m in (1, 2, 3)]

# Reduce every lastb record to "Mon-D-HH:MM IP" (fields 5,6,7 are month, day,
# time; field 3 is the remote host).
cmdline = "lastb | awk '{printf \"%s-%s-%s %s\\n\",$5,$6,$7,$3}'"
login_failed_information = os.popen(cmdline).read().split('\n')

# { time: {ip: number, ip2: number}, time2: {ip: number} }
suspect_ip_and_attack_time_dict = {}
for line in login_failed_information:
    if not line.startswith(month_str):
        continue
    parts = line.split(' ')
    if len(parts) != 2:
        continue
    detail_time, ip = parts
    if detail_time in time_str_list:
        time_dict = suspect_ip_and_attack_time_dict.setdefault(detail_time, {})
        time_dict[ip] = time_dict.get(ip, 0) + 1

black_list = []
message = ""
for keys, values in suspect_ip_and_attack_time_dict.items():
    for ip, failed_times in values.items():
        if failed_times > THRESHOLD:
            black_list.append(ip)
            message += "{} attacked {} times at {}\n".format(ip, failed_times, keys)

# Skip IPs banned on an earlier run. The stored lines must be stripped of
# their newline, otherwise nothing ever matches and the same IP is re-banned
# on every run.
ban_ip_list = []
if os.path.exists(BLACK_LIST_FILE):
    with open(BLACK_LIST_FILE, "r") as f:
        ban_ip_list = [l.strip() for l in f]
black_list = [ip for ip in set(black_list) if ip not in ban_ip_list]

# Insert the DROP at position 3: after the lo and RELATED,ESTABLISHED accepts
# but before the ACCEPT for port 1022, otherwise the ban never matches.
#iptables -I INPUT 3 -i enp0s3 -s 192.168.1.1 -j DROP
with open(BLACK_LIST_FILE, "a") as f:
    for ip in black_list:
        # lastb's host column can hold a name instead of an address; only a
        # dotted quad is ever handed to iptables, and never through a shell.
        if not re.match(r'^\d{1,3}(\.\d{1,3}){3}$', ip):
            continue
        subprocess.call(["iptables", "-I", "INPUT", "3", "-i", "enp0s3",
                         "-s", ip, "-j", "DROP"])
        f.write(ip + '\n')
os.system("iptables-save > " + RULES_FILE)

if message != "":
    # The report contains only the IPs, counts and timestamps formatted above.
    mail = subprocess.Popen(["mail", "-s", "security report", "root@localhost"],
                            stdin=subprocess.PIPE)
    mail.communicate(message.encode())
```
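As an added example (not the post's own script), the same detection written as a pure function over raw `lastb` records, so it can be exercised on sample data without shelling out to `lastb`, `awk` or `iptables`. It parses each record directly, rejects anything whose host field is not an IP address (so nothing else could ever reach an `iptables -s`), counts failures per source and minute, and reports the sources that exceed the threshold inside the same three-minute window the post's script uses. The lastb records below are constructed for the demonstration, not real log data; `demo` and `sample_lastb_output` are names chosen here.

```python
import datetime
import ipaddress
from collections import Counter

# Month abbreviations as lastb prints them in the C locale.
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_lastb_line(line, year):
    """Return (ip, minute_timestamp) for one raw lastb record, or None.

    A record looks like:
      dc       ssh:notty    192.168.1.3      Thu Aug  4 10:30 - 10:30  (00:00)
    lastb prints no year, so the caller supplies it. Blank lines, the trailing
    'btmp begins ...' line, console logins (no host field) and hosts that are
    not IP addresses are all rejected.
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    _user, tty, host, _weekday, month, day, hhmm = fields[:7]
    if not tty.startswith("ssh") or month not in MONTHS:
        return None
    try:
        ip = str(ipaddress.ip_address(host))   # a hostname raises ValueError
        hour, minute = (int(x) for x in hhmm.split(":"))
        stamp = datetime.datetime(year, MONTHS[month], int(day), hour, minute)
    except ValueError:
        return None
    return ip, stamp


def count_failures(lines, year):
    """Count failed logins per (ip, minute)."""
    counts = Counter()
    for line in lines:
        parsed = parse_lastb_line(line, year)
        if parsed is not None:
            counts[parsed] += 1
    return counts


def brute_force_sources(lines, now, window_minutes=3, threshold=60):
    """Return {ip: worst_minute_count} for every IP with more than `threshold`
    failures inside one minute during the last `window_minutes` complete
    minutes before `now` (minutes now-1, now-2, now-3 for the default)."""
    latest = now.replace(second=0, microsecond=0)
    earliest = latest - datetime.timedelta(minutes=window_minutes)
    offenders = {}
    for (ip, stamp), n in count_failures(lines, now.year).items():
        if earliest <= stamp < latest and n > threshold:
            offenders[ip] = max(n, offenders.get(ip, 0))
    return offenders


def sample_lastb_output():
    """Constructed sample, not real log data: 70 failures from 192.168.1.3 in
    the 10:30 minute, 12 from 192.168.1.16 at 10:31, one console login, one
    record whose host is a name rather than an IP, and the btmp trailer."""
    rec = "dc       ssh:notty    {:<16} Thu Aug  4 {} - {}  (00:00)"
    lines = [rec.format("192.168.1.3", "10:30", "10:30")] * 70
    lines += [rec.format("192.168.1.16", "10:31", "10:31")] * 12
    lines.append("root     tty1                          Thu Aug  4 09:00 - 09:00  (00:00)")
    lines.append(rec.format("evil.example", "10:31", "10:31"))
    lines.append("")
    lines.append("btmp begins Mon Aug  1 00:00:01 2022")
    return lines


def demo(threshold=60, now=(2022, 8, 4, 10, 33, 2)):
    """Run the detector over the constructed sample at a fixed 'now'."""
    return brute_force_sources(sample_lastb_output(), datetime.datetime(*now),
                               threshold=threshold)


if __name__ == "__main__":
    print(demo())   # {'192.168.1.3': 70}
```

Two design points are worth carrying back to the cron script: the host column of `lastb` may hold a reverse-DNS name rather than an address (run `lastb -i` to force addresses), so validating the field as an IP before it is spliced into any command is what keeps the ban step safe; and because `lastb` omits the year, a window that straddles New Year needs the caller to pass the year of the records, not of `now`.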
```
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
# apply my iptables from file per minute.
* * * * * root /sbin/iptables-restore /home/dc/iptables.mysettings
# detect attack behaviour every 3 minutes.
*/3 * * * * root /usr/bin/python /root/detect_ssh_port_hacking.py
```
```
[root@localhost ~]# cat /var/spool/mail/root
From root@localhost.localdomain  Thu Aug  4 10:33:02 2022
Return-Path: <root@localhost.localdomain>
X-Original-To: root@localhost
Delivered-To: root@localhost.localdomain
Received: by localhost.localdomain (Postfix, from userid 0)
	id 130BE12010FD; Thu,  4 Aug 2022 10:33:02 -0400 (EDT)
Date: Thu, 04 Aug 2022 10:33:02 -0400
To: root@localhost.localdomain
Subject: security report
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20220804143302.130BE12010FD@localhost.localdomain>
From: root@localhost.localdomain (root)

192.168.1.3 attacked 142 times at Aug-4-10:30
192.168.1.16 attacked 142 times at Aug-4-10:30
192.168.1.3 attacked 146 times at Aug-4-10:31
192.168.1.16 attacked 96 times at Aug-4-10:31
192.168.1.3 attacked 64 times at Aug-4-10:32
```
```
┌──(root㉿kali)-[/usr/share/nmap/nselib/data]
└─# date ; hydra -l dc -P /usr/share/nmap/nselib/data/passwords.lst -v ssh://192.168.1.10:1022 ; date
2022年 08月 04日 星期四 22:32:55 CST
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-04 22:32:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 5010 login tries (l:1/p:5010), ~314 tries per task
[DATA] attacking ssh://192.168.1.10:1022/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://dc@192.168.1.10:1022
[ERROR] could not connect to ssh://192.168.1.10:1022 - Timeout connecting to 192.168.1.10
2022年 08月 04日 星期四 22:33:37 CST
```
```
dc@LAPTOP-J3UJRUOC:/usr/share/nmap/nselib/data$ wc -l /usr/share/nmap/nselib/data/passwords.lst
5084 /usr/share/nmap/nselib/data/passwords.lst
```
```
[root@localhost ~]# iptables -L --line-number
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    DROP       all  --  192.168.1.16         anywhere
4    DROP       all  --  192.168.1.3          anywhere
5    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:sunrpc
6    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:exp2
7    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:squid

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@localhost ~]#
```
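The listing above shows the two DROP rules at positions 3 and 4, ahead of the ACCEPT rules for ports 111, 1022 and 3128; that ordering is what `iptables -I INPUT 3` in the detection script relies on, since iptables stops at the first matching rule. As an added check (not part of the original post), here is a small parser for the text format that `iptables-save` writes to /home/dc/iptables.mysettings, with a function that reports any source ban that ended up after the port-1022 ACCEPT. The two rule sets are constructed samples, not captures from the post's hosts; `late_bans`, `parse_input_rules` and `check_saved_rules` are names chosen here.

```python
# Constructed sample of iptables-save output: the ban was inserted at
# position 3, ahead of the ACCEPT for port 1022 (the correct layout).
GOOD_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.3/32 -i enp0s3 -j DROP
-A INPUT -i enp0s3 -p tcp -m tcp --sport 1024:65534 --dport 111 -j ACCEPT
-A INPUT -i enp0s3 -p tcp -m tcp --sport 1024:65534 --dport 1022 -j ACCEPT
-A INPUT -i enp0s3 -p tcp -m tcp --sport 1024:65534 --dport 3128 -j ACCEPT
COMMIT
"""

# Constructed sample of the same rules where the ban was appended with -A
# instead of inserted with -I 3: it lands after the port-1022 ACCEPT.
BAD_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp0s3 -p tcp -m tcp --sport 1024:65534 --dport 111 -j ACCEPT
-A INPUT -i enp0s3 -p tcp -m tcp --sport 1024:65534 --dport 1022 -j ACCEPT
-A INPUT -i enp0s3 -p tcp -m tcp --sport 1024:65534 --dport 3128 -j ACCEPT
-A INPUT -s 192.168.1.3/32 -i enp0s3 -j DROP
COMMIT
"""


def parse_input_rules(save_text):
    """Return the filter table's INPUT rules, in order, each as a dict that
    maps option -> value (an option with no value maps to True)."""
    rules = []
    in_filter = False
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header, e.g. *filter
            in_filter = line == "*filter"
            continue
        if not in_filter or not line.startswith("-A INPUT "):
            continue
        tokens = line.split()[2:]           # drop "-A INPUT"
        rule, i = {}, 0
        while i < len(tokens):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                rule[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                rule[tokens[i]] = True
                i += 1
        rules.append(rule)
    return rules


def late_bans(save_text, ssh_port="1022"):
    """Sources whose DROP rule comes after the ACCEPT for ssh_port. Such a ban
    never blocks a new SSH connection from that source, because the ACCEPT
    matches first."""
    rules = parse_input_rules(save_text)
    accept_at = next((i for i, r in enumerate(rules)
                      if r.get("-j") == "ACCEPT" and r.get("--dport") == ssh_port),
                     None)
    if accept_at is None:
        return []
    return [r["-s"] for i, r in enumerate(rules)
            if i > accept_at and r.get("-j") == "DROP" and "-s" in r]


def check_saved_rules(path="/home/dc/iptables.mysettings"):
    """Run the check against the rules file the cron job restores from."""
    with open(path) as f:
        return late_bans(f.read())


if __name__ == "__main__":
    print(late_bans(GOOD_RULES))   # []
    print(late_bans(BAD_RULES))    # ['192.168.1.3/32']
```

Running `check_saved_rules()` from the same cron job that restores the file would catch the ordering problem before a restore silently undoes a ban.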
```bash
yum install squid
```
```
vim /etc/squid/squid.conf:

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256
```
```
[root@localhost ~]# systemctl start squid.service
[root@localhost ~]# systemctl enable squid.service
```
```bash
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
iptables -L --line-number
```
```bash
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ban the physical host, then allow the rest of the 56 subnet
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
```
```
[root@localhost dc]# vim /etc/crontab
[root@localhost dc]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
* * * * * root /sbin/iptables-restore /home/dc/iptables.mysettings
```
```bash
# HTTP server firewall: ports 80 and 443 only from the proxy server (192.168.56.106)
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 443 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 80 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 443 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 631 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 25 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
```
```bash
iptables-save > /root/my_iptables_seetings.rule
/usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
```
```
[root@localhost html]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
* * * * * root /usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
```