[Original][Security operations] Simulating a small-enterprise intranet
Posted: 2022-8-5 22:18, 14369 views


Based on the situation of a typical small company, this lab builds a small simulated LAN and configures it against common intranet attack techniques (DDoS, SSH brute forcing and the like). The goal is to improve the security-operations skills of sysadmins who are new to the job.

The host-only LAN contains the physical host and the proxy server. The physical host plays an ordinary outside client; the proxy server is the proxy the company exposes. This network stands in for the public Internet.
The NAT network contains the HTTP server, the backup server, the NIS server and the client host. It stands in for the company intranet.

Physical host: set the browser proxy to 192.168.1.10 (the proxy server, on the same subnet); through it the portal site at 192.168.56.102 can be reached.
Proxy server: shut down every unnecessary port, move the SSH port to 1022, pay particular attention to the firewall, watch the logs and mail root when SSH login failures exceed a threshold within a short time, and run the squid proxy service.
HTTP server: host the portal site behind HTTPS and provide an rsync service; configure iptables so that only the proxy server can reach ports 80 and 443.
Backup server: keep the HTTP server's logs with rsync.
NIS server: provide account management for the client and the backup server.
Client: configure a simple firewall.

On the 192.168.56.0/24 subnet only the proxy server may be reached by the physical host; every other host must be unreachable from any IP outside the LAN. That is done with iptables (all the rule sets, configuration files and scripts referred to in the steps below are listed together at the end of the post):

Proxy server
1. Firewall configuration
Default policy DROP on INPUT, accept loopback and established traffic, and on the public-facing interface enp0s3 open only rpcbind (111), the moved SSH port (1022) and squid (3128). Two things worth a second look: the --sport 1024:65534 qualifier adds no protection (a client chooses its own source port) and it excludes port 65535; and port 111 is only needed by NIS clients, which in this lab are the client and the backup server, so it can probably be closed on the proxy.

Then add a job to /etc/crontab that re-applies the saved rule set every minute. Caveat: the rule file is kept in /home/dc, so anyone who can write to that directory (the user dc, or whoever compromises that account) controls a firewall that root re-applies every minute; keep it under /root with mode 0600 instead.

Enable the kernel protections (SYN cookies, ignoring broadcast pings, reverse-path filtering, logging of martians, no ICMP redirects) in /etc/sysctl.conf:

Once everything is in place, reboot and verify that the firewall rules are still in effect (iptables -L -n --line-numbers).

2. Shut down every unnecessary port
Listing the listening ports (netstat -tulnp) shows this entry:

Following the advice in 鸟哥's book, I disabled the cups service with systemctl:
systemctl disable cups.service
Note that disable only keeps the unit from starting at boot; to close the port right away use systemctl disable --now cups.service (or also systemctl stop cups.service), then list the ports again to confirm it is gone. Here cupsd was bound to ::1 only, so it was never reachable from the network in the first place.
ntsysv can also be used to review and disable unneeded services.

3. Move the SSH port to 1022
/etc/ssh/sshd_config:

Register port 1022 as an SSH port in the SELinux policy, otherwise sshd is not allowed to bind to it in enforcing mode. Restart sshd afterwards and confirm it listens on the new port (ss -tlnp | grep sshd). A non-standard port only cuts the noise from untargeted scanners; a port scan finds it immediately, so the detection and banning in the next step are what actually matter.

4. Watch the logs and mail root when failed logins exceed a threshold within a short time
First a baseline: brute-force the SSH port from Kali.

Average: 1.7 failed logins per second (222 passwords in 2 min 10 s; the "Connection reset by peer" errors come from hydra's 16 parallel tasks, most likely tripping sshd's MaxStartups limit, which is why hydra suggests -t 4).

So more than 60 SSH login failures within one minute is a strong indication that someone is brute-forcing an account password.
Write an automated tool that detects SSH brute forcing, immediately bans the suspect IP and mails the administrator.

What it does: periodically parse the output of lastb; if one IP has more than 60 failed logins within a single minute, notify root with the mail command and drop that IP with iptables immediately. (The updated rule set is saved back to /home/dc/iptables.mysettings, otherwise the per-minute restore job would undo the ban.)
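The detection just described buckets lastb's minute-resolution timestamps by wall-clock minute, so a burst that straddles a minute boundary (say 40 failures at 10:30:xx and 30 at 10:31:xx) never reaches the 60-per-minute threshold. The following is an added example, not the post's own script, of the same detection done over the "Failed password" lines sshd writes through syslog (facility authpriv, as selected in the sshd_config above; /var/log/secure on CentOS) with a moving 60-second window instead of fixed minutes. The log lines, the host name "proxy" and the PIDs are constructed for the example; the ban command mirrors the rule the post's script inserts. Python 3.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One sshd failure line as syslog writes it (facility authpriv -> /var/log/secure on CentOS).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_syslog_time(ts, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime("{} {}".format(year, ts), "%Y %b %d %H:%M:%S")


def detect(lines, threshold=60, window_seconds=60, year=2022):
    """Return {ip: (count, window_start, hit_time)} for every source IP whose failures
    inside a moving window of window_seconds exceed threshold. Lines must be in time
    order, as they are in the log file; count is the size of the window when it tripped."""
    recent = defaultdict(deque)    # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_syslog_time(m.group("ts"), year)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop failures that fell out of the window
        if len(q) > threshold and ip not in offenders:
            offenders[ip] = (len(q), q[0], ts)
    return offenders


def per_minute_counts(lines):
    """The post's lastb-style bucketing: failures per IP per wall-clock minute."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            counts[m.group("ip")][m.group("ts")[:-3]] += 1
    return counts


def ban_commands(offenders, iface="enp0s3"):
    """Same rule the post's script inserts: position 3, after the lo and ESTABLISHED rules."""
    return ["iptables -I INPUT 3 -i {} -s {} -j DROP".format(iface, ip) for ip in sorted(offenders)]


def sample_log():
    """Constructed log lines, not captured data. Host name and PIDs are made up."""
    def entry(total_seconds, ip, user="dc", invalid=False):
        who = ("invalid user " if invalid else "") + user
        return "Aug  4 10:{:02d}:{:02d} proxy sshd[1234]: Failed password for {} from {} port 40000 ssh2".format(
            total_seconds // 60, total_seconds % 60, who, ip)
    lines = []
    # 192.168.1.3: 70 failures, two per second, 10:30:40 to 10:31:14, i.e. 40 in minute
    # 10:30 and 30 in minute 10:31: below the per-minute threshold in both minutes.
    for i in range(70):
        lines.append(entry(30 * 60 + 40 + i // 2, "192.168.1.3", "root", invalid=True))
    # 192.168.1.16: 20 failures spread over 100 s, a slow scan under both thresholds.
    for i in range(20):
        lines.append(entry(30 * 60 + i * 5, "192.168.1.16"))
    lines.append("Aug  4 10:32:01 proxy sshd[1300]: Accepted publickey for dc from 192.168.1.20 port 50000 ssh2")
    return sorted(lines)           # same day and hour, so string order is time order


if __name__ == "__main__":
    log = sample_log()
    found = detect(log)
    for ip, (count, start, hit) in found.items():
        print("{}: {} failures between {:%H:%M:%S} and {:%H:%M:%S}".format(ip, count, start, hit))
    print("per-minute maximum for 192.168.1.3:", max(per_minute_counts(log)["192.168.1.3"].values()))
    for cmd in ban_commands(found):
        print(cmd)
```

On the constructed log the moving window trips for 192.168.1.3 at its 61st failure, while the post's per-minute bucketing sees at most 40 failures in any one minute for the same host and would not ban it; the slow scanner 192.168.1.16 stays below both. When this is wired to a real log, keep an offset (or tail the file) rather than re-reading from the start on every cron run.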

Script contents:

/etc/crontab contents:

Run hydra against port 1022 from two hosts at the same time:
date ; hydra -l dc -P /usr/share/nmap/nselib/data/passwords.lst -v ssh://192.168.1.10:1022 ; date
When it finishes, read root's mailbox on the proxy:

The script spotted the attack and blacklisted both attacking hosts right away.
Now the attackers' output:

It was supposed to try about five thousand passwords, but because of the script it was banned after fewer than three or four hundred:

Finally, look at the proxy's iptables configuration again:

5. Set up the squid proxy
Install squid:

Uncomment one line in the configuration file:

Start the service and enable it at boot:

One check on squid itself: the stock squid.conf's localnet ACL allows all RFC 1918 ranges (including 192.168.0.0/16) and http_access allow localnet is on, so any host on either network can use the proxy; tighten acl localnet src to the subnet that is supposed to use it.

Finally, don't forget to redo the firewall, because the physical host still needs to reach the proxy server (port 3128 on enp0s3):

Configure the firewall:

Accept packets from the lo interface, packets from the 56 subnet, and packets related to connections this host itself initiated; drop everything from 56.1 (the physical host) and all other packets.

Add the cron job:

HTTP server
1. Firewall configuration
Only the proxy's NAT-side address 192.168.56.106 may reach ports 80 and 443. Rule order matters here: the ACCEPT for 192.168.56.106 has to come before the blanket DROP for 80 and 443, and both before the general accept for 192.168.56.0/24. Save the configuration and schedule the cron job:
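Because the per-minute cron job re-applies whatever is in the saved file, it pays to check a rule set offline before it goes live. The following added example (mine, not the post's) parses an iptables-save dump into ordered rules and walks simulated new TCP connections through the INPUT chain, first match wins, falling back to the chain policy. SAMPLE_DUMP is constructed from the HTTP server rules listed at the end of the post, in the form iptables-save prints them; the source addresses 192.168.56.50 and 10.0.0.5 are made up. Python 3 (uses the ipaddress module).

```python
import ipaddress
import shlex

# Constructed from the HTTP server rules on this page, as iptables-save prints them.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.56.1/32 -i enp0s8 -p tcp -j DROP
-A INPUT -s 192.168.56.106/32 -i enp0s8 -p tcp -m tcp --sport 1024:65534 --dport 80 -j ACCEPT
-A INPUT -s 192.168.56.106/32 -i enp0s8 -p tcp -m tcp --sport 1024:65534 --dport 443 -j ACCEPT
-A INPUT -i enp0s8 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i enp0s8 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -i enp0s8 -p tcp -m tcp --sport 1024:65534 --dport 111 -j ACCEPT
-A INPUT -i enp0s8 -p tcp -m tcp --sport 1024:65534 --dport 22 -j ACCEPT
-A INPUT -i enp0s8 -p tcp -m tcp --sport 1024:65534 --dport 631 -j ACCEPT
-A INPUT -i enp0s8 -p tcp -m tcp --sport 1024:65534 --dport 25 -j ACCEPT
-A INPUT -s 192.168.56.0/24 -i enp0s8 -p tcp -j ACCEPT
COMMIT
"""


def port_range(spec):
    """'80' -> (80, 80); '1024:65534' -> (1024, 65534)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_dump(dump):
    """Return (policies, chains) for the filter table; rules keep their order."""
    policies, chains, in_filter = {}, {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if line in ("*filter", "COMMIT"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#"):
            continue
        if line.startswith(":"):            # ':INPUT DROP [0:0]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            chains.setdefault(chain, [])
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule, it = {}, iter(toks[2:])
        for tok in it:
            if tok == "-s":
                rule["src"] = ipaddress.ip_network(next(it))
            elif tok == "-i":
                rule["iface"] = next(it)
            elif tok == "-p":
                rule["proto"] = next(it).lower()
            elif tok == "--sport":
                rule["sport"] = port_range(next(it))
            elif tok == "--dport":
                rule["dport"] = port_range(next(it))
            elif tok == "--state":
                rule["state"] = set(next(it).split(","))
            elif tok == "-j":
                rule["target"] = next(it)
            elif tok == "-m":
                next(it)                    # match module name; its own options follow
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """Does a simulated new (SYN) TCP packet satisfy every condition of the rule?"""
    if "state" in rule and "NEW" not in rule["state"]:
        return False                        # RELATED,ESTABLISHED never matches a new flow
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    for key in ("sport", "dport"):
        if key in rule and not (rule[key][0] <= pkt[key] <= rule[key][1]):
            return False
    return True


def verdict(policies, chains, pkt, chain="INPUT"):
    """First matching terminating rule wins, else the chain policy. Returns (target, rule number or None)."""
    for num, rule in enumerate(chains.get(chain, []), 1):
        if matches(rule, pkt) and rule.get("target") in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], num
    return policies.get(chain, "ACCEPT"), None


def check(dump, src, dport, iface="enp0s8", sport=40000):
    """Verdict for one new TCP connection attempt from src to dport arriving on iface."""
    policies, chains = parse_dump(dump)
    return verdict(policies, chains, {"src": src, "iface": iface, "proto": "tcp", "sport": sport, "dport": dport})


if __name__ == "__main__":
    for src, dport in (("192.168.56.106", 443), ("192.168.56.1", 80), ("192.168.56.50", 80),
                       ("192.168.56.50", 22), ("10.0.0.5", 22), ("10.0.0.5", 8080)):
        print("{:>15} -> {:<5} {}".format(src, dport, check(SAMPLE_DUMP, src, dport)))
```

The walk confirms the intended behaviour: the proxy's NAT address is accepted on 443 at rule 5, the physical host is dropped at rule 3, another intranet host is dropped on 80 at rule 6 and accepted on 22 at rule 9, and an outside address on 8080 falls through to the DROP policy. It also shows that the same outside address is accepted on 22 at rule 9, because the 111/22/631/25 rules carry no -s restriction. On this topology only the NAT network can reach enp0s8, but if the goal stated at the top (nothing except the proxy reachable from outside the LAN) is to be enforced by the rules themselves, add -s 192.168.56.0/24 to those rules.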

2. Install httpd, start it and enable it at boot:

Set up a simple home page:

Enable HTTPS:

Backup server
This server takes scheduled backups of the HTTP server's web content.
1. First set up key-based (password-less) login to the HTTP server:

Add the public key on the HTTP server:

Back on the backup server, test it:

2. With key login working, add a system cron job as root that syncs the HTTP server's web content to the local /tmp every hour.

Two caveats for a real deployment: an unrestricted root key gives the backup server full root access to the HTTP server, so restrict it in authorized_keys (from= and command= options) or back up as a dedicated unprivileged user; and /tmp is not a place to keep backups, since systemd-tmpfiles removes files older than 10 days from it on CentOS 7 and many systems wipe it at reboot.

Add the cron job:

Watch the script's output and cron's log to see it running; the two relevant log files are:

NIS server
1. Install NIS

2. Set the NIS domain name.
Following 鸟哥's book, the configuration is:

Edit /etc/sysconfig/network to set the domain name and pin the NIS services to fixed ports (so the firewall can open exactly those):

Do the same on both client machines.

3. Edit the main configuration file:

4. Map hostnames to IPs
Configure the corresponding file:

hostname shows the name was not applied, so set it again with hostnamectl:

5. Start all related services

Check for errors:

6. Process the accounts and build the database

7. Firewall settings
NIS hands the account maps, password hashes included, to any host that can reach ypserv and knows the domain name, so besides the iptables rules restrict the allowed clients in /var/yp/securenets. Save the configuration and schedule the cron job:

8. Client configuration
Install the required packages:

The setup command can be used to fill in the configuration files quickly.
Verify the database with yptest
Check the number of maps with ypwhich
Switch identity with su - nisuser1

Rules every intranet host applies on its NAT-side interface enp0s8:
# drop the physical host
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
# accept only the local subnet
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
Proxy server, step 1: firewall rules on the public-facing interface enp0s3:
# flush the existing rules, user-defined chains and counters
iptables -F
iptables -X
iptables -Z
 
# default policy for INPUT: drop
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
 
# -A append a rule, -i input interface, -j target, -m match module, -p protocol
# --dport destination port, --sport source port
# -m state --state RELATED,ESTABLISHED matches on connection-tracking state. Four states exist: INVALID, ESTABLISHED, NEW and RELATED. INVALID: the packet belongs to no known flow or connection, or its data or headers are malformed. ESTABLISHED: the packet is valid and belongs to a connection that has already seen traffic in both directions. NEW: the packet starts a new connection, or belongs to one that has not yet seen traffic in both directions. RELATED: the packet opens a new connection that is associated with an existing one.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
/etc/crontab on the proxy server:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
 
# For details see man 4 crontabs
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
# apply my iptables from file per minute.
  *  *  *  *  * root            /sbin/iptables-restore /home/dc/iptables.mysettings
Proxy server, kernel protections in /etc/sysctl.conf (applied with sysctl -p):
[root@localhost dc]# vim /etc/sysctl.conf
[root@localhost dc]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
 
# Turn on syncookies for SYN flood attack protection
#
net.ipv4.tcp_syncookies = 1
 
# Avoid a smurf attack
#
net.ipv4.icmp_echo_ignore_broadcasts = 1
 
# Turn on reverse path filtering
#
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp0s8.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.enp0s8.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
 
# Make sure no one can alter the routing tables
#
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.enp0s8.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
 
# Do not send ICMP redirects either (this host is not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.enp0s8.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
[root@localhost dc]# sysctl -p
 
Proxy server, step 2: the unnecessary listener found with netstat:
[root@localhost dc]# netstat -tulnp
tcp6       0      0 ::1:631                 :::*                    LISTEN      1267/cupsd
 
Proxy server, step 3: /etc/ssh/sshd_config (excerpt):
```
Port 1022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
 
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
 
# Ciphers and keying
#RekeyLimit default none
 
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
 
# Authentication:
 
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
```
SELinux port label for the new SSH port:
[root@localhost dc]# semanage port -a -t ssh_port_t -p tcp 1022
[root@localhost dc]#
[root@localhost dc]# semanage port -l | grep ssh
ssh_port_t                     tcp      1022, 22
Proxy server, step 4: baseline brute-force run from Kali (222 passwords in 2 min 10 s):
date ; hydra -l dc -P /usr/share/wordlists/fasttrack.txt -v ssh://192.168.1.10:1022 ; date
 
 
    Fri Jul 29 22:23:15 CST 2022
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [ERROR] could not connect to target port 1022: Socket error: Connection reset by peer
    [ERROR] ssh protocol error
    [ERROR] could not connect to target port 1022: Socket error: Connection reset by peer
    [ERROR] ssh protocol error
    Fri Jul 29 22:25:26 CST 2022
 
    cat /usr/share/wordlists/fasttrack.txt | wc -l
    222
 
    >>> (222/(2*60+10))
    1.7076923076923076
/root/detect_ssh_port_hacking.py:
# Run from /etc/crontab every 3 minutes. Counts the failed logins lastb reports for
# each source IP in each of the previous three minutes; any IP with more than 60
# failures inside one minute is dropped by iptables, remembered in the black list so
# it is not inserted twice, and reported to root by mail.
# Runs under the Python 2 that CentOS 7 ships as /usr/bin/python, and under Python 3.
import datetime
import os
import subprocess

FAIL_THRESHOLD = 60
# Absolute paths: cron does not run from the script's directory. The original used the
# relative name black_list.txt, which resolved to root's home directory under cron.
BLACK_LIST_FILE = "/root/black_list.txt"
RULES_FILE = "/home/dc/iptables.mysettings"   # re-applied by the per-minute cron job
INTERFACE = "enp0s3"                          # the interface facing the "public" network


def compose_time_str(date_time_t):
    """Format a time the way the awk pipeline below formats lastb's fields, e.g. 'Aug-4-10:30'.
    lastb prints the day without a leading zero, so strip leading zeros only: the original
    replace('0', '') turned day 10 into 1 and day 20 into 2."""
    return "{}-{}-{}".format(date_time_t.strftime("%b"),
                             date_time_t.strftime("%d").lstrip("0"),
                             date_time_t.strftime("%H:%M"))


def read_failed_logins():
    """Lines of 'Mon-D-HH:MM ip'. lastb fields: user, ssh:notty, host, weekday, month, day, time."""
    cmdline = "lastb | awk '{printf \"%s-%s-%s %s\\n\",$5,$6,$7,$3}'"
    out = subprocess.check_output(cmdline, shell=True)
    return out.decode("utf-8", "replace").split("\n")


def count_failures(lines, time_str_list, month_str):
    """Build { 'Aug-4-10:30': {ip: failures, ...}, ... } for the minutes in time_str_list."""
    counts = {}
    for line in lines:
        if not line.startswith(month_str):
            continue
        parts = line.split(" ")
        if len(parts) != 2:
            continue
        detail_time, ip = parts
        if detail_time in time_str_list:
            per_minute = counts.setdefault(detail_time, {})
            per_minute[ip] = per_minute.get(ip, 0) + 1
    return counts


def load_black_list():
    """IPs banned by earlier runs. strip() matters: the original compared 'ip\\n' with 'ip',
    never found a match, and inserted a duplicate DROP rule on every run."""
    if not os.path.exists(BLACK_LIST_FILE):
        return set()
    with open(BLACK_LIST_FILE) as f:
        return set(line.strip() for line in f if line.strip())


def main():
    now_time = datetime.datetime.now()
    month_str = now_time.strftime("%b")
    time_str_list = [compose_time_str(now_time - datetime.timedelta(minutes=m)) for m in (1, 2, 3)]
    counts = count_failures(read_failed_logins(), time_str_list, month_str)

    message = ""
    suspects = set()
    for detail_time, per_minute in counts.items():
        for ip, failed_times in per_minute.items():
            if failed_times > FAIL_THRESHOLD:
                suspects.add(ip)
                message += "{} attacked {} times at {}\n".format(ip, failed_times, detail_time)

    already_banned = load_black_list()
    with open(BLACK_LIST_FILE, "a") as f:
        for ip in sorted(suspects - already_banned):
            # Position 3: after the lo and RELATED,ESTABLISHED rules, ahead of every ACCEPT.
            # subprocess.call waits for iptables to finish; os.popen did not, so the
            # iptables-save below could run before the rule was in place.
            subprocess.call(["iptables", "-I", "INPUT", "3", "-i", INTERFACE, "-s", ip, "-j", "DROP"])
            f.write(ip + "\n")

    # Persist the rule set, otherwise the per-minute iptables-restore job undoes the ban.
    with open(RULES_FILE, "w") as rules:
        subprocess.call(["iptables-save"], stdout=rules)

    if message:
        # Feed the report to mail through stdin rather than an echo "..." shell string.
        mail = subprocess.Popen(["mail", "-s", "security report", "root@localhost"], stdin=subprocess.PIPE)
        mail.communicate(message.encode("utf-8"))


if __name__ == "__main__":
    main()
/etc/crontab on the proxy server with the detection job added:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
 
# For details see man 4 crontabs
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
# apply my iptables from file per minute.
  *  *  *  *  * root            /sbin/iptables-restore /home/dc/iptables.mysettings
# detect attack behaviour every 3 minutes.
  */3  *  *  *  * root           /usr/bin/python /root/detect_ssh_port_hacking.py
Root's mailbox on the proxy after the two-host attack:
[root@localhost ~]# cat /var/spool/mail/root
 
From root@localhost.localdomain  Thu Aug  4 10:33:02 2022
Return-Path: <root@localhost.localdomain>
X-Original-To: root@localhost
Delivered-To: root@localhost.localdomain
Received: by localhost.localdomain (Postfix, from userid 0)
    id 130BE12010FD; Thu,  4 Aug 2022 10:33:02 -0400 (EDT)
Date: Thu, 04 Aug 2022 10:33:02 -0400
To: root@localhost.localdomain
Subject: security report
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20220804143302.130BE12010FD@localhost.localdomain>
From: root@localhost.localdomain (root)
 
192.168.1.3 attacked 142 times at Aug-4-10:30
192.168.1.16 attacked 142 times at Aug-4-10:30
192.168.1.3 attacked 146 times at Aug-4-10:31
192.168.1.16 attacked 96 times at Aug-4-10:31
192.168.1.3 attacked 64 times at Aug-4-10:32
Output on the attacking host:
┌──(root㉿kali)-[/usr/share/nmap/nselib/data]
└─# date ; hydra -l dc -P /usr/share/nmap/nselib/data/passwords.lst -v ssh://192.168.1.10:1022 ; date
Thu Aug  4 22:32:55 CST 2022
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-04 22:32:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 5010 login tries (l:1/p:5010), ~314 tries per task
[DATA] attacking ssh://192.168.1.10:1022/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://dc@192.168.1.10:1022
[ERROR] could not connect to ssh://192.168.1.10:1022 - Timeout connecting to 192.168.1.10
Thu Aug  4 22:33:37 CST 2022
Size of the password list used:
dc@LAPTOP-J3UJRUOC:/usr/share/nmap/nselib/data$ wc -l /usr/share/nmap/nselib/data/passwords.lst
5084 /usr/share/nmap/nselib/data/passwords.lst
iptables on the proxy after the script inserted the bans (rules 3 and 4):
[root@localhost ~]# iptables -L  --line-number
Chain INPUT (policy DROP)
num  target     prot opt source               destination        
1    ACCEPT     all  --  anywhere             anywhere           
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    DROP       all  --  192.168.1.16         anywhere           
4    DROP       all  --  192.168.1.3          anywhere           
5    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:sunrpc
6    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:exp2
7    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:squid
 
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        
 
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination        
[root@localhost ~]#
Proxy server, step 5: install squid:
yum install squid
The line to uncomment in /etc/squid/squid.conf:
vim /etc/squid/squid.conf:
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256
Start squid and enable it at boot:
[root@localhost ~]# systemctl start squid.service
[root@localhost ~]# systemctl enable squid.service
Proxy server firewall redone so the physical host can reach squid (3128) on enp0s3:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
iptables -L --line-numbers
Firewall on the NAT side (enp0s8): accept lo, established traffic and the 56 subnet, drop the physical host and everything else:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
 
The matching /etc/crontab entry:
[root@localhost dc]# vim /etc/crontab
[root@localhost dc]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
 
# For details see man 4 crontabs
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root            /sbin/iptables-restore /home/dc/iptables.mysettings
HTTP server, step 1: firewall rules (only the proxy's NAT-side address 192.168.56.106 may reach 80 and 443; the physical host is dropped first):
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 443 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 80 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 443 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 631 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 25 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
iptables-save > /root/my_iptables_seetings.rule
Test the restore by hand, then schedule it in /etc/crontab:
/usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
[root@localhost html]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
 
# For details see man 4 crontabs
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root /usr/sbin/iptables-restore < /root/my_iptables_seetings.rule


Last edited by 顾言庭 on 2022-8-5 22:41.