Article Title: Linux Secure log Record server. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Environment RedHat 7.3
The emergence of more and more hackers on the Internet and the emergence of more and more experts. How can we ensure that we can save a complete log? Hacker knows that the first thing that comes into the system is to clean up logs. The simplest and most direct way to detect intrusions is to view system records. Now let's talk about how to set up a secure log server.
Think about how to change your log if intruders cannot connect to your log server? Now let's learn how to set up a log server without ip addresses.
Now we will introduce how to use Snort to do three things:
Stealth sniffer
Stealth NIDS porbe
Stealth logger
All of this is used on a server without an ip address. NIDS is short for Network Intrusion Dectection Server, that is, the Intrusion detection Server.
Why stealth?
Running any service on the internet is dangerous. Whether it is http or ftp or telnet, there will be a chance of hack intrusion. The uniqueness of stealth logger allows us to receive data without sending any data. In this way, external computers (computers infiltrated by hack) cannot modify the information received by the loger server. That is to say, it ensures the integrity and originality of our information. To ensure the security of the log server, it is best not to connect the log server to the network. That is to say, when you need to check what is on the logger server, you need to go to the computer and open the screen. Instead of the remote login. However, if you must connect to the network, use two interfaces. That is to say, two NICs, and note that, first, IP forwarding must be disabled. Second, the interface used for stealth logger is a network card without an ip address. This network card must not be in the same network with another network card with an ip address.
Settings:
First of all, make sure that your Nic is correctly installed and can be caught by the kernel. Then, write the module required by the NIC to the/etc/modules. conf file.
Now let's set up a NIC interface without ip addresses.
Edit file/etc/sysconfig/network-scripts/ifcfg-eth0
Vim/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE = eth0
USERCTL = no
ONBOOT = yes
BOOTPROTO =
BROADCAST =
NETWORK =
NETMASK =
IPADDR =
After archiving, use ifconfig to activate our eth0 interface.
Stealth
Here we use the snort program. If you do not have this program on your computer, you can download it at www.snort.org.
Now we run
Snort-dvi eth0
Here, the-d option tells snort to decode the data)
-V tells snort to display the result on the screen
-I indicates the required interface.
You can use the-C option to tell snort to display only the ASCII part. Ignore hexadecimal data.
? $ Snort-dviC eth0
Log directory =/var/log/snort
Initializing Network Interface eth0
Kernel filter, protocol ALL, TURBO mode
(63 frames), raw packet socket
-- = Initializing Snort = --
Decoding Ethernet on interface eth0
-- = Initialization Complate = --
-*> Snort! <*-
Version 1.8.4 (Build 99)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
......
......
......
NIDS (Intrusion Detection) intrusion detection is a complex task. Snort also provides powerful intrusion detection functions. Here I will only make a brief introduction so that you can have a concept. If the real object is used as an NIDS. More complex actions are required. For example, set a more comprehensive rules and regularly update the rules defined in snort. conf (when a new attack method appears, it should be updated in a timely manner)
[1] [2] [3] Next page