Environment RedHat 7.3
The emergence of more and more hackers on the Internet and the emergence of more and more experts. How can we ensure that we can save a complete log? Hacker knows that the first thing that comes into the system is to clean up logs. The simplest and most direct way to detect intrusions is to view system records. Now let's talk about how to set up a secure log server.
Think about how to change your log if intruders cannot connect to your log server? Now let's learn how to set up a log server without ip addresses.
Now, let's introduce how to useSnort does three things:
Stealth sniffer
Stealth NIDS porbe
Stealth logger
All of this is used on a server without an ip address. NIDS is short for Network Intrusion Dectection Server, that is, the Intrusion detection Server.
Why stealth?
Running any service on the internet is dangerous. Whether it is http or ftp or telnet, there will be a chance of hack intrusion. The uniqueness of stealth logger allows us to receive data without sending any data. In this way, external computers (computers infiltrated by hack) cannot modify the information received by the loger server. That is to say, it ensures the integrity and originality of our information. To ensure the security of the log server, it is best not to connect the log server to the network. That is to say, when you need to check what is on the logger server, you need to go to the computer and open the screen. Instead of the remote login. However, if you must connect to the network, use two interfaces. That is to say, two NICs, and note that, first, IP forwarding must be disabled. Second, the interface used for stealth logger is a network card without an ip address. This network card must not be in the same network with another network card with an ip address.
Settings:
First of all, make sure that your Nic is correctly installed and can be caught by the kernel. Then, write the module required by the NIC to the/etc/modules. conf file.
Now let's set up a NIC interface without ip addresses.
Edit file/etc/sysconfig/network-scripts/ifcfg-eth0
| Vim/etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE = eth0 USERCTL = no ONBOOT = yes BOOTPROTO = BROADCAST = NETWORK = NETMASK = IPADDR = |
Stealth
Here we use the snort program. If you do not have this program on your computer, you can download it at www.snort.org.
Now we run
Snort-dvi eth0
Here, the-d option tells snort to decode the data)
-V tells snort to display the result on the screen
-I indicates the required interface.
You can use the-C option to tell snort to display only the ASCII part. Ignore hexadecimal data.
| ? $ Snort-dviC eth0 Log directory =/var/log/snort Initializing Network Interface eth0 Kernel filter, protocol ALL, TURBO mode (63 frames), raw packet socket -- = Initializing Snort = -- Decoding Ethernet on interface eth0 -- = Initialization Complate = -- -*> Snort! <*- Version 1.8.4 (Build 99) By Martin Roesch (roesch@sourcefire.com, www.snort.org) ...... ...... ...... |
[1] [2] [3] Next page
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
