Use an intrusion test system + Active firewall-> snort + guardian (zt)

[Original] we recommend that you use an intrusion test system + Active firewall --> snort + guardian

--------------------------------------------------------------------------------

Snort is an open-source lightweight intrusion monitoring system that monitors network exceptions and provides reports;
Guardian is an active Firewall Based on Snort + iptables. It analyzes snort log files and automatically adds some malicious IP addresses to the iptables input chain based on certain criteria to discard their datagram.
Since I used snort + guardian, I am very happy to see that many malicious behaviors have been terminated every day!

We recommend that you use it!

Installation steps:
1) install snort:
* Currently, Snort & Guardian is:
Http://www.snort.org/dl/snort-2.3.0RC2.tar.gz
Http://www.snort.org/dl/contrib/... guardian-1.6.tar.gz

* Copy the above file to/tmp
* Tar zxvf *. tgz
* CD snort-2.3.0RC2
*./Configure
* Make
* Make install
* Mkdir/etc/snort
* CD/etc/snort
* Wget http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
* Tar zxvf snortrules-snapshot-CURRENT.tar.gz
* Mkdir/var/log/snort
* CD/etc
* VI snort. conf
The modified key settings are as follows:
VaR home_net yournetwork
VaR rule_path/etc/snort/Rules
Preprocessor http_inspect: Global/
Iis_unicode_map/etc/snort/RULES/Unicode. Map 1252
Include/etc/snort/RULES/reference. config
Include/etc/snort/RULES/classification. config

For example, yournetwork 220.8.0.0/16

At the same time, you can choose
Include $ rule_path/local. Rules
And so on. Remove the # sign and set your own rule set.

*/Usr/local/bin/snort-D-l/var/log/snort-C/etc/snort. conf

* Write the previous command to/etc/rc. d/rc. Local.

2) install guardian --- Perl support required
* CD/tmp
* Tar zxvf guardian-1.6.tar.gz
* CD guaredan-1.6
* Echo>/etc/guardian. Ignore
* CP guardian. pl/usr/local/bin /.
* CP scripts/iptables_block.sh/usr/local/bin/guardian_block.sh
* CP scripts/iptables_unblock.sh/usr/local/bin/guardian_unblock.sh
* CP guardian. CONF/etc /.
* VI/etc/guardian. conf
As follows:
Hostgatewaybyte 1
# Guardian log files
Logfile/var/log/guardian. Log

# Where does guardian read snort logs
Alertfile/var/log/snort/Alert

# Store the IP address you want to ignore in this file
Ignorefile/etc/guardian. Ignore

# The maximum time for IP address blocking, 99999999 is no time limit
Timelimit 86400

*/Usr/bin/perl/usr/local/bin/guardian. pl-C/etc/guardian. conf
* Add the previous command to/etc/rc. d/rc. Local.

Now, the settings are complete.

Note:
1) The rule files of Snort are updated frequently and can be automatically updated using the following script:
#! /Bin/sh
CD/etc/snort
Wget http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
Tar zxvf snortrules-snapshot-CURRENT.tar.gz
Exit 0

* Save the above script as snortupdate and place it under/etc/cron. daily/. It can be updated once a day;

2) guardian sometimes exits automatically. You can use the following script to solve the problem:
#! /Usr/bin/perl
Use proc: processtable;

$ Found = 0;
$ T = new proc: processtable;
$ G = "Guardian. pl ";
Foreach $ P (@ {$ T-> table }){
$ F = ($ p-> cmndline = ~ M/guardian /);
If ($ F = 1)
{$ Found = 1;
Last;
}
}
If ($ found = 1)
{
Print "Guardian is alive! /N ";
}
Else
{
Print "Guardian is dead! /N ";
Print "restart guardian now.../N ";
System "/usr/local/bin/guardian. pl-C/etc/guardian. conf ";
}
Save the above script as testguardian and place it under/etc/cron. Hourly, which means: Check whether guardian is alive every hour. If it is already dead, restart guardian.

Chmod + x/etc/cron. Hourly/testguardian

Edit/etc/crontab
Add/usr/local/bin to a path row

Script: killguardian
#! /Usr/bin/perl
# To kill the current guardian. pl process, install the Perl module proc: processtable
# Access the http://www.cpan.org to get the above Module
Use proc: processtable;

$ T = new proc: processtable;

Foreach $ P (@ {$ T-> table })
{

Kill 9, $ p-> PID if $ p-> cmndline = ~ 'Guardian. pl ';

}