[Original] We recommend using an intrusion detection system plus an active firewall --> Snort + Guardian
--------------------------------------------------------------------------------
Snort is a lightweight open-source intrusion detection system that monitors network traffic for anomalies and reports on them;
Guardian is an active firewall built on Snort + iptables. It parses Snort's alert file and, according to its own criteria, automatically adds offending IP addresses to the iptables INPUT chain so that their packets are dropped.
Since I started using Snort + Guardian, I have been very happy to see many malicious behaviors terminated every day!
We recommend that you use it!
Installation steps:
1) Install Snort:
* The current Snort and Guardian releases are at:
http://www.snort.org/dl/snort-2.3.0RC2.tar.gz
http://www.snort.org/dl/contrib/... guardian-1.6.tar.gz
* Copy both files to /tmp
* tar zxvf snort-2.3.0RC2.tar.gz
* cd snort-2.3.0RC2
* ./configure
* make
* make install
* mkdir /etc/snort
* cd /etc/snort
* wget http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
* tar zxvf snortrules-snapshot-CURRENT.tar.gz
* mkdir /var/log/snort
* cd /etc
* vi snort.conf
The key settings to change are:
var HOME_NET yournetwork
var RULE_PATH /etc/snort/rules
preprocessor http_inspect: global \
    iis_unicode_map /etc/snort/rules/unicode.map 1252
include /etc/snort/rules/reference.config
include /etc/snort/rules/classification.config
Here yournetwork is your own address range, for example 220.8.0.0/16.
You can also enable further rule files such as
include $RULE_PATH/local.rules
by removing the leading # and choosing the rule set you want.
* /usr/local/bin/snort -D -l /var/log/snort -c /etc/snort.conf
* Add the previous command to /etc/rc.d/rc.local so that Snort starts at boot.
2) Install Guardian (Perl is required)
* cd /tmp
* tar zxvf guardian-1.6.tar.gz
* cd guardian-1.6
* echo > /etc/guardian.ignore
* cp guardian.pl /usr/local/bin/
* cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
* cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
* cp guardian.conf /etc/
* vi /etc/guardian.conf
Set it as follows:
HostGatewayByte 1
# Guardian's own log file
LogFile /var/log/guardian.log
# Where Guardian reads Snort's alerts from
AlertFile /var/log/snort/alert
# IP addresses listed in this file are never blocked
IgnoreFile /etc/guardian.ignore
# Maximum time (in seconds) an IP address stays blocked; 99999999 means no limit
TimeLimit 86400
* /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/guardian.conf
* Add the previous command to /etc/rc.d/rc.local as well.
Now, the settings are complete.
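As an added illustration of the decision Guardian makes from the two files configured above (AlertFile and IgnoreFile), here is a dry-run shell script; it is not Guardian's own code. It reads a constructed sample of Snort's alert file, skips every source address listed in the ignore file, and prints the INPUT-chain DROP rule it would add for each remaining source address instead of executing it, so it can be checked without root. The exact iptables command form is an assumption about what guardian_block.sh does, and Guardian's time-limited unblocking (TimeLimit) is not modeled.

```shell
#!/bin/sh
# Added example (not part of Guardian): dry run of "which source addresses
# in the Snort alert file get blocked, given the ignore list".
set -e

# Constructed sample in Snort's "full" alert format. Addresses come from
# documentation ranges and do not refer to real hosts.
ALERTS="$(mktemp)"
cat > "$ALERTS" <<'EOF'
[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/15-10:23:45.123456 203.0.113.5:1434 -> 192.0.2.7:1434
UDP TTL:113 TOS:0x0 ID:5432 IpLen:20 DgmLen:404

[**] [1:382:7] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
01/15-10:24:01.000001 203.0.113.9 -> 192.0.2.7
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84

[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/15-10:25:12.000002 203.0.113.5:1434 -> 192.0.2.7:1434
UDP TTL:113 TOS:0x0 ID:5433 IpLen:20 DgmLen:404

[**] [1:1000001:1] local rule hit [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/15-10:26:30.000003 192.0.2.1:53 -> 192.0.2.7:40000
UDP TTL:64 TOS:0x0 ID:7 IpLen:20 DgmLen:120
EOF

# Constructed ignore list: the site's own gateway, which must never be blocked.
IGNORE="$(mktemp)"
printf '192.0.2.1\n' > "$IGNORE"
trap 'rm -f "$ALERTS" "$IGNORE"' EXIT

# offenders ALERTFILE IGNOREFILE
# Prints each source IP from the alert file once, skipping ignored addresses.
# Only the "src -> dst" line of each alert is read; a :port suffix is stripped
# (ICMP alerts carry none). IPv4 only.
offenders() {
    awk -v ign="$2" '
        BEGIN { while ((getline line < ign) > 0) if (line != "") ignore[line] = 1 }
        $3 == "->" {
            ip = $2; sub(/:[0-9]+$/, "", ip)
            if (!(ip in ignore) && !(ip in seen)) { seen[ip] = 1; print ip }
        }' "$1"
}

# block_commands ALERTFILE IGNOREFILE
# Emits the insert-at-top DROP rule assumed to correspond to what
# guardian_block.sh applies for each offender (printed, not executed).
block_commands() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

block_commands "$ALERTS" "$IGNORE"
```

With the sample above the gateway 192.0.2.1 triggers an alert but is never blocked because it is in the ignore file, while 203.0.113.5 appears twice and gets a single rule. This is why /etc/guardian.ignore should list your gateway, DNS servers and monitoring hosts before Guardian is started: any rule that fires on their traffic would otherwise cut them off for TimeLimit seconds.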
Note:
1) Snort's rule files are updated frequently; the following script fetches them automatically:
#!/bin/sh
cd /etc/snort || exit 1
# -O keeps one fixed file name; without it repeated runs save .1, .2, ... copies
# and the tar line below would keep extracting the first, stale download.
wget -q -O snortrules-snapshot-CURRENT.tar.gz http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz || exit 1
tar zxvf snortrules-snapshot-CURRENT.tar.gz
# Snort loads its rules at start-up; restart it to use the new set.
exit 0
* Save the above script as snortupdate under /etc/cron.daily/ so that the rules are refreshed once a day.
2) Guardian sometimes exits on its own. The following script restarts it when that happens:
#!/usr/bin/perl
# Checks whether guardian.pl is running and restarts it if not.
# Requires the Perl module Proc::ProcessTable.
use Proc::ProcessTable;
$found = 0;
$t = new Proc::ProcessTable;
$g = "guardian.pl";
foreach $p (@{$t->table}) {
    next if $p->pid == $$;    # skip this watchdog's own process
    # Match the script name exactly: matching just "guardian" would also
    # match this watchdog (testguardian) and always report "alive".
    if ($p->cmndline =~ /\Q$g\E/) {
        $found = 1;
        last;
    }
}
if ($found == 1) {
    print "Guardian is alive!\n";
} else {
    print "Guardian is dead!\n";
    print "Restarting guardian now...\n";
    system "/usr/local/bin/guardian.pl -c /etc/guardian.conf";
}
Save the above script as testguardian under /etc/cron.hourly/ so that cron checks every hour whether Guardian is alive and restarts it if it has died.
chmod +x /etc/cron.hourly/testguardian
Edit /etc/crontab
and add /usr/local/bin to its PATH line.
Script: killguardian
#!/usr/bin/perl
# Kills the running guardian.pl process. Requires the Perl module
# Proc::ProcessTable, available from http://www.cpan.org
use Proc::ProcessTable;
$t = new Proc::ProcessTable;
foreach $p (@{$t->table}) {
    next if $p->pid == $$;    # never kill this script itself
    kill 9, $p->pid if $p->cmndline =~ /guardian\.pl/;
}