Use an intrusion detection system + active firewall -> snort + guardian (repost)

Source: Internet
Author: User

--------------------------------------------------------------------------------

Snort is an open-source, lightweight network intrusion detection system: it watches network traffic, matches it against a rule set and reports alerts.
Guardian is an active firewall built on Snort + iptables. It reads Snort's alert file and, when a source address meets its criteria, inserts a rule into the iptables INPUT chain that drops that host's packets.
Since I started using snort + guardian, I have been glad to see many malicious connections being cut off every day!

We recommend that you use it!

Installation steps:
1) Install snort:
* The Snort and Guardian releases used here:
http://www.snort.org/dl/snort-2.3.0RC2.tar.gz
http://www.snort.org/dl/contrib/... guardian-1.6.tar.gz

* Copy both files to /tmp
* cd /tmp
* tar zxvf snort-2.3.0RC2.tar.gz
* cd snort-2.3.0RC2
* ./configure
* make
* make install
* mkdir /etc/snort
* cd /etc/snort
* wget http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
* tar zxvf snortrules-snapshot-CURRENT.tar.gz   (the rule set unpacks into /etc/snort/rules)
* mkdir /var/log/snort
* cp /tmp/snort-2.3.0RC2/etc/snort.conf /etc/   (the sample configuration shipped in the source tree's etc/ directory)
* cd /etc
* vi snort.conf
The key settings to change are:
var HOME_NET yournetwork
var RULE_PATH /etc/snort/rules
preprocessor http_inspect: global \
    iis_unicode_map /etc/snort/rules/unicode.map 1252
include /etc/snort/rules/reference.config
include /etc/snort/rules/classification.config

where yournetwork is the address range Snort should treat as local, for example:
var HOME_NET 220.8.0.0/16

You can also enable the rule files you want, for example
include $RULE_PATH/local.rules
and so on: remove the leading # from each include line you want active and put your own rules in local.rules.

* /usr/local/bin/snort -D -l /var/log/snort -c /etc/snort.conf
(-D runs Snort as a daemon, -l sets the log directory and -c names the configuration file; add -i <interface> if the machine has more than one network interface.)

* Add the previous command to /etc/rc.d/rc.local so Snort starts at boot.

2) Install guardian (Perl is required)
* cd /tmp
* tar zxvf guardian-1.6.tar.gz
* cd guardian-1.6
* echo > /etc/guardian.ignore
* cp guardian.pl /usr/local/bin/
* cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
* cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
* cp guardian.conf /etc/
* vi /etc/guardian.conf
Set it as follows:
# last octet of this subnet's gateway address; Guardian will never block that host
HostGatewayByte 1

# Guardian's own log file
LogFile /var/log/guardian.log

# where Guardian reads Snort's alerts
AlertFile /var/log/snort/alert

# addresses that must never be blocked, one per line
IgnoreFile /etc/guardian.ignore

# how long (in seconds) an address stays blocked; 99999999 means no time limit
TimeLimit 86400

Put your own addresses, the gateway and your DNS servers in /etc/guardian.ignore before starting: Guardian blocks whatever source address appears in a Snort alert, and an attacker who sends packets with a forged source address can otherwise make it cut you off from those hosts.

* /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/guardian.conf
* Add the previous command to /etc/rc.d/rc.local.

Now, the settings are complete.
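To make concrete what Guardian does with the alert file, here is an added example written for this page (it is not Guardian's own code and is not part of the original post): a small shell script that pulls the source addresses out of a Snort 2.x "full"-format alert file, skips any that appear in an ignore file, and prints the kind of DROP rule Guardian's iptables_block.sh inserts into the INPUT chain. The alert entries, the rule names, the ignore file contents and all addresses are constructed for the example; with DRY_RUN left at its default of 1 nothing is changed on the machine.

```shell
#!/bin/sh
# Added example, not Guardian's own code: a minimal re-creation of what
# Guardian does with Snort's alert file, so the mechanism can be seen.
# DRY_RUN=1 (the default) prints the iptables commands instead of running them.
set -eu

# Constructed sample of /var/log/snort/alert in Snort 2.x "full" alert format.
# The rule names, timestamps and addresses are invented for this example.
ALERTFILE=$(mktemp)
cat > "$ALERTFILE" <<'EOF'
[**] [1:1000001:1] Example rule: SSH probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/15-10:23:45.123456 192.0.2.10:4444 -> 203.0.113.5:22
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] Example rule: web scanner [**]
[Classification: Web Application Attack] [Priority: 1]
01/15-10:23:50.000001 192.0.2.10:51000 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:12346 IpLen:20 DgmLen:60 DF

[**] [1:1000003:1] Example rule: ICMP sweep (forged source) [**]
[Classification: Misc activity] [Priority: 3]
01/15-10:24:01.000001 198.51.100.1 -> 203.0.113.5
ICMP TTL:64 TOS:0x0 ID:12347 IpLen:20 DgmLen:28

[**] [1:1000001:1] Example rule: SSH probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/15-10:25:12.500000 192.0.2.77:4444 -> 203.0.113.5:22
TCP TTL:64 TOS:0x0 ID:12348 IpLen:20 DgmLen:60 DF
EOF

# Constructed ignore file: the gateway (198.51.100.1) and a DNS server.
IGNOREFILE=$(mktemp)
printf '%s\n' 198.51.100.1 198.51.100.53 > "$IGNOREFILE"
trap 'rm -f "$ALERTFILE" "$IGNOREFILE"' EXIT

# extract_sources FILE: print each distinct source address found in the
# header lines of the form "MM/DD-HH:MM:SS.uuuuuu SRC[:PORT] -> DST[:PORT]".
extract_sources() {
    grep -E '^[0-9]{2}/[0-9]{2}-[0-9:.]+ [0-9.]+(:[0-9]+)? -> ' "$1" \
        | awk '{ split($2, a, ":"); print a[1] }' \
        | sort -u
}

# is_ignored IP FILE: true if IP appears as a whole line in the ignore file.
is_ignored() {
    grep -qxF "$1" "$2"
}

# block_sources ALERTFILE IGNOREFILE: for every source not in the ignore file,
# emit (or, with DRY_RUN=0, execute) a DROP rule at the top of the INPUT chain,
# the same kind of rule Guardian's iptables_block.sh inserts.
block_sources() {
    extract_sources "$1" | while read -r ip; do
        if is_ignored "$ip" "$2"; then
            echo "# skipping $ip: listed in ignore file"
            continue
        fi
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "iptables -I INPUT -s $ip -j DROP"
        else
            iptables -I INPUT -s "$ip" -j DROP
        fi
    done
}

block_sources "$ALERTFILE" "$IGNOREFILE"
```

Run as-is it prints two iptables commands (for 192.0.2.10 and 192.0.2.77) and one "skipping" line for 198.51.100.1. That third alert is the point of the ignore file: Snort reports whatever source address is in the packet, so a single forged ICMP packet carrying your gateway's address would otherwise have Guardian drop all traffic from the gateway and cut the machine off from the network.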

Note:
1) Snort's rule files are updated frequently; they can be fetched automatically with the following script:
#!/bin/sh
cd /etc/snort || exit 1
# -N overwrites the previous snapshot instead of saving a ".1" copy that would never be extracted
wget -N http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
tar zxvf snortrules-snapshot-CURRENT.tar.gz
# Snort only reads its rules at startup; SIGHUP makes the running daemon re-read them
killall -HUP snort
exit 0

* Save the above script as snortupdate, place it in /etc/cron.daily/ and make it executable (chmod +x /etc/cron.daily/snortupdate); the rules are then updated once a day.

2) Guardian sometimes exits on its own. The following script checks for it and restarts it if needed:
#!/usr/bin/perl
# requires the Proc::ProcessTable module from CPAN
use strict;
use Proc::ProcessTable;

my $found = 0;
my $t = Proc::ProcessTable->new;
my $g = "guardian.pl";
foreach my $p (@{$t->table}) {
    # skip this watchdog itself and match only the daemon's command line
    # (a bare /guardian/ would also match "/etc/cron.hourly/testguardian")
    next if $p->pid == $$;
    if ($p->cmndline =~ /\Q$g\E/) {
        $found = 1;
        last;
    }
}
if ($found == 1) {
    print "Guardian is alive!\n";
} else {
    print "Guardian is dead!\n";
    print "restart guardian now...\n";
    system "/usr/local/bin/guardian.pl -c /etc/guardian.conf";
}
Save the above script as testguardian and place it in /etc/cron.hourly, which means: check every hour whether guardian is alive, and restart it if it has died.

chmod +x /etc/cron.hourly/testguardian

Edit /etc/crontab and add /usr/local/bin to the PATH line.

Script: killguardian
#!/usr/bin/perl
# kills the running guardian.pl process; requires the Proc::ProcessTable module
# (available from http://www.cpan.org)
use strict;
use Proc::ProcessTable;

my $t = Proc::ProcessTable->new;

foreach my $p (@{$t->table}) {
    kill 9, $p->pid if $p->cmndline =~ /guardian\.pl/;
}
