From: "Шигапов Ринат" <srk@nevod.ru>
To: ALT Linux sysadmin discuss <sysadmins@lists.altlinux.org>
Subject: Re: [Sysadmins] snort и автоблокировка с помощью iptables
Date: Mon, 28 Sep 2009 10:06:20 +0600
Message-ID: <4AC0363C.4000506@nevod.ru> (raw)
In-Reply-To: <99785b730909252353s6ac41f24l8dbef555ce11b1fc@mail.gmail.com>
Yury Konovalov пишет:
> Здравствуйте, как дистрибутивно блокировть какие-либо действия из вне?
> Установил
>
> snort-inline+flexresp - Snort с чтением трафика через IPTables и автоблокировкой
>
>
>
> Добавил правило:
>
> #Submitted by Matt Jonkman
> alert tcp $EXTERNAL_NET any -> $HOME_NET 2222 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: attempted-recon; reference:url,en.wikipedia.org/wiki/Brute_force_attack <http://en.wikipedia.org/wiki/Brute_force_attack>; sid: 2001219; rev:14;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 2222 (msg: "BLEEDING-EDGE Potential SSH Scan OUTBOUND"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: attempted-recon; reference:url,en.wikipedia.org/wiki/Brute_force_attack <http://en.wikipedia.org/wiki/Brute_force_attack>; sid: 2003068; rev:2;)
>
>
>
> С другого адреса начинаю брутофорсить ssh, правило срабатывает:
>
> [**] [1:2003068:2] BLEEDING-EDGE Potential SSH Scan OUTBOUND [**]
>
> [Classification: Attempted Information Leak] [Priority: 2]
> 09/23-08:29:31.467122 82.219.201.133:41256 <http://82.219.201.133:41256> -> 82.219.201.130:2222 <http://82.219.201.130:2222>
> TCP TTL:62 TOS:0x0 ID:14265 IpLen:20 DgmLen:52 DF
>
> ******S* Seq: 0xD0CF4A74 Ack: 0x0 Win: 0x16D0 TcpLen: 32
> TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 4
> [Xref => http://en.wikipedia.org/wiki/Brute_force_attack]
>
>
>
> Но не блокируется, как правильно сделать что-бы добавлялось правило
> iptables для блокировки?
> В бранче не нашел ничего вроде SnortSam, Guardian, Hogwash.
>
Одна из альтернатив - использовать модуль recent для iptables. См., к
примеру,
http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
--
С уважением,
Шигапов Ринат
инженер-программист ООО "Невод"
тел. (342)2196960
JabberID: dxist эт ya.ru
parent reply other threads:[~2009-09-28 4:06 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <99785b730909252353s6ac41f24l8dbef555ce11b1fc@mail.gmail.com>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4AC0363C.4000506@nevod.ru \
--to=srk@nevod.ru \
--cc=sysadmins@lists.altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux sysadmins discussion
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/sysadmins/0 sysadmins/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 sysadmins sysadmins/ http://lore.altlinux.org/sysadmins \
sysadmins@lists.altlinux.org sysadmins@lists.altlinux.ru sysadmins@lists.altlinux.com
public-inbox-index sysadmins
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.sysadmins
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git