
Step 1: Install the IDS (Snort) as described at http://conheotiensinh.blogspot.com/2009/12/install-ids-incentos-with-5-minutes.html

Step 2: IPS Guardian

Guardian is a security program which works in conjunction with Snort to automatically update firewall rules based on alerts generated by Snort. The updated firewall rules block all incoming data from the IP address of the attacking machine (the machine which caused Snort to generate an alert). There is also logic in place which prevents blocking important machines, such as DNS servers, gateways, and whatever else you want.

Step 3: Go to http://www.chaotic.org/guardian/ to download Guardian. The current version as at this writing is version 1.7.

#wget http://www.chaotic.org/guardian/guardian-1.7.tar.gz
#tar -xzvf guardian-1.7.tar.gz
#cd guardian-1.7
#cp guardian.pl /usr/local/bin/
#cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
#cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
#cp guardian.conf /etc/snort/
#touch /etc/snort/guardian.ignore
#touch /etc/snort/guardian.target
#touch /var/log/snort/guardian.log

Step 4: Edit /etc/snort/guardian.conf and change these variables:

HostIpAddr xxx.xxx.xxx.xxx (the IP address of the Snort monitor)
Interface ETH01 (the interface Snort monitors)
HostGatewayByte 75
Logfile /var/log/snort/guardian.log
AlertFile /var/log/messages
IgnoreFile /etc/snort/guardian.ignore
TargetFile /etc/snort/guardian.target
TimeLimit 86400

Step 5: Edit /usr/local/bin/guardian_block.sh and change these variables (this shell script blocks the attacker's IP and sends an alert mail to test@conheotiensinh.co.cc):

#!/bin/sh
# Guardian calls this script with the attacker's IP and the interface as arguments.
source=$1
interface=$2
/sbin/iptables -I INPUT -s "$source" -i "$interface" -j DROP
/sbin/iptables -I FORWARD -s "$source" -i "$interface" -j DROP
echo "$source is blocked!" | mail -s "Snort alert is blocked" test@conheotiensinh.co.cc

Step 6: Edit /usr/local/bin/guardian_unblock.sh and change these variables (this shell script deletes the attacker's IP from the blocked IPs and sends an alert mail to test@conheotiensinh.co.cc):

#!/bin/sh
# Guardian calls this script after TimeLimit seconds to remove the rules added by guardian_block.sh.
source=$1
interface=$2
/sbin/iptables -D INPUT -s "$source" -i "$interface" -j DROP
/sbin/iptables -D FORWARD -s "$source" -i "$interface" -j DROP
echo "$source is blocked for 24 hours! It is released!" | mail -s "Snort alert is released" test@conheotiensinh.co.cc

Step 7: Edit /etc/snort/guardian.target and add the IP address of the Snort monitor.

Step 8: Edit /etc/snort/guardian.ignore and add the IP address 127.0.0.1.

Step 9: Edit /etc/snort/snort.conf and uncomment the line

output alert_syslog: LOG_AUTH LOG_ALERT

then restart Snort:

service snort restart

Step 10: Create the shell script guardian.sh:

#!/bin/bash
#
# Start, stop and query the Guardian daemon.

start() {
    export PATH=$PATH:/usr/local/bin
    /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
}

# The pattern 'guardian.pl *-c' matches the running daemon but not the grep
# process itself, whose argument contains "*-c" rather than "-c".
stop() {
    if ps aux | grep 'guardian.pl *-c' > /dev/null 2>&1; then
        kill $(ps aux | grep 'guardian.pl *-c' | awk '{print $2}')
    else
        echo "Guardian is not running ....."
    fi
}

status() {
    if ps aux | grep 'guardian.pl *-c' > /dev/null 2>&1; then
        echo "Guardian is Running ....."
    else
        echo "Guardian is not Running ...."
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        ;;
esac

Step 11: Install and start it:

chmod +x guardian.sh
cp guardian.sh /usr/local/bin/guardian.sh
/usr/local/bin/guardian.sh start

Step 12: Test it with nmap:

#nmap -v -sS xxx.xxx.xxx.xxx
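To make the decision Guardian takes in Steps 4, 7 and 8 concrete, here is an added example (not code from this page or from Guardian) that reads the Snort syslog alerts enabled in Step 9, skips sources listed in the ignore file or belonging to the monitored host, blocks each attacker only once, and marks it for release after TimeLimit. The sample alert lines, the addresses, the clock and the treatment of the target file as the list of protected destinations are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Snort's alert_syslog output (enabled in Step 9) logs lines shaped like
#   "... snort[PID]: [gid:sid:rev] msg [Priority: n] {PROTO} SRC:PORT -> DST:PORT"
# ICMP alerts carry no ports, so the ports are optional in the pattern.
ALERT_RE = re.compile(r"snort\[\d+\]: \[(?P<sid>\d+:\d+:\d+)\] .*? \{\w+\} "
                      r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

# Constructed sample lines and clock (not real Snort output); 192.0.2.10 plays the
# monitored host, the documentation-range addresses play attackers.
NOW = datetime(2009, 12, 10, 10, 0, 5)
SAMPLE_LINES = [
    "Dec 10 10:00:01 ids snort[2210]: [1:1000001:1] TEST portscan [Priority: 2] "
    "{TCP} 203.0.113.7:51234 -> 192.0.2.10:22",
    "Dec 10 10:00:02 ids snort[2210]: [1:1000002:1] TEST icmp probe [Priority: 3] "
    "{ICMP} 198.51.100.9 -> 192.0.2.10",
    "Dec 10 10:00:03 ids snort[2210]: [1:1000001:1] TEST portscan [Priority: 2] "
    "{TCP} 203.0.113.7:51235 -> 192.0.2.10:23",
    "Dec 10 10:00:04 ids snort[2210]: [1:1000003:1] TEST noise [Priority: 3] "
    "{UDP} 127.0.0.1:53 -> 192.0.2.10:40000",
    "Dec 10 10:00:05 ids sshd[1]: Accepted publickey for admin from 192.0.2.50",
]

def parse_alert(line):
    """Return (sid, src_ip, dst_ip) for a Snort syslog alert line, else None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:  # reject anything that is not a well-formed IP address
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return m["sid"], str(src), str(dst)

def plan_blocks(lines, ignore, targets, now, time_limit=86400):
    """Decide which sources to block; returns (actions, {ip: release_time})."""
    blocked, actions = {}, []
    for sid, src, dst in filter(None, map(parse_alert, lines)):  # alerts only
        if src in ignore or src in targets or dst not in targets:
            continue  # ignored host, the monitored host itself, or not aimed at it
        if src not in blocked:  # one rule per attacker, released after TimeLimit
            blocked[src] = now + timedelta(seconds=time_limit)
            actions.append(("block", src, sid))
    return actions, blocked

def expired(blocked, at):
    """IPs whose TimeLimit has elapsed at time `at`; each would go to guardian_unblock.sh."""
    return sorted(ip for ip, release_at in blocked.items() if at >= release_at)
```

Run against SAMPLE_LINES with {"127.0.0.1"} as the ignore list and {"192.0.2.10"} as the target list, it blocks 203.0.113.7 and 198.51.100.9 once each, ignores the loopback alert and the sshd line, and lists both for release once the 86400-second limit has passed.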

Besides this, you can use Easy IDS as an IPS together with other firewalls (FreeBSD using IPFW, Checkpoint, PIX, ...) by using SSH to copy the rules to the firewall.
