
Linux Tutorial FG275: Intrusion Prevention Systems

Summary: this 风哥 tutorial draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and describes in detail how the relevant tools are configured and used.

This document describes in detail how to configure and use intrusion prevention tooling on Linux: Suricata, Snort and OSSEC as sensors, plus a cron-driven script that blocks attacking addresses with firewalld.

One point to keep in mind while following Parts 1 to 3: as configured there, the sensors run passively (a single af-packet interface for Suricata, a passive DAQ for Snort, log and file-integrity monitoring for OSSEC), so they detect and alert but never drop a packet. The only blocking on this page is done by the Part04 script. Inline prevention needs NFQUEUE or af-packet copy-mode across two interfaces in Suricata, or an afpacket interface pair in inline DAQ mode in Snort.

Part01-Suricata Configuration

1.1 Installing and configuring Suricata

# Install Suricata (on RHEL-family systems the package comes from EPEL;
# on Fedora it is in the main repositories)
$ sudo dnf install -y suricata

# Fetch the Emerging Threats Open ruleset into /var/lib/suricata/rules/suricata.rules
$ sudo suricata-update

# Configure Suricata. The distribution ships a complete /etc/suricata/suricata.yaml;
# in practice edit that file rather than replacing it, because the fragment below
# contains only the keys this tutorial changes. The capture interface for the
# EPEL/Fedora unit is set in /etc/sysconfig/suricata (OPTIONS="-i eth0 ..."),
# not in the YAML; the original page's "capture:" section is not a Suricata key
# and has been dropped. A single af-packet interface is passive IDS (alert only).
$ sudo tee /etc/suricata/suricata.yaml << 'EOF'
%YAML 1.1
---
default-log-dir: /var/log/suricata

stats:
  enabled: yes
  interval: 8

# Alert output: fast.log is what "tail -f /var/log/suricata/fast.log" below reads
outputs:
  - fast:
      enabled: yes
      filename: fast.log

# Engine (not alert) logging; the original placed these entries under "outputs"
logging:
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        level: info
        filename: suricata.log

af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    threads: auto

detect:
  profile: medium
  sgh-mpm-context: full

app-layer:
  protocols:
    http:
      enabled: yes
    tls:
      enabled: yes
    ssh:
      enabled: yes

rule-files:
  - /var/lib/suricata/rules/suricata.rules
EOF

# Validate the configuration and rule files before starting
$ sudo suricata -T -c /etc/suricata/suricata.yaml

# Update rules (re-run periodically, e.g. from cron)
$ sudo suricata-update

# Start Suricata
$ sudo systemctl start suricata
$ sudo systemctl enable suricata

# Watch alerts
$ sudo tail -f /var/log/suricata/fast.log
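Tailing fast.log shows alerts one at a time; what you act on is which source keeps tripping which signature. The script below is an added example, not part of this tutorial or of the Suricata project, that summarises a fast.log by (source address, signature ID) with a priority cut-off and a hit threshold. The log lines are constructed, the signature IDs are in the local 1000000+ range rather than IDs from any real ruleset, and the default thresholds are assumptions; point it at /var/log/suricata/fast.log to use it on a live sensor.

```shell
#!/bin/sh
# Added example (not from the tutorial): triage a Suricata fast.log by
# (source address, signature) instead of reading alerts one by one.
set -eu

# Write a constructed fast.log sample to a temp file and print its path.
# The format is the one Suricata's "fast" output produces:
#   timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {proto} src:port -> dst:port
# Signature IDs are in the local 1000000+ range, not IDs from a real ruleset.
write_sample_fast_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
02/21/2024-10:15:32.101234  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:44312 -> 192.168.1.10:22
02/21/2024-10:15:33.201234  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:44313 -> 192.168.1.10:22
02/21/2024-10:15:34.301234  [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:44314 -> 192.168.1.10:22
02/21/2024-10:16:01.401234  [**] [1:1000002:1] LOCAL stream anomaly [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.4:51000 -> 192.168.1.10:443
02/21/2024-10:16:05.501234  [**] [1:1000003:1] LOCAL web SQL injection pattern [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.4:51002 -> 192.168.1.10:80
02/21/2024-10:16:09.601234  [**] [1:1000002:1] LOCAL stream anomaly [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 2001:db8::5:40000 -> 192.168.1.10:443
EOF
    echo "$f"
}

# Print "src_ip gid:sid:rev hits" for every (source, signature) pair with
# priority <= $2 (default 2: high and medium) that fired >= $3 times (default 3).
triage_fast_log() {
    logfile=$1; maxpri=${2:-2}; minhits=${3:-3}
    awk -v maxpri="$maxpri" -v minhits="$minhits" '
        {
            pri = ""; src = ""
            sid = $3; gsub(/\[|\]/, "", sid)        # "[1:1000001:1]" -> "1:1000001:1"
            for (i = 1; i < NF; i++) {
                if ($i == "[Priority:") { pri = $(i + 1); sub(/\]/, "", pri) }
                # the token after "{TCP}" / "{UDP}" / "{ICMP}" is src:port; drop the port
                # (works for IPv6 too, since only the trailing :port is removed)
                if (substr($i, 1, 1) == "{" && substr($i, length($i), 1) == "}") {
                    src = $(i + 1); sub(/:[0-9]+$/, "", src)
                }
            }
            if (src != "" && pri != "" && pri + 0 <= maxpri) hits[src " " sid]++
        }
        END { for (k in hits) if (hits[k] >= minhits) print k, hits[k] }
    ' "$logfile" | LC_ALL=C sort
}

# Distinct source addresses from triage_fast_log, one per line: the
# candidates for a firewall block or an analyst's attention.
alert_sources() {
    triage_fast_log "$@" | awk '{ print $1 }' | LC_ALL=C sort -u
}

sample=$(write_sample_fast_log)
echo "source signature hits (priority <= 2, at least 3 hits):"
triage_fast_log "$sample"
echo "sources to review:"
alert_sources "$sample"
rm -f "$sample"
```

With the defaults the one source that tripped a priority-1 signature three times is reported; lowering the thresholds (`triage_fast_log fast.log 3 1`) lists everything, which is useful when tuning rules but not when deciding what to block.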

Part02-Snort Configuration

2.1 Installing and configuring Snort

# Install Snort. Snort is not in the stock RHEL/Fedora repositories (packages come
# from snort.org); the snort.conf syntax below is for Snort 2.9.x, Snort 3 uses snort.lua.
$ sudo dnf install -y snort

# Configure Snort
$ sudo tee /etc/snort/snort.conf << 'EOF'
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
config logdir: /var/log/snort
config daq: afpacket
# passive = sniff one interface, matching "-i eth0" below. The original used
# read-inline, which with afpacket requires a bridged interface pair ("-i eth0:eth1" with -Q).
config daq_mode: passive
output alert_fast: alert.fast
# classification.config and reference.config must exist under RULE_PATH
# (copy them from the etc/ directory of the Snort distribution)
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
include $RULE_PATH/local.rules
EOF

# Create the rule directory
$ sudo mkdir -p /etc/snort/rules

# Create custom rules. These fire on every packet to the given port, so they are
# very noisy: useful to confirm the sensor sees traffic, not as production detections.
$ sudo tee /etc/snort/rules/local.rules << 'EOF'
alert tcp any any -> $HOME_NET 22 (msg:"SSH Connection Attempt"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Connection Attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 443 (msg:"HTTPS Connection Attempt"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Packet Detected"; sid:1000004; rev:1;)
EOF

# Test the configuration
$ sudo snort -T -c /etc/snort/snort.conf

# Start Snort (fast alert format, on eth0, daemonized)
$ sudo snort -A fast -c /etc/snort/snort.conf -i eth0 -D

# Watch alerts
$ sudo tail -f /var/log/snort/alert.fast

Part03-OSSEC Configuration

3.1 Installing and configuring OSSEC

# Install OSSEC (the ossec-hids-server package is not in the stock repositories;
# it is provided by third-party repositories such as Atomicorp's, or build from source)
$ sudo dnf install -y ossec-hids-server

# Configure OSSEC. The XML element names were lost from the original page and are
# restored here from the standard ossec.conf layout; the values are the page's own
# (the syscheck frequency read 36...00 with a site watermark in between, i.e. 3600).
$ sudo tee /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@fgedu.net.cn</email_to>
    <smtp_server>smtp.fgedu.net.cn</smtp_server>
    <email_from>ossec@fgedu.net.cn</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>sshd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>apache_rules.xml</include>
  </rules>

  <syscheck>
    <!-- file integrity scan interval, in seconds -->
    <frequency>3600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>
</ossec_config>
EOF

# Start OSSEC
$ sudo /var/ossec/bin/ossec-control start

# Watch alerts
$ sudo tail -f /var/ossec/logs/alerts/alerts.log

Part04-Active Defence

4.1 Configuring active defence

# Create the active-defence script. It runs from cron as root (see below) and
# blocks, via firewalld, the source with the most failed SSH logins once it
# passes a threshold.
$ sudo tee /usr/local/bin/active-defense.sh << 'EOF'
#!/bin/bash
LOG_FILE="/var/log/active-defense.log"
BLOCK_LIST="/etc/firewall/blocked-ips.txt"

log() {
    echo "$(date): $1" >> "$LOG_FILE"
}

# Only dotted-quad IPv4 addresses may reach firewall-cmd; anything else
# (an empty string, a username that landed in the wrong field) is refused.
is_ipv4() {
    [[ $1 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
}

block_ip() {
    local ip=$1
    is_ipv4 "$ip" || { log "Refusing to block invalid address '$ip'"; return 1; }
    # -Fx: exact whole-line match, so 10.0.0.1 does not match 10.0.0.10
    if ! grep -qFx "$ip" "$BLOCK_LIST"; then
        echo "$ip" >> "$BLOCK_LIST"
        firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='$ip' reject"
        firewall-cmd --reload
        log "Blocked IP: $ip"
    fi
}

unblock_ip() {
    local ip=$1
    if grep -qFx "$ip" "$BLOCK_LIST"; then
        # exact-line removal; "sed /$ip/d" would treat the dots as wildcards
        { grep -vFx "$ip" "$BLOCK_LIST" || true; } > "$BLOCK_LIST.tmp" && mv "$BLOCK_LIST.tmp" "$BLOCK_LIST"
        firewall-cmd --permanent --remove-rich-rule="rule family='ipv4' source address='$ip' reject"
        firewall-cmd --reload
        log "Unblocked IP: $ip"
    fi
}

detect_attack() {
    # Take the source address from "from <ip> port" rather than a fixed field:
    # for "Failed password for invalid user X from <ip>" the address is field 13,
    # not 11, so awk '{print $11}' would return the username.
    local failed_logins count ip
    failed_logins=$(grep "Failed password" /var/log/secure | tail -100 \
        | sed -nE 's/.* from ([0-9.]+) port [0-9]+.*/\1/p' \
        | sort | uniq -c | sort -nr | head -1)
    count=$(echo "$failed_logins" | awk '{print $1}')
    ip=$(echo "$failed_logins" | awk '{print $2}')

    if [ -n "$count" ] && [ "$count" -gt 10 ]; then
        block_ip "$ip"
        log "Detected brute force attack from $ip with $count failed attempts"
    fi
}

detect_scan() {
    # ss prints the state as TIME-WAIT (netstat writes TIME_WAIT), so the original
    # pattern never matched. TIME-WAIT sockets are connections this host has already
    # closed, so the count rises with ordinary traffic as well as scans: log only.
    local scan_attempts
    scan_attempts=$(ss -tunap | grep -c TIME-WAIT)

    if [ "$scan_attempts" -gt 100 ]; then
        log "Detected possible port scan with $scan_attempts connections"
    fi
}

main() {
    mkdir -p /etc/firewall
    touch "$BLOCK_LIST"

    detect_attack
    detect_scan
}

main
EOF

$ sudo chmod +x /usr/local/bin/active-defense.sh

# Create the cron job (every 5 minutes, as root)
$ sudo tee /etc/cron.d/active-defense << 'EOF'
*/5 * * * * root /usr/local/bin/active-defense.sh
EOF
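The detection in active-defense.sh depends on field positions and substring matches, and it will happily lock out an administrator. The script below is an added example (not the tutorial's code) of the hardened form a practitioner would want: it anchors the address on "from <ip> port" so both message variants count towards the same source, validates it as a dotted-quad IPv4 before it is spliced into a firewalld rich rule, skips an allow list of admin ranges, and with DRY_RUN=1 (the default; DRY_RUN, THRESHOLD and ALLOW_PATTERNS are assumed variables) prints the firewall-cmd calls instead of running them. The sshd log lines are constructed.

```shell
#!/bin/sh
# Added example (not the tutorial's code): hardened brute-force detection and
# blocking, run against constructed sshd log lines. Nothing on the host is
# changed unless DRY_RUN=0.
set -eu
set -f   # no pathname expansion: ALLOW_PATTERNS are shell globs, not file names

THRESHOLD=${THRESHOLD:-10}                                   # failures per source before blocking (assumed)
ALLOW_PATTERNS=${ALLOW_PATTERNS:-"127.0.0.1 192.168.1.*"}    # admin ranges that are never blocked (assumed)
DRY_RUN=${DRY_RUN:-1}                                        # 1 = print firewall-cmd calls instead of running them

# Write a constructed /var/log/secure extract to a temp file and print its path.
write_sample_log() {
    f=$(mktemp)
    for i in $(seq 1 11); do
        printf 'Feb 21 10:15:%02d host sshd[23%02d]: Failed password for root from 203.0.113.7 port 443%02d ssh2\n' "$i" "$i" "$i"
    done >> "$f"
    # "invalid user" shifts the address to field 13; awk '{print $11}' would return "admin"
    printf 'Feb 21 10:16:02 host sshd[2320]: Failed password for invalid user admin from 203.0.113.7 port 44320 ssh2\n' >> "$f"
    for i in $(seq 1 13); do
        printf 'Feb 21 10:17:%02d host sshd[24%02d]: Failed password for alice from 192.168.1.55 port 500%02d ssh2\n' "$i" "$i" "$i"
    done >> "$f"
    printf 'Feb 21 10:18:00 host sshd[2500]: Failed password for bob from 198.51.100.4 port 60000 ssh2\n' >> "$f"
    printf 'Feb 21 10:18:01 host sshd[2501]: Failed password for bob from 198.51.100.4 port 60001 ssh2\n' >> "$f"
    printf 'Feb 21 10:18:30 host sshd[2502]: Accepted password for bob from 198.51.100.4 port 60002 ssh2\n' >> "$f"
    echo "$f"
}

# "count ip" per source with failed password attempts, highest count first.
# The address is taken from "from <ip> port", which is stable across the
# "for <user>" and "for invalid user <user>" variants of the message.
failed_login_sources() {
    sed -nE 's/.*Failed password for .* from ([0-9A-Fa-f.:]+) port [0-9]+ .*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Failed attempts for one address (0 if none).
failed_login_count() {
    failed_login_sources "$1" | awk -v ip="$2" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# Accept only a dotted quad with each octet 0-255, so nothing else can be
# spliced into a firewall rule string.
valid_ipv4() {
    addr=$1
    case $addr in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if the address matches one of ALLOW_PATTERNS (shell glob patterns).
allow_listed() {
    for pat in $ALLOW_PATTERNS; do
        case $1 in $pat) return 0 ;; esac
    done
    return 1
}

# Sources at or above the threshold ($2, default THRESHOLD), minus
# allow-listed and malformed ones. Skips are reported on stderr.
brute_force_sources() {
    failed_login_sources "$1" | while read -r count src; do
        [ "$count" -ge "${2:-$THRESHOLD}" ] || continue
        if ! valid_ipv4 "$src"; then
            echo "skipping malformed address '$src'" >&2
        elif allow_listed "$src"; then
            echo "skipping allow-listed $src ($count failures)" >&2
        else
            echo "$src"
        fi
    done
}

# Run a command, or just print it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# Block one address with firewalld: a runtime rule for immediate effect plus a
# permanent copy, so no --reload (which discards runtime state) is needed.
block_ip() {
    valid_ipv4 "$1" || { echo "refusing to block '$1'" >&2; return 1; }
    rule="rule family=\"ipv4\" source address=\"$1\" reject"
    run_cmd firewall-cmd --add-rich-rule="$rule"
    run_cmd firewall-cmd --permanent --add-rich-rule="$rule"
}

sample=$(write_sample_log)
echo "failed logins per source:"
failed_login_sources "$sample"
for src in $(brute_force_sources "$sample"); do
    block_ip "$src"
done
rm -f "$sample"
```

On the sample, 203.0.113.7 is counted as 12 failures (11 for root plus the "invalid user" line) and blocked; 192.168.1.55 has more failures but matches the allow list and is only reported; 198.51.100.4 stays under the threshold. On a real host replace the sample with /var/log/secure (or `journalctl -u sshd -o cat`) and set DRY_RUN=0 once the output looks right.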

风哥's recommendations for intrusion prevention:
1. Deploy defence in depth (network sensors such as Suricata or Snort plus host-based monitoring such as OSSEC)
2. Update the rule sets regularly (suricata-update, Snort rules, OSSEC rules)
3. Configure active defence
4. Monitor system logs
5. Respond to alerts promptly

Compiled and published by 风哥教程 for learning and testing only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
