Capstone project: Iptables firewall and Snort
CAPSTONE PROJECT
Topic:
Building an intrusion detection and prevention system based on
the Iptables firewall and the Snort IPS
09C1020136
09C1020159
09C1020059
PREFACE
First of all, we sincerely thank Ho Chi Minh City University of Technology for the training and the valuable knowledge we received during our time at the university.
We thank our supervisor, Mr. Vn Thin Hong, for guiding us through this capstone project: for his direction, the knowledge he passed on, the materials he provided so that we could complete the project, and his enthusiasm and dedication.
We thank all the lecturers of the university and of the Faculty of Information Technology for training us, supporting us and giving us the useful knowledge we carry into the future.
We wish Mr. Vn Thin Hong and all the lecturers of the Faculty of Information Technology of Ho Chi Minh City University of Technology good health and much success in the teaching career they have chosen.
Phan Vn Th
Nguyn Quc Tin
Dng Quang Minh Huy
INTRODUCTION
1. Overview
Today the economy keeps globalising. To grow economically and to receive information in time, information technology is one of the indispensable industries. This is why IT has developed so quickly and brought practical benefits in many areas: economic, social, political, medical and military, from meetings inside organisations, agencies and companies to cross-border and intercontinental conferences (video conferencing).
The Internet plays an ever larger role in human activity, with an ever richer and more varied body of information. It is not only a place to look up the news of everyday life; it also links people across every geographical region. Distance has almost lost its meaning: people half a world apart can exchange information and share data as if they sat in the same office.
The Internet has also changed how businesses operate. Besides traditional commerce, businesses now have an additional, effective channel: electronic commerce. In recent years e-commerce has become an important part of social growth and development, bringing large benefits to businesses, pushing other industries to share information, and raising the efficiency of individual businesses and of the economy as a whole.
Precisely because the Internet carries so much information and is a shared bridge for the whole world, abuse is easy: information theft, interference with information, alteration of information, and so on. Together with technological progress, network security has therefore become an urgent need, in order to protect internal networks, resist intrusion attacks and make information exchange and transactions over the network safe. Because of the value IT delivers, malicious actors also exploit the same technology and cause no small amount of trouble for organisations, agencies and everyone who relies on IT in daily life.
Every technology has strengths and weaknesses. Attackers exploit weaknesses in systems to gain illegitimate access and extract important information: confidential and sensitive data, defence secrets and the like. We therefore need measures and methods to detect such unauthorised access. An intrusion detection and prevention technology that many organisations, agencies and businesses now deploy in their networks for this purpose is the Snort IPS.
Research on intrusion detection systems began formally about 32 years ago and its results are now applied widely in organisations and businesses around the world.
2. Project objective
Use IPS (Intrusion Prevention System) technology together with the Iptables firewall to prevent and automatically block attacks on the network, with filtered alerting provided by Snort inline.
The more IT infrastructure grows, the more important network development becomes, and within network development, network security is a critical concern. After more than ten years of development, network security in Vietnam has gradually received the attention it deserves. Until a comprehensive solution exists, every network has to build its own integrated IPS. In this thesis we study the structure of an IPS and go into detail on building a software IPS from open-source components that can be deployed in one's own network in place of expensive hardware IPS appliances. By combining the open-source programs Iptables and Snort inline we build a network monitoring system that can detect intrusions and defend against network attacks.
Chapter 1
1.1 Introduction
Common attack steps
Step 1: Reconnaissance, information gathering. The attacker collects information about the target: discovering hosts, IP addresses, network services and so on.
Step 2: Scanning. Using what was gathered in step one, the attacker looks for more information about vulnerabilities and weak points of the network. The usual tools for this stage are port scanners, IP scanners and vulnerability scanners.
Step 3: Intrusion. The vulnerabilities found in step two are exploited to break into the system. Techniques at this stage include buffer-overflow exploits; denial of service (DoS) attacks may also be launched here, although they disrupt a service rather than gain access to it.
Step 4: Maintaining access. Once inside, the attacker's next goal is to keep that access so the system can be exploited and re-entered later. Backdoors and trojans are typical techniques at this stage. Once the attacker controls the system they can damage it or steal information, and they can also use it to attack other systems, for example in a DDoS attack.
Step 5: Covering tracks. Having broken in and secured continued access, the attacker removes the evidence so that there is no legal proof of the intrusion: deleting log files and deleting the alerts raised by the intrusion detection system.
Ping of Death:
In this kind of DoS attack, one sends an oversized packet to the server through the ping command and the victim's system hangs. Example (Windows ping, 65000-byte payload):
ping -l 65000 <target>
This worked against 1990s IP stacks that mishandled reassembled datagrams larger than 65535 bytes; current operating systems reject such datagrams and are not affected.
DNS denial-of-service attack
The attacker alters an entry on the victim's Domain Name Server A so that it points to some website B under the attacker's control. When clients query server A to reach the website, they are sent to the page the attacker built instead. (Strictly this is DNS poisoning or hijacking rather than a denial of service, but the effect is that the legitimate site becomes unreachable.)
Countermeasures:
- Regularly apply patches and update the system.
- Run only the network services that are needed.
- Build an IDS/IPS.
- Deploy a firewall.
- Use anti-virus software.
- Enforce a password usage and management policy.
Several kinds of intrusion detection system exist today, distinguished by how they monitor and analyse. Each method has its own advantages and limitations. All of them, however, can be described through one general process model of an intrusion detection system.
1.3.1 Event-set recognition
This kind of system works on a predefined set of rules that describe attacks. All security-relevant events are fed into the audit and translated into if-then-else rules. Examples are Wisdom & Sense and Computer Watch (developed at AT&T).
1.3.2 Rule-based detection
Like the expert-system approach, this method relies on knowledge of attacks. The description of each attack is transformed into a suitable audit format, so that the signature of an attack can be found in the records. An attack scenario can be described, for example, as a sequence of audit events or as a data pattern that can be searched for in the audit data. The method works on abstract equivalents of the audit data, and detection is done by matching text strings against those patterns. It is a very powerful technique and is typically used in commercial products (for example Cisco Secure IDS and Emerald eXpert-BSM on Solaris).
1.3.3 User intention identification
This technique models the normal behaviour of users as a set of high-level tasks they may perform on the system (related to the user's role). Each task usually requires a number of activities, which are adjusted to fit the corresponding audit data. The analyser keeps a set of
1.4
Detection by self-learning: this technique has two phases. When first set up, the detection system runs in learning mode and builds a profile of how the network behaves under normal activity. After this initialisation period it switches to working mode, monitoring the network and detecting abnormal activity by comparison with the established profile. Learning mode may run alongside working mode to keep the profile up to date, but if an attack is detected, learning must stop until the attack is over; otherwise the attack traffic would be learned as normal.
Protocol anomaly detection: this technique relies on how protocols and system services are supposed to behave in order to find invalid packets and abnormal activity that indicate probing or attack. It is very effective at stopping the network and port scans attackers use to gather information.
Anomaly detection is very effective at detecting denial-of-service attacks. Its advantage is that it can detect new kinds of attack and supplies useful information that complements misuse (signature) detection; its disadvantage is that it tends to generate a large number of false alarms, which reduces the network's effective throughput. This approach will receive more research aimed at removing these drawbacks and lowering the false-alarm rate so that the system runs more accurately.
1.4.3 Response module
When there is a sign of attack or intrusion, the detection module signals the response module. The response module then either instructs the firewall to block the attack or alerts the administrator. If the module only raises alerts to administrators and stops there, the system is called a passive defence system. Depending on the system, the response module has different functions and blocking methods. Some blocking techniques are:
There are two main IPS architectures: out-of-band (passive) IPS and in-line IPS.
1.5.1 Out-of-band IPS
An out-of-band IPS does not sit directly in the data path. Traffic entering the network passes through the firewall while a copy goes to the IPS. The IPS inspects the incoming traffic, analyses it and detects signs of probing and attack. From this position the IPS can manage the firewall, instructing it to block suspicious activity, without affecting the network's throughput.
1.5.2 In-line IPS
The IPS is placed in front of the firewall, so traffic must pass through the IPS before it reaches the firewall. The main difference from the out-of-band design is that the IPS can itself drop traffic, so it stops dangerous traffic faster than an out-of-band IPS. The cost is that this position slows traffic entering and leaving the network.
1.6
1.6.1 Intrust
Supports a centralised management module
Supports alerting and intrusion detection
Packet logging
Comprehensive attack detection
Sophisticated output modules that provide comprehensive logging
User support through mailing lists and by email
1.6.4 Cisco IDS
This solution comes from Cisco, and with it one gets the quality, feel and established reputation of that vendor. Its features are:
Accurate detection that markedly reduces false alarms
Business-grade upgrade paths, like other Cisco products
Real-time intrusion detection, reporting and blocking of unauthorised actions
Pattern analysis for detection performed at several different levels
High network throughput
Dynamic router access-list management that adapts promptly to the intruder's behaviour
Centralised GUI management
Remote management
Event notification by email
1.6.5 Dragon
A comprehensive solution for business environments. The product is very versatile and meets the security requirements of a business network. It supports NIDS, host management, event management and attack auditing. It is a complete IDS solution, well designed with integrated auditing; its weak point is its price. Dragon's features are:
Supports both NIDS and HIDS
Runs on a range of platforms: Windows, Linux, Solaris and AIX
Modular and extensible
Centralised management auditing
Comprehensive analysis and reporting
High compatibility with business technical specifications
Effective security auditing, integrating with switches, firewalls and routers
Report compilation management
A reliable signature update cycle
Chapter 2
2.1
2.2 Packet filtering
2.2.2 Application-proxy firewall
2.3
Table (queue)   Function                      Chain         Description
filter          Packet filtering              INPUT         Filters packets addressed to the firewall itself
                                              OUTPUT        Filters packets leaving the firewall
                                              FORWARD       Filters packets routed to other servers connected on the firewall's other interfaces
nat             Network Address Translation   PREROUTING    Rewrites the destination address (DNAT) so the packet fits the firewall's routing table
                                              POSTROUTING   Rewrites the source address (SNAT) after routing
                                              OUTPUT        NAT for packets generated locally by the firewall
mangle          Packet modification           PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD   Alters packet header fields
Table 2-1: Functions of the iptables tables (queues) and chains
Mangle table: responsible for changing quality-of-service related fields: TOS (type of service) and TTL (time to live) in the IP header, and the kernel-internal packet MARK. (These are IP-header fields and a kernel mark, not part of the TCP header.)
Switch                  Description
-t <table>              Select the table to operate on (filter, nat or mangle; filter is the default)
-s <address>            Specify the source address
-d <address>            Specify the destination address
-i <interface-name>     Specify the input interface on which the packet is received
-o <interface-name>     Specify the output interface through which the packet leaves
Table 2-2: iptables command switches
2.4
Description
Built into the INPUT chain of the iptables filter table
Built into the OUTPUT chain of the iptables filter table
A separate input chain that handles specific protocols and hands packets to protocol-specific chains
A separate output chain that handles specific protocols and hands packets to protocol-specific chains
A separate output chain for the ICMP protocol
Table 2-3: List of chains (queues)
2.4.3
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
This rule (RH-Firewall-1-INPUT is the default chain of the CentOS/Red Hat firewall script) allows anyone outside to open connections to port 443, the HTTPS service.
2.5
The syslog protocol is the standard way of delivering notification messages on a network. It is defined in RFC 3164 and uses UDP port 514. UDP gives syslog the advantage of being connectionless (it needs few resources), but for the same reason delivery is unreliable and messages are sometimes lost. To improve on this, many devices support syslog over TCP so that messages are not lost.
Facility codes (RFC 3164, Table 1):
Logging code   Facility
0              kernel messages
1              user-level messages
2              mail system
3              system daemons
4              security/authorization messages
5              messages generated internally by syslogd
6              line printer subsystem
7              network news subsystem
8              UUCP subsystem
9              clock daemon
10             security/authorization messages
11             FTP daemon
12             NTP subsystem
13             log audit
14             log alert
15             clock daemon
16-23          local use 0-7 (local0 to local7)
The PRI value in angle brackets at the start of a message is facility * 8 + severity, with severities 0 (emergency) to 7 (debug).
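The PRI arithmetic above is easy to get wrong when reading Snort's syslog output, so here is an added example (not code from the thesis or from Snort) that encodes and decodes the RFC 3164 PRI field and parses the PRI off raw syslog lines. The sample lines are constructed: the first is the example message from RFC 3164 itself, the second imitates what Snort's alert_syslog output (LOG_AUTH, LOG_ALERT) looks like, and the third has no PRI at all, the case where a relay must assume <13>.

```python
"""Encode and decode the syslog PRI field defined in RFC 3164.

Added example, not code from the thesis: PRI = facility * 8 + severity, and
a message that lacks a valid PRI is treated as <13> (user.notice), as the
RFC instructs relays to do. Sample messages are constructed here.
"""
import re

# Facility codes from RFC 3164, Table 1 (short names are the usual ones).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity codes from RFC 3164, Table 2.
SEVERITIES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}

PRI_RE = re.compile(r"^<(\d{1,3})>")
DEFAULT_PRI = 13  # user.notice, RFC 3164 section 4.3.3


def encode_pri(facility: int, severity: int) -> int:
    """Build the PRI value a sender puts between angle brackets."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return pri // 8, pri % 8


def parse_syslog(line: str) -> dict:
    """Parse the PRI of one raw syslog line; the rest is kept as text."""
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), line[m.end():]
    else:
        pri, body = DEFAULT_PRI, line  # no valid PRI: relay assumes <13>
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "message": body,
    }


# Constructed sample lines (see the lead-in for what each imitates).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<33>Dec  3 16:32:01 fw snort[2154]: [1:1000004:1] ssh connection attempt "
    "{TCP} 10.0.0.5:40000 -> 192.168.0.38:22",
    "Dec  3 16:32:05 fw kernel: eth0: link up",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_syslog(line)
        print(f"{rec['facility']}.{rec['severity']:<8} {rec['message'][:60]}")
```

When you forward Snort alerts to a central collector, check the decoded facility against what the collector filters on: a collector that only keeps local0 to local7 will silently drop Snort's default auth.alert messages.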
2.6
Snort inline is mainly a rule-based IPS, although preprocessor plug-ins also exist that detect anomalies in protocol headers. Snort uses rules stored in text files that the administrator can edit. Rules are grouped by type, and the rules of each type are kept in separate files. The main configuration file of Snort inline is snort.conf. Snort inline reads the rules at start-up and builds the data structures used to match them against captured traffic. Choosing signatures and turning them into rules requires care: the more rules are loaded, the more processing capacity is needed to keep up with real traffic. Snort inline ships with a predefined rule set for detecting intrusive activity. The rule language is open, so network administrators can write new rules and add their own, and can also remove some of the predefined rules to avoid false alarms.
Main characteristics of Snort inline:
- Runs on many platforms: Linux, OpenBSD, FreeBSD, Solaris, Windows, and others.
- Detects a large number of probe and intrusion types, such as buffer overflows, CGI attacks, operating-system fingerprinting, ICMP probes and viruses.
- Detects intrusions quickly, in real time.
- Gives the administrator the information needed to handle an incident after an intrusion.
- Lets the administrator define new intrusion signatures easily.
- Is open-source software with no licence cost.
2.7.3 Operating modes
+ Packet logger mode: -b writes captured packets in binary (tcpdump) format into the directory given by -l; -L names the file (Snort appends a timestamp to it):
snort -b -l /usr/local/log/snort -L temp.log
Once packets have been captured, the file can be read back with the -r option, and the display is the same as in sniffer mode:
snort -r /usr/local/log/snort/temp.log.<timestamp>
+ NIDS mode: Snort detects intrusions mainly through the rule set the administrator defines in snort.conf. Most intrusive behaviour has some signature; information about these signatures is used to write Snort rules. Signatures may lie in packet headers, and Snort rules can inspect many parts of a packet to find them.
To start this mode, use:
snort -dve -l /usr/local/log -h 192.168.0.0/24 -c snort.conf
Here -d dumps the application-layer data, -e the link-layer headers and -v prints every packet to the console; -v slows Snort considerably, so drop it for anything other than a test.
2.8
2.8.1 Packet sniffer
2.8.2 Preprocessor
2.8.3
After packets have passed through the preprocessors they are handed to the detection engine. If a packet matches any rule, it is passed to the alert processor.
The detection engine and the rule sets account for a large part of what one must know to understand Snort. Snort has its own syntax for rules, which can refer to the network protocol, payload content, length, header fields and many other elements, including the characteristics of buffer-overflow attempts.
Snort uses rules to detect intrusions on the network. Consider the following rule:
alert tcp !192.168.0.0/24 any -> any any (flags: SF; msg:"SYN-FIN Scan";)
A rule has two parts: the header and the options.
Header: alert tcp !192.168.0.0/24 any -> any any
Options: (flags: SF; msg:"SYN-FIN Scan";)
The header is the part that changes least among rules written for the same kind of detection, and the options are the part most often modified.
For example, suppose there are 60 rules written for CGI-BIN probes. These rules share the same source IP, destination IP, source port and destination port, that is, the same header. Each packet is compared against the rules in turn until the first matching one is found, and the corresponding action is taken.
2.8.4
Alerting formats:
- Write alerts to syslog
Structure of a rule
alert tcp any any -> 192.168.0.0/24 80 (content:"/cgi-bin/phf"; msg:"PHF probe";)
This rule detects accesses to the PHF service on a web server; an alert is generated and the whole packet is logged.
IP address ranges in rules are written in CIDR block notation. Ports can be given individually or as a range, with the first and last port separated by a colon:
alert tcp any any -> 192.168.0.0/24 6000:6010 (msg:"X traffic";)
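To make the header/option split, CIDR negation, port ranges and the first-match ordering described above concrete, here is an added example (not Snort's code and not part of the thesis) that parses the three rules shown in this section and matches them against constructed packets. It models only what the text discusses: protocol, addresses, ports, direction, the flags option (exact set of TCP flags) and a plain content match. Real Snort evaluates all candidate rules and orders the resulting events through its event queue rather than stopping at the first hit, and its option language is far larger; first_match() implements the simplified first-match behaviour the text describes.

```python
"""Parse Snort rule headers and options and match them against packets.

Added example, not Snort's own code: shows the header/option split, CIDR
negation (!), port ranges (lo:hi) and first-match ordering. Packets and
rules below are constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP flag letters, e.g. "S", "SF", "PA"
    payload: bytes = b""


def parse_options(text: str) -> dict:
    """Split 'key: value; key2;' into a dict (values lose surrounding quotes)."""
    opts = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"') if sep else None
    return opts


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    g = m.groupdict()
    return Rule(g["action"], g["proto"], g["src"], g["sport"], g["dir"],
                g["dst"], g["dport"], parse_options(g["opts"]))


def _ip_ok(spec: str, ip: str) -> bool:
    """'any', a CIDR block, or a negated (!) CIDR block."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _port_ok(spec: str, port: int) -> bool:
    """'any', a single port, a lo:hi range (open ends allowed), or negated."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def _endpoints_ok(rule: Rule, pkt: Packet) -> bool:
    fwd = (_ip_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
           and _ip_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))
    if rule.direction == "<>" and not fwd:  # bidirectional: try the reverse
        return (_ip_ok(rule.src, pkt.dst) and _port_ok(rule.sport, pkt.dport)
                and _ip_ok(rule.dst, pkt.src) and _port_ok(rule.dport, pkt.sport))
    return fwd


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not _endpoints_ok(rule, pkt):
        return False
    flags = rule.options.get("flags")
    if flags is not None and set(flags) != set(pkt.flags):
        return False  # flags:SF means exactly SYN and FIN set
    content = rule.options.get("content")
    if content is not None and content.encode() not in pkt.payload:
        return False
    return True


def first_match(rules, pkt: Packet):
    """First-match semantics as described in the text; None if no rule hits."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


RULES = [parse_rule(r) for r in (
    'alert tcp !192.168.0.0/24 any -> any any (flags: SF; msg:"SYN-FIN Scan";)',
    'alert tcp any any -> 192.168.0.0/24 6000:6010 (msg:"X traffic";)',
    'alert tcp any any -> 192.168.0.0/24 80 (content:"/cgi-bin/phf"; msg:"PHF probe";)',
)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.0.0.5", 40000, "192.168.0.10", 22, flags="SF"),
                Packet("tcp", "10.0.0.5", 40000, "192.168.0.10", 6005, flags="S")):
        hit = first_match(RULES, pkt)
        print(pkt.src, "->", pkt.dst, pkt.dport, "=>", hit.options["msg"] if hit else "no alert")
```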
Chapter 3
3.1 Experiment description
Agencies, companies and corporations apply information technology more and more. As they grow, so does the number of computers, routers and servers. Computer systems are deployed to fit the purpose of each organisation, and the resulting networks are very complex and demand advanced security techniques and technologies. Which techniques are used depends on the needs of each organisation, but two basic components that any network uses are a firewall and an intrusion detection system (IDS).
The experimental model reproduces a network topology that is used in practice, in order to analyse and evaluate the behaviour of a computer network, the operation of the firewall and IPS, and the detection and blocking capability of the IPS and the firewall. Better infrastructure and more powerful hardware give the system more processing capacity.
Simulating the model requires the software that makes up the system: a firewall, virtual machines, an IPS, and VMware to host the virtual machines. VMware is installed on a physical Windows 7 host, and inside it two CentOS virtual machines are built: one acting as firewall and IPS, the other hosting the web server and FTP server. The host needs at least 2 GB of RAM; more is better.
In this model an attacker coming from outside must first pass through the firewall and the IPS that analyses the packets. The more serious and more dangerous case is an attacker inside the network. With this system we carry out simulated attacks from outside against the firewall and IPS; the results are presented in turn below.
3.2
3.3
3.3.1
Iptables configuration:
Iptables can be configured in two ways: with the iptables command, or by editing /etc/sysconfig/iptables. The following configuration blocks SSH, ping and HTTP access. The policy lines and the COMMIT terminators are required by the /etc/sysconfig/iptables (iptables-restore) format; with ACCEPT policies everything not listed is allowed, so this is a blacklist rule set.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp --icmp-type any -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DROP
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 80 -j DROP
-A FORWARD -s 0/0 -i eth0 -d 192.168.211.131 -o eth1 -p tcp --sport 1024:65535 --dport 22 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.0.38 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.211.131:80
-A PREROUTING -d 192.168.0.38 -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.211.131:22
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.38
COMMIT
The PREROUTING rules forward ports 80 and 22 of the firewall's external address 192.168.0.38 to the internal server 192.168.211.131; because the FORWARD rules then drop that traffic, the translated connections never reach the server, which is the behaviour tested in 3.4.2.
3.3.3 Installing and configuring Snort
# ln -s /usr/local/bin/snort /usr/sbin/snort
# cd /etc/snort/so_rules/precompiled/CentOS-5.0/i386/2.8.5.3
# cp * /usr/local/lib/snort_dynamicrules/
Configuring Snort
Edit the configuration file /etc/snort/snort.conf (the keyword is lowercase var):
var HOME_NET 192.168.0.0/24
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
Local rules used in the experiment:
alert tcp any any -> 192.168.0.0/24 any (flags:SF; msg:"SYN-FIN scan detected"; sid:1000002;)
alert tcp any any -> 192.168.0.0/24 any (flags:A; ack:0; msg:"TCP ping detected"; sid:1000003;)
alert tcp any any -> any 22 (msg:"ssh connection attempt"; sid:1000004;)
The first rule needs flags:SF, otherwise it fires on every TCP packet to HOME_NET; the second must be a tcp rule, since flags and ack are TCP options and Snort rejects them on an icmp rule.
Start Snort as a daemon (-D), quietly (-q), dropping privileges to the snort user and group:
/usr/local/bin/snort -Dq -u snort -g snort -c /etc/snort/snort.conf
Check that Snort is running and writing logs:
# cd /var/log/snort
# ls -l
total 12144
-rw------- 1 root root 6205014 Dec 3 16:32 snort.alert
-rw------- 1 root root 6205014 Dec 3 16:32 snort.log
Installing Barnyard
Barnyard is an application that offloads the writing of logs and alerts from Snort, so that Snort can spend its resources on detection.
# wget http://snort.org/dl/barnyard2-1.8.tar.gz
# cd /usr/local/
# tar zxvf /Download/barnyard2-1.8.tar.gz
# cd barnyard2-1.8/
# ./configure --with-mysql
# make && make install
# cd etc/
# cp barnyard.conf /etc/snort
3.3.4
3.3.5
# vi /etc/snort/snort.conf
- Restart Snort and check whether Snort and Barnyard2 are writing events into the database:
# mysql -usnort -p"123456" -D snort -e "select count(*) from event"
count(*)
280278
Download ADODB from http://nchc.dl.sourceforge.net/sourceforge/adodb/
# cd /var/www/html/
# tar zxvf /Download/adodb4991.tgz
3.3.6
Snort alert
# cd /var/www/html
# tar zxvf /Download/base-1.4.5.tar.gz
# mv base-1.4.5 base
# chmod 777 base
chmod 777 makes the BASE directory world-writable; on anything but a throwaway lab host give it to the web server user instead (chown -R apache:apache base; chmod -R 750 base).
# cd base
# cp base_conf.php.dist base_conf.php
Configure BASE:
# vi base_conf.php
Edit the following lines:
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb';
$alert_dbname = 'snort';
$alert_password = '123456';
$archive_exists = 1; # set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_user = 'snort';
$archive_password = '123456';
$external_whois_link = 'index.php';
$external_dns_link = 'index.php';
$external_all_link = 'index.php';
After Snort has checked everything it needs in order to run, the following line appears:
Not Using PCAP_FRAMES
Snort is now running and records everything it detects that looks suspicious.
To stop Snort, press Ctrl+C.
3.4
3.4.1
+ IP address: 192.168.0.38/24
+ Netmask: 255.255.255.0
+ Network: 192.168.0.0/24
+ Broadcast: 192.168.0.255
+ Gateway: 192.168.0.254
- Installed software:
+ Iptables
+ Snort 2.8.5.3
+ MySQL Server
+ PHP
+ Barnyard2
+ Basic Analysis and Security Engine (BASE) 1.4.5
3.4.2
/var/log/snort/
SSH test: from another machine with PuTTY installed, try an SSH connection, or from a command prompt run telnet 192.168.0.38 22:
C:\> telnet 192.168.0.38 22
Connecting To 192.168.0.38...Could not open connection to the host, on port 22: Connect failed
Figure 3-18: Snort detects an Nmap port scan and an SSH access attempt
This feature is particularly useful: it lets the IDS administrator review the complete packet that produced an alert, which makes tuning the rules more precise.
Graph Alert Detection Time
On the main page, click "Graph Alert Detection Time" to see a chart of alert frequency by hour, day or month.
This chart is very useful for spotting unusual periods, which helps the administrator focus on what matters.
The chart below shows detected intrusions by day and hour.
3.5
When the IDS detects someone flooding the system with pings, the administrator checks the IDS host, where every event is detected and recorded, and sees that an attacker is flooding the system. The administrator is then responsible for creating a firewall rule that limits the attacker's access to the system.
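The step from "the IDS recorded it" to "the firewall blocks it" is the response module described in 1.4.3, and the conclusion notes it was left manual. The following added example (not part of the thesis and not a Snort component) automates it: it reads Snort fast-format alert lines, counts alerts per external source address, skips HOME_NET so a misfiring rule can never lock out the internal network, and builds iptables DROP rules for both INPUT (traffic to the firewall) and FORWARD (traffic DNATed through it). The alert lines are constructed to look like Snort 2.x fast output for the local rules used above; by default the commands are only printed, and the HOME_NET value and the alert threshold are assumptions to adjust for a real deployment.

```python
"""Reaction module: derive iptables block rules from Snort fast-alert lines.

Added example, not part of the thesis or of Snort. Counts alerts per
external source address, ignores HOME_NET and emits iptables commands.
Nothing is executed unless dry_run=False is passed on the firewall host.
The sample alert lines are constructed in the Snort 2.x "fast" format.
"""
import ipaddress
import re
import subprocess
from collections import Counter

HOME_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed, as in snort.conf

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alert(line: str):
    """Return the fields of one fast-format alert, or None for other lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    return rec


def pick_offenders(lines, threshold=3, sids=None):
    """Source IPs outside HOME_NET with at least `threshold` matching alerts."""
    hits = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is None or (sids is not None and rec["sid"] not in sids):
            continue
        src = ipaddress.ip_address(rec["src"])
        if src in HOME_NET or src.is_loopback:
            continue  # never auto-block our own network
        hits[str(src)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def block_commands(ips):
    """iptables commands dropping each IP both to the firewall and through it."""
    cmds = []
    for ip in ips:
        for chain in ("INPUT", "FORWARD"):
            cmds.append(["iptables", "-I", chain, "-s", ip, "-j", "DROP"])
    return cmds


def react(lines, threshold=3, dry_run=True):
    """Compute and (optionally) apply the block rules; returns the commands."""
    cmds = block_commands(pick_offenders(lines, threshold))
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)  # needs root on the firewall host
    return cmds


# Constructed sample alerts: 10.0.0.5 scans and floods, 10.0.0.9 tries SSH
# once, 192.168.0.20 is an internal host that must never be blocked.
SAMPLE_ALERTS = [
    "12/03-16:31:58.100000  [**] [1:1000002:1] SYN-FIN scan detected [**] [Priority: 0] {TCP} 10.0.0.5:40000 -> 192.168.0.38:22",
    "12/03-16:31:58.200000  [**] [1:1000002:1] SYN-FIN scan detected [**] [Priority: 0] {TCP} 10.0.0.5:40001 -> 192.168.0.38:80",
    "12/03-16:31:59.000000  [**] [1:1000003:1] TCP ping detected [**] [Priority: 0] {TCP} 10.0.0.5:40002 -> 192.168.0.38:443",
    "12/03-16:32:01.000000  [**] [1:1000004:1] ssh connection attempt [**] [Priority: 0] {TCP} 10.0.0.9:51000 -> 192.168.0.38:22",
    "12/03-16:32:02.000000  [**] [1:1000004:1] ssh connection attempt [**] [Priority: 0] {TCP} 192.168.0.20:51001 -> 192.168.0.38:22",
    "12/03-16:32:03.000000  [**] [1:1000005:1] ICMP flood [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.0.38",
]

if __name__ == "__main__":
    react(SAMPLE_ALERTS, threshold=3)  # prints the iptables commands
```

Two design points matter in practice: the HOME_NET skip prevents a spoofed or misconfigured rule from blocking the internal network, and inserting into FORWARD as well as INPUT is needed because the port-forwarded traffic from 3.3.1 never traverses INPUT. Blocks added with -I are not persistent; use a dedicated chain and an expiry job rather than letting the list grow forever.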
CONCLUSION
What was achieved:
Through this thesis, within the limits of what could be done, we grasped the basic principles and operation of firewalls and IDS, and how to install and deploy the Iptables firewall and the Snort IDS. We deployed the firewall and IDS in a LAN and detected and recorded attacks.
What was not achieved:
Alongside the results, we also met many difficulties, which left some things undone:
Because our knowledge is still limited we could not carry out many attacks against the system; we did not really build a complete LAN; limits of time and money meant we could not build a real network; the add-on modules for the IDS were not completed; the system does not yet run in a coordinated way, the cooperation between the Iptables firewall and the Snort IDS is not tight, and alerts are not yet sent automatically to the administrator by email and SMS.
Future work:
Defensive techniques will keep developing, so the scope of this thesis should not stop at installing and operating a firewall and IDS at a basic level but grow further: for example, installing the FWSnort intrusion detection and prevention system, tuning the Snort and firewall rules so they work more flexibly and in step with each other, and making the best use of the whole system to block intrusions and attacks as effectively as possible. With further development the IDS could be integrated with the rest of the network so that, when an attack occurs, it automatically notifies the administrator by email and SMS and automatically selects an appropriate response to neutralise the attack.