
CSRouter:


nano /etc/iptables-rules.sh
posem les regles a dintre

#les provem
/etc/iptables-rules.sh

per comprovar les regles
iptables -nvL
 ‌
-------------------------
.- Redirigir el trànsit que vingui de la WAN pel port 80 i 443 cap al servidor de la DMZ
#Tot el que arribi de l'exterior i vagi al port 80 o 443 el redirigim a la màquina de la DMZ
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 80 -j DNAT --to 10.0.6.2:80
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 443 -j DNAT --to 10.0.6.2:443
#Nota: el DNAT només reescriu la destinació del paquet; si la política de FORWARD no és ACCEPT, també cal una regla FORWARD que accepti el trànsit cap a 10.0.6.2 als ports 80 i 443 (i la resposta amb RELATED,ESTABLISHED).
 ‌
.- Utilitzant les iptables configurar el router perquè només es permetin les connexions en el port
22 des de la subxarxa de la LAN. Les altres connexions seran rebutjades.
#Comentar la línia següent que està al principi del fitxer
#iptables -P INPUT ACCEPT

#Només permetre l'accés ssh des de la LAN
#iptables -A INPUT -p tcp -s 10.0.6.0/24 --dport 22 -j ACCEPT
#Tanquem tots els accessos indesitjats des de qualsevol xarxa al port 22
#Nota: 0.0.0.0/0 significa: qualsevol xarxa
#iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j REJECT
#Nota: al fitxer aquestes dues regles han d'estar actives (sense #) i en aquest ordre: iptables aplica la primera regla que coincideix, així que l'ACCEPT de la LAN ha d'anar abans del REJECT general. Convé revisar quina subxarxa és la LAN: més avall el MASQUERADE i el HOME_NET de Snort fan servir 10.0.4.0/24, i 10.0.6.0/24 és la xarxa on hi ha el servidor de la DMZ (10.0.6.2); si la LAN és 10.0.4.0/24, amb -s 10.0.6.0/24 s'estaria permetent l'ssh des de la DMZ i no des de la LAN.
 ‌
.- configura els logs del iptables perquè cada vegada que es creï una connexió quedi registrada
en l'arxiu /var/log/iptables.log
#creem l'arxiu de logs
#Nota: perquè rsyslog tingui alguna cosa a filtrar, al fitxer de regles hi ha d'haver una regla LOG amb el mateix prefix que es busca a sota, per exemple:
#iptables -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "[IPTABLES]: "

#configurem el syslog
nano /etc/rsyslog.d/10-iptables.conf

:msg, contains, "[IPTABLES]: " -/var/log/iptables.log
& ~
#Nota: "& ~" descarta el missatge perquè no es repeteixi també a /var/log/syslog; a les versions recents de rsyslog la forma recomanada és "& stop".
 ‌
 ‌
.-
Securitzar el servei web del servidor de la DMZ

configurar el https
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.old
cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.old

a2enmod ssl
a2enmod headers
a2ensite default-ssl
 ‌
crear el certificat autosignat
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Girona
Locality Name (eg, city) []:Girona
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Institut Montilivi
Organizational Unit Name (eg, section) []:Informatica
Common Name (e.g. server FQDN or YOUR name) []:dmz.catskill.cat
Email Address []:ciber@catskill.cat
 ‌
nano /etc/apache2/sites-available/default-ssl.conf

<VirtualHost *:443>
 DocumentRoot /var/www/html

 SSLEngine on
 SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
 SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
 # Nota: amb el mòdul headers activat (a2enmod headers) aquí es pot afegir HSTS, p.ex. Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
 ‌
a2ensite default-ssl.conf

https://192.168.1.100/

nano /etc/apache2/apache2.conf
ServerName localhost

apache2ctl configtest
systemctl restart apache2
 ‌
.- redireccionar http a https
nano /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
 Redirect / https://192.168.1.100/
</VirtualHost>

apache2ctl configtest
systemctl restart apache2

http://192.168.1.100/
 ‌
.- OpenVPN

#
cp -r /usr/share/easy-rsa /etc/openvpn/

#Setup Certificate Authority
cd /etc/openvpn/easy-rsa

mkdir /etc/openvpn/server/pki

mv /etc/openvpn/easy-rsa/vars.example /etc/openvpn/easy-rsa/vars

#editar vars i afegir-hi les línies
nano /etc/openvpn/easy-rsa/vars

set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "ES"
set_var EASYRSA_REQ_PROVINCE "Girona"
set_var EASYRSA_REQ_CITY "Girona"
set_var EASYRSA_REQ_ORG "Catskill54 CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "catskill54@catskill.cat"
set_var EASYRSA_REQ_OU "catskill54 CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "catskill54 CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"
 ‌
#init pki
/etc/openvpn/easy-rsa/easyrsa init-pki
#posar yes si pregunta

#el directori PKI creat és: /etc/openvpn/easy-rsa/pki
#build the CA certificates
/etc/openvpn/easy-rsa/easyrsa build-ca
#posem la contrasenya de la CA
#Nota: la contrasenya de la CA no hauria de quedar escrita a les notes; qui la tingui pot signar certificats de client i de servidor vàlids per a aquesta VPN.

#si s'ha de tornar a esborrar la PKI posarem yes en executar /etc/openvpn/easy-rsa/easyrsa init-pki

#Generate Server Certificate Files
/etc/openvpn/easy-rsa/easyrsa gen-req catskillvpn-server nopass
posarem intro en Common Name (eg: your user, host, or server name) [catskillvpn-server]:

#anar repetint els passos anteriors si dóna errors

#Sign the Server Key Using CA
/etc/openvpn/easy-rsa/easyrsa sign-req server catskillvpn-server
#posar yes i la contrasenya de la CA

#verify the generated certificate file
openssl verify -CAfile pki/ca.crt pki/issued/catskillvpn-server.crt

#generate a strong Diffie-Hellman key to use for the key exchange
/etc/openvpn/easy-rsa/easyrsa gen-dh

#After creating all certificate files, copy them to the directory /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/private/catskillvpn-server.key /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/issued/catskillvpn-server.crt /etc/openvpn/server/
 ‌
#Generate Client Certificate and Key File
/etc/openvpn/easy-rsa/easyrsa gen-req client nopass
#posar intro

#sign the client key using your CA certificate
/etc/openvpn/easy-rsa/easyrsa sign-req client client
#posar yes
#posar la contrasenya de la CA

#copy all client certificate and key file to the directory /etc/openvpn/client/
mkdir /etc/openvpn/client/

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn/client/

#Configure OpenVPN Server
nano /etc/openvpn/server.conf
 ‌
#posar a dintre
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/catskillvpn-server.crt
key /etc/openvpn/server/catskillvpn-server.key
dh /etc/openvpn/server/dh.pem
server 10.0.8.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
#Nota: duplicate-cn permet que diversos clients es connectin alhora amb el mateix certificat; si cada usuari té el seu certificat no cal i és millor treure-ho.
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
#(la llista tls-cipher sortia retallada a la captura; s'ha completat amb la mateixa llista que hi ha al client.ovpn, que ha de coincidir)
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
 ‌
#Start OpenVPN Service
systemctl enable openvpn@server
systemctl start openvpn@server

#Comprovar l'estat del servei
systemctl status openvpn@server

# check the vpn network interface
ip a show tun0

#check log
tail -f /var/log/openvpn.log
 ‌
#Generate Client Configuration
nano /etc/openvpn/client/client.ovpn
client
dev tun
proto udp
remote 192.168.1.100 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
 ‌
#configurem el iptables
nano /etc/iptables-rules.sh

#openvpn
iptables -I FORWARD -i tun0 -o enp0s3 -s 10.0.4.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#el MASQUERADE ja està fet d'abans: iptables -t nat -I POSTROUTING -o enp0s3 -s 10.0.4.0/24 -j MASQUERADE
#Nota: la xarxa que reparteix el servidor OpenVPN és 10.0.8.0/24 (directiva "server" del server.conf); amb -s 10.0.4.0/24 la regla FORWARD per tun0 no coincidirà amb el trànsit dels clients VPN, i el MASQUERADE de 10.0.4.0/24 tampoc els cobreix. Cal revisar quina subxarxa s'ha de posar en aquestes regles.

#Tota la carpeta /etc/openvpn/client/ s'ha de passar al client
#al client s'ha d'instal·lar el programa OpenVPN Connect
i carregar l'arxiu client.ovpn
/etc/openvpn/client/
 ‌
.- IDS amb SNORT
Snort versió: 2.9.7.0

#Revisar configuració
nano /etc/snort/snort.conf

ipvar HOME_NET [10.0.4.0/24,10.0.6.0/24]

# List of ports you run web servers on
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,...]
#(la llista de ports sortia retallada a la captura original; cal mirar-la sencera al snort.conf)

# List of ports you want to look for SSH connections on:
portvar SSH_PORTS 22

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# site specific rules
include $RULE_PATH/local.rules

#per validar la configuració
snort -T -c /etc/snort/snort.conf

Les regles estan a /etc/snort/rules/local.rules

Les alertes estaran a /var/log/snort/alert
tail -f /var/log/snort/alert
 ‌
Hi ha regles fetes per fer alarma si es fan pings

nano /etc/snort/rules/local.rules
log icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"log ICMP Catskills test";sid:1000001;rev:001;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"alert ICMP 1";sid:1000002;rev:001;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"alert ICMP 2";sid:1000003;rev:001;)

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

#Per iniciar i que guardi les alertes de la interfície dmz i de la lan
snort -i enp0s8 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -A full

#per parar hauria de ser CTRL+C però no funciona, hem de fer-ho amb un kill del número que
ens hagi sortit
en executar el snort: ng packet processing (pid=5344)
kill -9 5344
 ‌
#Per detectar sqlinjection
https://www.hackingarticles.in/detect-sql-injection-attack-using-snort-ids/

nano /etc/snort/rules/local.rules

#Regla per detectar SQLinjection. Busquem cometes simples o dobles
alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "%27" ; sid:100000011;)
alert tcp any any -> any 80 (msg: "Error Based SQL Injection Detected"; content: "%22" ; sid:100000012;)
#(a la captura la segona regla tenia content "22"; la cometa doble codificada en URL és %22, igual que %27 és la cometa simple. Amb "22" sol la regla saltaria amb qualsevol paquet que contingui aquests dos dígits.)

#Regla per detectar SQLinjection. Busquem operadors
alert tcp any any -> any 80 (msg: "AND SQL Injection Detected"; content: "and" ; nocase; sid:100000060;)
alert tcp any any -> any 80 (msg: "OR SQL Injection Detected"; content: "or" ; nocase; sid:100000061;)
#Nota: "and" i "or" sense més context apareixen a gairebé qualsevol pàgina HTML o URL, així que aquestes regles generaran moltes alertes falses; són per a la pràctica, no per a producció.

#Regla per detectar SQLinjection. Busquem encode operadors
alert tcp any any -> any 80 (msg: "AND SQL Injection Detected"; content: "and" ; nocase; sid:100000008;)
alert tcp any any -> any 80 (msg: "OR SQL Injection Detected"; content: "or" ; nocase; sid:100000009;)
#Nota: aquestes dues regles són idèntiques a les dues anteriors (només canvia el sid), de manera que cada paquet que coincideixi generarà l'alerta dues vegades; si es volia buscar els operadors codificats, el content hauria de ser diferent.
 ‌
#Per‌‌provocar‌‌SQLInjection‌  ‌
DVWA‌  ‌
http://192.168.1.100/DVWA/‌  ‌
 ‌
Amb‌‌username‌‌i‌‌password‌  ‌
admin‌  ‌
password‌  ‌
 ‌
en‌‌http://192.168.1.100/DVWA/vulnerabilities/sqli/‌‌posar‌‌    ‌
 ‌
'‌‌or‌‌'1'='1'‌  ‌
 ‌
o‌‌bé‌‌altres‌  ‌
%'‌‌or‌‌'0'='0'‌  ‌
 ‌
%'‌‌or‌‌0=0‌‌union‌‌select‌‌null,‌‌version()‌‌# ‌ ‌
 ‌
%'‌‌or‌‌0=0‌‌union‌‌select‌‌null,‌‌user()‌  ‌
 ‌
#Regla per detectar connexions ftp port 21
alert tcp 192.168.x.x any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002; rev:1;)
#Nota: les cometes han de ser cometes rectes (") i no tipogràfiques, si no snort -T dóna error. El sid 1000002 ja està usat per la regla "alert ICMP 1" de més amunt; cada regla ha de tenir un sid únic.
 ‌
.- ProxyInvers
Es farà que el servidor de la DMZ redirigeixi cap a un servidor de la LAN

En el servidor de la LAN

En el servidor DMZ
a2enmod proxy proxy_http
#(a2enmod espera el nom del mòdul sense el prefix mod_; per fer ProxyPass cap a un backend http:// també cal proxy_http)

afegir una entrada al directori sites-available
nano /etc/apache2/sites-available/000-default.conf

a2ensite /etc/apache2/sites-available/000-default.conf

Afegir les entrades

ProxyPass /intranet http://IP_LAN/
ProxyPassReverse /intranet http://IP_LAN/


Per provar s'accedeix des de la WAN http://IP_WAN/intranet
