Sunday, December 12, 2010

Linux secure log server

Environment: RedHat 7.3. More and more machines are going online, and there are more and more hackers out there.

How can I make sure a complete log is kept? Anyone with even a little idea of hacking knows that the first thing to do after getting into a system is to clean up the logs, and the simplest and most direct way to find an intrusion is to go to the records in the file system. So let us talk about how to set up a secure log server. Imagine that an intruder cannot connect to your log server at all: how then could he alter your logs? We will now learn how to set up a log server that has no IP address. We will use Snort to do three things: a stealth sniffer, a stealth NIDS probe and a stealth logger, all of which can run on a no-IP server. NIDS is short for Network Intrusion Detection Server, an intrusion detection server. Why stealth? Any service running on the Internet is in danger. Whether it is http, ftp or telnet, all of them give a hacker a chance to break in. The unique thing about a stealth logger is that it lets us receive information without sending any information out. So an external computer (the one the intruder is on) has no way to change the information the log server receives. That guarantees that our information is complete and original. To keep the log server secure, it is best not to connect it to the network at all. That is, when you need to check what the logger has recorded on the server, go to the machine and turn on the screen instead of logging in remotely. If you must connect it to the Internet, then use two interfaces, in other words two network cards, and note two things. First, be sure to turn off IP forwarding. Second, the network card that carries an IP address, the one not used as the stealth logger interface, must not be on the same network as the other network card. Setup: first, of course, make sure your network card is installed correctly and is detected by the kernel. Then write the module the card needs into the /etc/modules.conf file. Now let us set up the no-IP network interface.
Edit the file /etc/sysconfig/network-scripts/ifcfg-eth0:

    vim /etc/sysconfig/network-scripts/ifcfg-eth0

    DEVICE=eth0
    USERCTL=no
    ONBOOT=yes
    BOOTPROTO=
    BROADCAST=
    NETWORK=
    NETMASK=
    IPADDR=

Save the file, then use ifconfig to bring up our eth0 interface. For the stealth part we use the program Snort. If your computer does not have it, you can download it from www.snort.org. Now we run snort -dvi eth0. Here the -d option tells Snort to decode the packet payload, -v tells Snort to display the result on the screen, and -i specifies the interface to listen on. You can use the -C option to tell Snort to display only the ASCII part and omit the hexadecimal data.

    $ snort -dviC eth0
    Log directory = /var/log/snort
    Initializing Network Interface eth0
    kernel filter, protocol ALL, TURBO mode (63 frames), raw packet socket
    --== Initializing Snort ==--
    Decoding Ethernet on interface eth0
    --== Initialization Complete ==--
    -*> Snort! <*-
    Version 1.8.4 (Build 99)
    By Martin Roesch (roesch@sourcefire.com, www.snort.org)
    ...

NIDS (intrusion detection): intrusion detection itself is a very complex matter, and Snort provides powerful intrusion detection features. Here I only give a simple introduction so that we have the concept. To really build a NIDS takes more complex work, for example setting better rules and regularly updating the rules defined in snort.conf (when a new form of attack appears, update them in time).
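As an added example (not code from the original post), here is a small shell audit of the two rules above: the ifcfg file of the stealth interface must carry no address, and /proc/sys/net/ipv4/ip_forward must read 0. The file names and the sample address for the second card are assumed.

```shell
# Added example, not from the original post: audits the two requirements the post
# sets for a stealth logger, no IP on the sniffing NIC and IP forwarding turned off.

# ifcfg_is_stealth FILE: succeeds only if the ifcfg file describes a no-IP interface.
ifcfg_is_stealth() {
    f="$1"
    for key in IPADDR NETMASK NETWORK BROADCAST; do
        val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=//p" "$f" | tr -d '"[:space:]')
        if [ -n "$val" ]; then
            echo "FAIL: $f sets $key=$val, so the interface is reachable" >&2
            return 1
        fi
    done
    # DHCP would hand the "no-IP" card an address at boot.
    proto=$(sed -n 's/^[[:space:]]*BOOTPROTO[[:space:]]*=//p' "$f" | tr -d '"[:space:]')
    case "$proto" in
        dhcp|bootp) echo "FAIL: $f uses BOOTPROTO=$proto" >&2; return 1 ;;
    esac
    return 0
}

# ip_forward_is_off FILE: succeeds if the sysctl file (normally
# /proc/sys/net/ipv4/ip_forward) contains 0.
ip_forward_is_off() {
    [ "$(tr -d '[:space:]' < "$1")" = "0" ]
}

# Constructed sample files (assumed names and addresses) so the checks run without
# touching a real host; the real files live under /etc/sysconfig/network-scripts/.
tmp=$(mktemp -d)
cat > "$tmp/ifcfg-eth0" <<'EOF'
DEVICE=eth0
USERCTL=no
ONBOOT=yes
BOOTPROTO=
BROADCAST=
NETWORK=
NETMASK=
IPADDR=
EOF
cat > "$tmp/ifcfg-eth1" <<'EOF'
DEVICE=eth1
BOOTPROTO=static
IPADDR=192.0.2.10
NETMASK=255.255.255.0
EOF
printf '0\n' > "$tmp/ip_forward"
ifcfg_is_stealth "$tmp/ifcfg-eth0" && echo "eth0: stealth interface OK"
ifcfg_is_stealth "$tmp/ifcfg-eth1" || echo "eth1: routable, as expected for the admin NIC"
ip_forward_is_off "$tmp/ip_forward" && echo "IP forwarding: off"
```

On a real host, point the functions at the actual ifcfg file and at /proc/sys/net/ipv4/ip_forward instead of the constructed samples.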
