Offensive and defensive operations report

#1
Configure iptables on a Linux host (or a personal firewall on a Windows host) to implement the following functions, and test them:
(1) Do not allow other hosts on the network to use this machine's Telnet service;
(2) Allow only one specific IP address to access a given network service on the host (such as FTP, HTTP or SMB), while all other IP addresses cannot access it.
Host IP addresses:
Kali: 192.168.92.2
Linux Metasploitable: 192.168.92.5
SEED Ubuntu: 192.168.92.4

(1) Do not allow other hosts on the network to use this machine's Telnet service.
Entering telnet 192.168.92.4 on Kali shows that the SEED host can currently be reached.

On the SEED command line: sudo iptables -A INPUT -p tcp -j DROP

Now Kali can no longer telnet to SEED. (Note that this rule drops every incoming TCP packet, not only Telnet on port 23, so every other TCP service on SEED is blocked as well.)

Finally, run iptables -F and iptables -P INPUT ACCEPT to restore the previous state.

(2) Allow only one specific IP address to access a given network service on the host (such as FTP, HTTP or SMB), while all other IP addresses cannot access it.
Kali can currently connect to SEED with telnet.

On SEED enter (first elevate privileges with sudo su):
iptables -P INPUT DROP   # default policy: reject all incoming packets
iptables -A INPUT -p tcp -s 192.168.92.2 -j ACCEPT   # accept TCP packets from Kali

Now Kali can telnet to SEED, but Metasploitable cannot.

The rules are set successfully.
Finally, run iptables -F and iptables -P INPUT ACCEPT to restore the previous state.
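To see why the two rule sets above behave as described (and why the first one blocks more than Telnet), here is an added example that is not part of the lab report: a small Python model of how the iptables INPUT chain reaches a verdict. Rules are tested in order, the first match decides, and the chain policy (-P) applies when nothing matches. The host addresses are the lab's; the port-23-only variant is an assumption added for comparison, not a command from the page.

```python
# Added example (not part of the lab report): a small model of how the iptables
# INPUT chain decides a packet's fate, used to check the two rule sets from this task.
# iptables tests rules in order; the first matching rule decides, otherwise the
# chain's policy (-P) applies. The hosts are the lab's addresses.
from dataclasses import dataclass, field
from typing import List, Optional

KALI = "192.168.92.2"        # Kali host in the lab
SEED = "192.168.92.4"        # host whose firewall is configured
META = "192.168.92.5"        # Metasploitable, used as "another host"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass
class Rule:
    """One `iptables -A INPUT ...` rule; None means the option was not given."""
    target: str                   # -j ACCEPT / DROP
    proto: Optional[str] = None   # -p
    src: Optional[str] = None     # -s (single host, as in the lab)
    dport: Optional[int] = None   # --dport

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.src is None or pkt.src == self.src)
                and (self.dport is None or pkt.dport == self.dport))


@dataclass
class InputChain:
    policy: str = "ACCEPT"                      # iptables -P INPUT <policy>
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:       # iptables -A INPUT ...
        self.rules.append(rule)

    def flush(self) -> None:                    # iptables -F; iptables -P INPUT ACCEPT
        self.rules.clear()
        self.policy = "ACCEPT"

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:                 # first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy                      # no rule matched: chain policy applies


def task1_chain() -> InputChain:
    """Part (1) as typed on SEED: sudo iptables -A INPUT -p tcp -j DROP"""
    chain = InputChain()
    chain.append(Rule(target="DROP", proto="tcp"))
    return chain


def task1_port23_chain() -> InputChain:
    """Narrower variant (an assumption, not on the page): drop only TCP port 23."""
    chain = InputChain()
    chain.append(Rule(target="DROP", proto="tcp", dport=23))
    return chain


def task2_chain() -> InputChain:
    """Part (2): iptables -P INPUT DROP; iptables -A INPUT -p tcp -s 192.168.92.2 -j ACCEPT"""
    chain = InputChain(policy="DROP")
    chain.append(Rule(target="ACCEPT", proto="tcp", src=KALI))
    return chain


def verdict_for(chain: InputChain, src: str, proto: str, dport: Optional[int] = None) -> str:
    """Verdict for a packet from `src` to SEED."""
    return chain.verdict(Packet(src=src, dst=SEED, proto=proto, dport=dport))


if __name__ == "__main__":
    for name, chain in [("task1", task1_chain()),
                        ("task1 port-23 only", task1_port23_chain()),
                        ("task2", task2_chain())]:
        print(f"--- {name} ---")
        for src in (KALI, META):
            print(f"telnet from {src}: {verdict_for(chain, src, 'tcp', 23)}, "
                  f"http from {src}: {verdict_for(chain, src, 'tcp', 80)}, "
                  f"ping from {src}: {verdict_for(chain, src, 'icmp')}")
```

Running it shows that the part (1) rule drops HTTP from Kali as well as Telnet, that the part (2) policy also drops ICMP from Kali (only TCP was whitelisted), and that flush() restores the open state the report ends with.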

#2
Use Snort to perform intrusion detection on the given pcap file, and describe the attacks detected.

Before the experiment, drag the listen.pcap file onto the Kali desktop, then enter the command:

snort -r listen.pcap -c /etc/snort/snort.conf -K ascii   # run intrusion detection on listen.pcap

Most of the packets detected are TCP packets.

Open the alert file in the /var/log/snort/ directory to get much more detail, or from the command line: vim /var/log/snort/alert
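Reading /var/log/snort/alert by hand is tedious once it contains more than a handful of records, so here is an added example (not part of the lab report) that parses Snort's "full" alert format and summarises which signatures fired and from which source hosts. The three alert records embedded in it are constructed for this example, not output from listen.pcap; the signature IDs 1000001 and 1000002 are placeholders.

```python
# Added example (not from the lab report): a parser for the "full" alert records
# Snort writes to /var/log/snort/alert, with a summary of what fired and from where.
# The sample records below are constructed for this example, not taken from listen.pcap.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_ALERT_LOG = """\
[**] [1:1000001:1] CONSTRUCTED Telnet login attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/15-10:21:33.123456 192.168.92.2:44321 -> 192.168.92.4:23
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40

[**] [1:1000001:1] CONSTRUCTED Telnet login attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/15-10:21:34.000001 192.168.92.2:44322 -> 192.168.92.4:23
TCP TTL:64 TOS:0x0 ID:12346 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C5E  Ack: 0x0  Win: 0xFFFF  TcpLen: 40

[**] [1:1000002:1] CONSTRUCTED ICMP echo sweep [**]
[Classification: Misc activity] [Priority: 3]
03/15-10:22:01.500000 192.168.92.5 -> 192.168.92.4
ICMP TTL:64 TOS:0x0 ID:777 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO
"""

# [**] [gid:sid:rev] message [**]
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS = re.compile(r"\[Classification: (.+?)\]\s*\[Priority: (\d+)\]")
# timestamp src[:port] -> dst[:port]
FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO = re.compile(r"^(TCP|UDP|ICMP) TTL:")


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'ip:port' -> (ip, port); ICMP alerts carry no port (IPv4 assumed)."""
    if ":" in ep:
        host, port = ep.rsplit(":", 1)
        return host, int(port)
    return ep, None


def parse_alerts(text: str) -> List[Dict]:
    alerts = []
    # alert records are separated by blank lines
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue                       # not an alert record; skip it
        gid, sid, rev, msg = head.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "classification": None, "priority": None, "time": None,
                 "src": None, "src_port": None, "dst": None, "dst_port": None,
                 "proto": None}
        for line in lines[1:]:
            if (m := CLASS.search(line)):
                alert["classification"], alert["priority"] = m.group(1), int(m.group(2))
            elif (m := FLOW.match(line)):
                alert["time"] = m.group(1)
                alert["src"], alert["src_port"] = split_endpoint(m.group(2))
                alert["dst"], alert["dst_port"] = split_endpoint(m.group(3))
            elif (m := PROTO.match(line)):
                alert["proto"] = m.group(1)
        alerts.append(alert)
    return alerts


def count_by_signature(alerts: List[Dict]) -> Dict[str, int]:
    """How many times each rule message fired."""
    return dict(Counter(a["msg"] for a in alerts))


def count_by_source(alerts: List[Dict]) -> Dict[str, int]:
    """How many alerts each source host produced."""
    return dict(Counter(a["src"] for a in alerts))


if __name__ == "__main__":
    # for a real run replace SAMPLE_ALERT_LOG with open("/var/log/snort/alert").read()
    parsed = parse_alerts(SAMPLE_ALERT_LOG)
    for msg, n in count_by_signature(parsed).items():
        print(f"{n:4d}  {msg}")
    for src, n in count_by_source(parsed).items():
        print(f"{n:4d}  from {src}")
```

The per-signature and per-source counts are what the report's "describe the attacks detected" step needs: the signature message names the suspected attack, and the source tally shows which host generated it.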

#3 Analyse the honeynet gateway's firewall and IDS/IPS configuration rules.
Analyse the firewall and IDS/IPS configuration rules of the honeynet gateway in the virtual network attack/defense environment, and write an analysis report explaining how the honeywall uses firewall and intrusion detection technology to meet its requirements for attack data capture and data control. The configuration rules and start-up files to analyse are:
(1) Firewall (netfilter + IPTables): /etc/init.d/rc.firewall;
(2) Intrusion detection system (Snort): /etc/init.d/hflow-snort and /etc/snort/snort.conf;
(3) Intrusion prevention system (Snort_inline): /etc/init.d/hflow-snort_inline and /etc/snort_inline/snort_inline.conf.
The analysis should cover:
(1) How do the above scripts implement the honeynet gateway's data capture and data control mechanisms?
(2) Obtain the actual IPTables rule list and the actual run-time parameters of Snort and Snort_inline.
(3) After the honeynet gateway boots, how are the firewall, NIDS and NIPS started?
(4) Bonus: how are the Snort rules on the honeynet gateway updated automatically?

Practical operation
Select the honeywall in the virtual network according to the assignment requirements.
For (1):
Data control generally consists of firewall data control and the limits the IPS (snort_inline) places on abnormal data. First elevate privileges with su -, then open vim /etc/init.d/rc.firewall and look at the three lists: the blacklist, the whitelist and the protection list (FenceList).


In addition to the functions above:

For hosts whose source or destination address is on the blacklist, the firewall discards all packets.
For hosts on the whitelist, packets are accepted and not logged.
For hosts on the protection list (FenceList), access to them is prohibited, so hosts you do not want reached cannot be accessed.

For (2):
(I) The actual IPTables rule list: data capture consists of firewall logging and Snort network-flow records. View the rule list with iptables -t filter -L. It is easy to see that the default policies of the OUTPUT, INPUT and FORWARD chains have all been closed and replaced by self-defined rules (some of the parameters configured earlier for Roo are also reflected in the rule table).

(II) Snort's actual run-time parameters: open the Snort script file with vim /etc/init.d/snortd. The first screenshot shows the parameter options available at start-up, and the second shows the parameters actually used at run time. After the network interface is specified, if no other parameters are given, the default parameters are used. For example, -A mode is not enabled by default, the default configuration file /etc/snort/snort.conf is used, the interface is eth0, and log files are saved in binary mode.


(III) Snort_inline's actual run-time parameters: open the Snort_inline script file with vim /etc/init.d/hw-snort_inline; both the actual run-time parameters and the parameters defined earlier in the script can be observed.

For (3):
Use chkconfig --list | grep [service] to query whether a given service is enabled at boot. The chkconfig command is used to inspect the system's services. We find that the firewall and the NIPS (snort_inline) start automatically with the system, configured by the script files just discussed, while the NIDS is started manually.

For (4):
Open the honeywall configuration file with vim /etc/honeywall.conf. A lot can be seen in it: the IP address of Roo configured before installation, the location of the whitelist and blacklist, where Snort rule updates come from, and so on. The word Oinkmaster appears, and a quick search confirms that this is indeed automatic-update software. By observation we find that automatic updates are turned off by default,

and when we open the oinkmaster.conf file in the same directory, it has more detailed comments.

Source: www.cnblogs.com/tqlzpg/p/12667444.html