Linux Intrusion Detection: Scan Trace Detection Solutions [share] Huawei Cloud

Background

Scanning is the basis of every intrusion: by scanning, an attacker finds out which target hosts are alive, which operating system and version they run, and which services they have open. Scanning techniques are complex and new ones keep appearing, so it is impossible to enumerate them all. Below, following the steps of an intrusion, is a brief overview of their classification: host scans, port scans, and service scans.

Host scanning can be divided into two main activities: 1) ICMP echo scanning and 2) broadcast ICMP scanning. Port scanning is also divided into two categories: 1) open scanning, which produces large amounts of audit data and is easily noticed by the other side, but is highly reliable (e.g., TCP connect scan); 2) stealth scanning, which can effectively evade intrusion detection systems and firewall inspection, but the packets it uses are readily dropped on the network and so produce erroneous detection results (such as SYN, FIN, ACK and NULL scans). The last category is service-specific scanning: scanning for a specific vulnerability of a specific service (web service and service version) on a specific system (OS type and version). Scanning software today usually adds support for a specific vulnerability scan through a plug-in, and once the scan confirms the vulnerability it can be exploited directly. Examples are scans of WEB servers and FTP servers.

Detection ideas

Different scanning techniques and scanning modes call for different detection methods, but the general idea is the same: use iptables policies to log the traffic (the specific logging policy depends on the scenario to be detected), then look for scanning traces by analysing the logs and raise an alarm when something suspicious is found. The detection schemes below are organised by scanning technique and scanning mode, each with its own detection scheme.

Scene 1: detecting ICMP scanning traces

Whether active hosts are probed with broadcast ICMP or with ICMP echo requests, the system is configured with iptables to log the packets.

For broadcast ICMP packets:

On a system with iptables configured, the logging policy is as follows:

iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix "ICMP-ECHO: "

When a logged ICMP echo request turns out to be a broadcast packet (its destination is the network's broadcast address), raise an alarm.

For ICMP echo packets:

Idea 1:

If the range of permitted IP addresses can be determined, use a whitelist to detect suspicious behaviour and alert on echo requests from sources outside it;

Idea 2:

If an IP address whitelist cannot be determined, look at the records from non-working hours (such as late at night) and, if suspicious behaviour is found, issue the corresponding alarm.

Scene 2: detecting TCP connect scanning traces

A TCP connect scan uses a full three-way handshake to detect whether the corresponding ports and services are open.

Idea 1:

First, maintain a whitelist of the ports that the operating system and business systems need to have open for normal operation, and configure the corresponding iptables logging policy:

iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j LOG --log-prefix "TCP-CONN: "

Search the log; if a connection to a port that is not in the whitelist is recorded, raise an alarm. Note that matching ESTABLISHED logs every packet of every accepted connection; restricting the rule to --state NEW records only connection attempts, which is enough to spot a connect scan and keeps the log volume manageable.

Idea 2:

Statistical detection: configure two statistical detection methods, one for slow scans (one packet every 1 hour to 2 days) and one for conventional scans (N packets within 1 minute to 1 hour). For conventional scans, if within a time window (5 minutes recommended; choose from the range 1 to 60 minutes) the number of distinct target ports recorded from the same source IP address exceeds a count threshold (3 recommended; a value > 3 is suggested), raise an alarm; the log is searched in steps of 5 minutes. For slow scans, if within a time window (6 hours recommended; choose from the range 1 hour to 2 days) the number of distinct target ports recorded from the same source IP address exceeds a count threshold (3 recommended; a value > 3 is suggested), raise an alarm.
Note: the specific values of the time threshold and the count threshold should be set according to the actual situation.
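Scenes 1 and 2 together, as an added worked example that is not part of the original post: a Python analyzer for the lines the two iptables LOG rules write to the kernel log. It parses the KEY=VALUE fields, flags broadcast echo requests, applies idea 1 (source whitelist) or idea 2 (off-hours) to ordinary echo requests, checks logged TCP connections against a port whitelist, and runs the sliding-window distinct-port count with the recommended 5-minute and 6-hour windows and a threshold of 3. The log lines, the 192.168.1.0/24 LAN, the 22:00 to 06:00 off-hours window and both whitelists are constructed assumptions; the `ICMP-ECHO:` and `TCP-CONN:` labels are assumed --log-prefix values that the parser does not depend on.

```python
"""Analysis of iptables LOG lines for Scene 1 (ICMP) and Scene 2 (TCP connect scans).

Added example, not code from the original post. The log lines below are constructed;
whitelists, off-hours, windows and thresholds are assumptions following the post's values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# rsyslog writes "Mon DD HH:MM:SS host kernel: <prefix> KEY=VALUE ..." for each LOG hit
HEAD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Assumptions: LAN is 192.168.1.0/24, 22:00-06:00 is non-working time, three open ports
LAN_BROADCAST = {"192.168.1.255", "255.255.255.255"}
OFF_HOURS = (22, 6)
PORT_WHITELIST = {22, 80, 443}


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line plus its timestamp, or None."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(line[m.end():]))   # flag words like DF or SYN carry no '=' and are skipped
    # syslog timestamps carry no year; strptime fills in 1900, which is fine for time deltas
    rec["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return rec


def check_icmp(rec, broadcast_addrs, src_whitelist=None):
    """Scene 1: alert on broadcast echo requests, then apply idea 1 (whitelist) or idea 2 (off-hours)."""
    if rec.get("PROTO") != "ICMP" or rec.get("TYPE") != "8":   # TYPE=8 is echo request
        return None
    if rec["DST"] in broadcast_addrs:
        return f"broadcast ICMP echo request from {rec['SRC']} to {rec['DST']}"
    if src_whitelist is not None:
        return None if rec["SRC"] in src_whitelist else f"ICMP echo request from non-whitelisted {rec['SRC']}"
    start, end = OFF_HOURS
    if rec["ts"].hour >= start or rec["ts"].hour < end:
        return f"off-hours ICMP echo request from {rec['SRC']} at {rec['ts']:%H:%M}"
    return None


def check_tcp_port(rec, port_whitelist):
    """Scene 2, idea 1: alert on a logged TCP connection to a port outside the whitelist."""
    if rec.get("PROTO") != "TCP" or "DPT" not in rec:
        return None
    dport = int(rec["DPT"])
    return None if dport in port_whitelist else f"TCP connection from {rec['SRC']} to non-whitelisted port {dport}"


def detect_port_scans(records, window, threshold):
    """Scene 2, idea 2: {src: most distinct target ports seen within one `window`} where that exceeds `threshold`."""
    by_src = defaultdict(list)
    for rec in records:
        if rec.get("PROTO") == "TCP" and "DPT" in rec:
            by_src[rec["SRC"]].append((rec["ts"], int(rec["DPT"])))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):          # window starting at each event
            ports = {p for t, p in events[i:] if t - t0 <= window}
            best = max(best, len(ports))
        if best > threshold:
            hits[src] = best
    return hits


def analyze(log_text, broadcast_addrs=LAN_BROADCAST, port_whitelist=PORT_WHITELIST, src_whitelist=None):
    """Run all checks over a block of log text; the slow pass reports only sources the fast pass missed."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    alerts = []
    for rec in records:
        for alert in (check_icmp(rec, broadcast_addrs, src_whitelist), check_tcp_port(rec, port_whitelist)):
            if alert:
                alerts.append(alert)
    fast = detect_port_scans(records, timedelta(minutes=5), 3)
    slow = detect_port_scans(records, timedelta(hours=6), 3)
    return {"alerts": alerts, "fast_scanners": fast,
            "slow_scanners": {s: n for s, n in slow.items() if s not in fast}}


# Constructed sample: a broadcast ping, a night-time ping, a daytime ping from a LAN host,
# a fast port scan from 203.0.113.9, a slow port scan from 198.51.100.4, one normal SSH login.
SAMPLE_LOG = """\
Dec 10 02:15:01 srv kernel: ICMP-ECHO: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.255 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec 10 02:16:30 srv kernel: ICMP-ECHO: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Dec 10 10:00:00 srv kernel: ICMP-ECHO: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
Dec 10 10:01:00 srv kernel: TCP-CONN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Dec 10 10:01:05 srv kernel: TCP-CONN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40002 DPT=80 SYN URGP=0
Dec 10 10:01:10 srv kernel: TCP-CONN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40003 DPT=443 SYN URGP=0
Dec 10 10:01:15 srv kernel: TCP-CONN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40004 DPT=3306 SYN URGP=0
Dec 10 10:01:20 srv kernel: TCP-CONN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40005 DPT=8080 SYN URGP=0
Dec 10 00:10:00 srv kernel: TCP-CONN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.168.1.10 LEN=60 TTL=48 PROTO=TCP SPT=51000 DPT=21 SYN URGP=0
Dec 10 01:40:00 srv kernel: TCP-CONN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.168.1.10 LEN=60 TTL=48 PROTO=TCP SPT=51001 DPT=23 SYN URGP=0
Dec 10 03:20:00 srv kernel: TCP-CONN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.168.1.10 LEN=60 TTL=48 PROTO=TCP SPT=51002 DPT=25 SYN URGP=0
Dec 10 04:55:00 srv kernel: TCP-CONN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.168.1.10 LEN=60 TTL=48 PROTO=TCP SPT=51003 DPT=110 SYN URGP=0
Dec 10 12:00:00 srv kernel: TCP-CONN: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=52000 DPT=22 SYN URGP=0
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, the broadcast ping and the 02:16 ping are reported by the Scene 1 checks, the connections to 3306, 8080, 21, 23, 25 and 110 by the port whitelist, 203.0.113.9 (5 distinct ports in 20 seconds) by the 5-minute pass, and 198.51.100.4 (4 ports spread over almost 5 hours) only by the 6-hour pass. The per-source sliding window is quadratic in the number of events per source, which is acceptable for the 5-minute steps the post describes; for a busy host feed the records in batches per step.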

Scene 3: detecting WEB scanning traces

WEB scanning uses GET requests to discover the server version and vulnerabilities of a WEB server, and then exploits those vulnerabilities to break in. For the Apache WEB service on Linux, the scanning is recorded in the server's access log (access.log), where its features are obvious: for example, the same IP producing 10 GET requests per second for 10 minutes is a clear trace of web scanning. A time threshold (5 minutes recommended; recommended range 1 to 1440 minutes) and a count threshold (10 recommended; a value > 3 is suggested) can be used to filter the request log by IP and analyse whether an attacker has broken in. In addition, traces of WEB scans for SQL injection, XSS injection, command injection and path traversal attacks can be identified by searching the log for the corresponding keywords.

Note: the specific values of the time threshold and the count threshold should be set according to the actual situation and may change.
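The Scene 3 checks over Apache common-log-format lines, as an added example that is not the post's code: a sliding-window GET count per IP with the recommended 5-minute window and count threshold of 10, plus URL-decoded keyword matching for the four attack classes named above. The access.log lines and the signature patterns are constructed assumptions (a handful of illustrative patterns, not a maintained rule set).

```python
"""Apache access.log analysis for Scene 3: request-rate thresholds plus keyword signatures.

Added example, not code from the original post. The access.log lines are constructed;
thresholds follow the post's values and the signature patterns are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache common/combined log format: ip ident user [time] "METHOD path HTTP/x" status ...
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Illustrative keyword signatures (assumption) for the four attack classes the post names
SIGNATURES = {
    "sql_injection": re.compile(r"union\s+select|'\s*or\s+1\s*=\s*1|sleep\s*\(", re.I),
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
    "command_injection": re.compile(r"[;|`]\s*(id|cat|ls|wget|curl|nc)\b", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\|%2e%2e", re.I),
}


def parse_access_line(line):
    """Return ip, timestamp, method, decoded path and status for one access.log line, or None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": unquote(m["path"]),   # decode %xx so encoded payloads reach the signatures
        "status": int(m["status"]),
    }


def detect_request_floods(records, window=timedelta(minutes=5), threshold=10, method="GET"):
    """IPs whose GET requests within any `window` exceed `threshold` (post's values: 5 min, 10)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] == method:
            by_ip[r["ip"]].append(r["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):          # two-pointer sliding window over sorted times
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best > threshold:
            hits[ip] = best
    return hits


def find_signature_hits(records):
    """(ip, attack class, decoded path) for every request whose path matches a signature."""
    hits = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(r["path"]):
                hits.append((r["ip"], name, r["path"]))
    return hits


def analyze_access_log(log_text):
    """Apply both Scene 3 checks to a block of access.log text."""
    records = [r for r in map(parse_access_line, log_text.splitlines()) if r]
    return {"floods": detect_request_floods(records), "signature_hits": find_signature_hits(records)}


# Constructed sample: a scanner at 203.0.113.9 sends 11 GETs in 10 s, four carrying
# injection/traversal payloads, followed by two ordinary requests from a LAN client.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [10/Dec/2019:10:00:01 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "scanner/1.0"
203.0.113.9 - - [10/Dec/2019:10:00:02 +0800] "GET /index.php?id=1%27%20or%201%3D1 HTTP/1.1" 200 512 "-" "scanner/1.0"
203.0.113.9 - - [10/Dec/2019:10:00:03 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 301 "-" "scanner/1.0"
203.0.113.9 - - [10/Dec/2019:10:00:04 +0800] "GET /download?file=../../etc/passwd HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.9 - - [10/Dec/2019:10:00:05 +0800] "GET /ping?host=127.0.0.1;id HTTP/1.1" 500 0 "-" "scanner/1.0"
203.0.113.9 - - [10/Dec/2019:10:00:06 +0800] "GET /admin/ HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.9 - - [10/Dec/2019:10:00:07 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.9 - - [10/Dec/2019:10:00:08 +0800] "GET /wp-login.php HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.9 - - [10/Dec/2019:10:00:09 +0800] "GET /backup.zip HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.9 - - [10/Dec/2019:10:00:10 +0800] "GET /.git/HEAD HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.9 - - [10/Dec/2019:10:00:11 +0800] "GET /robots.txt HTTP/1.1" 200 68 "-" "scanner/1.0"
192.168.1.20 - - [10/Dec/2019:10:05:00 +0800] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Dec/2019:10:05:01 +0800] "GET /style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for key, value in analyze_access_log(SAMPLE_ACCESS_LOG).items():
        print(key, value)
```

Decoding the path before matching matters: the SQL and XSS payloads in the sample are percent-encoded in the raw log and would slip past a plain grep for `or 1=1` or `<script`. The two checks are complementary, since a slow scanner can stay under the rate threshold while the keyword match still catches individual probing requests.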

Author: JZ


Origin www.cnblogs.com/huaweicloud/p/12016154.html