Проведите разведку системы и определите, какие сетевые службы запущены на защищаемой системе:
sudo nmap -sA < ip-адрес >
sudo nmap -sT < ip-адрес >
sudo nmap -sS < ip-адрес >
sudo nmap -sV < ip-адрес >
По желанию можете поэкспериментировать с опциями: https://nmap.org/man/ru/man-briefoptions.html.
В качестве ответа пришлите события, которые попали в логи Suricata и Fail2Ban, прокомментируйте результат.
Устанавливаем
sudo apt-get install suricata
sudo suricata-update
sudo systemctl enable suricata
sudo systemctl start suricata.service
sudo systemctl status suricata.service
sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban.service
sudo systemctl status fail2ban.service
Настраиваем
sudo nano /etc/suricata/suricata.yaml
Изменяем значение параметра EXTERNAL_NET на "any"
sudo systemctl restart suricata
Файлы логов
sudo tail /var/log/suricata/suricata.log
sudo tail /var/log/suricata/stats.log
Запускаем
sudo suricata -c /etc/suricata/suricata.yaml -s signatures.rules -i ens18
Выводим логи с алертами
sudo tail -f /var/log/suricata/fast.log
Сканируем
sudo nmap -sA 192.168.6.241
sudo nmap -sT 192.168.6.241
sudo nmap -sS 192.168.6.241
sudo nmap -sV 192.168.6.241
Логи Suricata
08/30/2023-18:12:24.696074 [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.6 .243:8 -> 192.168.6.241:0
08/30/2023-18:12:24.696074 [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.6 .243:8 -> 192.168.6.241:0
08/30/2023-18:13:43.450205 [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:51304 -> 192.168.6.241:3306
08/30/2023-18:13:43.450205 [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:51304 -> 192.168.6.241:3306
08/30/2023-18:13:43.452772 [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:43530 -> 192.168.6.241:1433
08/30/2023-18:13:43.452772 [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:43530 -> 192.168.6.241:1433
08/30/2023-18:13:43.456503 [**] [1:2002911:6] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Pri ority: 2] {TCP} 192.168.6.243:48922 -> 192.168.6.241:5901
08/30/2023-18:13:43.457937 [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:37462 -> 192.168.6.241:5432
08/30/2023-18:13:43.459153 [**] [1:2002910:6] ET SCAN Potential VNC Scan 5800-5820 [**] [Classification: Attempted Information Leak] [Pri ority: 2] {TCP} 192.168.6.243:52942 -> 192.168.6.241:5801
08/30/2023-18:13:43.465361 [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:53844 -> 192.168.6.241:1521
08/30/2023-18:13:43.456503 [**] [1:2002911:6] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Pri ority: 2] {TCP} 192.168.6.243:48922 -> 192.168.6.241:5901
08/30/2023-18:13:43.457937 [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:37462 -> 192.168.6.241:5432
08/30/2023-18:13:43.459518 [**] [1:2002910:6] ET SCAN Potential VNC Scan 5800-5820 [**] [Classification: Attempted Information Leak] [Pri ority: 2] {TCP} 192.168.6.243:60772 -> 192.168.6.241:5800
08/30/2023-18:13:43.465361 [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:53844 -> 192.168.6.241:1521
08/30/2023-18:14:08.315206 [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:61616 -> 192.168.6.241:3306
08/30/2023-18:14:08.315206 [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:61616 -> 192.168.6.241:3306
08/30/2023-18:14:08.318053 [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:61616 -> 192.168.6.241:5432
08/30/2023-18:14:08.318053 [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:61616 -> 192.168.6.241:5432
08/30/2023-18:14:08.326323 [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:61616 -> 192.168.6.241:1433
08/30/2023-18:14:08.326323 [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:61616 -> 192.168.6.241:1433
08/30/2023-18:14:08.330004 [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:61616 -> 192.168.6.241:1521
08/30/2023-18:14:08.330004 [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:61616 -> 192.168.6.241:1521
08/30/2023-18:14:25.959524 [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:38779 -> 192.168.6.241:3306
08/30/2023-18:14:25.959524 [**] [1:2010937:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:38779 -> 192.168.6.241:3306
08/30/2023-18:14:25.962738 [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:38779 -> 192.168.6.241:5432
08/30/2023-18:14:25.962738 [**] [1:2010939:3] ET SCAN Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:38779 -> 192.168.6.241:5432
08/30/2023-18:14:25.966934 [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:38779 -> 192.168.6.241:1433
08/30/2023-18:14:25.966934 [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic ] [Priority: 2] {TCP} 192.168.6.243:38779 -> 192.168.6.241:1433
08/30/2023-18:14:25.972128 [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:38779 -> 192.168.6.241:1521
08/30/2023-18:14:25.972128 [**] [1:2010936:3] ET SCAN Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Tr affic] [Priority: 2] {TCP} 192.168.6.243:38779 -> 192.168.6.241:1521
Пинг получил приоритет 3
nmap -sA, nmap -sS, nmap -sT, nmap -sV получили приоритет 2, как потенциально опасный
nmap -sV мог получить приоритет 1, если был бы распознан как веб-атака
fail2ban на сканирования не отреагировал
Проведите атаку на подбор пароля для службы SSH:
hydra -L users.txt -P pass.txt < ip-адрес > ssh
Настройка hydra:
создайте два файла: users.txt и pass.txt;
в каждой строчке первого файла должны быть имена пользователей, второго — пароли. В нашем случае это могут быть случайные строки, но ради эксперимента можете добавить имя и пароль существующего пользователя.
Дополнительная информация по hydra: https://kali.tools/?p=1847.
Включение защиты SSH для Fail2Ban:
открыть файл /etc/fail2ban/jail.conf,
найти секцию ssh,
установить enabled в true.
Дополнительная информация по Fail2Ban:https://putty.org.ru/articles/fail2ban-ssh.html.
В качестве ответа пришлите события, которые попали в логи Suricata и Fail2Ban, прокомментируйте результат.
hydra -L users.txt -P pass.txt 192.168.6.241 ssh
Suricata
sudo tail -f /var/log/suricata/fast.log
08/30/2023-19:02:34.134199 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.6.243:50944 -> 192.168.6.241:22
08/30/2023-19:02:34.134199 [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.6.243:50944 -> 192.168.6.241:22
08/30/2023-19:02:34.135654 [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.6.243:51008 -> 192.168.6.241:22
08/30/2023-19:02:39.586546 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.6.243:50928 -> 192.168.6.241:22
08/30/2023-19:02:39.618599 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.6.243:50944 -> 192.168.6.241:22
08/30/2023-19:02:39.650687 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.6.243:51008 -> 192.168.6.241:22
08/30/2023-19:02:39.650687 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.6.243:51024 -> 192.168.6.241:22
08/30/2023-19:02:41.250572 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.6.243:50982 -> 192.168.6.241:22
08/30/2023-19:02:41.282448 [**] [1:2210054:1] SURICATA STREAM excessive retransmissions [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.6.243:50966 -> 192.168.6.241:22
Fail2ban
sudo cat /var/log/fail2ban.log
2023-08-30 19:00:41,649 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:00:41
2023-08-30 19:00:41,933 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:00:41
2023-08-30 19:00:43,061 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:00:43
2023-08-30 19:02:33,907 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:33
2023-08-30 19:02:34,253 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:34
2023-08-30 19:02:34,276 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:34
2023-08-30 19:02:34,283 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:34
2023-08-30 19:02:34,298 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:34
2023-08-30 19:02:34,330 fail2ban.actions [27432]: NOTICE [sshd] Ban 192.168.6.243
2023-08-30 19:02:36,265 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:36
2023-08-30 19:02:36,266 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:36
2023-08-30 19:02:36,274 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:36
2023-08-30 19:02:36,274 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:36
2023-08-30 19:02:36,314 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:36
2023-08-30 19:02:36,327 fail2ban.filter [27432]: INFO [sshd] Found 192.168.6.243 - 2023-08-30 19:02:36
Логины и пароли в txt были записаны неправильные
Suricata просигнализировала, но не предотвратила
Fail2ban зафиксировал и заблокировал атакующего