Linux Host Security Hardening with Safedog (安全狗)

x33g5p2x, reposted 2021-09-19 in Linux

This article briefly describes how to use the Safedog software to harden a Linux host.

1. Installing the software

The software is free; download the Linux version from the official website, at the URL


There is no user manual for the Linux version on the official site, so you have to work it out yourself.
After extracting the archive, run the up.sh script to install automatically; it must be executed as root.

# sh up.sh 
extracting files ...
step 1/2, start install common lib                                                                [ok] 
step 2/2, start Install Server Defense Module                                                      
  step 2.1, checking os release version...                                                        [ok] 
  step 2.2, installing file...                                                                    [ok] 
  step 2.3, start service...                                                                      [ok] 
  step 2.4, save safedog install info...
  Tips: 
  (1)safedog install directory: /etc/safedog 
  (2)install safedog version: 2.8.21207 
install safedog completely
Installation is complete!
[x] finish to call safedog install script!

As soon as installation finishes, the software starts running automatically; at runtime there are 3 processes.

root       1218  0.1  0.0  17412    60 ?        Sl   08:59   0:17 sdmonitor
root       1449  0.0  0.7 439484  7244 ?        Sl   08:59   0:09 sdcc -d
root       1460  3.2  3.8 748332 38660 ?        Sl   08:59   5:10 sdsvrd -d

How to stop it

# /etc/init.d/safedog stop
stop sdsvrd server #
safedog serivce stopped!

One small issue: although the service is stopped, the sdmonitor and sdcc processes are still present.

2. Port scan test

Try scanning the ports of the test host 192.168.198.144; port 3000 is the Grafana port, used here for testing.

# nmap 192.168.198.144

Starting Nmap 6.40 ( http://nmap.org ) at 2021-09-07 11:19 CST
Nmap scan report for 192.168.198.144
Host is up (0.00030s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
3000/tcp open  ppp
MAC Address: 00:0C:29:AF:64:6A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds

The scan is recorded in the logs, located under /etc/safedog/logs.

2021-09-07 11:19:48 [43066:13:DBG]  [sdalarm.cpp: 105:main]Alarm Description<
[{"time":"2021-09-07 11:19:47","attackerIp":"192.168.198.137","victimPort":0,"type":3,"ProtectMode":1}]>
2021-09-07 11:19:48 [43071:13:DBG]  [sdalarm.cpp:  41:main]------------------------------
2021-09-07 11:19:48 [43071:13:DBG]  [sdalarm.cpp:  45:main]sdalarm
2021-09-07 11:19:48 [43071:13:DBG]  [sdalarm.cpp:  45:main]-s
2021-09-07 11:19:48 [43071:13:DBG]  [sdalarm.cpp:  45:main]2001
...
2021-09-07 11:19:48 [43071:13:DBG]  [sdalarm.cpp: 105:main]Alarm Description<
[{"time":"2021-09-07 11:19:48","attackerIp":"192.168.198.137","victimPort":0,"type":2,"ProtectMode":1}]>
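As an added example (not part of the original post and not Safedog's own code), a small Python parser for the two-line "Alarm Description" entries shown above that groups alarms by attackerIp; the sample log text is constructed from those entries, and since the numeric type codes are not documented on this page they are only reported, not interpreted.

```python
import json
import re
from collections import Counter

# Constructed sample, modelled on the /etc/safedog/logs entries shown above.
SAMPLE_LOG = """\
2021-09-07 11:19:48 [43066:13:DBG]  [sdalarm.cpp: 105:main]Alarm Description<
[{"time":"2021-09-07 11:19:47","attackerIp":"192.168.198.137","victimPort":0,"type":3,"ProtectMode":1}]>
2021-09-07 11:19:48 [43071:13:DBG]  [sdalarm.cpp:  41:main]------------------------------
2021-09-07 11:19:48 [43071:13:DBG]  [sdalarm.cpp:  45:main]sdalarm
2021-09-07 11:19:48 [43071:13:DBG]  [sdalarm.cpp: 105:main]Alarm Description<
[{"time":"2021-09-07 11:19:48","attackerIp":"192.168.198.137","victimPort":0,"type":2,"ProtectMode":1}]>
"""

# Header line announcing a JSON array on the following line (terminated by '>').
ALARM_HEADER = re.compile(r"\[sdalarm\.cpp:\s*\d+:main\]Alarm Description<$")


def parse_sdalarm_log(text):
    """Return a list of alarm dicts from sdalarm debug log text.

    Each alarm spans two lines; payloads that are missing the closing
    '>' or are not valid JSON arrays are skipped instead of aborting.
    """
    alarms = []
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if not ALARM_HEADER.search(line.rstrip()):
            continue
        payload = lines[i + 1].rstrip()
        if not payload.endswith(">"):
            continue
        try:
            data = json.loads(payload[:-1])
        except json.JSONDecodeError:
            continue
        if isinstance(data, list):
            alarms.extend(data)
    return alarms


def summarize_by_attacker(alarms):
    """Map attacker IP -> (alarm count, sorted list of alarm type codes seen)."""
    counts = Counter(a["attackerIp"] for a in alarms)
    types = {}
    for a in alarms:
        types.setdefault(a["attackerIp"], set()).add(a["type"])
    return {ip: (counts[ip], sorted(types[ip])) for ip in counts}


if __name__ == "__main__":
    for ip, (n, kinds) in summarize_by_attacker(parse_sdalarm_log(SAMPLE_LOG)).items():
        print(f"{ip}: {n} alarms, types {kinds}")
```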

Scanning again finds no open ports, and the Grafana login page can no longer be opened in a browser, which shows the scanning IP has been blocked.

# nmap 192.168.198.144

Starting Nmap 6.40 ( http://nmap.org ) at 2021-09-07 11:22 CST
Nmap scan report for 192.168.198.144
Host is up (0.00032s latency).
All 1000 scanned ports on 192.168.198.144 are filtered
MAC Address: 00:0C:29:AF:64:6A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 34.58 seconds

The attack information is also sent to the vendor's backend (the log shows a POST to client-server3.safedog.cn).

2021/09/07 11:20:30:446 [1104988480] INFO  root - Post Data to http://client-server3.safedog.cn/innerIntf/sorsi.html,Response code:200,Return Err: 0,Request state:Success 
2021/09/07 11:20:30:447 [1104988480] INFO  root - AlarmInfo: {
    "Description": "[{\"time\":\"2021-09-07 11:19:47\",\"attackerIp\":\"192.168.198.137\",\"victimPort\":0,\"type\":3,\"ProtectMode\":1}]",
    "version": 2,
    "SafedogType": 2,
    "AlarmType": 2001,
    "AlarmTime": "2021-09-07 11:19:47"
} 
2021/09/07 11:20:30:447 [1104988480] INFO  root - AlarmInfo: {
    "Description": "[{\"time\":\"2021-09-07 11:19:48\",\"attackerIp\":\"192.168.198.137\",\"victimPort\":0,\"type\":2,\"ProtectMode\":1}]",
    "version": 2,
    "SafedogType": 2,
    "AlarmType": 2001,
    "AlarmTime": "2021-09-07 11:19:48"
}

After rebooting host 192.168.198.144, it is possible to log in via port 3000 again, so it does not appear to be a permanent blacklist.

3. Brute-force test

Accessing Grafana with the correct username/password admin/admin returns a response.

# curl http://admin:admin@192.168.198.144:3000/api/search
[]

After two attempts to access the API with a wrong password, logging in with the correct password no longer works either.


Summary

Security hardening software consumes a certain amount of CPU and memory, so you need to weigh the trade-off yourself.
