IPS + IDS to keep your server secure

Source: Internet   Published by: 淘宝打包招聘   Editor: 程序博客网   Time: 2024/05/03 21:42

Without further ado, go straight to the configuration files below.

The principle of the IDS (snort) and the IPS (Guardian) is essentially this:

1. snort analyzes the log records saved by iptables.

2. Guardian uses the results of snort's log analysis to defend the host.

3. The core of snort and Guardian is the iptables log record. The configuration files follow.

###############
## Guardian  ##
###############
 
# rpm package download
http://www.chaotic.org/guardian/


tar -xzvf guardian-***
cd guardian-***


# installing ....
cp guardian.pl /usr/sbin/
cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
cp guardian.conf /etc/snort/


touch /etc/snort/guardian.ignore
touch /etc/snort/guardian.target
touch /var/log/snort/guardian.log


# Guardian configuration file (PATH /etc/snort/guardian.conf)


Interface eth0
LogFile /var/log/snort/guardian.log
AlertFile /var/log/snort/alert
IgnoreFile /etc/snort/guardian.ignore
TargetFile /etc/snort/guardian.target
TimeLimit 86400   # unit: seconds; a blocked address is released after this long


# /usr/local/bin/guardian_block.sh (Guardian calls it with the offending IP and the interface)

#!/bin/sh
source=$1        # source address taken from the snort alert
interface=$2     # interface from "Interface" in guardian.conf
/sbin/iptables -I INPUT -s "$source" -i "$interface" -j DROP


# /usr/local/bin/guardian_unblock.sh (called the same way once TimeLimit has expired)

#!/bin/sh
source=$1        # the address that was blocked earlier
interface=$2     # the interface the DROP rule was inserted on
/sbin/iptables -D INPUT -s "$source" -i "$interface" -j DROP


#---------------------------------------------------------------------------------------------


# start, restart and stop the daemon


guardian.sh [ start | restart | stop | status ] 


######################################### WORKS ###############################################


 command
   |-----------------> iptables ------------------> DROP
   | if alert              |                          |
   |                       |                          | TimeLimit timeout
   |       Listen          | default                  |
 alert <------------- Guardian ===================> ACCEPT
   |
   |-- guardian.ignore
   |-- guardian.target




#  If the host uses IP aliases, the alias addresses must also be made effective in Guardian: \
#  every alias IP address must be added to guardian.target


###############
##   Snort   ##
###############


# download the snort package (rpm)
http://www.snort.org
http://www.snort.org/dl/binaries/linux


# download the snort rules databases
# register with snort
https://www.snort.org/pub-bin/register.cgi
http://www.snort.org/pub-bin/downloads.cgi
#---------------------------------------------------------------------------
tar -xzvf snortrules-**
# copy all rules from the rules directory of the archive into the "/etc/snort/rules" directory


# snort starts with its default configuration, but to tune the policy you should \
# edit the "/etc/snort/snort.conf" file


# For example (the value of the variable "var HOME_NET")


# a single host
var HOME_NET 192.168.1.10


# networks (several networks must be written as a bracketed, comma-separated list)
var HOME_NET [192.168.1.0/24,192.168.2.0/24]


# setting the snort include rules (example)
var RULE_PATH /etc/snort/rules
include $RULE_PATH/pop3.rules
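A small lint for the two snort.conf settings just shown, added here as an example that is not part of the original post or of snort. It reports a HOME_NET value that lists several networks without the square brackets snort requires, and any "include" line whose $VARIABLE no "var" line defines (a misspelt RULE_PATH is the usual cause); the two configs it checks are constructed inside the script.

```shell
#!/bin/sh
# Added example (not snort's code): lint the HOME_NET and include lines of a
# snort.conf. Exit status 1 and one message per problem found.

snort_lint() {
    conf=$1
    rc=0
    # HOME_NET with a comma-separated value that does not start with "["
    if grep -E '^var[[:space:]]+HOME_NET[[:space:]]+[^[:space:][]*,' "$conf" >/dev/null; then
        echo "HOME_NET lists several networks but is not bracketed; write [a/24,b/24]"
        rc=1
    fi
    # every $VARIABLE used by an include line must have a matching "var NAME ..." line
    for v in $(sed -n 's/^include[[:space:]]*\$\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' "$conf" | sort -u); do
        if ! grep -Eq "^var[[:space:]]+$v[[:space:]]" "$conf"; then
            echo "include uses \$$v but no 'var $v ...' line defines it"
            rc=1
        fi
    done
    return "$rc"
}

# Write the given lines to a temporary file and print its path (constructed configs).
write_conf() {
    f=$(mktemp)
    printf '%s\n' "$@" > "$f"
    printf '%s\n' "$f"
}

demo() {
    bad=$(write_conf 'var HOME_NET 192.168.1.0/24,192.168.2.0/24' \
                     'var RULE_PATH /etc/snort/rules' \
                     'include $RULE_APTH/pop3.rules')
    good=$(write_conf 'var HOME_NET [192.168.1.0/24,192.168.2.0/24]' \
                      'var RULE_PATH /etc/snort/rules' \
                      'include $RULE_PATH/pop3.rules')
    echo "== constructed config with mistakes =="
    snort_lint "$bad" || true
    echo "== constructed corrected config =="
    snort_lint "$good" && echo "no problems found"
    rm -f "$bad" "$good"
}
demo
```

Run it against the real file with `snort_lint /etc/snort/snort.conf` before restarting snortd; a non-zero exit status means the daemon would either fail to start or watch the wrong HOME_NET.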


#--------------------------------------------------------------------------


# setting the interface(s) snort listens on
# configured in the file "/etc/sysconfig/snort"
# a single interface: INTERFACE=interface
# several interfaces: INTERFACE="interface1 interface2 ..."


# For example 
INTERFACE=eth0              # single interface
INTERFACE="eth0 eth1 eth2"  # several interfaces


# start, stop and restart the service
service snortd [ start | stop | restart ]
/etc/init.d/snortd [ start | stop | restart ]


# log file PATH "/var/log/snort/alert" (or "/var/log/snort/<interface name>/alert" when listening on several interfaces)
# to test: run an nmap port scan against the host, then check whether records appear with "cat /var/log/snort/alert"


################
##   Nessus   ##
################

# rpm from www.nessus.org
http://www.nessus.org/products/nessus/nessus-download-agreement
# Nessus server  |  Nessus client
# register
http://www.nessus.org/register
# registration command (xxxx-... is the activation code you receive)
nessus-fetch --register xxxx-xxxx-xxxx-xxxx-xxxx
