Securing a Server Against Attacks from the Internet (CentOS) (Part 1)
In this post I want to share how to protect your server against attacks from outside using the DenyHosts application. Unfortunately DenyHosts has some weaknesses, for example a check interval that is easy to guess. Below are the steps to secure your server with DenyHosts plus an additional shell script that fills that gap.
1. Install denyhosts
# yum install denyhosts
2. Configure DenyHosts
# vi /etc/denyhosts.conf
Edit the following settings:
BLOCK_SERVICE = ALL
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = admin@yourdomain.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
DENY_THRESHOLD_RESTRICTED = 1
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_INVALID = 3
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
HOSTNAME_LOOKUP=YES
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
WORK_DIR = /usr/share/denyhosts/data
3. Restart the denyhosts service
# service denyhosts restart   or   # /etc/init.d/denyhosts restart
DONE
Note: the weakness of the setup above is that blocking is decided by how many times a source tries to log in; in the settings above I set that to 3 attempts (DENY_THRESHOLD_INVALID = 3). The question is: what happens if someone keeps trying to log in, but spaced out over different time intervals?
To cover that shortcoming I wrote a script that looks for the anomaly described above within a given time window and locks the source out. I named this program cekInterval.sh and run it from cron once an hour.
CODE :
#!/bin/bash
# Block every source IP that produced a "Failed password" entry in the previous hour.
# Day and hour are computed together so that at 00:xx the script looks at 23:xx of the
# previous day; %e gives the space-padded day that syslog writes ("Jan  5", not "Jan 05").
WINDOW=$(date -d '1 hour ago' +"%b %e %H")
ADMIN=admin@yourdomain.com

for i in $(grep "^$WINDOW:" /var/log/secure | grep "Failed password" | awk -F"from" '{print $2}' | awk '{print $1}' | sort -u)
do
    # Fixed-string, whole-word match so that 1.2.3.4 is not taken for 1.2.3.45
    if ! grep -qwF -- "$i" /etc/hosts.deny
    then
        echo "ALL: $i" >> /etc/hosts.deny
        echo "Ip $i BLACKLISTED, criteria = Too Many Failed Logins with different Username or password" | mail -s "Suspected IP,Blocked" "$ADMIN"
    fi
    # an address that is already listed is skipped and the loop goes on to the next one
done
#=======================================================================#
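The script above blocks on a per-hour window. The slow-attacker problem described in the note is easier to see when failures are summarised per source across the whole log, because an address that fails once an hour never crosses DENY_THRESHOLD_INVALID inside any single check but still accumulates. The following is an added example, not code from the original post: it parses syslog-style /var/log/secure lines, reports each source IP with its failure count and first/last timestamp, and shows the exact-match hosts.deny check. The log lines, the hosts.deny entry, the function names and the TEST-NET addresses are all constructed for the example.

```bash
#!/bin/bash
# Added example, not part of the original post. Summarises sshd "Failed password"
# events per source IP across the whole log, so slow, spaced-out attempts that
# never reach DENY_THRESHOLD_INVALID inside one check interval still show up.
# All sample data below is constructed (TEST-NET addresses, invented hostnames).

# failed_login_summary LOGFILE MIN_COUNT
# One output line per source IP with at least MIN_COUNT failures:
#   <ip> <count> <first seen> <last seen>
failed_login_summary() {
    local logfile="$1" min="${2:-1}"
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed password/ {
            ts = $1 " " $2 " " $3          # "Mon d HH:MM:SS" syslog prefix
            for (i = 4; i <= NF; i++) {
                # the source address is the word right after "from"
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    ip = $(i+1)
                    count[ip]++
                    if (!(ip in first)) first[ip] = ts
                    last[ip] = ts
                    break
                }
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    printf "%s %d %s %s\n", ip, count[ip], first[ip], last[ip]
        }' "$logfile" | sort
}

# is_denied IP HOSTS_DENY
# Fixed-string, whole-word match: 203.0.113.7 must not be mistaken for 203.0.113.70.
is_denied() {
    grep -qwF -- "$1" "$2"
}

# write_sample_log FILE: constructed /var/log/secure excerpt (not real data).
# 203.0.113.7 fails once per hour for four hours; 198.51.100.9 fails once.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  5 09:12:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jan  5 09:12:05 web1 sshd[2103]: Accepted publickey for deploy from 198.51.100.20 port 40210 ssh2
Jan  5 10:30:44 web1 sshd[2250]: Failed password for root from 203.0.113.7 port 51118 ssh2
Jan  5 11:02:19 web1 sshd[2301]: Failed password for invalid user test from 198.51.100.9 port 39988 ssh2
Jan  5 11:47:02 web1 sshd[2377]: Failed password for invalid user oracle from 203.0.113.7 port 51377 ssh2
Jan  5 12:48:33 web1 sshd[2490]: Failed password for root from 203.0.113.7 port 51902 ssh2
EOF
}

# write_sample_deny FILE: constructed hosts.deny with one existing entry
write_sample_deny() {
    printf 'ALL: 203.0.113.70\n' > "$1"
}

main() {
    local log deny
    log=$(mktemp) && deny=$(mktemp) || return 1
    write_sample_log "$log"
    write_sample_deny "$deny"
    echo "Sources with 3 or more failures over the whole log:"
    failed_login_summary "$log" 3
    # the listed .70 entry must not shadow .7
    if is_denied 203.0.113.7 "$deny"; then
        echo "203.0.113.7 already in hosts.deny"
    else
        echo "203.0.113.7 not yet in hosts.deny"
    fi
    rm -f "$log" "$deny"
}

main "$@"
```

Run against the real log with `failed_login_summary /var/log/secure 3` to audit before adding anything to hosts.deny; the awk pass only reads, so it is safe to run from a non-privileged account that can read the log.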
That's all, I hope it is useful.