AntiCsdos [Linux]

Prima oara trebuie sa verifici daca ai modulul de kernel
"ip_queue". Logheaza-te ca root si scrie:

Cod:

# lsmod | grep ip_queue

Daca nu spune nimic, scrie:

Cod:

# modprobe ip_queue

apoi

Cod:

# lsmod | grep ip_queue

ar trebui sa arate ceva in genul: ip_queue 10977 1

Daca arata asa, e bine. Trecem mai departe.

1. Downloadam pachetele de care avem nevoie:

-snort_inline=> http://mesh.dl.sourceforge.net/sourceforge/snort-inline/snort_inline-2.4.3-RC4.tar.gz
(sa nu iei alta versiune, mie doar asta imi merge anti exploitu asta)
- libdnet ==> http://switch.dl.sourceforge.net/sourceforge/libdnet/libdnet-1.11.tar.gz
- libnet ==> http://www.packetfactory.net/libnet/dist/libnet.tar.gz
- pcre ==> http://fresh.t-systems-sfr.com/unix/src/misc/pcre-6.7.tar.gz
- iptables-devel ==>
Pentru Fedora, scrie: yum install iptables-devel
Pentru Mandriva, scrie urpmi iptables-devel
Pentru Debian, scrie apt-get install iptables-devel

2. Le instalam in ordinea asta:

Cod:

# tar xzvf libdnet-1.11.tar.gz
# cd libdnet-1.11
# ./configure
# make
# make install

# tar xzvf libnet.tar.gz
# cd libnet
# ./configure
# make
# make install

# tar xzvf pcre-6.6.tar.gz
# cd pcre-6.6
# ./configure
# make
# make install

Apoi snort_inline:

Cod:

# tar xzvf snort_inline-2.4.3-RC4.tar.gz
# cd snort_inline-2.4.3-RC4
# ./configure
# make
# make install

Daca la configure iti da eroare ca ii lipseste si o alta librarie
inafara de cele de mai sus, va trebui sa o instalezi tu.
Daca la compilare iti da eroare de make[3]: *** [spo_alert_fast.o] Error
1, trebuie sa:

Cod:

# cd /root
# wget ftp://ftp.linux.ro/kernel.org/linux/kernel/v2.6/linux-2.6.9.tar.bz2
# bzip2 -cd linux-2.6.9.tar.bz2 | tar xf -
# cd /usr/include
# mv linux linux.vechi
# ln -s /root/linux-2.6.9/include/linux/ linux
si inapoi la instalarea snort_inline. daca ai folosit chestia asta,
trebuie sa o aducem inapoi la normal:
# cd /usr/include
# rm -rf linux
# mv linux.vechi linux

Dupa ce snort_inline a fost instalat, trecem la configurare:

Cod:

# cd snort_inline-2.4.3-RC4
# mkdir rules
# cp etc/classification.config rules/
# cp etc/reference.config rules/
# mkdir /etc/snort_inline
# cp etc/* /etc/snort_inline/
# cp rules/ /etc/snort_inline/ -R

Deschizi cu un editor text fisierul: /etc/snort_inline/snort_inline.conf
si inlocuiesti linia:
var RULE_PATH /etc/snort_inline/drop_rules
cu
var RULE_PATH /etc/snort_inline/rules

Apoi te duci jos, in acelasi fisier, si in loc de:

Cod:

### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules

### Disabled

Lasi doar:

Cod:

### The Drop Rules
# Enabled
include $RULE_PATH/hlds1.rules
include $RULE_PATH/hlds2.rules
include $RULE_PATH/hlds3.rules

### Disabled

Apoi, trebuie sa creezi si editezi cele 3 fisiere dupa cum urmeaza:
/etc/snort_inline/rules/hlds1.rules trebuie sa contina:

Cod:

alert udp any any <> any 27015 (msg: "HLDS Exploit"; \
content: "\"\\\""; replace: " ";)

/etc/snort_inline/rules/hlds2.rules trebuie sa contina:

Cod:

alert udp any any <> any 28015 (msg: "HLDS Exploit"; \
content: "\"\\\""; replace: " ";)

/etc/snort_inline/rules/hlds3.rules trebuie sa contina:

Cod:

alert udp any any <> any 29015 (msg: "HLDS Exploit"; \
content: "\"\\\""; replace: " ";)

Mai departe:

Cod:

# mkdir /var/log/snort_inline

Apoi facem regulile de iptables pentru fiecare port udp:

Cod:

# iptables -I INPUT -p udp --dport 27015 -j QUEUE
# iptables -I INPUT -p udp --dport 28015 -j QUEUE
# iptables -I INPUT -p udp --dport 29015 -j QUEUE

Si ultima, pornim snort_inline:

Cod:

# /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v -D

Ca sa porneasca la startup-ul linuxului, trebuie sa adaugi in
/etc/rc.d/rc.local :

/sbin/modprobe ip_queue
/sbin/iptables -I INPUT -p udp --dport 27015 -j QUEUE
/sbin/iptables -I INPUT -p udp --dport 28015 -j QUEUE
/sbin/iptables -I INPUT -p udp --dport 29015 -j QUEUE
/usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N
-l /var/log/snort_inline/ -t /var/log/snort_inline/ -v -D


Cam asta ar fi. 27015, 28015 , 29015 sunt porturile pe care ruleaza serverul, deci pot fi inlocuite cu orice

Autor : laddu