Tentativas de Acesso
1. Tentativas de Acesso
liquid
(usa Suse)
Enviado em 19/04/2010 - 11:52h
Bom Dia galera do VOL.Venho pedir mais uma vez uma ajuda.
Tenho o seguinte script de Firewall instalado em meus clientes:
######################################################
# Script Firewall - SuSEfirewall2
#
# Criado por Marconi Junior - 14/10/2009
#######################################################
#!/bin/bash
if [ "$1" = "flush" ]; then
echo "Flushing"
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F #Flush no NAT
iptables -X #Flush nas CHAINS
-f.
echo " Done "
else
echo " Iniciando regras do Firewall"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -X
iptables -Z
##########################################################
echo "CONFIGURACAO DAS INTERFACES"
##########################################################
echo "Configurando as interfaces "
echo "eth3 = 192.168.0.2 "
echo "eth2 =
INTRA=eth3
INTER=eth2
SUSE= #SERVIDOR SUSE-FIREWALL
##########################################################
echo "REGRAS PRINCIPAIS OBRIGATORIAS"
#########################################################
echo "Liberando Loopback"
iptables -A INPUT -i lo -j ACCEPT
#########################################################
echo "EVITANDO SPOOFING"
#########################################################
iptables -t nat -A PREROUTING -i $INTER -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $INTER -s 172.16.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $INTER -s 192.168.0.0/24 -j DROP
iptables -t nat -A PREROUTING -i $INTER -s 200.171.228.173 -j DROP
iptables -t nat -A PREROUTING -i $INTER -s 212.154.133.204 -j DROP
##########################################################
echo "Aplicando Regras de Seguranca"
# Protecao contra synflood, ICMP broadcasting.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
# Protecao contra Portscanner, ping of Death, DoS attack.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $INTER -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
# Protecao contra pacotes malformados e invalidos.
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
###########################################################
echo "LIBERANDO PING"
###########################################################
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
###########################################################
echo "LIBERANDO SSH PARA O FIREWALL"
##########################################################
iptables -A INPUT -p tcp --dport 22 -d $SUSE -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
###########################################################
echo "CONFIGURANDO NAT PARA O SQUID"
###########################################################
# iptables -t nat -A PREROUTING -i $INTER -p tcp --dport 80 -j REDIRECT --to-port 3128
# iptables -t nat -A PREROUTING -i $INTER -p tcp --dport 443 -j REDIRECT --to-port 3128
#########################################################
echo "MASCARANDO O IP"
#########################################################
iptables -t nat -A POSTROUTING -o $INTER -j MASQUERADE
##########################################################
echo "LIBERACAO DE INTERNET"
#########################################################
iptables -A FORWARD -i $INTRA -j ACCEPT
##########################################################
echo "BLOQUEIO DE MSN"
#########################################################
modprobe ipt_string
# iptables -t filter -A FORWARD -p tcp --dport 6891:6901 -j ACCEPT
# iptables -t filter -A FORWARD -p tcp --dport 1863 -j ACCEPT
# iptables -t filter -A FORWARD -p udp --dport 1863 -j ACCEPT
# iptables -t filter -A FORWARD -p tcp --dport 5190 -j ACCEPT
# iptables -t filter -A FORWARD -p udp --dport 5190 -j ACCEPT
############################################################
echo "HABILITAR MODULO DE FTP "
############################################################
# load FTP conntrack & NAT helper modules
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
############################################################
echo "LIBERACAO DE PORTAS DA INTERNET PARA INTRANET"
############################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -s 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 20 -j ACCEPT # FTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 21 -j ACCEPT # FTP
iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 53 -j ACCEPT # DNS
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 37000:38000 -j ACCEPT # FTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 8080 -j ACCEPT # HTTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 80 -j ACCEPT # HTTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --sport 80 -j ACCEPT # HTTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 443 -j ACCEPT # HTTPS
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 1723 -j ACCEPT # PPTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 47 -j ACCEPT # retorno PPTP
iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 500 -j ACCEPT # ISAKMP
iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 1701 -j ACCEPT # L2TP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 123 -j ACCEPT # NTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 25 -j ACCEPT # SMTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 110 -j ACCEPT # POP3
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 3389 -j ACCEPT # TERMINAL SERVICES
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 5900 -j ACCEPT # ULTRAVNC
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 10051 -j ACCEPT # Server ZABBIX
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 10050 -j ACCEPT # Lister Server ZABBIX
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 4550 -j ACCEPT # CAMERAS EXTERNO
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 3130 -j ACCEPT # CAMERAS EXTERNO
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 5550 -j ACCEPT # CAMERAS EXTERNO
#############################################################
echo "STATEFULL INSPECTION"
#############################################################
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
##########################################################
echo "CONFIGURANDO LOGS"
##########################################################
echo "Logando tentativas invalidas de navegar ( Lan )"
iptables -A FORWARD -i $INTRA -o $INTER -j LOG --log-level DEBUG --log-prefix " Intra para Internet:"
echo "Logando pacotes bloqueados da internet para a intranet"
iptables -A INPUT -p tcp -i $INTER -j LOG --log-level DEBUG --log-prefix "Pacotetcp:"
iptables -A INPUT -p icmp -i $INTER -j LOG --log-level DEBUG --log-prefix "Pacoteicmp:"
#############################################################
Mais as regras de NAT para os serviços internos.
Tudo funciona muito bem, mas ultimamente venho sofrendo muitas tentativas de invasao ao firewall e outras tentativas de acesso como admin(ou administrador) aos servidores windows dentro da rede(via terminal service).
Alguns desses endereços eu coloquei manualmente nas regras de bloqueio de spoofing.
Existe algum procedimento para melhorar este script e deixa-lo mais "Forte"?? existe algum comando que verifique mais de uma tentativa de logon errado de um mesmo ip e bloqueie o acesso deste mesmo ip??
Obrigado a todos.
Patrocínio
Site hospedado pelo provedor RedeHost.
Destaques
Artigos
Como escolher o melhor escalonador de CPU para melhorar o desempenho da máquina
Curiosidade sobre DOOM Guy e Isabelle de Animal Crossing
Inicializando servidor Ubuntu na AWS e rodando apache em Container
Dicas
Instalando TeamViewer no Debian 12
Conheça o Octopi, outro frontend para o Pacman com acesso ao AUR (Arch Linux e derivados)
Terminal transparente no Debian 12 com interface i3wm usando Xfce4-Terminal e Compton
Tópicos
O que é isso no meu navegador? [RESOLVIDO] (5)
Eu estou com problemas para usar o QBASIC no Dosbox X (2)
Ubuntu simplesmente morreu (8)
Como colocar uma assinatura digital em um código compilado ! (2)
Top 10 do mês
-
Xerxes
1° lugar - 69.304 pts -
Fábio Berbert de Paula
2° lugar - 58.214 pts -
Clodoaldo Santos
3° lugar - 54.269 pts -
Sidnei Serra
4° lugar - 37.651 pts -
Buckminster
5° lugar - 21.392 pts -
Daniel Lara Souza
6° lugar - 16.753 pts -
Mauricio Ferrari
7° lugar - 16.076 pts -
Alberto Federman Neto.
8° lugar - 15.751 pts -
Diego Mendes Rodrigues
9° lugar - 15.197 pts -
edps
10° lugar - 14.384 pts
Scripts
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
