Igor Barros Posted December 2, 2011

Folks, I'm getting some attacks on my server and would like to block them. The attack logs are available on this page: http://igorbarros.com.br/logs

I'm willing to pay for this protection; I await your contact.
joaopaulo Posted December 2, 2011

I grabbed this firewall off the net a while ago (I don't have the link anymore) and use it on my VPS at Burst. Replace venet0 and venet0:1 with the names of your network interfaces. Create a file at /etc/init.d/firewallP with the content below. Then, to activate it, just run: /etc/init.d/firewallP start

```bash
#!/bin/bash
# **********************************************
# ** Firewall script for basic protection
# **********************************************
# Variable declarations.
FIREWALL='/etc/init.d/firewall'
WAN1='venet0'
IPTABLES=$(which 'iptables')
MODPROBE=$(which 'modprobe')

start() {
    echo "-------------------------------------"
    echo "Firewall!"
    echo "-------------------------------------"
    echo 'Loading modules...'
    $MODPROBE 'ip_tables'
    $MODPROBE 'x_tables'

    echo 'Cleaning up firewall...'
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X
    iptables -Z
    iptables -t nat -Z
    iptables -t mangle -Z
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    echo 'OK -> Default policy defined...'

    echo 'OK -> Loopback interface enabled...'
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    echo 'OK -> DOS Protection'

    #echo 'OK -> Comunication trought interfaces enabled...'
    #echo '1' > /proc/sys/net/ipv4/ip_forward

    # Drop packets in state "new/invalid" that leave via eth0
    iptables -A FORWARD -o venet0 -m state --state NEW,INVALID -j DROP

    # Blocking brute-force connections via SSH:
    iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
    echo 'OK -> Accepted SSH Connection (fail2ban enabled)...'

    # PROTECTION AGAINST ATTACKS
    iptables -A INPUT -m state --state INVALID -j DROP
    echo "OK -> Blocking attacks..."

    # PROTECTS AGAINST PACKETS THAT MAY PROBE FOR AND OBTAIN INTERNAL INFORMATION
    iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
    echo "OK -> Spy-packages protection..."

    # BLOCKING TRACEROUTE
    iptables -A INPUT -p udp -s 0/0 -i venet0 --dport 33435:33525 -j DROP
    echo "OK -> Blocking traceroute..."

    # INTERNET SECURITY RULES
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "OK -> Internet security rules..."

    # KERNEL PROTECTIONS
    echo 0 > /proc/sys/net/ipv4/conf/venet0/accept_source_route
    echo 0 > /proc/sys/net/ipv4/conf/venet0/accept_redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    echo "OK -> Kernel protections..."

    # Allow Webmin
    #iptables -A INPUT -p udp --dport 10000 -j ACCEPT
    #iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

    # Miscellaneous ports
    echo "------> Abrindo Portas do Apache"
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    #iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
    #iptables -A INPUT -p tcp --dport 45659 -j ACCEPT

    echo "-------> Abrindo Portas para Email"
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p udp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -A INPUT -p udp --dport 110 -j ACCEPT
    iptables -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -A INPUT -p udp --dport 143 -j ACCEPT
    iptables -A INPUT -p tcp --dport 465 -j ACCEPT
    iptables -A INPUT -p udp --dport 465 -j ACCEPT
    iptables -A INPUT -p tcp --dport 587 -j ACCEPT
    iptables -A INPUT -p udp --dport 587 -j ACCEPT
    iptables -A INPUT -p tcp --dport 995 -j ACCEPT
    iptables -A INPUT -p udp --dport 995 -j ACCEPT
    iptables -A INPUT -p tcp --dport 993 -j ACCEPT
    iptables -A INPUT -p udp --dport 993 -j ACCEPT

    echo "-------> Abrindo Portas para DNS"
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j ACCEPT

    echo "-------> Abrindo Portas para MYSQL"
    iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
    iptables -A INPUT -p udp --dport 3306 -j ACCEPT

    echo "-------> Abrindo Portas para FTP"
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p udp --dport 21 -j ACCEPT

    echo "-------> Abrindo Portas para SSH"
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p udp --dport 22 -j ACCEPT

    # Additional protections
    #iptables -A INPUT -p tcp --dport 5900 -j DROP
    #iptables -A INPUT -p tcp --dport 53 -j DROP
    #echo 'OK -> Definido redirecionamento de proxy transparente'
    #iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    # Ping of death protection
    # -------------------------------------------------------
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Trinoo protection
    # -------------------------------------------------------
    iptables -N TRINOO
    iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
    iptables -A TRINOO -j DROP
    iptables -A INPUT -p TCP -i venet0 --dport 27444 -j TRINOO
    iptables -A INPUT -p TCP -i venet0 --dport 27665 -j TRINOO
    iptables -A INPUT -p TCP -i venet0 --dport 31335 -j TRINOO
    iptables -A INPUT -p TCP -i venet0 --dport 34555 -j TRINOO
    iptables -A INPUT -p TCP -i venet0 --dport 35555 -j TRINOO
    echo 'OK -> Trinoo protection...'

    # Trojan protection
    # -------------------------------------------------------
    iptables -N TROJAN
    iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
    iptables -A TROJAN -j DROP
    iptables -A INPUT -p TCP -i venet0 --dport 666 -j TROJAN
    iptables -A INPUT -p TCP -i venet0 --dport 4000 -j TROJAN
    iptables -A INPUT -p TCP -i venet0 --dport 6000 -j TROJAN
    iptables -A INPUT -p TCP -i venet0 --dport 6006 -j TROJAN
    iptables -A INPUT -p TCP -i venet0 --dport 16660 -j TROJAN
    echo 'OK -> Trojan protection...'

    # Worm protection
    # -------------------------------------------------------
    iptables -A FORWARD -p tcp --dport 135 -i venet0 -j REJECT
    echo 'OK -> Worm protection...'

    # Port scanner protection
    # -------------------------------------------------------
    iptables -N SCANNER
    iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
    iptables -A SCANNER -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i venet0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -i venet0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -i venet0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i venet0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i venet0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i venet0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i venet0 -j SCANNER
    echo 'OK -> Port Scanner Protection...'

    ## BLOCKING STEALTH PORT SCANNERS
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    echo 'OK -> Hidden Port Scanner Protection...'

    # BackOrifice
    iptables -A INPUT -p tcp -m tcp --dport 31337 -j DROP
    iptables -A INPUT -p udp -m udp --dport 31337 -j DROP
    echo 'OK -> BackOrifice Protection...'

    # NetBus
    iptables -A INPUT -p tcp -m tcp --dport 12345:12346 -j DROP
    iptables -A INPUT -p udp -m udp --dport 12345:12346 -j DROP
    echo 'OK -> NetBus Protecion...'

    # Enable outbound masquerading
    # -------------------------------------------------------
    iptables -A POSTROUTING -t nat -o venet0 -j MASQUERADE
    echo 'OK -> Packages output masquerading...'
    echo
    mkdir -p /var/lock/subsys/
    touch /var/lock/subsys/iptables
}

stop() {
    echo "Stopping Firewall!"
    echo "OK -> Flushing all chains"
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    echo "OK -> Removed user defined chains"
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X
    iptables -Z
    iptables -t nat -Z
    iptables -t mangle -Z
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    echo "OK -> Resetted built-in chains to the default ACCEPT policy"
    echo OK
    echo
    rm -f /var/lock/subsys/iptables
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        # Useless function, but... be happy...
        start
        ;;
    status)
        iptables --list
        ;;
    panic)
        echo "OK -> Changed target policies to DROP"
        iptables -P INPUT DROP && \
        iptables -P FORWARD DROP && \
        iptables -P OUTPUT DROP && \
        echo
        echo "OK -> Flushing all chains"
        iptables -F INPUT && iptables -F FORWARD && iptables -F OUTPUT
        echo "OK -> Removed user defined chains"
        iptables -X
        echo "OK -> Extremelly paranoic mode [ON] (yes, you can be more paranoic than the default start function)"
        ;;
    *)
        echo "Opções disponíveis são: start|stop|restart|status|panic"
        ;;
esac
exit 0
```
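The TRINOO, TROJAN and SCANNER chains in the script above write rate-limited kernel log lines tagged "FIREWALL: trinoo: ", "FIREWALL: trojan: " and "FIREWALL: port scanner: ". The following is an added example, not code from this thread, that parses such lines to see which sources are hitting those chains and on which ports; the log lines, host name and addresses are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample kernel log lines in the shape iptables' LOG target writes
# when the script's TRINOO, TROJAN and SCANNER chains fire (made-up addresses);
# the sshd line is unrelated noise that the parser must skip.
SAMPLE_LOG = """\
Dec  2 10:01:12 vps kernel: FIREWALL: port scanner: IN=venet0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=41234 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN
Dec  2 10:01:13 vps kernel: FIREWALL: port scanner: IN=venet0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=41235 DPT=22 WINDOW=1024 RES=0x00
Dec  2 10:05:40 vps kernel: FIREWALL: trinoo: IN=venet0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=5555 DPT=27444 WINDOW=5840 RES=0x00 SYN
Dec  2 10:05:41 vps kernel: FIREWALL: trojan: IN=venet0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=5556 DPT=666 WINDOW=5840 RES=0x00 SYN
Dec  2 10:06:00 vps sshd[1234]: Accepted publickey for admin from 198.51.100.20 port 50000 ssh2
"""

# Matches the "FIREWALL: <chain>: " prefix set by the script's LOG rules, then
# the source address, protocol and (for TCP/UDP) destination port fields.
LOG_RE = re.compile(
    r"kernel: FIREWALL: (?P<kind>[^:]+): .*?SRC=(?P<src>\S+)"
    r" .*?PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)

def parse_firewall_log(text):
    """Yield (kind, src, proto, dpt) for each line written by the LOG rules."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            dpt = int(m["dpt"]) if m["dpt"] else None
            yield m["kind"], m["src"], m["proto"], dpt

def summarize(text):
    """Count hits per (kind, src) and collect the ports each source touched."""
    hits = Counter()
    ports = defaultdict(set)
    for kind, src, _proto, dpt in parse_firewall_log(text):
        hits[(kind, src)] += 1
        if dpt is not None:
            ports[src].add(dpt)
    return hits, ports

def noisy_sources(text, threshold=2):
    """Sources whose hits across all chains reach the threshold, sorted."""
    hits, _ = summarize(text)
    per_src = Counter()
    for (_kind, src), n in hits.items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)

if __name__ == "__main__":
    for (kind, src), n in sorted(summarize(SAMPLE_LOG)[0].items()):
        print(f"{kind:13s} {src:15s} hits={n}")
```

On a real host, feed it the output of `grep 'FIREWALL:' /var/log/messages` (or `dmesg`); because the LOG rules are limited to 15 lines per minute, the counts are a lower bound on the actual hit rate.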
Jordan Miguel Posted December 2, 2011

Why don't you use CSF?
Igor Barros (Author) Posted December 3, 2011

> Why don't you use CSF?

I already use it, but it doesn't block this type of attack. If you have the program called "WireShark", try opening this packet capture and you'll see. http://igorbarros.com.br/logs/21-11-2011-00-31-02.cap