[Original] Recommend an intrusion detection system plus an active firewall: Snort + Guardian
--------------------------------------------------------------------

Snort is an open-source, lightweight intrusion detection system that monitors the network for abnormal activity and reports it. Guardian is an active firewall built on Snort and iptables: it reads Snort's alert log and, according to its configured criteria, automatically adds malicious source IPs to the iptables INPUT chain so that their packets are dropped.

Since I started using Snort + Guardian I have been seeing a lot of malicious activity every day, and I am very happy with it. I recommend you use it!

Installation Steps:

1) Install Snort:

* Download Snort and Guardian. The current download addresses are:
  http://www.snort.org/dl/snort-2.3.0rc2.tar.gz
  http://www.snort.org/dl/contrib/... Guardian-1.6.tar.gz
* Copy the files above to /tmp
* tar zxvf *.tar.gz
* cd snort-2.3.0rc2
* ./configure
* make
* make install
* mkdir /etc/snort
* cd /etc/snort
* wget http://www.snortrules-snapshot-current.tar.gz
* tar zxvf snortrules-snapshot-current.tar.gz
* mkdir /var/log/snort
* cd /etc
* vi snort.conf and modify the key settings as follows:
    var HOME_NET yournetwork
    var RULE_PATH /etc/snort/rules
    preprocessor http_inspect: global iis_unicode_map /etc/snort/rules/unicode.map 1252
    include /etc/snort/rules/reference.config
    include /etc/snort/rules/classification.config
  Here yournetwork is your own network, e.g. 220.8.0.0/16. Optionally uncomment "include $RULE_PATH/local.rules" (remove the leading #) and put your own rules in that file.
* Start Snort with:
    /usr/local/bin/snort -d -l /var/log/snort -c /etc/snort.conf
* Add the previous command to /etc/rc.d/rc.local

2) Install Guardian (requires Perl):

* cd /tmp
* tar zxvf Guardian-1.6.tar.gz
* cd Guardian-1.6
* echo > /etc/guardian.ignore
* cp guardian.pl /usr/local/bin/.
* cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
* cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
* cp guardian.conf /etc/.
* vi /etc/guardian.conf as follows:
    HostGatewayByte 1
    # Guardian log file
    LogFile /var/log/guardian.log
    # Snort alert file that Guardian reads
    AlertFile /var/log/snort/alert
    # File listing the IPs you need Guardian to ignore
    IgnoreFile /etc/guardian.ignore
    # Maximum blocking time for an IP in seconds; 99999999 means no time limit
    TimeLimit 86400
* Start Guardian with:
    /usr/bin/perl /usr/local/guardian.pl -c /etc/guardian.conf
* Add this last command to /etc/rc.d/rc.local too. That completes the setup.

Note: 1) Snort rule files are updated often; you can use the following script to update them automatically:
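The rule-update script that the note above refers to is not included on this page. Separately, to make concrete what Guardian does between the Snort alert file and iptables (steps 1 and 2 above), here is an added example written for this page; it is not Guardian's own code and not part of the original post. It parses the packet-header line of Snort "full" alerts, skips source addresses listed in the ignore file and the host's own address, deduplicates, and produces the iptables block/unblock commands, applying the TimeLimit semantics from guardian.conf (99999999 meaning no expiry). The sample alert text, the ignore list, the host address 203.0.113.5 and the exact iptables command forms are constructed assumptions for the example; the real Guardian scripts (guardian_block.sh / guardian_unblock.sh) may differ. The commands are returned as strings rather than executed, so it runs safely offline.

```python
"""Minimal model of Guardian's alert-to-iptables logic (added example, not Guardian's code)."""
import re

# Constructed host address for the example (assumption, not from the page).
HOST_IP = "203.0.113.5"

# Constructed Snort "full" alert file: four alerts, one of them a repeat.
# Signature ids 1000001+ are the local.rules range; these rules are made up.
SAMPLE_ALERT = """\
[**] [1:1000001:1] LOCAL probe on uncommon port [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/23-10:15:02.123456 192.0.2.10:1434 -> 203.0.113.5:1434
UDP TTL:110 TOS:0x0 ID:5678 IpLen:20 DgmLen:404

[**] [1:1000002:1] LOCAL ping from monitoring host [**]
[Classification: Misc activity] [Priority: 3]
01/23-10:15:03.000001 198.51.100.7 -> 203.0.113.5
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84

[**] [1:1000003:1] LOCAL outbound reply matched [**]
[Classification: Misc activity] [Priority: 3]
01/23-10:15:04.500000 203.0.113.5:80 -> 192.0.2.10:40000
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:52

[**] [1:1000001:1] LOCAL probe on uncommon port [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/23-10:16:00.000000 192.0.2.10:1434 -> 203.0.113.5:1434
UDP TTL:110 TOS:0x0 ID:5679 IpLen:20 DgmLen:404
"""

# Constructed /etc/guardian.ignore: the monitoring host should never be blocked.
SAMPLE_IGNORE = """\
# hosts Guardian must never block
198.51.100.7
"""

# Packet-header line of a Snort full alert, e.g.
#   01/23-10:15:02.123456 192.0.2.10:1434 -> 203.0.113.5:1434
# The port suffix is optional so ICMP alerts (no ports) also match.
ALERT_LINE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)

NO_LIMIT = 99999999  # TimeLimit value that guardian.conf documents as "no time limit"


def parse_alert_sources(alert_text):
    """Return (timestamp, source_ip, dest_ip) for every alert header line."""
    hits = []
    for line in alert_text.splitlines():
        m = ALERT_LINE.match(line.strip())
        if m:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def load_ignore_list(ignore_text):
    """One IP per line; blank lines and '#' comments are skipped."""
    ips = set()
    for line in ignore_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ips.add(line)
    return ips


def plan_blocks(alert_text, ignore_text, host_ip, already_blocked=()):
    """Decide which alert sources to block.

    Returns (iptables commands, newly blocked IPs). The host's own address is
    always ignored, as are IPs in the ignore file and IPs already blocked.
    """
    ignore = load_ignore_list(ignore_text) | {host_ip}
    seen = set(already_blocked)
    commands, new = [], []
    for _ts, src, _dst in parse_alert_sources(alert_text):
        if src in ignore or src in seen:
            continue
        seen.add(src)
        new.append(src)
        # Assumed form of guardian_block.sh: prepend a DROP for the source.
        commands.append(f"iptables -I INPUT -s {src} -j DROP")
    return commands, new


def plan_unblocks(blocked_at, now, time_limit):
    """Return unblock commands for IPs whose TimeLimit has elapsed.

    blocked_at maps ip -> epoch seconds at which the block was inserted.
    """
    if time_limit >= NO_LIMIT:
        return []
    commands = []
    for ip, t in blocked_at.items():
        if now - t >= time_limit:
            # Assumed form of guardian_unblock.sh: delete the matching DROP.
            commands.append(f"iptables -D INPUT -s {ip} -j DROP")
    return commands


if __name__ == "__main__":
    cmds, newly = plan_blocks(SAMPLE_ALERT, SAMPLE_IGNORE, HOST_IP)
    for c in cmds:
        print(c)
    print("blocked:", newly)
```

Running it prints a single block command for 192.0.2.10: the second alert is from the ignored monitoring host, the third has the protected host itself as source, and the fourth is a repeat. Adding the ignore file's entries is what keeps a spoofed or noisy trusted host (DNS, gateway, monitoring) from being locked out, which is why the Guardian setup above creates /etc/guardian.ignore before the service is started.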