Access Attempts

Jose Marconi
liquid

(uses Suse)

Posted on 19/04/2010 - 11:52h

Good morning, VOL folks.

Once again I'm here to ask for some help.

I have the following firewall script installed at my clients' sites:

#!/bin/bash
######################################################
# Firewall script - SuSEfirewall2
#
# Created by Marconi Junior - 14/10/2009
#######################################################

if [ "$1" = "flush" ]; then
echo "Flushing"
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F # flush the NAT table
iptables -X # delete user-defined chains
echo " Done "
else
echo " Iniciando regras do Firewall"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -X
iptables -Z

##########################################################
echo "CONFIGURACAO DAS INTERFACES"
##########################################################

echo "Configurando as interfaces "
echo "eth3 = 192.168.0.2 "
echo "eth2 = " # the external address was cut off in the original post
INTRA=eth3
INTER=eth2
SUSE= # SuSE firewall server address (left blank in the post; fill in before use)
##########################################################
echo "REGRAS PRINCIPAIS OBRIGATORIAS"
#########################################################

echo "Liberando Loopback"

iptables -A INPUT -i lo -j ACCEPT

#########################################################
echo "EVITANDO SPOOFING"
#########################################################

# Private (RFC 1918) and known-bad source addresses must never arrive on the
# external interface. The post put these DROP rules in the nat table, which is
# meant for address translation and is only consulted for the first packet of a
# connection; a filter chain checked from both INPUT and FORWARD covers every packet.
iptables -N ANTISPOOF
iptables -A ANTISPOOF -s 10.0.0.0/8 -j DROP
iptables -A ANTISPOOF -s 172.16.0.0/12 -j DROP # the post had /16; the RFC 1918 block is 172.16.0.0/12
iptables -A ANTISPOOF -s 192.168.0.0/16 -j DROP # the post had /24; the RFC 1918 block is 192.168.0.0/16
iptables -A ANTISPOOF -s 200.171.228.173 -j DROP
iptables -A ANTISPOOF -s 212.154.133.204 -j DROP
iptables -A INPUT -i $INTER -j ANTISPOOF
iptables -A FORWARD -i $INTER -j ANTISPOOF

##########################################################

echo "Aplicando Regras de Seguranca"

# Protection against SYN flood and ICMP broadcasts.

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Protection against port scanners, ping of death and DoS attacks.
# Note: the "limit" rules below only ACCEPT a trickle of packets; whatever exceeds
# the limit is not dropped here but falls through to the later rules.

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP # the post repeated the INPUT rule here
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $INTER -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

# Protection against malformed and invalid packets (illegal TCP flag combinations).

iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
# The post defined VALID_CHECK but never sent traffic through it; without these
# two jumps the chain has no effect.
iptables -A INPUT -p tcp -j VALID_CHECK
iptables -A FORWARD -p tcp -j VALID_CHECK

###########################################################
echo "LIBERANDO PING"
###########################################################

iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

###########################################################
echo "LIBERANDO SSH PARA O FIREWALL"
##########################################################

# SUSE is empty in the post, so "-d $SUSE" would produce a broken rule; only add it when set.
[ -n "$SUSE" ] && iptables -A INPUT -p tcp --dport 22 -d $SUSE -j ACCEPT
# This rule accepts SSH on every interface, including $INTER, which is where
# the login attempts described below arrive.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

###########################################################
echo "CONFIGURANDO NAT PARA O SQUID"
###########################################################

# iptables -t nat -A PREROUTING -i $INTER -p tcp --dport 80 -j REDIRECT --to-port 3128
# iptables -t nat -A PREROUTING -i $INTER -p tcp --dport 443 -j REDIRECT --to-port 3128

#########################################################
echo "MASCARANDO O IP"
#########################################################

iptables -t nat -A POSTROUTING -o $INTER -j MASQUERADE

##########################################################
echo "LIBERACAO DE INTERNET"
#########################################################

iptables -A FORWARD -i $INTRA -j ACCEPT
##########################################################
echo "BLOQUEIO DE MSN"
#########################################################

modprobe xt_string 2>/dev/null || modprobe ipt_string # newer kernels use the xt_ name

# iptables -t filter -A FORWARD -p tcp --dport 6891:6901 -j ACCEPT
# iptables -t filter -A FORWARD -p tcp --dport 1863 -j ACCEPT
# iptables -t filter -A FORWARD -p udp --dport 1863 -j ACCEPT
# iptables -t filter -A FORWARD -p tcp --dport 5190 -j ACCEPT
# iptables -t filter -A FORWARD -p udp --dport 5190 -j ACCEPT

############################################################
echo "HABILITAR MODULO DE FTP "
############################################################

# load FTP conntrack & NAT helper modules (newer kernels use the nf_* names)
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp


############################################################
echo "LIBERACAO DE PORTAS DA INTERNET PARA INTRANET"
############################################################

echo 1 > /proc/sys/net/ipv4/ip_forward

# These rules admit NEW connections from the internet ($INTER) into the LAN
# ($INTRA) on each port, together with the DNAT rules the post mentions. Every
# port listed here, RDP 3389 and VNC 5900 included, is reachable by anyone on
# the internet, which is where repeated admin logon attempts come from.
iptables -A FORWARD -s 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 20 -j ACCEPT # FTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 21 -j ACCEPT # FTP
iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 53 -j ACCEPT # DNS
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 37000:38000 -j ACCEPT # FTP passive range
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 8080 -j ACCEPT # HTTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 80 -j ACCEPT # HTTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --sport 80 -j ACCEPT # HTTP: lets in any packet with source port 80; the ESTABLISHED,RELATED rule below already covers HTTP replies
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 443 -j ACCEPT # HTTPS
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 1723 -j ACCEPT # PPTP
iptables -A FORWARD -i $INTER -o $INTRA -p gre -j ACCEPT # PPTP return traffic: GRE is IP protocol 47, not TCP port 47 (the post had "-p tcp --dport 47")
iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 500 -j ACCEPT # ISAKMP
iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 1701 -j ACCEPT # L2TP
iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 123 -j ACCEPT # NTP (UDP; the post had TCP)
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 25 -j ACCEPT # SMTP
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 110 -j ACCEPT # POP3
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 3389 -j ACCEPT # Terminal Services (RDP)
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 5900 -j ACCEPT # UltraVNC
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 10051 -j ACCEPT # Zabbix server
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 10050 -j ACCEPT # Zabbix agent listener
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 4550 -j ACCEPT # external cameras
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 3130 -j ACCEPT # external cameras
iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 5550 -j ACCEPT # external cameras


#############################################################
echo "STATEFULL INSPECTION"
#############################################################

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

##########################################################
echo "CONFIGURANDO LOGS"
##########################################################

echo "Logando tentativas invalidas de navegar ( Lan )"

# Never matches as written: the "LIBERACAO DE INTERNET" rule above already
# accepts everything arriving on $INTRA.
iptables -A FORWARD -i $INTRA -o $INTER -j LOG --log-level DEBUG --log-prefix " Intra para Internet:"

echo "Logando pacotes bloqueados da internet para a intranet"

# Last rules in INPUT: whatever reaches them is logged and then hits the DROP policy.
iptables -A INPUT -p tcp -i $INTER -j LOG --log-level DEBUG --log-prefix "Pacotetcp:"
iptables -A INPUT -p icmp -i $INTER -j LOG --log-level DEBUG --log-prefix "Pacoteicmp:"


#############################################################
fi # closes the if/else at the top; the NAT rules mentioned below go before this line

Plus the NAT rules for the internal services.
Everything works very well, but lately I have been suffering many intrusion attempts against the firewall and other attempts to access the Windows servers inside the network as admin (or administrator), via Terminal Services.

Some of those addresses I added manually to the anti-spoofing block rules.

Is there any procedure to improve this script and make it "stronger"? Is there any command that checks for more than one failed logon attempt from the same IP and blocks access from that IP?

Thanks, everyone.
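The question above asks for a way to notice repeated failed logons from one address and block it. What follows is an added example, not part of the original post or of the poster's script: a POSIX shell snippet with two building blocks, a kernel-side per-source connection limit using the iptables "recent" match on SSH and RDP, and a log-side count of OpenSSH "Failed password" lines that feeds a ban list. It assumes the external interface is eth2 ($INTER in the script), that SSH (22) and RDP (3389) are the exposed ports, that sshd logs in the classic OpenSSH format, and that the recent match (xt_recent / ipt_recent) is available; the IPT variable, the BF_<port> chain names, the function names and the sample log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Set IPT=echo to print the rules
# instead of applying them; the constructed sample log below is not real data.

IPT="${IPT:-iptables}"
INTER="${INTER:-eth2}"   # external interface, as in the poster's script (assumption)

# brute_force_rules IFACE PORT HITS SECONDS
# The first packet (SYN) of every new TCP connection to PORT on IFACE records the
# source address in a "recent" list. The check runs before the record, so HITS
# connections within SECONDS are accepted and the next ones are logged and dropped
# until the address has been quiet for SECONDS. Entries expire on their own, which
# replaces the manual "add the IP to the spoofing list" workflow of the post.
brute_force_rules() {
    iface="$1"; port="$2"; hits="$3"; seconds="$4"
    name="BF_${port}"                      # chain and list name, constructed here
    $IPT -N "$name" 2>/dev/null
    $IPT -F "$name"
    # Sources over the limit: log (rate limited so the log cannot be flooded), then drop.
    $IPT -A "$name" -m recent --name "$name" --update --seconds "$seconds" --hitcount "$hits" \
         -m limit --limit 3/min -j LOG --log-prefix "BRUTE-$port: "
    $IPT -A "$name" -m recent --name "$name" --update --seconds "$seconds" --hitcount "$hits" -j DROP
    # Otherwise record the source and let the connection through.
    $IPT -A "$name" -m recent --name "$name" --set -j ACCEPT
    # Only connection openings enter the chain; established traffic is already
    # handled by the ESTABLISHED,RELATED rules of the main script.
    $IPT -I INPUT 1 -i "$iface" -p tcp --dport "$port" --syn -j "$name"
    $IPT -I FORWARD 1 -i "$iface" -p tcp --dport "$port" --syn -j "$name"
}

# failed_login_ips THRESHOLD < logfile
# Counts OpenSSH "Failed password" lines per source address on stdin and prints
# every address with THRESHOLD or more failures, sorted. This is the log-driven
# counterpart of the kernel rule (the part tools such as fail2ban automate).
failed_login_ips() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip }
    ' | sort
}

# ban_ips < list-of-addresses
# Inserts a DROP for each address at the top of INPUT and FORWARD. Unlike the
# recent-list entries these do not expire by themselves.
ban_ips() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        $IPT -I INPUT 1 -s "$ip" -j DROP
        $IPT -I FORWARD 1 -s "$ip" -j DROP
    done
}

# Constructed sample log: three failures from 203.0.113.7 (two for root, one for
# a non-existent "admin" user), one failure and one success from 192.0.2.50.
sample_auth_log() {
cat <<'EOF'
Apr 19 11:40:01 fw sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 19 11:40:03 fw sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 19 11:40:05 fw sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Apr 19 11:41:10 fw sshd[2240]: Failed password for marconi from 192.0.2.50 port 40001 ssh2
Apr 19 11:41:15 fw sshd[2240]: Accepted password for marconi from 192.0.2.50 port 40001 ssh2
EOF
}

# Usage (as root):
#   sh brute_force.sh apply    installs the limit (4 new connections per 60 s) for SSH and RDP
#   sh brute_force.sh report   lists addresses with 3 or more failed logins in /var/log/messages
#   sh brute_force.sh demo     runs the log counter over the constructed sample
case "${1:-}" in
    apply)  brute_force_rules "$INTER" 22 4 60; brute_force_rules "$INTER" 3389 4 60 ;;
    report) failed_login_ips 3 < /var/log/messages ;;
    demo)   sample_auth_log | failed_login_ips 3 ;;
esac
```

Run `IPT=echo sh brute_force.sh apply` first to see the exact rules before touching a live firewall. The recent match limits connection openings, not logon failures, so it also slows down legitimate users who reconnect often; 4 per minute is a starting point, not a law. For RDP the rule only sees the SYN arriving on the external interface, which is why it is inserted in FORWARD as well as INPUT; the Windows server's own event log is the place to count failed RDP logons, and the `failed_login_ips` pattern would need that log's format instead of the sshd line assumed here.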
