Topic:
Folks, I put protection on my proxy via psad, and it works very well. Now the question is which command I should configure so that it kills a port-scan process, because it does detect when someone port-scans me but it takes no action at all; it only sends me an email telling me which IP port-scanned me. How do I get it to take action about it, in addition to informing me?
Comments
I assume that when you say it should take action, you mean it should block the attacking IP. If so, the program's feature list states that you have the option of:
Auto-blocking of scanning IP addresses via Netfilter and/or tcpwrappers based on scan danger level. (This feature is NOT enabled by default.)
But it also clearly tells you that this option is disabled by default, so you need to review the relevant part of the documentation to decide which of the blocking methods suits you.
This is surely what you are looking for.
http://www.cipherdyne.org/psad/docs/config.html#AUTO_IDS_DANGER_LEVEL
There are only 10 types of people in the world:
Those who understand binary and those who don't
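The setting root bit points at is the ENABLE_AUTO_IDS / AUTO_IDS_DANGER_LEVEL pair in psad.conf. The following script is an added example, not code from the thread or from psad: it reads a psad.conf fragment and reports whether psad would only mail the alert (the shipped default) or actually block the scanning source, and at which danger level. The key names are real psad.conf keys; the two config snippets are constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the thread or from psad itself: checks whether a
# psad.conf turns alerting into auto-blocking. ENABLE_AUTO_IDS,
# AUTO_IDS_DANGER_LEVEL and AUTO_BLOCK_TIMEOUT are real psad.conf keys, written
# one per line as "KEY   VALUE;". The two snippets below are constructed input.

# As shipped: psad only mails the alert and never blocks the scanning IP.
PSAD_CONF_DEFAULT='
ENABLE_AUTO_IDS             N;
AUTO_IDS_DANGER_LEVEL       5;
AUTO_BLOCK_TIMEOUT          3600;
'

# Blocking enabled: sources that reach danger level 3 are blocked for one hour.
PSAD_CONF_BLOCKING='
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       3;
AUTO_BLOCK_TIMEOUT          3600;
'

# psad_conf_get CONFIG KEY -> prints the value of KEY without the trailing ';'.
psad_conf_get() {
    printf '%s\n' "$1" | awk -v key="$2" \
        '$1 == key { sub(/;$/, "", $2); print $2; exit }'
}

# psad_autoblock_check CONFIG
# Exit 0 and print the effective block policy when auto-blocking is on and the
# danger level lies in psad's 1..5 range; exit 1 when psad would only send mail.
psad_autoblock_check() {
    enabled=$(psad_conf_get "$1" ENABLE_AUTO_IDS)
    level=$(psad_conf_get "$1" AUTO_IDS_DANGER_LEVEL)
    timeout=$(psad_conf_get "$1" AUTO_BLOCK_TIMEOUT)
    if [ "$enabled" != "Y" ]; then
        echo "alert-only: ENABLE_AUTO_IDS is '${enabled:-unset}'"
        return 1
    fi
    case $level in
        [1-5]) ;;
        *) echo "invalid AUTO_IDS_DANGER_LEVEL '$level' (expected 1-5)"; return 1 ;;
    esac
    echo "blocks at danger level $level for ${timeout:-3600}s"
}

# Stand-alone run: report both snippets (the default one deliberately fails).
psad_autoblock_check "$PSAD_CONF_DEFAULT" || :
psad_autoblock_check "$PSAD_CONF_BLOCKING"
```

Run it against the real file with `psad_autoblock_check "$(cat /etc/psad/psad.conf)"` to see which of the two states the box is in before expecting any blocking.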
Hmm.. yes root bit, I hadn't noticed that setting, it slipped past me.. now I've solved that problem, but when I start the psad service, service psad start, SELinux throws a message at me.. saying something like it doesn't allow it to run, or something like that.. now how do I get SELinux to leave psad alone? I've tried but nothing works for me, I don't know if you could help me with that..
SELinux has 3 possible statuses:
strict = full restriction of all services
targeted = restriction of the network daemons
disable = SELinux disabled
If you don't need SELinux enabled, you can go to /etc/sysconfig/selinux, edit the file and disable it.
Regards,
Yes, I know that, but if I disable SELinux, won't I be left without protection??
And look, I already disabled it and brought the psad service back up, and yet SELinux tells me this.. even though I already disabled it...
Resúmen:
SELinux is preventing iptables (iptables_t) "write" to /var/log/psad/psad.iptout
(var_log_t).
Descripción Detallada:
SELinux is preventing iptables (iptables_t) "write" to /var/log/psad/psad.iptout
(var_log_t). The SELinux type var_log_t, is a generic type for all files in the
directory and very few processes (SELinux Domains) are allowed to write to this
SELinux type. This type of denial usual indicates a mislabeled file. By default
a file created in a directory has the gets the context of the parent directory,
but SELinux policy has rules about the creation of directories, that say if a
process running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file
(/var/log/psad/psad.iptout) was created with the wrong context, this domain will
be denied. The usual solution to this problem is to reset the file context on
the target file, restorecon -v '/var/log/psad/psad.iptout'. If the file context
does not change from var_log_t, then this is probably a bug in policy. Please
file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against
the selinux-policy package. If it does change, you can try your application
again to see if it works. The file context could have been mislabeled by editing
the file or moving the file from a different directory, if the file keeps
getting mislabeled, check the init scripts to see if they are doing something to
mislabel the file.
Permitiendo Acceso:
You can attempt to fix file context by executing restorecon -v
'/var/log/psad/psad.iptout'
El siguiente comando permitirá este acceso:
restorecon '/var/log/psad/psad.iptout'
Información Adicional:
Contexto Fuente system_u:system_r:iptables_t
Contexto Destino root:object_r:var_log_t
Objetos Destino /var/log/psad/psad.iptout [ file ]
Source iptables
Source Path /sbin/iptables
Port
Host localhost.localdomain
Source RPM Packages iptables-1.3.5-4.el5
Target RPM Packages
RPM de Políticas selinux-policy-2.4.6-203.el5
SELinux Activado True
Tipo de Política targeted
MLS Activado True
Modo Obediente Enforcing
Nombre de Plugin mislabeled_file
Nombre de Equipo localhost.localdomain
Plataforma Linux localhost.localdomain 2.6.18-164.el5 #1 SMP
Thu Sep 3 03:33:56 EDT 2009 i686 i686
Cantidad de Alertas 18
First Seen jue 01 oct 2009 08:12:45 ECT
Last Seen vie 02 oct 2009 12:53:01 ECT
Local ID d75949dd-b272-4e7d-ac5d-37089c4483fb
Números de Línea
Mensajes de Auditoría Crudos
host=localhost.localdomain type=AVC msg=audit(1254505981.675:17): avc: denied { write } for pid=2911 comm="iptables" path="/var/log/psad/psad.iptout" dev=sda2 ino=22939671 scontext=system_u:system_r:iptables_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
host=localhost.localdomain type=AVC msg=audit(1254505981.675:17): avc: denied { write } for pid=2911 comm="iptables" path="/var/log/psad/psad.ipterr" dev=sda2 ino=22939672 scontext=system_u:system_r:iptables_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1254505981.675:17): arch=40000003 syscall=11 success=yes exit=0 a0=98a3120 a1=98a31c0 a2=98a2368 a3=0 items=0 ppid=2910 pid=2911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
And besides, I get the following in the mail:
you may just need to add a default logging rule to the INPUT chain on mi ip.
Did you reboot your machine????
Yes, I rebooted it.. but same thing, man..
Are you sure it is disabled? Run this command and paste its output:
dmesg | grep SELinux
Which version of psad do you have installed???
I ran the command and got the following:
[root@localhost ~]# dmesg | grep SELinux
SELinux: Initializing.
SELinux: Starting in permissive mode
SELinux: Registering netfilter hooks
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev sda2, type ext3), uses xattr
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev cpuset, type cpuset), uses genfs_contexts
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
NOW... I have version psad-2.1.5-1.i386.rpm
Look, I restarted the service and nothing; SELinux says the following:
Resúmen
SELinux is preventing iptables (iptables_t) "write" to /var/log/psad/psad.iptout (var_log_t).
Descripción Detallada
SELinux is preventing iptables (iptables_t) "write" to /var/log/psad/psad.iptout (var_log_t). The SELinux type var_log_t, is a generic type for all files in the directory and very few processes (SELinux Domains) are allowed to write to this SELinux type. This type of denial usual indicates a mislabeled file. By default a file created in a directory has the gets the context of the parent directory, but SELinux policy has rules about the creation of directories, that say if a process running in one SELinux Domain (D1) creates a file in a directory with a particular SELinux File Context (F1) the file gets a different File Context (F2). The policy usually allows the SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for some reason a file (/var/log/psad/psad.iptout) was created with the wrong context, this domain will be denied. The usual solution to this problem is to reset the file context on the target file, restorecon -v '/var/log/psad/psad.iptout'. If the file context does not change from var_log_t, then this is probably a bug in policy. Please file a bug report against the selinux-policy package. If it does change, you can try your application again to see if it works. The file context could have been mislabeled by editing the file or moving the file from a different directory, if the file keeps getting mislabeled, check the init scripts to see if they are doing something to mislabel the file.
Permitiendo Acceso
You can attempt to fix file context by executing restorecon -v '/var/log/psad/psad.iptout'
El siguiente comando permitirá este acceso:
restorecon '/var/log/psad/psad.iptout'
That means SELINUX is still active; the message clearly indicates that it is starting in permissive mode:
SELinux: Initializing.
SELinux: Starting in permissive mode
If it were disabled you should see this:
$ dmesg | grep SELinux
[ 0.004000] SELinux: Disabled at boot.
Just as it shows for me.
Check carefully and disable SELinux.
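The two pieces of evidence in this thread, the raw AVC denial and the dmesg boot lines, answer both questions on their own: whether the denial is a labelling problem fixed by restorecon, and whether SELinux was really disabled at boot. The script below is an added example, not code from the thread or from setroubleshoot; it parses the AVC line and the dmesg lines posted above (copied here as constructed sample input) and derives the next step from them rather than from what /etc/sysconfig/selinux says.

```shell
#!/bin/sh
# Added example, not code from the thread or from setroubleshoot: extracts the
# facts from a raw AVC denial and from the dmesg lines root bit asked for.
# Both sample inputs below are constructed from the lines posted in the thread.

AVC_LINE='type=AVC msg=audit(1254505981.675:17): avc: denied { write } for pid=2911 comm="iptables" path="/var/log/psad/psad.iptout" dev=sda2 ino=22939671 scontext=system_u:system_r:iptables_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file'

DMESG_SAMPLE='SELinux: Initializing.
SELinux: Starting in permissive mode
SELinux: Registering netfilter hooks'

# avc_field LINE NAME -> value of NAME=... with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT -> the type field (third colon-separated component).
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_suggest LINE -> one-line diagnosis. A file still carrying the directory's
# generic type (var_log_t, as the troubleshooter text explains) is a labelling
# problem fixed with restorecon; any other target type needs a look at policy.
avc_suggest() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p')
    comm=$(avc_field "$1" comm); path=$(avc_field "$1" path)
    stype=$(avc_type "$(avc_field "$1" scontext)")
    ttype=$(avc_type "$(avc_field "$1" tcontext)")
    case "$(avc_field "$1" tclass):$ttype" in
        file:var_log_t)
            echo "$comm ($stype) denied $perm on $path: generic $ttype label, run restorecon -v '$path'" ;;
        *)
            echo "$comm ($stype) denied $perm on $path ($ttype): not a relabel case, inspect policy" ;;
    esac
}

# selinux_boot_mode DMESG_TEXT -> disabled | permissive | enabled | unknown.
# "Disabled at boot" is the only proof that SELINUX=disabled actually took effect.
selinux_boot_mode() {
    case $1 in
        *"Disabled at boot"*)             echo disabled ;;
        *"Starting in permissive mode"*)  echo permissive ;;
        *"SELinux: Initializing."*)       echo enabled ;;
        *)                                echo unknown ;;
    esac
}

avc_suggest "$AVC_LINE"
echo "SELinux at boot: $(selinux_boot_mode "$DMESG_SAMPLE")"
```

On a live box feed it real data with `avc_suggest "$(grep 'type=AVC' /var/log/audit/audit.log | tail -1)"` and `selinux_boot_mode "$(dmesg | grep SELinux)"`.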