Linux HLDS DDOS exploit fix


In Spanish/Portuguese?

Gotta translate.

Sorry about this, but I also have the fix!

There is probably no point in writing about iptables itself; most likely it is already installed. First you have to check whether you have the ip_queue kernel module. Log in as root and type:

# lsmod | grep ip_queue

If it prints nothing, type:

# modprobe ip_queue

then

# lsmod | grep ip_queue

It should show something like: ip_queue 10977 1

If it shows that, all is well. Let's move on.

1. Download the packages we need:

  • snort_inline ==> http://prdownloads.sourceforge.net/snort-inline/snort_inline-2.4.3-RC4.tar.gz?download (do not take another version; for me only this one works against this exploit)

  • libdnet ==> http://switch.dl.sourceforge.net/sourceforge/libdnet/libdnet-1.11.tar.gz

  • libnet ==> http://www.packetfactory.net/libnet/dist/deprecated/libnet-1.0.2a.tar.gz

  • iptables-devel; if installing it does not work, look for iptables-devel on rpmfind.net and pick the same version as the iptables already installed. Download that rpm and install it with

rpm -Uhv iptables-devel-1.2xxxmdk.i586.rpm

2. Install them in this order:

# tar xzvf libdnet-1.11.tar.gz
# cd libdnet-1.11
# ./configure
# make
# make install

# tar xzvf libnet-1.0.2a.tar.gz
# cd Libnet-1.0.2a
# ./configure
# make
# make install

# tar xzvf pcre-6.6.tar.gz
# cd pcre-6.6
# ./configure
# make
# make install

Then snort_inline:

# tar xzvf snort_inline-2.4.3-RC4.tar.gz
# cd snort_inline-2.4.3-RC4
# ./configure
# make
# make install

If configure fails because some library other than those listed above is missing, you will have to install it yourself. If compilation fails with

make[3]: *** [spo_alert_fast.o] Error 1

you have to:
# cd /root
# wget ftp://ftp.linux.ro/kernel.org/linux/kernel/v2.6/linux-2.6.9.tar.bz2
# bzip2 -cd linux-2.6.9.tar.bz2 | tar xf -
# cd /usr/include
# mv linux linux.vechi
# ln -s /root/linux-2.6.9/include/linux/ linux

and then go back to installing snort_inline. If you used this trick, it has to be put back to normal afterwards:

# cd /usr/include
# rm -rf linux
# mv linux.vechi linux

After snort_inline is installed, move on to configuration:

# cd snort_inline-2.4.3-RC4
# mkdir rules
# cp etc/classification.config rules/
# cp etc/reference.config rules/
# mkdir /etc/snort_inline
# cp etc/* /etc/snort_inline/
# cp rules/ /etc/snort_inline/ -R

Open the file /etc/snort_inline/snort_inline.conf in a text editor and replace the line:

var RULE_PATH /etc/snort_inline/drop_rules

with

var RULE_PATH /etc/snort_inline/rules

Then go further down in the same file and, instead of:

### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules

### Disabled

leave only:

### The Drop Rules
# Enabled
include $RULE_PATH/hlds1.rules
include $RULE_PATH/hlds2.rules
include $RULE_PATH/hlds3.rules

### Disabled

Then you have to create and edit the three rule files as follows:

/etc/snort_inline/rules/hlds1.rules must contain:

alert udp any any <> any 27015 (msg: "HLDS Exploit"; content: "\"\\\""; replace: "   ";)

/etc/snort_inline/rules/hlds2.rules must contain:

alert udp any any <> any 28015 (msg: "HLDS Exploit"; content: "\"\\\""; replace: "   ";)

/etc/snort_inline/rules/hlds3.rules must contain:

alert udp any any <> any 29015 (msg: "HLDS Exploit"; content: "\"\\\""; replace: "   ";)
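The three rules above are identical apart from the port, and what they do to a packet is easy to get wrong: the Snort `content:` string is backslash-escaped (so `\"\\\"` is the three bytes quote, backslash, quote), and snort_inline's `replace:` option requires a replacement of exactly the same length, which is why a three-space replacement is used rather than a single space. The following is an added example, not code from the original post or from the snort_inline project: it decodes the rule's content string the way Snort does, enforces the equal-length constraint, generates the three hldsN.rules files from a port list, and runs the rewrite over a few constructed UDP payloads so you can see that ordinary query and connect packets pass unchanged while a packet carrying the targeted byte sequence is neutralised in place. The payloads, the first-occurrence replacement model and the simplified content decoder (no `|41 42|` hex pipes) are my assumptions.

```python
"""Offline model of the post's snort_inline rules (added example, not the
project's code).  Assumptions: Snort content escaping is "backslash escapes the
next character"; snort_inline replaces the first matched occurrence in place
and requires replace and content to have the same byte length."""

# Ports the post queues to snort_inline; one rule file per port.
HLDS_PORTS = (27015, 28015, 29015)

# The content string exactly as written in the post's rules, and a
# same-length replacement (three spaces for the three matched bytes).
RULE_CONTENT = r'\"\\\"'
RULE_REPLACE = '   '


def decode_snort_content(s: str) -> bytes:
    """Decode a Snort `content:` string: a backslash escapes the following
    character (Snort uses this for quote, backslash, semicolon, colon, pipe).
    Hex-pipe sections like |41 42| are deliberately not handled here."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == '\\':
            if i + 1 >= len(s):
                raise ValueError("dangling backslash in content string")
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out).encode('latin-1')


def make_rule(port: int, content: str, replace: str) -> str:
    """Build one rule line in the post's form, rejecting a replace string whose
    decoded length differs from the content (snort_inline refuses such rules)."""
    if len(decode_snort_content(content)) != len(decode_snort_content(replace)):
        raise ValueError("replace must be the same length as content")
    return (f'alert udp any any <> any {port} '
            f'(msg: "HLDS Exploit"; content: "{content}"; replace: "{replace}";)')


def rule_files(ports=HLDS_PORTS) -> dict:
    """Contents of /etc/snort_inline/rules/hlds1.rules ... hldsN.rules."""
    return {f"hlds{i}.rules": make_rule(port, RULE_CONTENT, RULE_REPLACE) + "\n"
            for i, port in enumerate(ports, start=1)}


def rewrite_payload(payload: bytes, content: str, replace: str) -> bytes:
    """Apply the rule's replace to a UDP payload: overwrite the first occurrence
    of the decoded content with the decoded replacement, keeping length intact."""
    needle = decode_snort_content(content)
    repl = decode_snort_content(replace)
    if len(needle) != len(repl):
        raise ValueError("replace must be the same length as content")
    idx = payload.find(needle)
    if idx < 0:
        return payload  # no match: packet passes untouched
    return payload[:idx] + repl + payload[idx + len(needle):]


# Constructed sample payloads (not captured traffic).  HLDS connectionless
# packets start with four 0xFF bytes.
SAMPLE_PACKETS = {
    # a normal server query: must pass unchanged
    "status": b'\xff\xff\xff\xffTSource Engine Query\x00',
    # a normal connect packet with an ordinary backslash-separated info string
    "connect": b'\xff\xff\xff\xffconnect 47 0 "\\prot\\2\\name\\player" "\\rate\\20"',
    # a packet carrying the quote-backslash-quote sequence the rule targets
    "bad": b'\xff\xff\xff\xffconnect 47 0 "\\"',
}


def filter_all(packets=SAMPLE_PACKETS, content=RULE_CONTENT, replace=RULE_REPLACE) -> dict:
    """Run every sample payload through the rule's rewrite."""
    return {name: rewrite_payload(p, content, replace) for name, p in packets.items()}


if __name__ == "__main__":
    for name, text in rule_files().items():
        print(f"{name}: {text.strip()}")
    for name, out in filter_all().items():
        changed = "rewritten" if out != SAMPLE_PACKETS[name] else "unchanged"
        print(f"{name:8s} {changed}: {out!r}")
```

Running it prints the three rule lines and shows only the constructed "bad" payload being rewritten, with its length preserved; a one-space `replace:` is rejected by `make_rule`, which is the mistake the equal-length check is there to catch.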

Next:

# mkdir /var/log/snort_inline

Then create the iptables rules for each UDP port:

# iptables -I INPUT -p udp --dport 27015 -j QUEUE
# iptables -I INPUT -p udp --dport 28015 -j QUEUE
# iptables -I INPUT -p udp --dport 29015 -j QUEUE

And finally, start snort_inline:

# /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v -D

To have it start when Linux boots, add the following to /etc/rc.d/rc.local:

/sbin/modprobe ip_queue
/sbin/iptables -I INPUT -p udp --dport 27015 -j QUEUE
/sbin/iptables -I INPUT -p udp --dport 28015 -j QUEUE
/sbin/iptables -I INPUT -p udp --dport 29015 -j QUEUE
/usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v -D

That's about it.

_________________

"They Say Curiosity Killed The Cat.What The *** Was The Cat Curious About That Got Him Killed?"
