Linux HLDS DDOS exploit fix

Od HLDS.pl
Wersja PawelS (dyskusja | edycje) z dnia 14:07, 26 cze 2006
(różn.) ← poprzednia wersja | zobacz aktualną wersję (różn.) | następna wersja → (różn.)
Skocz do: nawigacji, wyszukiwania

in spanish/protugal?

gotta translate

scuze de asta dar am si rezolvarea !!!!!!!!!

De iptables si presupun ca nu are rost sa scriu, cel mai probabil e deja instalat. Prima oara trebuie sa verifici daca ai modulul de kernel ip_queue. Logheaza-te ca root si scrie:

# lsmod | grep ip_queue

Daca nu spune nimic, scrie:

# modprobe ip_queue

apoi

# lsmod | grep ip_queue

ar trebui sa arate ceva in genul: ip_queue 10977 1

Daca arata asa, e bine. Trecem mai departe.

1. Downloadam pachetele de care avem nevoie:

  • snort_inline ==>

http://prdownloads.sourceforge.net/snort-inline/snort_inline-2.4.3-RC4.tar.gz?download (sa nu iei alta versiune, mie doar asta imi merge anti exploitu asta)

  • libdnet ==>

http://switch.dl.sourceforge.net/sourceforge/libdnet/libdnet-1.11.tar.gz

  • libnet ==>

http://www.packetfactory.net/libnet/dist/deprecated/libnet-1.0.2a.tar.gz

iptables-devel iar daca nu merge, trebuie sa cauti iptables-devel pe rpmfind.net si sa alegi aceeasi versiune cu cea a iptables deja instalata. downloadezi acel rpm si il instalezi cu

rpm -Uhv iptables-devel-1.2xxxmdk.i586.rpm

2. Le instalam in ordinea asta:

# tar xzvf libdnet-1.11.tar.gz
# cd libdnet-1.11
# ./configure
# make
# make install

# tar xzvf libnet-1.0.2a.tar.gz
# cd Libnet-1.0.2a
# ./configure
# make
# make install

# tar xzvf pcre-6.6.tar.gz
# cd pcre-6.6
# ./configure
# make
# make install

Apoi snort_inline:

# tar xzvf snort_inline-2.4.3-RC4.tar.gz
# cd snort_inline-2.4.3-RC4
# ./configure
# make
# make install

Daca la configure iti da eroare ca ii lipseste si o alta librarie inafara de cele de mai sus, va trebui sa o instalezi tu. Daca la compilare iti da eroare de

make[3]: *** [spo_alert_fast.o] Error 1,
trebuie sa:
# cd /root
# wget ftp://ftp.linux.ro/kernel.org/linux/kernel/v2.6/linux-2.6.9.tar.bz2
# bzip2 -cd linux-2.6.9.tar.bz2 | tar xf -
# cd /usr/include
# mv linux linux.vechi
# ln -s /root/linux-2.6.9/include/linux/ linux

si inapoi la instalarea snort_inline. daca ai folosit chestia asta, trebuie sa o aducem inapoi la normal:

# cd /usr/include
# rm -rf linux
# mv linux.vechi linux

Dupa ce snort_inline a fost instalat, trecem la configurare:

# cd snort_inline-2.4.3-RC4
# mkdir rules
# cp etc/classification.config rules/
# cp etc/reference.config rules/
# mkdir /etc/snort_inline
# cp etc/* /etc/snort_inline/
# cp rules/ /etc/snort_inline/ -R

Deschizi cu un editor text fisierul: /etc/snort_inline/snort_inline.conf si inlocuiesti linia:

var RULE_PATH /etc/snort_inline/drop_rules

cu

var RULE_PATH /etc/snort_inline/rules

Apoi te duci jos, in acelasi fisier, si in loc de:

### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules

### Disabled

Lasi doar:

### The Drop Rules
# Enabled
include $RULE_PATH/hlds1.rules
include $RULE_PATH/hlds2.rules
include $RULE_PATH/hlds3.rules

### Disabled

Apoi, trebuie sa creezi si editezi cele 3 fisiere dupa cum urmeaza:

/etc/snort_inline/rules/hlds1.rules
trebuie sa contina:
alert udp any any <> any 27015 (msg: "HLDS Exploit"; \n content: "\"\\\""; replace: " ";)

/etc/snort_inline/rules/hlds2.rules trebuie sa contina:

alert udp any any <> any 28015 (msg: "HLDS Exploit"; \n content: "\"\\\""; replace: " ";)

/etc/snort_inline/rules/hlds3.rules trebuie sa contina:

alert udp any any <> any 29015 (msg: "HLDS Exploit"; \n content: "\"\\\""; replace: " ";)

Mai departe:

# mkdir /var/log/snort_inline

Apoi facem regulile de iptables pentru fiecare port udp:

# iptables -I INPUT -p udp --dport 27015 -j QUEUE
# iptables -I INPUT -p udp --dport 28015 -j QUEUE
# iptables -I INPUT -p udp --dport 29015 -j QUEUE

Si ultima, pornim snort_inline:

# /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q
-N -l /var/log/snort_inline/ -t /var/log/snort_inline/ -v -D

Ca sa porneasca la startup-ul linuxului, trebuie sa adaugi in

/etc/rc.d/rc.local :

/sbin/modprobe ip_queue
/sbin/iptables -I INPUT -p udp --dport 27015 -j QUEUE
/sbin/iptables -I INPUT -p udp --dport 28015 -j QUEUE
/sbin/iptables -I INPUT -p udp --dport 29015 -j QUEUE
/usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N
-l /var/log/snort_inline/ -t /var/log/snort_inline/ -v -D

Cam asta ar fi.

_________________

"They Say Curiosity Killed The Cat.What The *** Was The Cat Curious About That Got Him Killed?"

Osobiste
Przestrzenie nazw
Warianty
Działania
HLDS.pl - Menu:
Inne
IRC
Inne sekcje:
Znajomi:
Narzędzia