컨트롤 + [
를 사용할 수 있다.
; SPF policy: only the two listed addresses may send mail for this zone; anything else hard-fails (-all).
; The addresses are placeholders (octets above 255 are not valid IPv4) — substitute the real sending hosts.
@ IN TXT "v=spf1 ip4:111.222.333.444 ip4:111.222.333.555 -all"
; The SPF RR type below is deprecated (RFC 7208 §3.1); receivers evaluate the TXT record.
; It is optional, and if kept it must stay identical to the TXT record above.
@ IN SPF "v=spf1 ip4:111.222.333.444 ip4:111.222.333.555 -all"
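#######################################
# Brute-force blocker for RDP (3389) and MSSQL (1433) on a Windows host.
# Every $loop_time seconds: list the remote IPs currently connected to each port
# (netstat), count their failed logons in the newest 1000 event-log entries, and
# append every IP that reaches $deny_count to the inbound block rule $rule_name.
# The rule must already exist (see the netsh example after the script).
#######################################
# Put the server's own address into $regex1 / $regex1_mssql (the local endpoint
# that netstat prints). For example, for a server at 222.222.222.222:
#   $regex1 = [regex] "222\.222\.222\.(?:222|51):3389\s+(\d+\.\d+\.\d+\.\d+)";
# The trailing alternation is an OR; a single address is enough.
###################### Config ######################
$regex1 = [regex] "111\.222\.333\.(?:140|51):3389\s+(\d+\.\d+\.\d+\.\d+)";
$regex2 = [regex] "원본 네트워크 주소:\t(\d+\.\d+\.\d+\.\d+)";           # source-address field of event 4625 (Korean locale)
$regex1_mssql = [regex] "111\.222\.333\.(?:140|51):1433\s+(\d+\.\d+\.\d+\.\d+)";
$regex2_mssql = [regex] "클라이언트: (\d+\.\d+\.\d+\.\d+)";               # client-address field of event 18456 (Korean locale)
$MyIp = "123.123.123.123"; # the address I am connected from; never blocked
$MyNet = "123.123.123.*";  # wildcard of addresses that are never added to the firewall rule
$deny_count = 5;           # failed logons needed before an IP is blocked
$loop_time = 30;           # seconds between passes
$rule_name = "MY BLACKLIST";
###################### Config ######################

# One entry per protected service. RDP and MSSQL were two copies of the same
# logic; the table keeps the differences (port, log, event id, message filter).
$services = @(
    @{ Name = "RDP";   Port = "3389"; NetstatRegex = $regex1;       Log = "Security";    EventId = 4625;  MessageRegex = $regex2;       MessageLike = "" },
    @{ Name = "MSSQL"; Port = "1433"; NetstatRegex = $regex1_mssql; Log = "Application"; EventId = 18456; MessageRegex = $regex2_mssql; MessageLike = "*sa*" }
);

#######################################
# Remote IPs currently connected to a local port, from `netstat -no`.
# Arguments: $port - port string used to pre-filter netstat lines
#            $pattern - regex whose group 1 is the remote IP
# Outputs:   the matching remote IPs; lines the regex does not match and $MyIp
#            (read from script scope) are skipped
#######################################
function Get-ConnectedIps([string]$port, [regex]$pattern) {
    $found = @();
    netstat -no | Select-String (":" + $port) | ForEach-Object {
        $m = $pattern.Match($_);
        if ($m.Success) {
            $ip = $m.Groups[1].Value;
            if ($ip -ne $MyIp) { $found += $ip; }
        }
    }
    return $found;
}

#######################################
# Source IPs of recent failed logons, one entry per event so repeats can be counted.
# Arguments: $log - event log name; $eventId - event id to keep
#            $pattern - regex whose group 1 is the source IP in the message
#            $messageLike - optional -like filter on the message ("" = no filter)
# Outputs:   one IP per matching event; events whose message does not match
#            $pattern are dropped (previously an empty string was emitted)
#######################################
function Get-FailedLogonIps([string]$log, [int]$eventId, [regex]$pattern, [string]$messageLike) {
    $result = @();
    # -Newest 1000 bounds the scan; counts are therefore capped by that window.
    Get-EventLog $log -Newest 1000 |
        Where-Object { $_.EventID -eq $eventId -and ($messageLike -eq "" -or $_.Message -like $messageLike) } |
        ForEach-Object {
            $m = $pattern.Match($_.Message);
            if ($m.Success) { $result += $m.Groups[1].Value; }
        }
    return $result;
}

$tick = 0;
"Start to run at: " + (Get-Date);
while ($True) {
    "Running... (tick:" + $tick + ")"; $tick += 1;
    $blacklist = @();

    foreach ($svc in $services) {
        $connected = @(Get-ConnectedIps $svc.Port $svc.NetstatRegex);
        if ($connected.Count -eq 0) { continue; }   # no connections: skip the (slow) event-log read
        $failed = @(Get-FailedLogonIps $svc.Log $svc.EventId $svc.MessageRegex $svc.MessageLike);
        foreach ($ip in $connected) {
            if ($blacklist -contains $ip) { continue; }
            # Exact equality: the earlier Select-String -SimpleMatch was a substring
            # test, so 1.2.3.4 also counted every failure from 1.2.3.45.
            $attack_count = @($failed | Where-Object { $_ -eq $ip }).Count;
            if ($attack_count -eq 0) { continue; }
            "Found " + $svc.Name + " attacking IP on " + $svc.Port + ": " + $ip + ", with count: " + $attack_count;
            if ($attack_count -ge $deny_count) { $blacklist += $ip; }
        }
    }

<# Commented out. Not used. Untested.
#FTP
$MyFtpLogFile1 = "";
$now = (Get-Date).AddMinutes(-5); #check only last 5 mins.
#Get-EventLog has built-in switch for EventID, Message, Time, etc. but using any of these it will be VERY slow.
$count = (Get-EventLog Security -Newest 1000 | Where-Object {$_.EventID -eq 4625 -and $_.Message -match "Logon Type:\s+8" -and
$_.TimeGenerated.CompareTo($now) -gt 0} | Measure-Object).count;
if ($count -gt 50) #threshold
{
$ips = @();
$ips1 = dir "C:\inetpub\logs\LogFiles\FPTSVC2" | Sort-Object -Property LastWriteTime -Descending
| select -First 1 | gc | select -Last 200 | where {$_ -match "An\+error\+occured\+during\+the\+authentication\+process."}
| Select-String -Pattern "(\d+\.\d+\.\d+\.\d+)" | select -ExpandProperty Matches | select -ExpandProperty value | Group-Object
| where {$_.Count -ge 10} | select -ExpandProperty Name;
$ips2 = dir "C:\inetpub\logs\LogFiles\FTPSVC3" | Sort-Object -Property LastWriteTime -Descending
| select -First 1 | gc | select -Last 200 | where {$_ -match "An\+error\+occured\+during\+the\+authentication\+process."}
| Select-String -Pattern "(\d+\.\d+\.\d+\.\d+)" | select -ExpandProperty Matches | select -ExpandProperty value | Group-Object
| where {$_.Count -ge 10} | select -ExpandProperty Name;
$ips += $ips1; $ips += $ips2; $ips = $ips | where {$_ -ne "10.0.0.1"} | Sort-Object | Get-Unique;
foreach ($ip in $ips) {
if (-not ($blacklist -contains $ip)) {
"Found attacking IP on FTP: " + $ip;
$blacklist = $blacklist + $ip;
}
}
}
#>

    #Firewall change
    # (An earlier variant built a `netsh ... set rule` command line from the IP string and
    # ran it with Invoke-Expression; it was commented out and is dropped in favour of the COM API.)
    # One COM object and one rule lookup per pass; the original created both per blacklisted IP.
    # http://blogs.technet.com/b/jamesone/archive/2009/02/18/how-to-manage-the-windows-firewall-settings-with-powershell.aspx
    $fw = New-Object -ComObject HNetCfg.FwPolicy2;
    $myrule = $fw.Rules | Where-Object { $_.Name -eq $rule_name } | Select-Object -First 1;
    if ($null -eq $myrule) {
        # Without this check the += below throws on a null rule ("Potential bug here?" in the original).
        "Firewall rule '" + $rule_name + "' not found; create it first (netsh advfirewall firewall add rule ...)";
    } else {
        foreach ($ip in $blacklist) {
            if ($ip -like $MyNet) { continue; }
            # RemoteAddresses is a comma-separated list; entries may carry a /mask suffix
            # (e.g. 1.2.3.4/255.255.255.255 — see the netsh output handling in the old variant),
            # so compare the address part exactly. The original `-match $ip` used the IP as a
            # regex: dots matched any character and 1.2.3.4 matched 11.2.3.45.
            $current = @($myrule.RemoteAddresses -split "," | ForEach-Object { ($_ -split "/")[0].Trim() });
            if ($current -contains $ip) { continue; }
            "Adding this IP into firewall blocklist: " + $ip;
            $myrule.RemoteAddresses += ("," + $ip);
            #echo $ip > C:\BlackListIP.txt
        }
    }

    "__________________________________________________________________________________"
    Wait-Event -Timeout $loop_time # pause $loop_time seconds between passes
} # end of top while loop.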
netsh advfirewall firewall add rule name="MY BLACKLIST" dir=in action=block localip=any remoteip=107.160.158.70
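# Install and enable net-snmp (RHEL/CentOS family, SysV init).
# Comments use '#': the original '//' lines are not shell comments and fail when pasted into a shell.
# Install
yum install net-snmp
# Start snmpd at boot
chkconfig snmpd on
# Confirm the boot setting
chkconfig --list | grep snmpd
# Start snmpd now
service snmpd start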
기존 것은 snmpd.conf.org로 이름을 바꿔 두고
vim /etc/snmp/snmpd.conf
# Community names. localhost uses "public".
# 111.222.333.444 and the 111.111.111.0/24 range use the community name "password".
# v1/v2c have no authentication beyond the community string, which is sent in cleartext;
# keep the source list below limited to the monitoring hosts, or move to v3.
com2sec local_id localhost public
com2sec reno_id 111.222.333.444 password
com2sec reno_id 111.111.111.0/24 password
####
# Map local_id and reno_id (defined above) to the groups local_group and reno_group.
# securityModel: v1 and v2c are used; v3 is omitted.
# groupName securityModel securityName
group local_group v1 local_id
group local_group v2c local_id
group reno_group v1 reno_id
group reno_group v2c reno_id
####
# View definition. Nothing narrower is needed here, so the whole tree (.1) is exposed.
# Third, create a view for us to let the group have rights to:
# Make at least snmpwalk -v 1 localhost -c public system fast again.
# name incl/excl subtree mask(optional)
view all included .1
#view systemview included .1
#view systemview included .1.3.6.1.2.1.25.1.1
####
# Finally, grant the group read-only access to the systemview view.
# Both groups get read access to the "all" view (the entire MIB) and no write or notify rights.
# group context sec.model sec.level prefix read write notif
access local_group "" any noauth exact all none none
access reno_group "" any noauth exact all none none
방화벽에서 snmp:tcp, snmp:udp 둘다 열어주자
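// Pin #footer to the bottom of the viewport by absolutely positioning it at
// (scrollTop + viewport height - footer height). Called on load, scroll and resize.
// Fix: the original object literal contained `left:0px;`, which is a syntax error
// (a bare `0px` and a `;` inside `{}`), so the whole script failed to parse.
// jQuery is used by its full name throughout; the original mixed `$` and `jQuery`,
// and `$` is undefined when jQuery runs in noConflict mode.
function stickyFooter() {
  var $win = jQuery(window);
  var $footer = jQuery("#footer");
  var top = $win.scrollTop() + $win.height() - $footer.height();
  $footer.css({ position: "absolute", top: top + "px", left: "0px" });
}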
// Position the footer once the DOM is ready, then re-run stickyFooter
// whenever the window scrolls or is resized.
jQuery(document).ready(function () {
  stickyFooter();
  var $win = jQuery(window);
  $win.scroll(stickyFooter);
  $win.resize(stickyFooter);
});
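#!/bin/bash
# Print the receive/transmit rate of one network interface every <delay> seconds,
# in Kbit/s, computed from the byte counters in /proc/net/dev.
# Usage: $0 <interface> [delay]   (delay defaults to 3 seconds)
set -u

#######################################
# Read the rx/tx byte counters of an interface.
# Arguments: $1 - interface name
#            $2 - stats file (optional, default /proc/net/dev)
# Outputs:   "<rx_bytes> <tx_bytes>" on stdout
# Returns:   0 when the interface was found, 1 otherwise
#######################################
read_counters() {
  local dev=$1
  local stats=${2:-/proc/net/dev}
  local line
  # Exact name match instead of `grep $dev`, which treated the argument as a regex
  # and matched "eth1" for "eth" (two lines -> arithmetic error below). The name may
  # be glued to the first counter ("eth0:1234") or separated by a space ("eth0: 1234");
  # the original parsed only the glued form and read tx from the wrong field otherwise.
  # Replacing the colon with a space makes the fields uniform: $2 rx bytes, $10 tx bytes.
  line=$(awk -v dev="$dev" '{ sub(/:/, " ") } $1 == dev { print $2, $10; exit }' "$stats")
  [[ -n "$line" ]] || return 1
  printf '%s\n' "$line"
}

#######################################
# Entry point: validate arguments and loop forever printing rates.
# Arguments: $1 - interface name; $2 - sampling interval in seconds (default 3)
# Returns:   exits 1 on usage error, invalid delay, or unknown interface
#######################################
main() {
  if [[ -z "${1-}" ]]; then
    printf '사용법 : %s 장치명 [delay]\n' "$0"
    printf '예) %s eth0 3 \n' "$0"
    exit 1
  fi
  local dev=$1
  local delay=${2:-3}
  # A non-numeric or zero delay would surface as an arithmetic error (division by delay).
  if ! [[ "$delay" =~ ^[0-9]+$ ]] || (( delay == 0 )); then
    printf 'delay must be a positive integer: %s\n' "$delay" >&2
    exit 1
  fi

  local rx1 tx1 rx2 tx2 rx_rate tx_rate
  echo "시간 : 수신(Kbit/Sec) / 송신(Kbit/Sec)"
  while true; do
    if ! read -r rx1 tx1 < <(read_counters "$dev"); then
      printf '%s not found in /proc/net/dev\n' "$dev" >&2
      exit 1
    fi
    sleep "$delay"
    if ! read -r rx2 tx2 < <(read_counters "$dev"); then
      printf '%s not found in /proc/net/dev\n' "$dev" >&2
      exit 1
    fi
    # bytes -> Kbit is *8/1024, i.e. /128; then divide by the interval for a per-second rate
    rx_rate=$(( (rx2 - rx1) / 128 / delay ))
    tx_rate=$(( (tx2 - tx1) / 128 / delay ))
    printf '%s : %s / %s\n' "$(date '+%k:%M:%S')" "$rx_rate" "$tx_rate"
  done
}

main "$@"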