USEFUL
Defending against a popular SIP scanner:
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
Logging SIP headers to a file:
ngrep -d eth0 -W byline port 5060 -t | grep "#" -A6 >> /var/log/5060.log 2>/dev/null &
Monitoring traffic from and to an IP:
ngrep src 192.168.1.112 or dst 192.168.1.112 -W byline
ngrep port 5060 -W byline
tcpdump -i eth0 src host 192.168.1.12 or dst host 192.168.1.12 and "udp" -w dump.cap -p -n -s 0
Blocking traffic from an IP address that is attacking us:
iptables -I INPUT -s 192.168.77.78 -j DROP
NFS access:
root# nano /etc/fstab
IP_SERVERA_NFS:/home/zasób /home/gdzie nfs rw,rsize=16384,wsize=16384,hard,intr,nfsvers=3,tcp,nodev,async 0 0
root# nano /etc/exports
/home/zasób IP_KOMU_ZASÓB(rw,async,no_subtree_check,no_root_squash)
Generating a key:
root# ssh-keygen -t rsa
Rsync backup:
root# rsync -avz /home/folder_do_bacupu login@serwer_backupujący:/home/folder_na_backup
Fail2Ban:
root# apt-get install fail2ban
/etc/fail2ban/filter.d/asterisk.conf
[INCLUDES]
[Definition]
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
ignoreregex =
/etc/fail2ban/jail.conf
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
logpath = /var/log/asterisk/messages
maxretry = 5
bantime = 259200
/etc/asterisk/logger.conf
[general]
dateformat=%F %T
root# asterisk -rx 'logger reload'
root# /etc/init.d/fail2ban restart
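To check the filter before relying on it, the following Python sketch (an added example, not part of the original page or of fail2ban) applies four of the failregex lines above to constructed Asterisk log lines and lists the addresses that reach maxretry. The `<HOST>` tag is fail2ban's placeholder for the client address; the IPv4-only substitute for it, the sample lines and the function names are assumptions of this example.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with a capturing group before compiling; this
# simplified IPv4-only stand-in is an assumption of this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Subset of the failregex lines from the filter above.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
]
PATTERNS = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]
MAXRETRY = 5  # same value as in the jail above

def failures(lines):
    """Count matching log lines per source IP."""
    hits = Counter()
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def to_ban(lines, maxretry=MAXRETRY):
    """IPs that reached maxretry failures (findtime window ignored here)."""
    return sorted(ip for ip, n in failures(lines).items() if n >= maxretry)

# Constructed sample lines in the dateformat=%F %T layout (documentation IPs).
SAMPLE = [
    "[2024-01-01 10:00:0%d] NOTICE[1234] chan_sip.c: Registration from "
    "'\"100\" <sip:100@198.51.100.1>' failed for '203.0.113.7' - Wrong password" % i
    for i in range(5)
] + [
    "[2024-01-01 10:01:00] NOTICE[1234] chan_sip.c: Registration from "
    "'<sip:200@198.51.100.1>' failed for '203.0.113.9' - No matching peer found",
    "[2024-01-01 10:02:00] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable",
    # Constructed line with ':port' after the IP, which this filter does not match.
    "[2024-01-01 10:03:00] NOTICE[1234] chan_sip.c: Registration from "
    "'<sip:300@198.51.100.1>' failed for '203.0.113.11:5060' - Wrong password",
]

if __name__ == "__main__":
    print(dict(failures(SAMPLE)), to_ban(SAMPLE))
```

The last sample line shows a failure mode worth testing for: when Asterisk logs the address as 'IP:port', these patterns no longer match and the source is never banned.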
Simple firewall:
#!/bin/bash
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
#Internet access (return traffic for outgoing connections)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#access from IPs
iptables -A INPUT -i eth0 -s 192.168.0.102 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.103 -j ACCEPT
#access to ports
iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
Installing packages for WANPIPE:
Debian:
apt-get -y install gcc g++ automake autoconf libtool make libncurses5-dev flex bison patch libtool autoconf linux-headers-`uname -r` libxml2-dev cmake
CentOS:
yum -y install kernel-devel-`uname -r` libtool* make gcc patch perl bison gcc-c++ ncurses-devel flex libtermcap-devel autoconf* automake* autoconf libxml2-devel cmake