An intrusion prevention system (IPS) is an important tool for protecting a CentOS server against malicious activity. The following is a complete implementation guide.
For CentOS servers, the following open-source IPS components are recommended: Suricata as the network IDS/IPS, Fail2ban to block brute-force logins, and OSSEC for host-based integrity monitoring.
Install Suricata:
# Add the EPEL repository
sudo yum install epel-release
# Install Suricata
sudo yum install suricata
# Install the rule management tool
sudo yum install suricata-update
sudo vi /etc/suricata/suricata.yaml
Key settings:
# Interface to monitor (af-packet, IDS mode)
af-packet:
  - interface: eth0
# Enable IPS mode via NFQUEUE. Traffic must be steered into the queue by the
# firewall, and Suricata must be started with -q 0; repeat-mark/repeat-mask are
# only used when mode is "repeat", so they are ignored under "accept".
nfq:
  mode: accept
  repeat-mark: 1
  repeat-mask: 1
# Rule path. suricata-update writes a single merged suricata.rules file; note
# that "*.rules" is not valid YAML (it is an alias) and Suricata does not expand
# globs here, so name the file explicitly.
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
Fetch the rule source index first, then download and merge the rules:
sudo suricata-update update-sources
sudo suricata-update
Install Fail2ban:
sudo yum install fail2ban
Create a local configuration file (jail.conf is overwritten on upgrades, jail.local is not):
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local
Common configuration:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
bantime = 86400
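To see what the [sshd] jail above actually evaluates, here is an added example (not part of the original guide) that applies the same logic by hand: it reads lines in /var/log/secure format, counts "Failed password" events per source IP and reports every IP that reached maxretry. The log lines are constructed for the example and use documentation addresses.

```shell
#!/bin/sh
# Added example: emulate the [sshd] jail's counting rule over sample log lines.
# Not Fail2ban's own code; the log lines below are constructed.

MAXRETRY=3   # same threshold as maxretry = 3 in jail.local

# Constructed /var/log/secure excerpt: 203.0.113.10 fails three times,
# 198.51.100.7 fails once, 192.0.2.44 logs in successfully.
sample_secure_log() {
  cat <<'EOF'
Mar  5 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.10 port 50112 ssh2
Mar  5 10:01:05 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.10 port 50112 ssh2
Mar  5 10:01:07 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  5 10:01:09 web1 sshd[2205]: Accepted publickey for deploy from 192.0.2.44 port 39010 ssh2
Mar  5 10:01:11 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.10 port 50112 ssh2
EOF
}

# Read log lines on stdin; print "<ip> <failures>" for each IP whose
# failure count reached MAXRETRY (the IPs Fail2ban would ban).
ban_candidates() {
  awk -v max="$MAXRETRY" '
    /sshd\[[0-9]+\]: Failed password/ {
      # the source address is the token that follows "from"
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
  '
}

# Usage: sample_secure_log | ban_candidates
# (for real data: ban_candidates < /var/log/secure)
```

Running the pipeline on the sample prints only `203.0.113.10 3`; the host with a single failure and the successful login are not reported, which is the behaviour the jail's maxretry setting gives you before bantime even comes into play.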
Install OSSEC (host-based intrusion detection); if the package is not found, add the OSSEC vendor repository first:
sudo yum install ossec-hids-server
sudo vi /var/ossec/etc/ossec.conf
Add the following integrity-monitoring entries (check every 7200 seconds, all attributes, for the listed directories):
<syscheck>
<frequency>7200</frequency>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
</syscheck>
# Firewalld alongside Suricata: open the services you actually serve. These
# rules only permit web traffic; steering packets into Suricata's NFQUEUE for
# IPS mode is a separate firewall rule.
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
Set up log rotation for Suricata:
sudo vi /etc/logrotate.d/suricata
Add the following content:
/var/log/suricata/*.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
Edit the outputs section of the Suricata configuration:
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
  # alert-mail is not a standard Suricata output module; confirm your build
  # provides it before relying on e-mail alerts from this setting.
  - alert-mail:
      enabled: yes
      to: your-email@example.com
      from: suricata@yourhost.example.com
Schedule automatic rule updates:
sudo crontab -e
Add the following line (refresh the rules every day at 03:00 and restart Suricata so it loads them):
0 3 * * * /usr/bin/suricata-update && systemctl restart suricata
Follow the Suricata service log:
sudo journalctl -u suricata -f
Test that the rules are active:
curl http://testmyids.com/uid/index.html
Check the Suricata log for the corresponding alert:
grep 'uid' /var/log/suricata/fast.log
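The grep above confirms that one alert appeared; in practice you also want to know which signatures fired and how often. The following added example (not from the original guide) summarises fast.log-format lines by signature id and counts a single signature, so you can verify a test hit and spot noisy rules after a rule update. The sample alert lines are constructed; real fast.log lines come from /var/log/suricata/fast.log.

```shell
#!/bin/sh
# Added example: summarise Suricata fast.log alerts by signature.
# The three lines below are constructed sample data in fast.log format.

sample_fast_log() {
  cat <<'EOF'
03/05/2024-10:02:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.20:80 -> 192.0.2.44:51234
03/05/2024-10:02:30.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.20:80 -> 192.0.2.44:51240
03/05/2024-10:03:00.000001  [**] [1:2210029:2] SURICATA STREAM ESTABLISHED invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.44:51250 -> 198.51.100.20:80
EOF
}

# Read fast.log lines on stdin; print "<count> <gid:sid:rev> <message>"
# for each signature, most frequent first.
alert_summary() {
  awk -F'\\[\\*\\*\\] ' '
    NF < 3 { next }                       # not an alert line
    {
      # $2 is "[gid:sid:rev] message " between the two [**] markers
      split($2, parts, "] ")
      sid = substr(parts[1], 2)            # drop the leading "["
      msg = parts[2]
      sub(/ +$/, "", msg)                  # trim trailing space
      count[sid]++
      text[sid] = msg
    }
    END { for (s in count) print count[s], s, text[s] }
  ' | sort -rn
}

# Read fast.log lines on stdin; print how many alerts carry the given
# "gid:sid:rev" id. Usage: signature_count 1:2100498:7 < fast.log
signature_count() {
  grep -cF "[$1]"
}

# Usage: sample_fast_log | alert_summary
#        sample_fast_log | signature_count 1:2100498:7
```

On the sample, `alert_summary` lists the "id check returned root" signature twice and the stream-decoder signature once; `signature_count 1:2100498:7` prints 2. Point both functions at the real fast.log to confirm the testmyids request triggered the expected signature rather than only matching the string 'uid'.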
With the steps above, you can build a layered intrusion prevention setup on a CentOS server: Suricata inspects network traffic, Fail2ban blocks repeated login failures, and OSSEC watches the host's files.