ppp0 Lien encap:Protocole Point-à-Point
inet adr:80.8.1.130 P-t-P:80.8.1.1 Masque:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:2017732 errors:0 dropped:0 overruns:0 frame:0
TX packets:2223535 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
RX bytes:562295426 (536.2 Mb) TX bytes:446484897 (425.8 Mb)
eth0 Link encap:Ethernet HWaddr 00:10:5A:4A:C8:FF
inet addr:192.168.142.65 Bcast:192.168.142.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:86455 errors:0 dropped:0 overruns:0 frame:0
TX packets:77249 errors:0 dropped:0 overruns:0 carrier:0
collisions:3221 txqueuelen:1000
RX bytes:59584987 (56.8 Mb) TX bytes:12807153 (12.2 Mb)
Interrupt:9 Base address:0x1080
#!/bin/sh
# This is a sample block script for guardian, adapted to iptables.
# This command gets called by guardian as such:
#   guardian_block.sh <source_ip> <interface>
# and the script will issue a command to block all traffic from that source IP
# address. The logic of whether or not it is safe to block that address is
# done inside guardian itself.
source=$1
interface=$2
# Quote both arguments so they reach iptables as single words.
/sbin/iptables -I INPUT -s "$source" -i "$interface" -j DROP
echo "The Snort-Guardian service has updated your firewall rules by blocking the following IP address: $source.
This IP address will be blocked for 24 hours unless the server is rebooted.
For detailed information: /var/log/guardian.log
/var/log/snort/alert
" | mail -s "Firewall rules updated" admin
#!/bin/sh
# This is a sample block script for guardian, adapted to iptables.
# This command gets called by guardian as such:
#   guardian_block.sh <source_ip> <interface>
# and the script will issue a command to block all traffic from that source IP
# address. The logic of whether or not it is safe to block that address is
# done inside guardian itself.
source=$1
# Interface taken from the SME configuration database instead of the second argument.
# Note: iptables -i expects an interface name (e.g. ppp0), so check what this
# key actually returns on your system before relying on it.
interface=$(/sbin/e-smith/db configuration get ExternalIP)
/sbin/iptables -I INPUT -s "$source" -i "$interface" -j DROP
echo "The Snort-Guardian service has updated your firewall rules by blocking the following IP address: $source.
This IP address will be blocked for 24 hours unless the server is rebooted.
For detailed information: /var/log/guardian.log
/var/log/snort/alert
" | mail -s "Firewall rules updated" admin
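Added example, not the script posted above nor guardian's own code: the same block script with its two arguments validated before they are spliced into the iptables command line, so a malformed source address or interface name coming out of the alert pipeline is refused instead of reaching the firewall. It assumes root privileges and /sbin/iptables when run as a script; the helper names (valid_ipv4, valid_iface, build_block_cmd) are my own.

```shell
#!/bin/sh
# Hypothetical hardened guardian_block.sh: called as
#   guardian_block.sh <source_ip> <interface>
# Validates both arguments, then runs the same iptables rule as the forum script.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, bad chars, stray dots
    esac
    set -- $(echo "$ip" | tr '.' ' ')          # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 looks like a Linux interface name (eth0, ppp0, ...).
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;      # no spaces, no shell metacharacters
    esac
    [ ${#1} -le 15 ]                           # IFNAMSIZ-1
}

# Print the iptables command that would be run, or fail with a reason on stderr.
build_block_cmd() {
    valid_ipv4 "$1"  || { echo "refusing: bad source ip '$1'" >&2; return 1; }
    valid_iface "$2" || { echo "refusing: bad interface '$2'" >&2; return 1; }
    printf '/sbin/iptables -I INPUT -s %s -i %s -j DROP\n' "$1" "$2"
}

# Only act when invoked by guardian with exactly two arguments.
if [ $# -eq 2 ]; then
    cmd=$(build_block_cmd "$1" "$2") || exit 1
    $cmd    # assumed: running as root with /sbin/iptables available
fi
```

The mail notification from the original script can be appended inside the `if` block unchanged.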
#!/bin/sh
#
# guardiand      Start/Stop the Guardian daemon.
#
# chkconfig: 2345 40 60

# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
    echo -n "Starting guardian daemon: "
    daemon guardiand -c /etc/guardian.conf
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/guardian
    ;;
  stop)
    echo -n "Stopping guardian daemon: "
    killproc guardiand
    RETVAL=$?
    rm -f /var/lock/subsys/guardian && rm -f /var/lock/guardian
    echo
    ;;
  status)
    status guardiand
    RETVAL=$?
    ;;
  restart)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart}"
    exit 1
esac
exit 0
esmith::util::serviceControl
(
    NAME   => 'snortd',
    ACTION => 'restart'
) ||
    die "Couldn't restart snortd";

esmith::util::serviceControl
(
    NAME   => 'guardiand',
    ACTION => 'restart'
) ||
    die "Couldn't restart guardiand";
[root@sme root]# service guardiand start
Starting guardian daemon: execvp: Permission non accordée [ ECHOUE ]
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/guardian
Now guardian has to be restarted at each IP renewal.
The file /etc/e-smith/events/actions/snort-restart must be edited,
and right after
Code:
esmith::util::serviceControl
(
    NAME   => 'snortd',
    ACTION => 'restart'
) ||
    die "Couldn't restart snortd";
add this:
Code:
esmith::util::serviceControl
(
    NAME   => 'guardiand',
    ACTION => 'restart'
) ||
    die "Couldn't restart guardiand";
Or should guardian.pl stay in /usr/local/bin, with a copy of that file placed in /usr/sbin as guardiand?
if ($status eq "enabled") {
    esmith::util::serviceControl
    (
        NAME   => 'snortd',
        ACTION => 'restart'
    ) ||
        die "Couldn't restart snortd";

    esmith::util::serviceControl
    (
        NAME   => 'guardiand',
        ACTION => 'restart'
    ) ||
        die "Couldn't restart guardiand";
}
exit (0);