How to use gateway IDS to protect the security of the CentOS server's internal network
Abstract: With the increasing number of network attacks, protecting the security of the server's internal network has become particularly important. This article will introduce how to use gateway IDS (Intrusion Detection System) to protect the security of the CentOS server's internal network. We will monitor network traffic by configuring a gateway IDS and use a rule-based firewall to block malicious traffic from entering the internal network. The article will also include some sample code to help readers better understand and implement these security measures.
(1) Install Suricata:
$ sudo yum install epel-release
$ sudo yum install suricata
(2) Configure Suricata:
$ sudo vi /etc/suricata/suricata.yaml
In the configuration file, we can customize the behavior of Suricata by defining rule sets, enabling logging, configuring alarms, etc.
(1) Create a new iptables chain:
$ sudo iptables -N IDS
(2) Will log the gateway IDS Traffic is directed to this chain:
$ sudo iptables -A INPUT -j IDS
(3) Configure rules on the IDS chain:
$ sudo iptables -A IDS -m conntrack --ctstate ESTABLISHED ,RELATED -j ACCEPT
$ sudo iptables -A IDS -m conntrack --ctstate INVALID -j DROP
$ sudo iptables -A IDS -p tcp --dport 22 -m recent --name ssh --set -m comment --comment "Allow SSH"
$ sudo iptables -A IDS -p tcp --dport 22 -m recent --name ssh --rcheck --seconds 60 --hitcount 4 -j DROP
The meaning of the above rules is: allow established and related connections to pass through, discard invalid connections, and prohibit SSH connections if 4 consecutive SSH connections are triggered within 60 seconds.
import sys logfile_path = '/var/log/suricata/eve.json' def analyze_logs(): with open(logfile_path, 'r') as logfile: for line in logfile: # 在这里进行日志分析和报警的逻辑 pass if __name__ == '__main__': analyze_logs()
By writing appropriate logic, we can detect abnormal traffic, malicious IPs and other potential attack activities, and promptly Sound an alarm.
Conclusion:
By using gateway IDS and configuring firewall rules, we can protect the security of the CentOS server's internal network. Just installing an IDS system is not enough, we also need to regularly update the rule set, monitor logs and provide timely alarms. Only through comprehensive security measures can the server intranet be effectively protected from the threat of network attacks.
Reference materials:
(Note: The sample code in this article is for reference only. Please adjust and test according to the actual situation in the specific environment.)
The above is the detailed content of How to use gateway IDS to secure the internal network of CentOS servers. For more information, please follow other related articles on the PHP Chinese website!