如何偵測 usb device 異動

自 linux kernel 2.6 以後， udev 取代了 devfs 與 hotplug，負責處理 device 偵測與管理。他會動態在 /dev 目錄中 create/remove device node。

例如當我們插上一個 COM 轉 USB 的設備線路時，會產生 /dev/ttyUSB0 這個 device，然後程式就能針對這個 device 進行 COM Port IO 處理，當該設備線路被移除時， /dev/ttyUSB0 這個 device 會被刪除。

udev daemon 就是 systemd-udevd，用來接收 device uevents，並與 kernel 溝通。可以在 /etc/udev/rules.d/ 目錄中，產生 .rules 檔案，用來處理 usb device 異動。

首先要用 udevadm 監控 usb device 異動的 uevents

# udevadm monitor --kernel --property --subsystem-match=usb
monitor will print the received events for:
KERNEL - the kernel uevent

產生 ttyUSB0 時

KERNEL[13411.612407] add      /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1 (usb)
ACTION=add
BUSNUM=002
DEVNAME=/dev/bus/usb/002/008
DEVNUM=008
DEVPATH=/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1
DEVTYPE=usb_device
MAJOR=189
MINOR=135
PRODUCT=67b/2303/400
SEQNUM=2450
SUBSYSTEM=usb
TYPE=0/0/0

KERNEL[13411.612646] add      /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1/2-1.1:1.0 (usb)
ACTION=add
DEVPATH=/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1/2-1.1:1.0
DEVTYPE=usb_interface
INTERFACE=255/0/0
MODALIAS=usb:v067Bp2303d0400dc00dsc00dp00icFFisc00ip00in00
PRODUCT=67b/2303/400
SEQNUM=2451
SUBSYSTEM=usb
TYPE=0/0/0

當 ttyUSB0 被移除時

KERNEL[13367.889477] remove   /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1/2-1.1:1.0 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1/2-1.1:1.0
DEVTYPE=usb_interface
INTERFACE=255/0/0
MODALIAS=usb:v067Bp2303d0400dc00dsc00dp00icFFisc00ip00in00
PRODUCT=67b/2303/400
SEQNUM=2448
SUBSYSTEM=usb
TYPE=0/0/0

KERNEL[13367.889520] remove   /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1 (usb)
ACTION=remove
BUSNUM=002
DEVNAME=/dev/bus/usb/002/003
DEVNUM=003
DEVPATH=/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1
DEVTYPE=usb_device
MAJOR=189
MINOR=130
PRODUCT=67b/2303/400
SEQNUM=2449
SUBSYSTEM=usb
TYPE=0/0/0

建立 add/remove 的 script

sudo vim /root/bin/usbdevice_added.sh

#!/bin/bash
echo "USB device added   at $(date)" >> /var/log/usbdevice.log


sudo vim /root/bin/usbdevice_removed.sh

#!/bin/bash
echo "USB device removed at $(date)" >> /var/log/usbdevice.log


sudo chmod +x /root/bin/usbdevice_added.sh
sudo chmod +x /root/bin/usbdevice_removed.sh

根據 udevadm monitor 得到的屬性 SUBSYSTEM, ACTION, DEVTYPE，設定對應的 script

vim /etc/udev/rules.d/80-usb.rules

SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device",  RUN+="/root/bin/usbdevice_added.sh"
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="/root/bin/usbdevice_removed.sh"

reload udevadm

sudo udevadm control --reload

tail -f /var/log/usbdevice.log

References

How to Run a Script When USB Devices Is Attached or Removed Using UDEV

How to Use Udev for Device Detection and Management in Linux

How to run custom scripts upon USB device plug-in?

如何在 Postman 記錄 Cookie

Postman 是用來測試一些 Server Http API 的工具。但在遇到 Server 需要登入後，才能使用的 http request，這時候需要做一些額外的設定。

我們是使用 Java Server，通常在這樣的 Server，會使用 JSESSIONID 這個 Cookie，用來對應 HTTP Server Session ID

首先做一個 Login 的 Request，然後在 Test 頁籤，填入以下的 code。

var a = pm.cookies.get("JSESSIONID");
pm.globals.set("JSESSIONID", a);

執行該 Login 後，可在 Environment 變數中，看到 JSESSIONID 的值

接下來就可以在需要登入後，才能使用的 API 裡面，增加 JSESSIONID 的 Cookie Value

{{JSESSIONID}}

Install Suricata in CentOS 7

Suricata 是 IDS (Intrusion Detection System)，也是 IPS (Intrusion Prevention System)，由 Open Security Foundation (OISF) 開發。

IDS 系統是監控網路，檢查並偵測是否有特殊可疑的活動。 IDS 只有監看與記錄的功能。

IPS 是入侵預防系統，是 IDS 的強化產品，可即時偵測並主動防禦。能夠直接把可疑封包移除，中斷連線，發送 email 示警。

以往 IDS 系統都會提到 Snort，而 Suricata 跟 Snort 的主要差異是性能，Suricata 以 multithread 運作。

安裝 suricata

安裝 library

yum install epel-release
sudo yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
  zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
  libnetfilter_queue-devel lua-devel PyYAML libmaxminddb-devel rustc cargo \
  lz4-devel

編譯最新的 6.0.0 stable 版

cd /usr/src

wget https://www.openinfosecfoundation.org/download/suricata-6.0.0.tar.gz

tar -xvzf suricata-6.0.0.tar.gz

cd suricata-6.0.0

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua

make

make install
ldconfig

# make install-conf
# make install-rules
make install-full

查詢版本

# suricata -V
This is Suricata version 6.0.0 RELEASE

注意 suricata.yaml 的設定

HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

直接測試(先以 ifconfig 查詢網路卡的名稱 enp2s0)

# suricata -c /etc/suricata//suricata.yaml -i enp2s0

設定自動啟動

vim /etc/init.d/suricatad

#!/bin/sh
# $Id$
#
# suricatad         Start/Stop the suricata IDS daemon.
#
# chkconfig: 2345 40 60
# description:  Suricata is a lightweight network intrusion detection tool that \
#                currently detects more than 1100 host and network \
#                vulnerabilities, portscans, backdoors, and more.
#

# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
start)
    echo -n "Starting Suricata: "
    daemon PCAP_FRAMES=max /usr/bin/suricata -D -c /etc/suricata/suricata.yaml -i enp2s0
    ;;
stop)
    echo -n "Stopping Suricata: "
    killproc suricata
    echo
    ;;
restart)
    $0 stop
    $0 start
    ;;
status)
    status suricata
    ;;
*)
    echo "Usage: $0 {start|stop|restart|status|}"
    exit 1
esac

exit 0

chmod +x /etc/init.d/suricatad
chkconfig --add suricatad
service suricatad start
service suricatad status

設定 log rorate

vi /etc/logrotate.d/suricata.logrotate

/var/log/suricata/*.log /var/log/suricata/*.json
{
    rotate 30
    missingok
    nocompress
    create
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

nikto 攻擊測試

在另一台機器，以 nikto 作攻擊測試

Nikto 是 web server scanner 可測試 67000 潛在可能有問題的檔案，檢查 webserver index files 及 HTTP server options。

wget https://github.com/sullo/nikto/archive/master.zip -O nikto.zip
unzip nikto.zip
cd nikto-master/program
chmod +x nikto.pl
./nikto.pl -h 192.168.1.5 -p 80

References

Suricata CentOS Installation

Suricata Basic Setup

suricata rules

CentOS 7安裝IDS/IPS安全監測工具(Snorby＋Barnyard2＋Suricata)

在 CentOS 7.x 上安裝 Suricata 入侵偵測系統

[研究] Suricata 3.0 入侵偵測系統安裝 (CentOS 7.2 x64)

基於CentOS6.5下Suricata（一款高性能的網絡IDS、IPS和網絡安全監控引擎）的搭建（圖文詳解）

Install ClamAV in CentOS 7

安裝 ClamAV

sudo yum -y install epel-release
sudo yum -y install clamav clamd

# 如果有 selinux，要 enable selinux
sudo setsebool -P antivirus_can_scan_system 1

增加台灣病毒碼更新資料庫

sudo vi /etc/freshclam.conf

DatabaseMirror db.tw.clamav.net
DatabaseMirror clamav.stu.edu.tw

更新病毒碼

sudo freshclam

ClamAV update process started at Wed Oct 28 14:39:25 2020
daily database available for download (remote version: 25970)
Time: 17.0s, ETA: 0.0s [=============================>] 108.67MiB/108.67MiB
Testing database: '/var/lib/clamav/tmp.1a97b/clamav-3ea52eb38408f34bb5f4419b3286235e.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 25970, sigs: 4336254, f-level: 63, builder: raynman)
main database available for download (remote version: 59)
Time: 17.3s, ETA: 0.0s [=============================>] 112.40MiB/112.40MiB
Testing database: '/var/lib/clamav/tmp.1a97b/clamav-087960cd134405741c214b5dd9915ec8.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode database available for download (remote version: 331)
Time: 0.4s, ETA: 0.0s [=============================>] 289.44KiB/289.44KiB
Testing database: '/var/lib/clamav/tmp.1a97b/clamav-4905f2da7d8e4b680242ba674f8d9ced.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg)

設定自動更新病毒碼

mkdir -p /var/log/clamav
chown -R clamupdate:clamupdate /var/log/clamav/

sudo vi /etc/freshclam.conf
UpdateLogFile /var/log/clamav/freshclam.log

增加自動更新病毒碼 cronjob

vi /etc/cron.daily/freshclam.sh

#!/bin/sh
/usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log


chmod 755 /etc/cron.daily/freshclam.sh

另一種設定自動更新的方式，是直接啟動 clamav-freshclam.service

設定 clamd

vi /etc/clamd.d/scan.conf

LocalSocket /var/run/clamd.scan/clamd.sock

# 啟用紀錄
LogFile /var/log/clamd/clamd.scan

# 啟用記錄訊息時間
LogTime yes

# 啟用LocalSocket
LocalSocket /var/run/clamd.scan/clamd.sock

# 啟用ExtendedDetecionInfo
ExtendedDetectionInfo yes

# 啟用PidFile
PidFile /var/run/clamd.scan/clamd.pid

產生 clamd log file

mkdir -p /var/log/clamd/
touch /var/log/clamd/clamd.scan
chown -R clamscan:clamscan /var/log/clamd

啟動 clamd

sudo systemctl enable clamd@scan
sudo systemctl start clamd@scan

設定每日自動掃瞄特定目錄

儲存記錄檔於 /var/log/clamscan_daily.log

mkdir -p /var/log/clamscan

vi /etc/cron.daily/clamscan.sh

#!/bin/sh
echo "************" >> /var/log/clamscan/clamscan_daily.log
date '+%Y-%m-%d %T' >> /var/log/clamscan/clamscan_daily.log
/usr/bin/clamscan -i -r /var/www/html >> /var/log/clamscan/clamscan_daily.log

chmod 755 /etc/cron.daily/clamscan.sh

logrotate

vi /etc/logrotate.d/clamscan.logrotate

/var/log/clamscan/clamscan_daily.log {
   missingok
   rotate 30
   daily
}

修改 clamscan.logrotate

vi /etc/logrotate.d/clamav-update

/var/log/clamav/freshclam.log {
    monthly
    notifempty
    missingok
    postrotate
        systemctl try-restart clamav-freshclam.service
    endscript
}

安裝 LMD

# 安裝 EPEL
yum -y install epel-release
# 安裝 mailx
yum install mailx

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz

cd maldetect-1.6.4/
./install.sh

ln -s /usr/local/maldetect/maldet /bin/maldet
hash -r

LMD 預設安裝目錄在 /usr/local/maldetect/ , 裡面的 conf.maldet 就是 LMD 的設定檔, 開啟 LMD 的設定檔

vi /usr/local/maldetect/conf.maldet

# 如果要發 email，要改成 1
email_alert="0"
email_addr="user@domain"

quarantine_hits="1"
quarantine_clean="1"

scan_clamscan="1"

掃描後查看 report

maldet -e list

# read report
maldet –report SCANID

# clean report
maldet --clean SCANID

測試 LMD

mkdir -p /var/www/LMDtest
cd /var/www/LMDtest
wget https://www.eicar.org/download/eicar.com 
wget https://www.eicar.org/download/eicar.com.txt 
wget https://www.eicar.org/download/eicar_com.zip 
wget https://www.eicar.org/download/eicarcom2.zip

chown -R httpd:httpd /var/www/LMDtest

掃描

maldet -a /var/www/LMDtest

看 report

maldet --report 201028-1639.16052

PATH:          /var/www/LMDtest/
TOTAL FILES:   4
TOTAL HITS:    4
TOTAL CLEANED: 0

FILE HIT LIST:
{HEX}EICAR.TEST.3 : /var/www/LMDtest/eicar.com => /usr/local/maldetect/quarantine/eicar.com.575417503
{HEX}EICAR.TEST.3 : /var/www/LMDtest/eicarcom2.zip => /usr/local/maldetect/quarantine/eicarcom2.zip.2371612503
{HEX}EICAR.TEST.3 : /var/www/LMDtest/eicar.com.txt => /usr/local/maldetect/quarantine/eicar.com.txt.17479243
{HEX}EICAR.TEST.3 : /var/www/LMDtest/eicar_com.zip => /usr/local/maldetect/quarantine/eicar_com.zip.8340145
===============================================
Linux Malware Detect v1.6.4 < proj@rfxn.com >

隔離區 /usr/local/maldetect/quarantine/

# 刪除隔離區檔案
rm -rf /usr/local/maldetect/quarantine/*

References

Install and configure LMD and Clam AntiVirus on CentOS 7

How to Install and Use Linux Malware Detect (LMD) with ClamAV as Antivirus Engine

CentOS7 安裝防毒軟體 ClamAV

How to Install ClamAV on CentOS 7: A Step-by-Step Guide

CENTOS 7 安裝ClamAV