2024/05/16

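Some machines are due to be scrapped
Found a tool for wiping hard disks: shred
Using Linux Mint
Download the ISO, write it to a USB stick and boot from it

sudo fdisk -l to find the device name of the disk to wipe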

sudo shred -vfz /dev/sdX


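-n - number of overwrite passes. The default is three.
-u - overwrite and then delete.
-s - number of bytes to shred.
-v - show extended (verbose) information.
-f - force a permission change if needed to allow writing.
-z - finish with an overwrite of zeros to hide the shredding.

One pass over a 466G conventional hard disk takes 1 hour 50 minutes
4 passes are needed in total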
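
Added example (not part of the original notes): a check to run after the wipe that reads the whole target back and confirms it is all zeros, which is what the final -z pass should leave behind. The verify_zeroed helper and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the final zero pass
# of "shred -z" really covered the whole target.

# verify_zeroed PATH -> 0 if every byte is 0x00, 1 if not, 2 on usage error
verify_zeroed() {
    target=$1
    if [ -b "$target" ]; then
        size=$(blockdev --getsize64 "$target") || return 2   # block device
    elif [ -f "$target" ]; then
        size=$(wc -c < "$target" | tr -d ' ') || return 2    # regular file
    else
        echo "verify_zeroed: $target: not a block device or regular file" >&2
        return 2
    fi
    if [ "$size" -eq 0 ]; then
        echo "verify_zeroed: $target: size is 0, nothing to check" >&2
        return 2
    fi
    # Compare against exactly $size zero bytes; cmp stops at the first mismatch.
    if head -c "$size" /dev/zero | cmp -s - "$target"; then
        echo "$target: all $size bytes are zero"
        return 0
    fi
    echo "$target: non-zero data found, wipe incomplete" >&2
    return 1
}

# Run as: sudo sh verify_zeroed.sh /dev/sdX   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    verify_zeroed "$1"
fi
```

A non-zero exit status means some sector was not overwritten, for example because shred was interrupted or hit a write error, and the disk should not leave the building yet.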


2024/05/10

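The way Graylog 6 retains indices has changed, as shown in the figure below

The previous setting was how long to wait before an index could be deleted or closed
If it was closed, it had to be deleted manually afterwards
For now it looks like that option is gone
I don't know whether, after a longer period, it will end up like before
where storing a large amount of data made search very slow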

2024/05/09

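For the past few days Graylog has shown a notice on login that version 6 is out
The official site says it can be upgraded directly
Still, better to install a test machine first
This time it is on AlmaLinux 9
Version 6 no longer supports Elasticsearch
Following the official installation procedure, problems started at the OpenSearch step
It would not start after installation
Took a look at opensearch.yml

It contains this section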

######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

It looks like this section is the problem

After backing it up, create a new opensearch.yml
It only needs the following content

cluster.name: graylog
node.name: ${HOSTNAME}
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
discovery.type: single-node
network.host: 0.0.0.0
action.auto_create_index: false
plugins.security.disabled: true
indices.query.bool.max_clause_count: 32768

After the change it starts without problems
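
Added example (not from the original notes, nor from the OpenSearch or Graylog projects): a small audit of opensearch.yml for the two states this entry passes through, the demo security configuration and the replacement file that disables the security plugin while binding to 0.0.0.0. The helper names are hypothetical, only flat key: value lines are parsed, and the sample file is constructed from the settings shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an opensearch.yml for the
# two risky states seen on this page; only flat "key: value" lines are parsed.

# yml_value KEY FILE -> value of the last top-level "KEY: value" line, or empty
yml_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # make the dots literal
    sed -n "s/^${key}:[[:space:]]*//p" "$2" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# audit_opensearch_yml FILE -> prints findings, exit status = number of findings
audit_opensearch_yml() {
    findings=0
    disabled=$(yml_value plugins.security.disabled "$1")
    demo_certs=$(yml_value plugins.security.allow_unsafe_democertificates "$1")
    host=$(yml_value network.host "$1")
    case "$host" in
        ''|127.*|localhost|_local_|::1) exposed=no ;;  # unset defaults to loopback
        *) exposed=yes ;;
    esac
    if [ "$disabled" = "true" ] && [ "$exposed" = "yes" ]; then
        echo "HIGH: security plugin disabled and network.host=$host;" \
             "the REST API answers any reachable client without authentication"
        findings=$((findings + 1))
    fi
    if [ "$demo_certs" = "true" ]; then
        echo "HIGH: allow_unsafe_democertificates is true; the bundled demo" \
             "certificates are public and must be replaced before production"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the minimal single-node settings from the post.
demo() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
cluster.name: graylog
discovery.type: single-node
network.host: 0.0.0.0
plugins.security.disabled: true
EOF
    audit_opensearch_yml "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
demo || true
```

If Graylog and OpenSearch share the host, setting network.host to 127.0.0.1 clears the first finding; otherwise restrict port 9200 to the Graylog server with the host firewall.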

Unlike before, once this version of Graylog is installed
opening http://127.0.0.1:9000 does not get you to the web interface
Took a look at /var/log/graylog-server/server.log

It seems you are starting Graylog for the first time. To set up a fresh install, a setup interface has
been started. You must log in to it to perform the initial configuration and continue.

Initial configuration is accessible at 0.0.0.0:9000, with username 'admin' and password 'iIcCiFzjWY'.
Try clicking on http://admin:iIcCiFzjWY@0.0.0.0:9000

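The initial configuration has to be done before it can be used
After logging in and following the on-screen steps, you get into the Graylog interface

Memory/Heap usage defaults to 1G and needs adjusting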

/etc/sysconfig/graylog-server

GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow"

Adjust according to the amount of RAM



2024/05/08

Use curl to get information about an IP

curl ipinfo.io/8.8.8.8
{
  "ip": "8.8.8.8",
  "hostname": "dns.google",
  "anycast": true,
  "city": "Mountain View",
  "region": "California",
  "country": "US",
  "loc": "37.4056,-122.0775",
  "org": "AS15169 Google LLC",
  "postal": "94043",
  "timezone": "America/Los_Angeles",
  "readme": "https://ipinfo.io/missingauth"
}

2024/05/06

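Several times now a computer has been transmitting a large volume of packets
The netflow values were in the tens of thousands, even hundreds of thousands
The usual approach was to block the IP first
and wait for the user to come and report it
But that way there is no chance to pull the relevant data at the time of the incident
and see which program actually caused it
Recently I found
LiveTcpUdpWatch
With this tool
it can be pushed straight from ESET PROTECT to the computer, run there, and send the data back
so it is immediately clear which program is responsible; once the data is collected, block the IP
Very convenient

The script is as follows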


curl -o %temp%\LiveTcpUdpWatch.exe http://10.0.0.1/LiveTcpUdpWatch.exe

%temp%\LiveTcpUdpWatch.exe /CaptureTime 300000 /scomma "%temp%\tcpudp.csv"

ping -n 310 localhost > NUL

curl -u id:passwd -T "%TEMP%\tcpudp.csv" ftp://10.0.0.2/




The tools on https://www.nirsoft.net are all very useful

2024/04/29

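Users keep reporting that incoming mail is delayed
because greylisting was turned on earlier
The current idea is to split it into working hours and off hours
Turn it off during working hours and back on after work
Try it for a while and see

The commands are as follows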

/usr/bin/pmgsh set /config/mail -greylist 0

/usr/bin/pmgsh set /config/mail -greylist 1


2024/03/28

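To test the SIEM
snmptrap needs to be brought up

Found two methods
The first is to use zabbix_trap_receiver.pl directly
but it had problems and would not start


The second is to edit /etc/snmp/snmptrapd.conf directly

The content is as follows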

# Example configuration file for snmptrapd
#
# No traps are handled by default, you must edit this file!
#

disableAuthorization yes
authCommunity   log,execute,net public

[snmp] logOption s 2
[snmp] logOption f /tmp/snmptrapd-direct.log

format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n


systemctl restart snmptrapd

That is all it takes