安全态势感知管理平台SIP/探针STA

深信服安全感知平台(简称SIP)是一款面向全行业的大数据安全分析平台,旨在为用户构建一套集检测、可视、响应于一体的本地安全大脑,让安全可感知、易运营,更有价值。
点击可切换产品版本
知道了
不再提醒
SIP3.0.65
{{sendMatomoQuery("安全态势感知管理平台SIP/探针STA","Linux DNS服务器")}}

Linux DNS服务器

更新时间:2022-07-29
  1. 资产感知需要配置DNS服务器

登录SIP,在[资产感知/资产管理/主机资产]页面,确保DNS主机的类型配置正确,如下图所示。

  1. 在SIEM分析系统里新增采集器

在SIP的SIEM分析系统->日志源对接页面,点击新增,如下图所示,配置好DNS服务器的IP地址,类型选择“DNS Linux”,最后点击“确定”

  1. 修改DNS服务器的配置文件(在DNS服务器上操作)

1、使用xshell或其它工具进入dns服务器的后台;

2、先对/etc/named.conf文件做备份,执行命令vi /etc/named.conf编辑文件内容,在文件里新增一段配置,用于将dns请求日志记录并转发给syslog,文件内容如下所示,红色字体高亮显示的部分就是我们编辑时需要新加的部分。

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

// See the BIND Administrator's Reference Manual (ARM) for details about the

// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {

listen-on port 53 { any; };

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

recursing-file "/var/named/data/named.recursing";

secroots-file "/var/named/data/named.secroots";

allow-query { any; };

/*

- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

- If you are building a RECURSIVE (caching) DNS server, you need to enable

recursion.

- If your recursive DNS server has a public IP address, you MUST enable access

control to limit queries to your legitimate users. Failing to do so will

cause your server to become part of large scale DNS amplification

attacks. Implementing BCP38 within your network would greatly

reduce such attack surface

*/

recursion yes;

dnssec-enable yes;

dnssec-validation yes;

/* Path to ISC DLV key */

bindkeys-file "/etc/named.root.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";

session-keyfile "/run/named/session.key";

};

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

};

channel query_log {

syslog local3;

severity info;

print-time yes;

print-category yes;

};

category queries { query_log; };

};

zone "." IN {

type hint;

file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

3、执行命令systemctl restart named,用于重启dns服务;

4、执行命令vi /etc/rsyslog.conf编辑文件内容,用于将dns的日志转发给SIP,文件内容如下所示,红色字体高亮显示的部分就是我们编辑时需要新加的部分。

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html

# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imjournal # provides access to the systemd journal

#$ModLoad imklog # reads kernel messages (the same are read from journald)

#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514

# Provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files

$WorkDirectory /var/lib/rsyslog

# Use default timestamp format

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,

# not useful and an extreme performance hit

#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;

# local messages are retrieved through imjournal now.

$OmitLocalLogging on

# File to store the position in the journal

$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.* /dev/console

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.

authpriv.* /var/log/secure

# Log all the mail messages in one place.

mail.* -/var/log/maillog

# Log cron stuff

cron.* /var/log/cron

# Everybody gets emergency messages

*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.

uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log

local7.* /var/log/boot.log

# ### begin forwarding rule ###

# The statement between the begin ... end define a SINGLE forwarding

# rule. They belong together, do NOT split them. If you create multiple

# forwarding rules, duplicate the whole block!

# Remote Logging (we use TCP for reliable delivery)

#

# An on-disk queue is created for this action. If the remote host is

# down, messages are spooled to disk and sent when it is up again.

#$ActionQueueFileName fwdRule1 # unique name prefix for spool files

#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)

#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown

#$ActionQueueType LinkedList # run asynchronously

#$ActionResumeRetryCount -1 # infinite retries if host is down

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional

#*.* @@remote-host:514

local3.* @@10.222.3.146:514

# ### end of the forwarding rule ###

注意:这一行的意思是“发送给SIP的ip地址的514端口”,这里的ip地址一定要改成客户的SIP的ip地址。

5、执行命令systemctl restart rsyslog,用于重启rsyslog服务,之后SIP就能收到dns日志了。

  1. 将DNS服务器作为源地址添加到安全白名单,避免通过STA等其他设备发送过来的日志导致DNS服务器报失陷。

  1. 后续可以观察SIP的第三方日志以及安全事件,只要客户把内网主机都在资产感知模块配置正确,DNS代理误判的问题即可解决。