Network intrusion detection with Snort and the ClamAV antivirus on Linux/CentOS
Background
Our company recently has a project going through a classified-protection (等保) compliance evaluation, which is how I came to look at network intrusion detection and antivirus software for Linux servers (CentOS 7.9 here).
Snort, an open-source network intrusion detection system
Snort is an open-source network intrusion prevention and network intrusion detection system. Snort uses signature-based detection together with protocol analysis. To date, Snort has been downloaded several million times, and it is regarded as the most widely used intrusion prevention and detection software in the world. --- from Wikipedia
ClamAV, an open-source antivirus engine
Clam AntiVirus (ClamAV) is a free, open-source antivirus engine; both the software and its virus signature updates are published by the community. ClamAV is currently used mainly on mail servers running Linux, FreeBSD and other Unix-like systems, where it provides virus scanning of e-mail. --- from Wikipedia
=== Honestly, after many years of front-line internet operations work this is the first time I have touched these tools, so I am writing it up here ===
Now on to the actual deployment~
Deploying the Snort network intrusion detection system on CentOS 7
Download and install the software and its dependencies
yum -y install epel-release
yum install -y gcc flex bison zlib libpcap pcre libdnet tcpdump
yum install -y libnghttp2
yum -y install daq
wget https://www.snort.org/downloads/snort/snort-2.9.20-1.centos.x86_64.rpm && rpm -ivh snort-2.9.20-1.centos.x86_64.rpm
ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1 # this step is required, otherwise snort fails with: libdnet.1 not found
Download and install the Snort rules
# The official rules are updated frequently; download the latest set from the official site [note: you must be logged in, otherwise the link is greyed out]
# rules download page: https://www.snort.org/downloads#rules
wget https://www.snort.org/downloads/registered/snortrules-snapshot-29200.tar.gz # best to download from the official site and upload the file yourself; when I tried wget the download did not seem to succeed~
tar xf snortrules-snapshot-29200.tar.gz
cp etc/snort.conf /etc/snort/snort.conf
cp rules/* /etc/snort/rules/
Test the configuration and start the service
# This step is the fiddly one: many of the bundled rules configs may be of no use by themselves. Test with the command below and simply comment out whatever errors~
snort -T -c /etc/snort/snort.conf
...
...
MaxRss at the end of detection rules:38088
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.20 GRE (Build 82)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.32 2012-11-30
Using ZLIB version: 1.2.7
Total snort Fixed Memory Cost - MaxRss:38088
Snort successfully validated the configuration!
Snort exiting
# If you see the output above, validation succeeded and the service can be started~
systemctl start snortd && systemctl enable snortd
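The "validate, then comment out whatever rules file errors" loop above is tedious by hand when a rules snapshot ships dozens of files. The following script, an added example that is not part of the original post, automates it: it runs `snort -T`, reads the first `ERROR:` line, and disables the `include $RULE_PATH/<name>.rules` line for that file in snort.conf, repeating until the config validates. The assumed error format `ERROR: <path>(<line>) <message>` and the `include $RULE_PATH/...` convention are those of the stock Snort 2.9 config; the `snort-prune.sh` name and the backup suffix are my own choices. Each pass keeps a timestamped backup of snort.conf so the disabled lines can be reviewed (a rules file that fails to parse is usually one you still want, after fixing a variable or classification it depends on).

```shell
#!/bin/sh
# Added example, not part of the original post: automates the "validate, then comment
# out whatever rules file errors" loop described above. Assumes Snort 2.9 prints rule
# errors as "ERROR: <path>(<line>) <message>" and that snort.conf pulls rules in via
# "include $RULE_PATH/<name>.rules" lines, as the stock config shipped in etc/ does.

# Pull the rules file name out of one Snort error line; prints nothing if the error
# is not inside a *.rules file (then snort.conf itself needs a manual fix).
# Constructed sample input: "ERROR: /etc/snort/rules/foo.rules(12) Unknown rule option: x"
extract_failing_file() {
    printf '%s\n' "$1" | sed -n 's|^ERROR: .*/\([^/]*\.rules\)([0-9]*).*|\1|p'
}

# Comment out the include line for one rules file, keeping a timestamped backup of
# the config so the change is reviewable. Prints the number of lines disabled (0 or 1).
disable_include() {
    conf=$1
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape the dot for the regex
    cp "$conf" "$conf.bak.$(date +%s)"
    sed -i "s|^include \$RULE_PATH/$esc\$|# disabled by validator: &|" "$conf"
    grep -c "^# disabled by validator: include \$RULE_PATH/$esc\$" "$conf"
}

# Run the validator repeatedly, disabling one failing rules file per pass, until the
# config validates or the pass limit is reached. Needs snort on PATH.
validate_and_prune() {
    conf=$1; max=${2:-20}; n=0
    while [ "$n" -lt "$max" ]; do
        out=$(snort -T -c "$conf" 2>&1) && { printf '%s\n' "$out" | tail -n 3; return 0; }
        failing=$(printf '%s\n' "$out" | grep '^ERROR: ' | head -n 1)
        rules=$(extract_failing_file "$failing")
        if [ -z "$rules" ]; then
            printf 'Error is not in a rules file, fix snort.conf by hand:\n%s\n' "$failing" >&2
            return 1
        fi
        echo "disabling $rules"
        disable_include "$conf" "$rules" >/dev/null
        n=$((n + 1))
    done
    echo "gave up after $max passes" >&2
    return 1
}

# Usage: sh snort-prune.sh /etc/snort/snort.conf [max_passes]
if [ "$#" -gt 0 ]; then
    validate_and_prune "$@"
fi
```

Run it as root against the copied config before starting snortd; when it stops with an error that is not in a rules file (a missing variable or preprocessor in snort.conf itself), fix that line by hand and run it again. Diff the newest `.bak.*` copy against snort.conf afterwards to see exactly which includes were disabled.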
Deploying the ClamAV antivirus on CentOS 7
Install dependencies and packages
yum -y install epel-release
yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
Edit the configuration
sed -i 's&^#LocalSocket /run/clamd.scan/clamd.sock&LocalSocket /run/clamd.scan/clamd.sock&g' /etc/clamd.d/scan.conf
Start the services
systemctl start clamav-freshclam && systemctl enable clamav-freshclam
systemctl start clamd@scan && systemctl enable clamd@scan
systemctl status clamav-freshclam && systemctl status clamd@scan
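Once clamd@scan is running, the next thing a practitioner wants is a scan that can be put in cron and whose result can be read from a log or a monitoring hook. The script below is an added example, not part of the original post or of the ClamAV project: it drives the daemon through `clamdscan`, keeps only the hits, and records a dated verdict. It assumes the stock clamdscan client, whose per-hit lines read `<path>: <Signature> FOUND` and whose exit status is 0 (clean), 1 (something found) or 2 (error); the log path and the `clam-scan.sh` name are my own placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: a scan wrapper for the clamd@scan
# daemon started above. Assumes the stock clamdscan client, which reports each hit as
# "<path>: <Signature> FOUND" and exits 0 (clean), 1 (something found) or 2 (error).
# The default log path below is a placeholder; pick one that fits your server.

# Print only the paths reported as infected from raw clamdscan/clamscan output.
# Constructed sample line: "/srv/upload/x.exe: Eicar-Signature FOUND"
infected_paths() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# Map clamdscan's exit status to a word so logs and cron mail stay readable.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one directory through the running daemon and append a dated record to a log.
# --fdpass hands open file descriptors to clamd so it can read files the clamscan
# user cannot; --infected limits output to hits. Returns clamdscan's status unchanged
# so cron or a monitoring agent can act on it.
scan_dir() {
    dir=$1
    log=${2:-/var/log/clamdscan-wrapper.log}   # placeholder default path
    if out=$(clamdscan --fdpass --infected "$dir" 2>&1); then rc=0; else rc=$?; fi
    {
        echo "$(date '+%F %T') scan of $dir: $(scan_verdict "$rc") (exit $rc)"
        infected_paths "$out" | sed 's/^/  hit: /'
    } >> "$log"
    return "$rc"
}

# Usage: sh clam-scan.sh /srv/upload [/path/to/logfile]
if [ "$#" -gt 0 ]; then
    scan_dir "$@"
fi
```

Before trusting it, confirm the deployment end to end: freshclam must have completed at least one signature download (otherwise clamd has nothing to match against), and a scan of a directory holding the standard EICAR test file should log one hit and return exit status 1. An exit status of 2 in the log usually means the LocalSocket line enabled above is wrong or clamd is not running.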
Copyright notice:
Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. When reposting, please credit 运维老狗!