Lab 2: Enterprise Security Construction

一、Lab objectives
1. Understand the principle and role of a network access control (NAC) system.
2. Learn to install ELK and perform its basic configuration; through the lab, understand the basic ELK architecture and how its components work together.

二、Lab environment
One Ubuntu server. Note: VirtualBox and the GNS3 network simulator are installed on the Ubuntu host, giving four devices in total:
- one Windows 2003 VM (VirtualBox) acting as the RADIUS server that authorizes network access, and also as the DHCP and authentication server;
- one Windows XP VM (VirtualBox) acting as the access client that is subjected to admission verification;
- one router simulated in GNS3, modeling the enterprise core router;
- one switch simulated in GNS3, modeling the enterprise access-layer switch.

三、Lab contents and steps

1. Network access control lab

(1) Preparation
Log in as root (password 360coilegePsswOrd, as printed in the guide).
Install the xfce4-terminal terminal emulator:
apt install -y xfce4-terminal
Then start the graphical interface:
startx
Press Ctrl+N to create a blank project (or click File - New blank project), give it a name and save it.
Set the GNS3 default terminal to the xfce4-terminal just installed.

[Screenshots: Kibana Management > Index Patterns > Create index pattern, step 2 of 2 (Configure settings), with the @timestamp field chosen as the Time Filter field, which Kibana uses to narrow data down to a time range; Discover view showing 1 hit, a syslog record from host 192.168.1.8 port 46246 whose message is a bind9 named query log.]
Click Discover to view the logs; the log entry appears, confirming that the pipeline works.

Experiment 2: send Apache logs, as files, to logstash with filebeat
The configuration idea is the same as before. Filebeat, however, also supports sending directly to elasticsearch: if the filtering and reshaping features of logstash are not needed, send straight to elasticsearch. Filtering and reshaping are covered later.

Modify the elasticsearch configuration. Log in to the ELK server and change the elasticsearch default configuration so that it listens on the host's IP address instead of the default loopback interface:
vim /etc/elasticsearch/elasticsearch.yml
In the Network section, set the bind address (the lab binds to all interfaces) and leave the HTTP port at 9200:
  network.host: 0.0.0.0
  http.port: 9200

Start elasticsearch and kibana:
systemctl start elasticsearch kibana

Install filebeat on the application server (the Apache host). Download the package (the download URL is not preserved in the guide):
curl -L -O
Edit the filebeat configuration file:
vim /etc/filebeat/filebeat.yml
Dashboard output to Kibana (the Kibana section; scheme and port may be left out and default to http and 5601):
  setup.kibana:
    host: "192.168.1.10:5601"
Output configuration, sending directly to elasticsearch (x.x.x.x is the ELK server address; index lifecycle management stays disabled):
  output.elasticsearch:
    hosts: ["x.x.x.x:9200"]
    #ilm.enabled: false

Enable the Apache log-parsing module:
filebeat modules enable apache2
Check which modules are enabled:
filebeat modules list
Edit the apache2 module configuration:
vim /etc/filebeat/modules.d/apache2.yml
  - module: apache2
    # Access logs
    access:
      enabled: true
      # Set custom paths for the log files. If left empty,
      # Filebeat will choose the paths depending on your OS.
      var.paths: ["/var/log/httpd/access_log"]
    # Error logs
    error:
      enabled: true
      var.paths: ["/var/log/httpd/error_log"]

Create the index and the index template:
filebeat setup -e
Start filebeat:
systemctl start filebeat
Start Apache:
systemctl start httpd
Generate logs by visiting the site, then view them: from the Windows server, log in to kibana and check the logs.

Experiment: send iptables logs to syslog, forward them to logstash, and adjust the fields Kibana displays
Key point: logstash reshapes the logs, and the corresponding fields are adjusted.

Configure the logcreat server to produce iptables logs and send them to the ELK server's syslog. Log in to the logcreat server and enable iptables:
systemctl start iptables
Check the current rules; they should be the defaults:
iptables -nvL
Add rules that log SSH connections, as in the earlier iptables log experiment:
iptables -I INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh_login" --log-level 4
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
Modify the rsyslog configuration to send the logs to the ELK server's syslog:
vim /etc/rsyslog.conf
Add the following line, where x.x.x.x is the ELK server address (a single @ forwards over UDP):
  kern.4 @x.x.x.x:514
Restart the rsyslog service:
systemctl restart rsyslog

Configure syslog on the ELK server to save the iptables logs to /var/log/iptables (this assumes rsyslog on the ELK server already accepts remote syslog on UDP port 514, as set up in the earlier experiments). Log in to the ELK server and edit the syslog configuration:
vim /etc/rsyslog.conf
Add the following line:
  kern.4 /var/log/iptables
Restart rsyslog and check the log:
systemctl restart rsyslog
cat /var/log/iptables

Configure logstash to parse the iptables logs. A grok debugging website and the list of default grok patterns (links not preserved in the guide) can be used to test expressions. Here the logstash grok plugin matches log lines with regular expressions: %{SYSLOGTIMESTAMP:date} means the regular expression SYSLOGTIMESTAMP, whose matched value goes into the log field date (the date and time); %{IPV4:SRC} means the regular expression IPV4, with the matched value stored in the field SRC.

Create the iptables log reader file:
vim /etc/logstash/conf.d/iptables.conf
Enter the following (the spaces before DST=, SPT= and DPT= must be present, since the iptables log line contains them):
  input {
    file {
      path => "/var/log/iptables"
    }
  }
  filter {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:date}%{DATA}SRC=%{IPV4:SRC} DST=%{IPV4:DST}%{DATA}PROTO=%{WORD:PROTO} SPT=%{NUMBER:SPT} DPT=%{NUMBER:DPT}" }
    }
  }
  output {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "iptables"
    }
  }

Make the iptables log world-readable so logstash can read it:
chmod +r /var/log/iptables
Start the ELK services:
systemctl start elasticsearch logstash kibana

Generate a report in Kibana. Building on experiment 3, add the iptables index; the logs appear as in the figure below with clearly separated fields, which makes filtering easy.
[Screenshot: Kibana Discover on the iptables index with the fields Time, SRC, DST, SPT, DPT and PROTO; each record shows SRC 192.168.0.121, DST 192.168.0.122, SPT 49825, DPT 22, PROTO TCP, at roughly one-minute intervals on April 16th 2019.]
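As an added illustration that is not part of the original lab guide, the following Python script expands the grok expression from iptables.conf into a regular expression the same way the grok plugin does, and runs it over two constructed /var/log/iptables lines. The pattern definitions are simplified stand-ins (an assumption, not the plugin's own), and the second line shows the _grokparsefailure case that shows up in Kibana when a log line does not fit the pattern.

```python
import re

# Simplified stand-ins for the Logstash grok core patterns used by the lab's
# filter (assumption: adequate for iptables lines; the real definitions are longer).
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"\d{2}:\d{2}:\d{2}",
    "DATA": r".*?",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
}
GROK_PATTERNS["SYSLOGTIMESTAMP"] = "{MONTH} +{MONTHDAY} {TIME}".format(**GROK_PATTERNS)
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand each %{NAME:field} reference into a Python regex named group."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))

# The match expression from the lab's iptables.conf, with the spaces between the
# key=value pairs that a real iptables log line contains.
IPTABLES_GROK = ("%{SYSLOGTIMESTAMP:date}%{DATA}SRC=%{IPV4:SRC} DST=%{IPV4:DST}"
                 "%{DATA}PROTO=%{WORD:PROTO} SPT=%{NUMBER:SPT} DPT=%{NUMBER:DPT}")
IPTABLES_RE = grok_to_regex(IPTABLES_GROK)

def parse_iptables(line: str) -> dict:
    """Return the grok fields, or the _grokparsefailure tag Logstash would add."""
    m = IPTABLES_RE.search(line)
    if m is None:
        return {"tags": ["_grokparsefailure"]}
    return m.groupdict()

# Constructed sample lines in /var/log/iptables format (not taken from the guide).
SAMPLE_LOGS = [
    "Apr 16 17:24:48 logcreat kernel: ssh_loginIN=eth0 OUT= MAC=08:00:27:aa:bb:cc "
    "SRC=192.168.0.121 DST=192.168.0.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
    "PROTO=TCP SPT=49825 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    # ICMP carries no SPT/DPT, so the lab's pattern cannot match it.
    "Apr 16 17:25:01 logcreat kernel: ssh_loginIN=eth0 OUT= SRC=192.168.0.121 "
    "DST=192.168.0.122 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1",
]
```

Run parse_iptables over each line of SAMPLE_LOGS: the TCP line yields the six fields the Kibana table shows, while the ICMP line is tagged _grokparsefailure, which is the tag to filter on when checking whether a pattern covers all traffic types.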
Filter expression, for example SRC: 192.168.0.121, as in the figure.
[Screenshot: Kibana Discover filtered with SRC: 192.168.0.121 over April 16th 2019, 17:15 to 17:30, showing records with DST 192.168.0.122, SPT 56324, DPT 22, PROTO TCP.]

Create a visualization: in Kibana click Visualize, then Create a visualization.
Choose the pie chart.
Choose the index: under "From a New Search, Select Index", select the iptables index (ipta*).
Split by slices (Buckets: Split Slices).
Choose the parameters to generate the report, and finally click the triangle (Apply changes) to draw the chart, which shows the share of each source port.
[Screenshot: Metrics: Slice Size = Count; Buckets: Split Slices, Aggregation Terms, Field SPT.keyword, Order By metric: Count, Order Descending, Size 5, with the option "Group other values in separate bucket"; the resulting pie shows source ports 49825, 47638, 56324 and 36840.]

四、Lab report requirements
1. Write the lab report according to the lab guide and the lab process, and analyze and summarize the process and results.
2. The report's content and data must be genuine, with a detailed analysis of the results.

Adding the switch, the router and the VM network adapters
Add the switch.
Add the router: search for the string 7200.
Add two VM network adapters (cloud nodes): search for the string cloud.
Configure the VM network adapters. First open Oracle VirtualBox and add a network adapter to the VMs, otherwise the adapter may not be found in the following steps. If it is found, right-click Cloud-1 - Configure and add vboxnet0; if it is not found, click Refresh. Configure Cloud2 the same way: right-click Cloud-2 - Configure and add vboxnet1.
Wiring: it is recommended to follow our interfaces, but you may follow your own habit; if you do, change the corresponding network configuration.
  cloud2:vboxnet1 - sw1:FastEthernet1/15
  sw1:FastEthernet1/0 - R1:Ethernet1/7
  R1:FastEthernet0/0 - cloud1:vboxnet0
Start the devices: right-click R1 and sw1 and choose Start; the red interface dots turn green.

(2) Configure the network devices
Configure the router: double-click R1 and press Enter. Enter the configuration commands, paying attention to the prompt; refer to R1.conf in the 802.1x folder on the desktop.
Configure the switch: double-click sw1 and press Enter. Enter the configuration commands; refer to sw1.conf in the 802.1x folder on the desktop.

(3) Configure the server: RADIUS + DHCP
Configure Windows 2003 (username administrator, password 360College). Check that the network adapter is attached to vboxnet0 (already set by default). Start the VM, click Input - Keyboard - Insert Ctrl-Alt-Del at the top, and enter the account and password (username administrator, password 360College).

Configure users and groups: Start - All Programs - Administrative Tools - Computer Management - System Tools - Local Users and Groups. Create a new user named it01 with password PsswOrd; this is the account used for admission verification. Click Create, then Close. Create a new group named it_group and add it01 to it. Click Create, then Close.
Run gpedit.msc from Start - Run to open Group Policy. (This step is already done in the lab environment, but it is not set in a default OS installation.) Because EAP-MD5 challenge is used, the operating system must know the user's password, so the policy "Store passwords using reversible encryption" is enabled here. Note that this setting only applies to passwords set or changed after it is enabled.

Install DHCP + RADIUS: Start - Run appwiz.cpl to open Add/Remove Programs - Add/Remove Windows Components; click OK, then Next until Finish.

Configure DHCP: open the DHCP manager via Start - All Programs - Administrative Tools - DHCP. Right-click the server name, New Scope, click Next three times until the default gateway page, enter gateway IP 192.168.50.254, then Next until Finish. Create scopes for VLAN100 and VLAN101 the same way:
  VLAN100: IP 192.168.100.100 to 192.168.100.200, gateway 192.168.100.254
  VLAN101: IP 192.168.101.100 to 192.168.101.200, gateway 192.168.101.254

Configure RADIUS (called Internet Authentication Service, IAS, in Windows): Start - All Programs - Administrative Tools - Internet Authentication Service. Right-click RADIUS Clients - New RADIUS Client, configure IP 10.0.0.2 and shared secret cisco (matching the configuration on sw1). Right-click Remote Access Policies - New Remote Access Policy - Next. Right-click the created policy, Properties, and under Advanced add the three attributes shown in the screenshot, which are used to push the VLAN to the switch. The final configured screen is as shown; click Apply, and the RADIUS configuration is complete.

Configure Windows XP and verify the configuration: start the VM and check that the network adapter is attached to vboxnet1 (same procedure as for Windows 2003). Run services.msc from Start - Run to open Services; find Wired AutoConfig and start it. Configure Local Area Connection to use EAP-MD5 challenge. Click OK; an authentication prompt appears at the bottom right. Enter the username (the it01 account created above) and password PsswOrd.
If verification fails, disable and re-enable Local Area Connection, or shut down and re-enable port F1/0 on sw1, then verify again:
  sw1(config)# int f1/0
  sw1(config-if)# shutdown
  sw1(config-if)# no shutdown
On success, Windows obtains the IP 192.168.50.100.
If no username and password are entered, Windows after a while obtains 192.168.100.100, i.e. the guest VLAN.
If a wrong password is entered, it obtains 192.168.101.100, i.e. the fail VLAN.

2. ELK installation lab

(1) Prepare the environment
Change the system defaults to improve performance:
vim /etc/security/limits.conf
Add the following four lines (nofile is the number of simultaneously open files, nproc the number of simultaneous processes):
  * soft nofile 65536
  * hard nofile 131072
  * soft nproc 2048
  * hard nproc 4096
Edit vim /etc/sysctl.conf and increase the virtual memory map count:
  vm.max_map_count=655300
Apply the change:
sysctl -p

Install the Java environment:
yum install -y java-1.8.0-openjdk-devel.x86_64
Verify the installation:
java -version

elasticsearch
Import the package signing key:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Create the repository file:
vim /etc/yum.repos.d/elasticsearch.repo
  [elasticsearch-6.x]
  name=Elasticsearch repository for 6.x packages
  baseurl=https://artifacts.elastic.co/packages/6.x/yum
  gpgcheck=1
  gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
  enabled=1
  autorefresh=1
  type=rpm-md
Install elasticsearch:
yum install elasticsearch
Start the service (this takes about 30 seconds):
systemctl start elasticsearch
Verify that the service is running by checking that TCP port 9200 is open:
ss -lnt | grep 9200
Verify with curl; the output should look like this:
curl 127.0.0.1:9200
  {
    "name" : "ehcvjmC",
    "cluster_name" : "elasticsearch",
    "cluster_uuid" : "9b75UiQTTvauXlZjOB9Nvg",
    "version" : {
      "number" : "6.7.0",
      "build_flavor" : "default",
      "build_type" : "rpm",
      "build_hash" : "8453f77",
      "build_date" : "2019-03-21T15:32:29.844721Z",
      "build_snapshot" : false,
      "lucene_version" : "7.7.0",
      "minimum_wire_compatibility_version" : "5.6.0",
      "minimum_index_compatibility_version" : "5.0.0"
    },
    "tagline" : "You Know, for Search"
  }

logstash
Import the package signing key:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Create the repository file:
vim /etc/yum.repos.d/logstash.repo
  [logstash-6.x]
  name=Elastic repository for 6.x packages
  baseurl=https://artifacts.elastic.co/packages/6.x/yum
  gpgcheck=1
  gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
  enabled=1
  autorefresh=1
  type=rpm-md
Install logstash:
yum install -y logstash
Generate the configuration file from the sample shipped with the package:
cp /etc/logstash/logstash-sample.conf /etc/logstash/conf.d/logstash.conf
Start the service:
systemctl start logstash
Check the service:
ss -lnt | grep 5044

kibana
Create the repository file:
vi /etc/yum.repos.d/kibana.repo
  [kibana-6.x]
  name=Kibana repository for 6.x packages
  baseurl=https://artifacts.elastic.co/packages/6.x/yum
  gpgcheck=1
  gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
  enabled=1
  autorefresh=1
  type=rpm-md
Install kibana:
yum install kibana
Configure the external listening address so it can be reached:
vim /etc/kibana/kibana.yml
Find the following line and change it, where x.x.x.x is this host's IP address, so that other PCs can access it:
  server.host: "x.x.x.x"
Start kibana:
systemctl start kibana
Check that the service started:
ss -lnt | grep 5601
Other devices on the same subnet can now open http://x.x.x.x:5601 and see the Kibana interface; the installation succeeded.
Finally check all ports:
ss -lnt
You should see 9200 and 9300 for elasticsearch, 5044 for logstash and 5601 for kibana, proving that the installation succeeded.

3. ELK usage lab
Log in to the ELK server, then create and edit the logstash configuration file:
cp /etc/logstash/logstash-sample.conf /etc/logstash/conf.d/bind.conf
vim /etc/logstash/conf.d/bind.conf
Modify the configuration as in the figure:
  # Sample Logstash configuration for creating a simple
  # Beats -> Logstash -> Elasticsearch pipeline.
  input {
    tcp {
      port => 5144
      type => syslog
    }
  }
  output {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      #user => "elastic"
      #password => "changeme"
    }
  }
Because the tcp input provides no @metadata beat or version fields, the index is created under the literal name %{[@metadata][beat]}-%{[@metadata][version]}-<date>, which is what the Kibana index list later shows; setting a fixed index name avoids this.
Start ELK:
systemctl start logstash elasticsearch kibana

Configure bind9: log in to the BIND9 server. In the lab environment, bind9's query log is already sent to rsyslog's local5 facility, as in the earlier DNS experiment; you can check the bind9 configuration yourself.
Send it to logstash via syslog:
vim /etc/rsyslog.conf
Add the following, where x.x.x.x is the ELK address and 5144 is the logstash port configured above (the double @@ forwards over TCP, matching the tcp input):
  local5.* @@x.x.x.x:5144
Restart rsyslog:
systemctl restart rsyslog
Start the bind service:
systemctl start named
Generate bind logs with several dig queries (for example dig 1.test).
Check whether the logs exist locally:
cat /var/log/dns
From Windows, use Firefox to log in to kibana at http://x.x.x.x:5601 and view the logs. As shown in the figure, select the required index.
[Screenshots: Kibana at 192.168.1.31:5601, Management > Index Patterns > Create index pattern, step 1 of 2 (Define index pattern), listing the index %{[@metadata][beat]}-%{[@metadata][version]}-2019.04.02 created by the index setting in bind.conf.]