#SysmonForLinux Sysmon for Linux is a tool for monitoring and logging system activity, including process lifecycle, network connections, file system writes and more. Sysmon keeps working across system reboots and uses advanced filtering to help identify malicious activity and how intruders and malware operate on your network. [https://github.com/microsoft/SysmonForLinux]
#Note: this method only logs; it cannot block. Novice users are also advised not to make large changes to the NAS backend.
Disclaimer: This content (including but not limited to the Sysmon configuration, Linux command explanations, script examples, etc.) is intended only for lawful security research, education, authorized red-team exercises and testing, and internal enterprise security defense. Any penetration testing, intrusion, scanning, attack or other unlawful act without explicit written authorization is illegal. All consequences arising from use of this content (including but not limited to legal liability, property loss, data leakage, etc.) are borne by the user and are unrelated to the author/sharer. Please strictly comply with the Cybersecurity Law of the People's Republic of China, the NAS vendor's service policies, and other applicable laws and regulations.
Preface:
I saw someone share a tutorial on installing 雷池 (SafeLine WAF), so I'll share my own NAS protection approach. I have three requirements:
- An out-of-band (bypass) solution, so that a failure has little impact on the device
- From analyzing the NAS web traffic, most of it is encrypted a second time at the application layer; where parameter values are encrypted, a WAF may not be able to see anything anyway
- What I care about more are host compromise events, e.g. outbound connections initiated by the host, requests to IoC addresses, execution of sensitive commands
Here are some of the mainstream protection options:
- Install a WAF: the WAF runs in Docker, inline, adding another nginx layer that intercepts traffic (advantage: it monitors application-layer traffic and can block an attacker's traffic; disadvantage: with an inline design a single point of failure is quite a headache)
- Install Snort/Suricata: installed directly on the host, can run out-of-band via traffic mirroring (advantage: it can monitor all traffic; disadvantage: deployment difficulty and operational cost are high)
- Install 云锁 / Sysmon: installed directly on the host to monitor process information and process outbound connections (Qi An Xin's 云锁 is paid and not an option for an individual; Chaitin used to have 牧云 but I don't know whether it is still maintained; that leaves Sysmon, Microsoft's official free security tool, later ported to Linux, which is based on eBPF and so can extend the kernel without modifying the existing Linux kernel)
So, combining my requirements with these mainstream options, I ended up choosing SysmonForLinux. It has drawbacks too, of course, e.g. no blocking, and high operational/skill cost.
#Prerequisites: familiarity with Linux, familiarity with Sysmon or a thorough read of Microsoft's official documentation [https://learn.microsoft.com/zh-cn/sysinternals/downloads/sysmon], and some computer security experience. If you meet none of these three, I don't recommend trying this.
I. Installation:
1. Check the Linux version, update the corresponding packages, fix any missing packages, etc.
The exact commands are below; if your system version differs from mine, the commands may need adjusting.
```
root@nas_linux:/home/user_name# uname -a
Linux nas_linux 6.12.30+ #1 SMP PREEMPT_DYNAMIC Fri Jan 16 12:14:12 UTC 2026 x86_64 GNU/Linux
root@nas_linux:/home/user_name# curl -s https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
root@nas_linux:/home/user_name# echo "deb [arch=amd64] https://packages.microsoft.com/debian/$(lsb_release -rs | cut -d. -f1)/prod $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/microsoft.list
deb [arch=amd64] https://packages.microsoft.com/debian/12/prod bookworm main
root@nas_linux:/home/user_name# apt-get update
Get:1 https://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 https://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 https://deb.debian.org/debian bookworm-proposed-updates InRelease [60.6 kB]
```
2. Write the Sysmon configuration file
Note: the configuration file should be adjusted to your actual needs and to what Sysmon actually records; what I provide here is only an example and must be adapted to your situation. Writing a Sysmon rule file is a tedious job, so configure and test it in a virtual machine first and only then apply it to production. Badly configured Sysmon rules can log huge volumes and cause constant I/O; if you are not familiar with Linux, don't try this!!!
My example focuses on three areas:
- Detecting command lines attackers commonly use, e.g. curl, wget, nc, python; attackers typically use these to pull down malicious files or to spawn a reverse shell
- .so and .sh files landing on disk
- Process outbound connections
Of course, normal NAS operation may also trigger these rules; that is the ongoing rule-maintenance work that comes later.
```
root@nas_linux:/home/user_name# mkdir -p /home/user_name/sysmon
root@nas_linux:/home/user_name# cd /home/user_name/sysmon
root@nas_linux:/home/user_name/sysmon# cat > sysmon-nas-config.xml << 'EOF'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Event ID 1: ProcessCreate -->
    <RuleGroup groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <CurrentDirectory condition="is">/ql</CurrentDirectory>
        <CommandLine condition="contains">/proc/uptime</CommandLine>
        <CommandLine condition="contains">/etc/os-release</CommandLine>
        <CommandLine condition="contains">/sys/class/net/eth</CommandLine>
        <CommandLine condition="contains">/ug_sys_info_log</CommandLine>
        <CommandLine condition="contains">/build_version</CommandLine>
        <CommandLine condition="contains">/resolv.conf.dhclient</CommandLine>
        <CommandLine condition="contains">/usr/sbin/update-rc.d</CommandLine>
        <CommandLine condition="contains">/usr/bin/crudini</CommandLine>
        <CommandLine condition="contains">DBUS_SESSION_ADDRESS_ROOT</CommandLine>
        <CommandLine condition="contains">/proc/mounts</CommandLine>
        <CommandLine condition="contains">/devices/virtual/block/md</CommandLine>
        <CommandLine condition="contains">/eth0/device/vendor</CommandLine>
      </ProcessCreate>
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains">curl</CommandLine><!-- commands attackers commonly use -->
        <CommandLine condition="contains">wget</CommandLine>
        <CommandLine condition="contains">nc -z</CommandLine>
        <CommandLine condition="contains">ncat</CommandLine>
        <CommandLine condition="contains">netcat</CommandLine>
        <CommandLine condition="contains">cat </CommandLine>
        <CommandLine condition="contains">python</CommandLine>
        <CommandLine condition="contains">perl</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 11: FileCreate -->
    <RuleGroup groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="end with">.sh</TargetFilename><!-- file types attackers commonly drop -->
        <TargetFilename condition="end with">.so</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- Event ID 3: NetworkConnect - the main focus -->
    <RuleGroup groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <!-- only log connections to public addresses -->
        <SourceIp condition="is">127.0.0.1</SourceIp><!-- process outbound connections -->
        <SourceIp condition="is">0.0.0.0</SourceIp>
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
        <DestinationIp condition="is">::1</DestinationIp>
        <DestinationIp condition="begin with">192.168.</DestinationIp>
        <DestinationIp condition="begin with">10.</DestinationIp>
        <DestinationIp condition="begin with">172.16.</DestinationIp>
        <DestinationIp condition="begin with">172.17.</DestinationIp>
        <DestinationIp condition="begin with">172.18.</DestinationIp>
        <DestinationIp condition="begin with">172.19.</DestinationIp>
        <DestinationIp condition="begin with">172.20.</DestinationIp>
        <DestinationIp condition="begin with">172.21.</DestinationIp>
        <DestinationIp condition="begin with">172.22.</DestinationIp>
        <DestinationIp condition="begin with">172.23.</DestinationIp>
        <DestinationIp condition="begin with">172.24.</DestinationIp>
        <DestinationIp condition="begin with">172.25.</DestinationIp>
        <DestinationIp condition="begin with">172.26.</DestinationIp>
        <DestinationIp condition="begin with">172.27.</DestinationIp>
        <DestinationIp condition="begin with">172.28.</DestinationIp>
        <DestinationIp condition="begin with">172.29.</DestinationIp>
        <DestinationIp condition="begin with">172.30.</DestinationIp>
        <DestinationIp condition="begin with">172.31.</DestinationIp>
        <DestinationIp condition="is">::</DestinationIp>
        <DestinationIp condition="is">255.255.255.255</DestinationIp>
        <DestinationIp condition="is">0:0:0:0:0:0:0:0</DestinationIp>
        <DestinationIp condition="is">0.0.0.0</DestinationIp>
        <DestinationPort condition="is">0</DestinationPort>
        <Protocol condition="is">udp</Protocol>
        <SourceIp condition="begin with">172.17.0.</SourceIp>
        <Image condition="contains">docker-proxy</Image>
        <Image condition="contains">_serv</Image>
        <Image condition="contains">nginx</Image>
        <Image condition="contains">qbittorrent</Image>
        <Image condition="contains">syncspace</Image>
        <Image condition="contains">qinglong</Image>
        <Image condition="contains">siyuan</Image>
        <DestinationIp condition="begin with">119.23.87.190</DestinationIp> <!-- ugnas.com -->
        <DestinationIp condition="begin with">113.48.224.84</DestinationIp> <!-- ug.link -->
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
EOF
```
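To see which events a rule file like the one above would actually record before loading it on the NAS (the post recommends testing in a VM first), here is an added example, my own code rather than the post author's and not a Sysmon tool, that dry-runs sample events against a trimmed copy of the config. It assumes the include/exclude semantics the Sysmon documentation describes: an event that matches any exclude rule is dropped even if it also matches an include rule; when an include section exists, only matching events are logged; with only an exclude section, everything not excluded is logged; and conditions compare case-insensitively. `load_rules`, `would_log` and `_match` are my names, and `CONFIG` is a constructed subset of the rules above.

```python
"""Offline checker for the include/exclude logic of a Sysmon filtering
config. Hypothetical helper, not part of Sysmon: lets you dry-run candidate
events against a rule file before loading it on the NAS."""
import xml.etree.ElementTree as ET

# Constructed: a trimmed copy of the post's rule file, enough to exercise
# every condition type it uses ("is", "contains", "begin with", "end with").
CONFIG = """<Sysmon schemaversion="4.90">
<EventFiltering>
  <RuleGroup groupRelation="or">
    <ProcessCreate onmatch="exclude">
      <CommandLine condition="contains">/proc/uptime</CommandLine>
      <CurrentDirectory condition="is">/ql</CurrentDirectory>
    </ProcessCreate>
    <ProcessCreate onmatch="include">
      <CommandLine condition="contains">curl</CommandLine>
      <CommandLine condition="contains">wget</CommandLine>
    </ProcessCreate>
  </RuleGroup>
  <RuleGroup groupRelation="or">
    <FileCreate onmatch="include">
      <TargetFilename condition="end with">.sh</TargetFilename>
    </FileCreate>
  </RuleGroup>
  <RuleGroup groupRelation="or">
    <NetworkConnect onmatch="exclude">
      <DestinationIp condition="is">127.0.0.1</DestinationIp>
      <DestinationIp condition="begin with">192.168.</DestinationIp>
      <Protocol condition="is">udp</Protocol>
      <Image condition="contains">nginx</Image>
    </NetworkConnect>
  </RuleGroup>
</EventFiltering>
</Sysmon>"""


def _match(cond, needle, value):
    """One Sysmon condition; assumption: comparisons are case-insensitive."""
    v, n = value.lower(), needle.lower()
    if cond == "is":
        return v == n
    if cond == "contains":
        return n in v
    if cond == "begin with":
        return v.startswith(n)
    if cond == "end with":
        return v.endswith(n)
    raise ValueError(f"unsupported condition: {cond}")


def load_rules(xml_text):
    """Return {event_type: {"include": [...] | None, "exclude": [...] | None}};
    each rule is (field, condition, needle). Only the flat 'or' form used in
    the post is handled; nested <Rule> blocks are not."""
    rules = {}
    root = ET.fromstring(xml_text)
    for section in root.find("EventFiltering").iter():
        onmatch = section.get("onmatch")
        if onmatch is None:  # RuleGroup wrapper or a field element, not a section
            continue
        per_type = rules.setdefault(section.tag, {"include": None, "exclude": None})
        per_type[onmatch] = [(f.tag, f.get("condition", "is"), f.text or "") for f in section]
    return rules


def would_log(rules, event_type, event):
    """event: dict of field -> value. Exclude rules take precedence over
    include rules; with an include section present only matching events are
    logged; with an exclude section only, everything not excluded is logged.
    Returns None when the config has no section for the event type, i.e.
    Sysmon's own per-type default applies and is not modelled here."""
    per_type = rules.get(event_type)
    if per_type is None:
        return None

    def hit(rule_list):
        return any(_match(c, n, event.get(f, "")) for f, c, n in rule_list or [])

    if hit(per_type["exclude"]):
        return False
    if per_type["include"] is not None:
        return hit(per_type["include"])
    return True


if __name__ == "__main__":
    r = load_rules(CONFIG)
    print(would_log(r, "ProcessCreate", {"CommandLine": "curl http://example.invalid/x.sh"}))
    print(would_log(r, "ProcessCreate", {"CommandLine": "cat /proc/uptime"}))
```

Running a few events through it shows the two pitfalls of this style of rule set: a `contains` rule such as `curl` or `cat ` matches anywhere in the command line, so any benign invocation whose path or arguments contain that substring is logged too, and an exclude such as `/proc/uptime` silences an include hit on the same command line, so exclude patterns should be kept as narrow as possible.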
II. Usage:
1. Create the service and enable it at boot
```
root@nas_linux:/etc/sysmon# tee /etc/systemd/system/sysmon.service << 'EOF'
[Unit]
Description=Sysmon for Linux
After=network.target
[Service]
Type=simple
ExecStart=sysmon -c /home/user_name/sysmon/sysmon-nas-config.xml
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
SyslogIdentifier=sysmon
[Install]
WantedBy=multi-user.target
EOF
root@nas_linux:/etc/sysmon# systemctl daemon-reload
root@nas_linux:/etc/sysmon# systemctl start sysmon
root@nas_linux:/etc/sysmon# systemctl enable sysmon
root@nas_linux:/etc/sysmon# systemctl status sysmon
● sysmon.service - Sysmon for Linux
     Loaded: loaded (/etc/systemd/system/sysmon.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-02-05 21:54:11 CST; 1min 32s ago
   Main PID: 264932 (sysmon)
      Tasks: 1 (limit: 28407)
     Memory: 198.2M
        CPU: 2.162s
     CGroup: /system.slice/sysmon.service
             └─264932 /opt/sysmon/sysmon -i /opt/sysmon/config.xml -service
```
2. Reload after updating the configuration file
This is what you need to do after you have adjusted the rule file to your actual situation.
```
root@nas_linux:/home/user_name# systemctl stop sysmon
root@nas_linux:/home/user_name# sysmon -u
Sysmon v1.5.0 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2025 Microsoft Corporation
Licensed under MIT/GPLv2
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Removed "/etc/systemd/system/multi-user.target.wants/sysmon.service".
Sysmon stopped.
root@nas_linux:/home/user_name# sysmon -accepteula -i /home/user_name/sysmon/sysmon-nas-config.xml
Sysmon v1.5.0 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2025 Microsoft Corporation
Licensed under MIT/GPLv2
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Loading configuration file with schema version 4.90
Configuration file validated.
Created symlink /etc/systemd/system/multi-user.target.wants/sysmon.service → /etc/systemd/system/sysmon.service.
root@nas_linux:/home/user_name# systemctl start sysmon
root@nas_linux:/home/user_name# sysmon -c
Sysmon v1.5.0 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2025 Microsoft Corporation
Licensed under MIT/GPLv2
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Rule configuration (version 4.90):
 - ProcessCreate onmatch: exclude combine rules using 'Or'
...
```
III. Verifying the result:
```
tail -n 100 /var/log/syslog
```
Successfully detected the host's outbound connection and located the process that made it.
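Reading raw `tail` output is fine for a quick look, but the Sysmon lines in syslog are XML documents, so here is an added example, my own code and not from the post or the Sysmon project, that parses Event ID 3 (NetworkConnect) records out of syslog text and lists those whose destination is a public address, which is exactly the "host outbound connection" this verification step is looking for. The `SAMPLE_SYSLOG` lines are constructed to mimic the Sysmon for Linux syslog format (an `<Event>` document after the `sysmon:` tag) and carry only a subset of the real fields; `parse_events` and `public_connections` are my names. It classifies addresses with `ipaddress.is_global` rather than the prefix list in the config, which also covers loopback, link-local and documentation ranges in one check.

```python
"""Hypothetical triage helper (not part of Sysmon): pull NetworkConnect
(Event ID 3) records out of the syslog lines Sysmon for Linux writes and
flag those whose destination address is globally routable."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample lines modelled on the Sysmon for Linux syslog format;
# real lines carry more <System> fields and EventData entries than shown.
# The public destination and the kernel line are illustrative only.
SAMPLE_SYSLOG = """\
Feb  5 21:55:01 nas_linux sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><Computer>nas_linux</Computer></System><EventData><Data Name="UtcTime">2026-02-05 13:55:01.100</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/curl</Data><Data Name="User">root</Data><Data Name="Protocol">tcp</Data><Data Name="SourceIp">192.168.1.10</Data><Data Name="SourcePort">51234</Data><Data Name="DestinationIp">93.184.216.34</Data><Data Name="DestinationPort">443</Data></EventData></Event>
Feb  5 21:55:02 nas_linux sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><Computer>nas_linux</Computer></System><EventData><Data Name="UtcTime">2026-02-05 13:55:02.300</Data><Data Name="ProcessId">1337</Data><Data Name="Image">/usr/sbin/nginx</Data><Data Name="User">www-data</Data><Data Name="Protocol">tcp</Data><Data Name="SourceIp">192.168.1.10</Data><Data Name="SourcePort">51240</Data><Data Name="DestinationIp">192.168.1.20</Data><Data Name="DestinationPort">8080</Data></EventData></Event>
Feb  5 21:55:03 nas_linux sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>nas_linux</Computer></System><EventData><Data Name="UtcTime">2026-02-05 13:55:03.000</Data><Data Name="ProcessId">4243</Data><Data Name="Image">/usr/bin/python3</Data><Data Name="CommandLine">python3 -c pass</Data></EventData></Event>
Feb  5 21:55:04 nas_linux kernel: [12345.678] eth0: link up
"""

# The XML payload starts right after the syslog program tag.
EVENT_RE = re.compile(r"\bsysmon: (<Event>.*</Event>)\s*$")


def parse_events(text):
    """Yield (event_id, {Data Name: value}) for each Sysmon line; other
    syslog lines and malformed XML are skipped rather than raising."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        try:
            root = ET.fromstring(m.group(1))
        except ET.ParseError:
            continue
        event_id = int(root.findtext("System/EventID", default="-1"))
        data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
        yield event_id, data


def public_connections(text):
    """Return NetworkConnect events whose DestinationIp is globally routable.
    ipaddress.is_global excludes RFC1918, loopback, link-local and the
    documentation ranges in one check, unlike a hand-written prefix list."""
    hits = []
    for event_id, d in parse_events(text):
        if event_id != 3:
            continue
        try:
            dst = ipaddress.ip_address(d.get("DestinationIp", ""))
        except ValueError:  # missing or unparsable address field
            continue
        if dst.is_global:
            hits.append({
                "time": d.get("UtcTime"),
                "pid": d.get("ProcessId"),
                "image": d.get("Image"),
                "user": d.get("User"),
                "dst": f"{dst}:{d.get('DestinationPort')}/{d.get('Protocol')}",
            })
    return hits


if __name__ == "__main__":
    for h in public_connections(SAMPLE_SYSLOG):
        print(f"{h['time']} pid={h['pid']} {h['image']} ({h['user']}) -> {h['dst']}")
```

To run it over the NAS log instead of the sample, call `public_connections(open("/var/log/syslog").read())`; the process id and image in each hit are what you then chase with `ps` or `/proc/<pid>`.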