Use instance type t3.medium with SSM access (attach the AmazonSSMManagedInstanceCore managed policy to the instance role).
• Add inbound/outbound All ICMP - IPv4 from anywhere (0.0.0.0/0) to the security group. The appliance security group must additionally allow UDP 6081 (GENEVE) and the target group's health check port from the GWLB ENI addresses; otherwise the GWLB never marks the appliance healthy or sends it traffic.
#!/bin/bash
# User data. session-manager-plugin is the client-side tool for "aws ssm start-session";
# what gives SSM access to the instance itself is amazon-ssm-agent, which Amazon Linux 2023
# (the dnf-based image assumed here) ships preinstalled, so enabling the agent is the line that matters.
sudo dnf install -y https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm
sudo systemctl enable --now amazon-ssm-agent
Name Tag                  | Located Subnet
--------------------------|-------------------------------
MainVPC-Appliance-EC2-A   | MainVPC-Appliance-SubnetA
MainVPC-Appliance-EC2-B   | MainVPC-Appliance-SubnetB
SpokeVPC1-Private-EC2-A   | SpokeVPC1-Private-SubnetA
SpokeVPC1-Private-EC2-B   | SpokeVPC1-Private-SubnetB
SpokeVPC2-Private-EC2-A   | SpokeVPC2-Private-SubnetA
SpokeVPC2-Private-EC2-B   | SpokeVPC2-Private-SubnetB
SpokeVPC3-IDC-VPN-SRV     | SpokeVPC3-IDC-VPN-SubnetA
SpokeVPC3-IDC-DNS-SRV     | SpokeVPC3-IDC-Private-SubnetA
• Connect to the Main Appliance instances over SSM and install Suricata
sudo su
cd
# suricata-update, which "make install-rules" below runs, needs PyYAML (pip has no -y flag).
sudo dnf install -y python3-pip
sudo pip3 install pyyaml
# Build dependencies. libnetfilter_queue-devel/libnfnetlink-devel are required by
# --enable-nfqueue, luajit/luajit-devel by --enable-luajit, rust/cargo by the Rust parts of Suricata.
sudo dnf update -y
sudo dnf install -y gcc gcc-c++ make automake autoconf libtool \
libpcap-devel pcre-devel libyaml-devel zlib-devel file-devel \
jq libmaxminddb-devel luajit luajit-devel rust cargo \
libnetfilter_queue-devel libnfnetlink-devel \
libcap-ng-devel nss-devel wget tar bzip2 jansson-devel pcre2-devel \
libnet-devel lua-devel lz4-devel gzip
cd /usr/local/src
sudo wget https://www.openinfosecfoundation.org/download/suricata-current.tar.gz
sudo tar -xvzf suricata-current.tar.gz
cd $(ls -d suricata-*/ | head -n 1)
# --enable-nfqueue is what allows inline (IPS) operation through the iptables NFQUEUE target.
# --enable-rust is redundant since Suricata 6.0 (Rust is always built) but harmless.
sudo ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-nfqueue --enable-luajit --enable-rust
sudo make
sudo make install
sudo make install-conf    # installs /etc/suricata/suricata.yaml
sudo make install-rules   # runs suricata-update; needs outbound internet to fetch the ET Open ruleset
# Unit file from the source tree; ExecStart is rewritten to run Suricata in NFQUEUE mode on
# queue 0 (inline IPS), the queue the FORWARD rule in the configuration step sends packets to.
sudo cp etc/suricata.service /etc/systemd/system/suricata.service
sudo sed -i "/ExecStart=/c\ExecStart=/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0" /etc/systemd/system/suricata.service
# Set the downloaded ruleset aside and start from an empty suricata.rules; only the
# catch-all rule added in the configuration step will be loaded.
sudo mv /var/lib/suricata/rules/suricata.rules /var/lib/suricata/rulebackup.rules
sudo truncate -s 0 /var/lib/suricata/rules/suricata.rules
sudo systemctl daemon-reload
sudo ldconfig
sudo systemctl enable --now suricata
• Install iptables
sudo dnf install -y iptables iptables-services   # iptables-services provides iptables.service for persisting rules across reboots
• Suricata configuration
# The appliance must route the hairpinned GENEVE packets, so enable IP forwarding persistently.
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
# Catch-all rule: alerts on every IP packet and, in NFQUEUE mode, still accepts it, so the
# appliance logs but does not block; use "drop" instead of "alert" to block. Local rules should
# normally use sid >= 1000000; sid 999 only works here because the file is otherwise empty.
echo 'alert ip any any -> any any (msg:"traffic logged";sid:999;rev:1;)' | sudo tee -a /var/lib/suricata/rules/suricata.rules
# Suricata was started above with an empty ruleset, so restart it to load the new rule.
sudo systemctl restart suricata
# Run as root (after "sudo su" above). Reset all tables, keep ACCEPT policies, and hand every
# forwarded packet to NFQUEUE 0, where Suricata decides the verdict. No --queue-bypass is
# given, so while Suricata is not running, forwarded traffic is dropped (fail closed).
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -I FORWARD -j NFQUEUE --queue-num 0
• Adjust the ${} variables in the commands below to your environment.
• The GWLB IPs can be found on the ENI page by filtering Interface Type = gateway_load_balancer (one ENI per AZ). Suricata_Instance_IP is this appliance's own private IP, so it differs on each appliance instance.
export GWLB_A_IP=10.0.3.239
export GWLB_B_IP=10.0.3.123
export Suricata_Instance_IP=10.0.4.138
# The GWLB delivers traffic as GENEVE (UDP 6081) addressed to the appliance. DNAT rewrites the
# destination back to the GWLB ENI, so the packet is forwarded (FORWARD -> NFQUEUE -> Suricata)
# instead of delivered locally; MASQUERADE then sets the source to the appliance IP on the way out.
iptables -t nat -A PREROUTING -p udp -s ${GWLB_A_IP} -d ${Suricata_Instance_IP} -i ens5 -j DNAT --to-destination ${GWLB_A_IP}:6081
iptables -t nat -A PREROUTING -p udp -s ${GWLB_B_IP} -d ${Suricata_Instance_IP} -i ens5 -j DNAT --to-destination ${GWLB_B_IP}:6081
iptables -t nat -A POSTROUTING -p udp --dport 6081 -s ${GWLB_A_IP} -d ${GWLB_A_IP} -o ens5 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp --dport 6081 -s ${GWLB_B_IP} -d ${GWLB_B_IP} -o ens5 -j MASQUERADE
# These rules are not persisted across reboots; save them with iptables-save into /etc/sysconfig/iptables
# and enable iptables.service (installed above with iptables-services).
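The whole configuration step (ip_forward, the NFQUEUE rule, the GENEVE hairpin NAT and persistence) as one script that can be run unchanged on every appliance instance. This is an added example, not code from the original page: it renders the rules from the instance's own IP (IMDSv2) and the GWLB ENI IPs (the CLI form of the console filter above), validates them, tightens the DNAT match to UDP 6081, which the page's own PREROUTING rules do not restrict, and persists the result. It assumes ens5 as the primary interface, NFQUEUE 0 (the "-q 0" in the unit file), IMDSv2 reachable at 169.254.169.254, and an instance role allowed to call ec2:DescribeNetworkInterfaces; the file name gwlb-appliance-nat.sh is a placeholder.

```bash
#!/bin/bash
# Added example, not from the original page: one idempotent script covering the
# whole configuration step (ip_forward, NFQUEUE, GENEVE hairpin NAT, persistence)
# that runs unchanged on every appliance instance. Assumptions not stated on the
# page: primary interface ens5, Suricata on NFQUEUE 0 ("-q 0" in the unit file),
# IMDSv2 reachable at 169.254.169.254, and an instance role allowed to call
# ec2:DescribeNetworkInterfaces. The file name gwlb-appliance-nat.sh is a placeholder.
set -e

IFACE="${IFACE:-ens5}"
GENEVE_PORT=6081   # GWLB encapsulates traffic to the appliance in GENEVE on UDP 6081
NFQ_NUM=0          # must match "-q 0" in suricata.service

# Validate a dotted-quad IPv4 address (exactly four octets, each 0..255).
is_ipv4() {
    case "$1" in
        *[!0-9.]* | *..* | .* | *. ) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print the iptables arguments for each rule, one rule per line, for appliance
# IP $1 and GWLB ENI IPs $2..$n. Pure text, so it can be reviewed or tested
# without root; apply_rules feeds each line to iptables.
render_rules() {
    self_ip=$1; shift
    for gwlb_ip in "$@"; do
        # GENEVE from a GWLB ENI addressed to this host is DNATed back to that
        # ENI, so it becomes a forwarded packet (FORWARD -> NFQUEUE -> Suricata)
        # instead of a locally delivered one; --dport limits this to GENEVE.
        printf '%s\n' "-t nat -A PREROUTING -p udp --dport $GENEVE_PORT -s $gwlb_ip -d $self_ip -i $IFACE -j DNAT --to-destination $gwlb_ip:$GENEVE_PORT"
        # On the way out the source becomes the appliance IP, as the GWLB expects.
        printf '%s\n' "-t nat -A POSTROUTING -p udp --dport $GENEVE_PORT -s $gwlb_ip -d $gwlb_ip -o $IFACE -j MASQUERADE"
    done
    # Every forwarded packet goes to Suricata. No --queue-bypass on purpose:
    # with Suricata down, forwarded traffic is dropped (fail closed).
    printf '%s\n' "-A FORWARD -j NFQUEUE --queue-num $NFQ_NUM"
}

# This instance's private IP via IMDSv2 (a session token is required).
self_ip_from_imds() {
    token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    curl -sS -H "X-aws-ec2-metadata-token: $token" \
        "http://169.254.169.254/latest/meta-data/local-ipv4"
}

# GWLB ENI IPs (one per AZ): the CLI equivalent of the console filter
# "Interface Type = gateway_load_balancer".
gwlb_ips_from_api() {
    aws ec2 describe-network-interfaces \
        --filters Name=interface-type,Values=gateway_load_balancer \
        --query 'NetworkInterfaces[].PrivateIpAddress' --output text
}

# Enable forwarding, reset the tables, apply the rendered rules and persist them.
# Flushing first makes re-running the script safe.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    grep -qx 'net.ipv4.ip_forward = 1' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    iptables -t nat -F; iptables -t mangle -F; iptables -F; iptables -X
    iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT
    render_rules "$@" | while read -r line; do
        set -- $line
        iptables "$@"
    done
    iptables-save > /etc/sysconfig/iptables   # read by iptables.service (iptables-services)
    systemctl enable --now iptables
}

# Usage: sudo ./gwlb-appliance-nat.sh --apply [APPLIANCE_IP GWLB_IP ...]
# Without explicit IPs they are discovered via IMDS and the EC2 API.
# Without --apply the script only defines functions.
if [ "${1:-}" = "--apply" ]; then
    shift
    if [ "$#" -ge 2 ]; then
        self_ip=$1; shift; gwlb_ips=$*
    else
        self_ip=$(self_ip_from_imds); gwlb_ips=$(gwlb_ips_from_api)
    fi
    for ip in $self_ip $gwlb_ips; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; exit 1; }
    done
    apply_rules $self_ip $gwlb_ips
    systemctl restart suricata   # load rules appended to suricata.rules since start
fi
```

Keeping rule rendering separate from application means the exact rule set can be inspected on a workstation (`render_rules 10.0.4.138 10.0.3.239 10.0.3.123`) before it is applied as root, and the same file deployed to both appliances produces the correct per-instance DNAT rules without editing variables by hand.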
Run everything above, from the Suricata installation through the configuration, on both Appliance EC2 instances (MainVPC-Appliance-EC2-A and -B), setting Suricata_Instance_IP to each instance's own private IP.

