Edit the configuration: vi /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

### Server-side additions begin ###
# The RemoteLogs template stores each client's messages under /var/log/remote/<client ip>/
# in one file per day, named <client ip>_<year>-<month>-<day>.log
$umask 0000
$template RemoteLogs,"/var/log/remote/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
$FileCreateMode 0644
# Record all facilities and all severities through the RemoteLogs template,
# except messages from this server itself
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
# Stop processing these messages once the file has been written; without "& ~"
# they would also be written to the local log files below and recorded twice
& ~
### Server-side additions end ###
# Validate the syntax with "rsyslogd -N1" before restarting the service
Open port 514 on the firewall, then restart the service:
systemctl restart rsyslog
Fix the directory permissions (chmod 755); rsyslog creates the per-client directories with restrictive defaults:
chmod 755 /var/log/remote/ && chmod 755 /var/log/remote/{ip}
The Sangfor firewall on my side is version AF8.0.**.
1. Configure the protection logs to be sent via syslog to the Zabbix server.
2. Create a new user that is only allowed API access.
Read the syslog file to obtain the IPs to blacklist, then submit a temporary block for them through the firewall's API.
#!/usr/bin/python3
# chenzhenhua
# -*- coding: utf8 -*-
from datetime import datetime, timedelta
import json
import requests

# source IPs that must never be submitted to the firewall for blocking
whiteiplist = []


def getblockiplist(logname):
    iplist = []
    with open(logname, 'r', encoding='utf-8') as f:
        for line in f:
            # WEB application protection entries with severity high or critical
            if "日志类型:WEB应用防护" in line and ("严重级别:高" in line or "严重级别:致命" in line):
                linelist = line.split()
                # the file only carries HH:MM:SS (field 2), so today's date is prepended
                current_date = datetime.now().strftime('%Y-%m-%d')
                current_time = current_date + " " + linelist[2]
                timestamp1 = datetime.strptime(current_time, '%Y-%m-%d %H:%M:%S')
                time_diff = datetime.now() - timestamp1
                # keep entries from the last 30 minutes and collect the source IP (field 8)
                if time_diff < timedelta(minutes=30):
                    waf_blockip = linelist[8].split(":")[-1].strip(",")
                    iplist.append(waf_blockip)
            # IPS (vulnerability protection) entries with severity high or critical
            elif "日志类型:IPS防护日志" in line and ("严重等级:高" in line or "严重等级:致命" in line):
                linelist = line.split()
                current_date = datetime.now().strftime('%Y-%m-%d')
                current_time = current_date + " " + linelist[2]
                timestamp1 = datetime.strptime(current_time, '%Y-%m-%d %H:%M:%S')
                time_diff = datetime.now() - timestamp1
                # same 30-minute window; in IPS entries the source IP is field 9
                if time_diff < timedelta(minutes=30):
                    waf_blockip = linelist[9].split(":")[-1].strip(",")
                    iplist.append(waf_blockip)
    # de-duplicate, keeping only IPs seen attacking two or more times
    blocklist = list(set([x for x in iplist if iplist.count(x) > 1]))
    return blocklist


def gettoken():
    tkheaders = {"content-type": "application/json"}
    url = "https://{ip}/api/v1/namespaces/@namespace/login"
    # credentials of the API-only account created in step 2
    data = {"name": "username", "password": "password"}
    # verify=False: the firewall serves a self-signed certificate; the resulting
    # warning is silenced by "-W ignore" in the Zabbix UserParameter
    r_tk = requests.post(url, data=json.dumps(data), headers=tkheaders, verify=False)
    sxf_token = r_tk.json()["data"]["loginResult"]["token"]
    return sxf_token


def blockip(sxftoken, blocklist):
    localtoken = sxftoken
    localblocklist = blocklist
    blockiplist = []
    returncode = ""
    url = "https://{ip}/api/batch/v1/namespaces/public/blockip"
    # drop whitelisted IPs before submitting
    if len(localblocklist) == 0:
        returncode = "ok"
    else:
        for i in localblocklist:
            if i in whiteiplist:
                continue
            blockiplist.append(i)
        if len(blockiplist) == 0:
            returncode = "ok"
        else:
            headers = {"content-type": "application/json", "token": localtoken}
            # temporary block (1 day) of the listed source IPs towards any destination
            data = {"dstIP": ["0.0.0.0"], "ipType": "SRC", "blockTime": "1d", "srcIP": blockiplist}
            r = requests.post(url, data=json.dumps(data), headers=headers, verify=False)
            if r.ok:
                # the word "deny" is what the Zabbix trigger matches on
                returncode = str(blockiplist) + " is deny in shenxinfu fanghuoqiang by waflog"
            else:
                returncode = "block request failed, HTTP " + str(r.status_code)
    return returncode


# obtain an API token
sxftoken = gettoken()
# build the list of high-risk attacker IPs from today's file written by the rsyslog template above
lgname = '/var/log/remote/{ip}/{ip}_' + datetime.now().strftime('%Y-%m-%d') + ".log"
blocklist = getblockiplist(lgname)
# block the high-risk IPs and print the result for Zabbix
denylog = blockip(sxftoken, blocklist)
print(denylog)
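The script above locates the source IP by token position (field 8 in WAF entries, field 9 in IPS entries) and stamps every entry with today's date, so an extra field in a vendor message shifts the IP out from under the index, and entries written shortly before midnight are measured against the wrong day. The following is an added example, not the author's script, that selects IPs by key name and handles the day rollover. The log lines are constructed to match the layout the script assumes (RSYSLOG_TraditionalFileFormat prefix followed by space-separated 键:值 fields); the field names 源IP, 目的IP and 漏洞名称, the reference times and all helper names are assumptions. The request body it builds has the shape the script posts, but nothing is sent.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample input (not captured from a real firewall). The layout is the
# one the script assumes: month, day, HH:MM:SS, sending host, then 键:值 fields.
SAMPLE_LOG_LINES = [
    "Jun  5 10:01:10 10.0.0.1 日志类型:WEB应用防护 严重级别:高 源IP:203.0.113.7, 目的IP:10.0.0.20, 攻击类型:示例规则A",
    "Jun  5 10:02:30 10.0.0.1 日志类型:WEB应用防护 严重级别:致命 源IP:203.0.113.7, 目的IP:10.0.0.20, 攻击类型:示例规则B",
    "Jun  5 10:03:00 10.0.0.1 日志类型:WEB应用防护 严重级别:低 源IP:198.51.100.9, 目的IP:10.0.0.20, 攻击类型:示例规则C",
    "Jun  5 10:04:45 10.0.0.1 日志类型:IPS防护日志 严重等级:高 协议:TCP 源IP:198.51.100.9, 目的IP:10.0.0.21, 漏洞名称:示例规则D",
    "Jun  5 10:05:00 10.0.0.1 日志类型:IPS防护日志 严重等级:致命 协议:TCP 源IP:192.0.2.44, 目的IP:10.0.0.21, 漏洞名称:示例规则D",
    "Jun  5 09:10:00 10.0.0.1 日志类型:IPS防护日志 严重等级:致命 协议:TCP 源IP:192.0.2.44, 目的IP:10.0.0.21, 漏洞名称:示例规则D",
    "Jun  5 10:06:00 10.0.0.1 日志类型:IPS防护日志 严重等级:高 协议:TCP 源IP:203.0.113.7, 目的IP:10.0.0.21, 漏洞名称:示例规则E",
]
REFERENCE_NOW = datetime(2024, 6, 5, 10, 20, 0)  # constructed "now" matching the sample lines

# Constructed pair for the midnight case: entries written just before 00:00,
# read a few minutes into the next day.
MIDNIGHT_LINES = [
    "Jun  5 23:59:30 10.0.0.1 日志类型:IPS防护日志 严重等级:致命 源IP:192.0.2.44, 目的IP:10.0.0.21, 漏洞名称:示例规则D",
    "Jun  5 23:59:50 10.0.0.1 日志类型:IPS防护日志 严重等级:高 源IP:192.0.2.44, 目的IP:10.0.0.21, 漏洞名称:示例规则D",
]
MIDNIGHT_NOW = datetime(2024, 6, 6, 0, 5, 0)

SEVERITY_KEYS = ("严重级别", "严重等级")  # WAF entries use the first key, IPS entries the second
HIGH_SEVERITIES = ("高", "致命")
LOG_TYPES = ("WEB应用防护", "IPS防护日志")


def parse_fields(line: str) -> Optional[Dict[str, str]]:
    """Split one line into the syslog time ("_time") and a 键 -> 值 dict.

    Values are found by key, so a message with more or fewer tokens does not
    move the source IP. Trailing commas are stripped as the script does.
    Returns None for lines without the expected prefix.
    """
    tokens = line.split()
    if len(tokens) < 4:
        return None
    fields = {"_time": tokens[2]}
    for tok in tokens[4:]:
        if ":" not in tok:
            continue
        key, value = tok.split(":", 1)  # split once so the value keeps any later colons
        fields[key] = value.rstrip(",")
    return fields


def event_time(fields: Dict[str, str], now: datetime) -> datetime:
    """Attach now's date to the HH:MM:SS of the entry, as the script does, but
    treat a time later than 'now' as yesterday so entries written just before
    midnight are not measured against the wrong day."""
    t = datetime.strptime(fields["_time"], "%H:%M:%S").time()
    stamp = datetime.combine(now.date(), t)
    if stamp > now:
        stamp -= timedelta(days=1)
    return stamp


def is_high_severity_attack(fields: Dict[str, str]) -> bool:
    if fields.get("日志类型") not in LOG_TYPES:
        return False
    return any(fields.get(k) in HIGH_SEVERITIES for k in SEVERITY_KEYS)


def select_block_candidates(lines: Iterable[str], now: datetime,
                            window: timedelta = timedelta(minutes=30),
                            threshold: int = 2,
                            whitelist: Iterable[str] = frozenset()) -> List[str]:
    """Source IPs with at least 'threshold' high/critical events inside 'window',
    excluding whitelisted addresses, sorted for stable output."""
    allow = set(whitelist)
    hits: Counter = Counter()
    for line in lines:
        fields = parse_fields(line)
        if not fields or not is_high_severity_attack(fields):
            continue
        src = fields.get("源IP")
        if not src or now - event_time(fields, now) >= window:
            continue
        hits[src] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold and ip not in allow)


def build_block_request(ips: Iterable[str]) -> Dict[str, object]:
    """Body for the blockip call in the shape the script posts
    (dstIP/ipType/blockTime/srcIP); kept separate so selection can be
    tested without contacting a firewall."""
    return {"dstIP": ["0.0.0.0"], "ipType": "SRC", "blockTime": "1d", "srcIP": list(ips)}


if __name__ == "__main__":
    candidates = select_block_candidates(SAMPLE_LOG_LINES, REFERENCE_NOW)
    print(candidates)
    print(build_block_request(candidates))
```

Because `select_block_candidates` takes any iterable of lines, the open file from the rsyslog template path can be passed in directly; the reference time is a parameter so the selection can be replayed against an archived log.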
1. Edit the agent configuration on the server:
vi /etc/zabbix/zabbix_agentd.conf and add
UnsafeUserParameters=1
UserParameter=waf,/usr/bin/python3 -W ignore /scripts/waf.py
2. Add an item to the host in Zabbix
Add the item (pay attention to the type of information: Log).
3. Add a trigger
On Zabbix 3.0 the trigger needs special configuration (it evaluates whether the value deny is matched in the log; otherwise it reports an error).