配置反向外壳检测
在 SRX 系列防火墙上配置反向外壳检测
反向外壳允许攻击者绕过防火墙和其他安全机制,打开目标系统的端口。它利用目标系统中的漏洞启动 shell 会话并远程访问系统。反向外壳检测可帮助您检测外壳攻击并防止潜在的数据盗窃。有关更多信息,请参阅 《瞻博网络高级威胁防御云用户指南》。
要在 SRX 系列防火墙上启用反向外壳检测,请包括以下 CLI 配置:
-
配置 SecIntel 配置文件和策略。
[edit] user@host# set services security-intelligence profile RevShellProfile category Reverse-Shell user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 7 user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 8 user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 9 user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 match threat-level 10 user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 then action permit user@host# set services security-intelligence profile RevShellProfile rule RevShellRule1 then log user@host# set services security-intelligence policy secintel_policy Reverse-Shell RevShellProfile
-
将 SecIntel 策略分配给安全防火墙策略。
[edit] user@host# set security policies from-zone trust to-zone untrust policy atp_policy then permit application-services security-intelligence-policy secintel_policy user@host# set security policies from-zone untrust to-zone trust policy atp_policy then permit application-services security-intelligence-policy secintel_policy
使用该 show services security-intelligence statistics 命令查看安全智能统计信息。
显示服务 安全智能统计信息
user@host> show services security-intelligence statistics
Logical system: root-logical-system
Category Whitelist:
Profile Whitelist:
Total processed sessions: 1816
Permit sessions: 0
Reverse shell permit sessions: 0
Category Blacklist:
Profile Blacklist:
Total processed sessions: 1816
Block drop sessions: 0
Category CC:
Profile feed-cc-log-only:
Total processed sessions: 0
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
Profile secintel_profile:
Total processed sessions: 116
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
Category Infected-Hosts:
Profile ih_profile:
Total processed sessions: 116
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
Category Reverse-Shell:
Profile RevShellProfile:
Total processed sessions: 116
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
使用该 show services security-intelligence category summary 命令查看安全智能类别的摘要。
显示服务安全智能类别摘要
user@host> show services security-intelligence category summary
Category name :Whitelist
Status :Enable
Description :Whitelist data
Update interval :300s
TTL :3456000s
Feed name :whitelist_domain
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230714.1
Objects number:0
Create time :2023-07-14 10:05:33 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :N/A
Expired :Yes
Status :Active
Options :N/A
Feed name :whitelist_ip
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230714.1
Objects number:0
Create time :2023-07-14 10:05:31 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :N/A
Expired :Yes
Status :Active
Options :N/A
Feed name :whitelist_reverse_shell_domain
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230629.2
Objects number:1
Create time :2023-08-22 21:05:02 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :Store succeeded
Expired :No
Status :Active
Options :N/A
Feed name :whitelist_reverse_shell_ip
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20230823.2
Objects number:1
Create time :2023-08-22 21:04:48 PDT
Update time :2023-09-06 13:21:14 PDT
Update status :Store succeeded
Expired :No
Status :Active
Options :N/A