Security Onion是一个免费和开放的Linux发行版,用于威胁搜索、企业安全监控和日志管理。
易于使用的设置向导允许你在几分钟内为你的企业建立一支分布式传感器部队
Security Onion包括一个原生的网络界面,其内置的工具可供分析师用于响应警报、威胁狩猎、将证据编入案例、监控网格性能等
一、准备服务器环境,当前环境:
1.Centos7.9 32G 8C 300G 两块网卡
2.准备加速工具,执行安装拉取镜像不加速会失败,开启加速工具后需要将主机名、127.0.0.1、localhost,排除在外不然会导致无法写入es容器数据,导致容器启动失败。
二、开始安装,首先配置加速器
1.开启加速器,我这里使用的是v2ray,其他需要各位自己解决,进入v2ray目录,配置好config.json文件,启动加速器。
[root@220-220 ~]# cd /usr/local/src/v2ray/[root@220-220 v2ray]# ls
config.json geosite.dat v2ctl v2ray v2ray.log vpoint_socks_vmess.json
geoip.dat systemd v2ctl.sig v2ray-linux-64.zip v2ray.sig vpoint_vmess_freedom.json
[root@220-220 v2ray]# mkdir log[root@220-220 v2ray]# ./v2ray >> ./log/v2ray.log 2>&1 & #后台运行日志存放log/v2ray.log下
2.查看加速器端口,配置本地代理
[root@220-220 v2ray]# netstat -lntup|grep v2ray
tcp 00127.0.0.1:10808 0.0.0.0:* LISTEN 4426/./v2ray
tcp 00127.0.0.1:10809 0.0.0.0:* LISTEN 4426/./v2ray
[root@220-220 v2ray]# vim /etc/profile79no_proxy_192=$(echo192.168.220.{1..255}|sed's/ /,/g')#不加速的地址,必须包括本地地址,根据自己要求修改80exportno_proxy="220-220,${no_proxy_192}"#不加速生效,包括220-220主机名和以上私网地址81exporthttps_proxy=127.0.0.1:10809 #https通过本地10809加速82exporthttp_proxy=127.0.0.1:10809 #https通过本地10809加速
3.git拉取项目
[root@220-220 ~]# git clone https://github.com/Security-Onion-Solutions/securityonion[root@220-220 v2ray]# tailf log/v2ray.log #查看加速日志
V2Ray 4.28.2 (V2Fly, a community-driven edition of V2Ray.) Custom (go1.15.2 linux/amd64)
A unified platform for anti-censorship.
2023/04/10 09:42:32 Using default config: /usr/local/src/v2ray/config.json
2023/04/10 09:42:32 [Info] v2ray.com/core/common/platform/ctlcmd: <v2ctl message>
v2ctl> Read config: /usr/local/src/v2ray/config.json
2023/04/10 09:42:32 [Warning] v2ray.com/core: V2Ray 4.28.2 started
2023/04/10 09:46:41 127.0.0.1:45420 accepted //google.com:443 [proxy]2023/04/10 09:47:31 127.0.0.1:45428 accepted //github.com:443 [proxy]2023/04/10 09:47:32 127.0.0.1:45432 accepted //github.com:443 [proxy]
4.安装security onion
[root@220-220 v2ray]# cd /root/securityonion/[root@220-220 securityonion]# ./so-setup-network
选择YES
选择EVAL
填写AGREE
填写主机名
选择YES
选择Ok
选择流量镜像接口网卡,Ok
选择自动更新
写入地址
选择安装的插件
Docker 容器ip保持默认
填写管理员邮箱地址
输入两次管理员密码
使用IP地访问WEB页面
选择YES
填写需要访问的地址0.0.0.0/0为所有地址可以访问
确认填写的信息
等待安装
[root@220-220 ~]# tailf sosetup.log #查看安装日志
[root@220-220 ~]# while sleep 3; do docker images | grep ghcr.io | wc -l;done5#查看当前已经pull多少镜像[root@220-220 ~]# docker images| grep -v 220-220 | wc -l #共需要下载32个镜像32[root@220-220 ~]# docker ps |grep -v ID |wc -l #共启动30个容器30[root@220-224 ~]# so-allow #开放端口
Choose the role for the IP or Range you would like to allow
[a] - Analyst - 80/tcp, 443/tcp
[b] - Logstash Beat - 5044/tcp
[e] - Elasticsearch REST API - 9200/tcp
[f] - Strelka frontend - 57314/tcp
[o] - Osquery endpoint - 8090/tcp
[s] - Syslog device - 514/tcp/udp
[w] - Wazuh agent - 1514/tcp/udp
[p] - Wazuh API - 55000/tcp
[r] - Wazuh registration service - 1515/tcp
Please enter your selection: a #a 80/443端口
Enter a single ip address or range to allow (ex: 10.10.10.10 or 10.10.0.0/16): 192.168.28.0/24 #允许访问的地址
Adding 192.168.28.0/24 to the analyst role. This can take a few seconds...
[root@220-220 ~]# so-status #查看各组件状态
Checking Docker status
Docker ----------------------------------------------------------------------------------------------------------------- [ OK ]
Checking container statuses
so-aptcacherng --------------------------------------------------------------------------------------------------------- [ OK ]
so-curator ------------------------------------------------------------------------------------------------------------- [ OK ]
so-dockerregistry ------------------------------------------------------------------------------------------------------ [ OK ]
so-elastalert ---------------------------------------------------------------------------------------------------------- [ OK ]
so-elasticsearch ------------------------------------------------------------------------------------------------------- [ OK ]
so-filebeat ------------------------------------------------------------------------------------------------------------ [ OK ]
so-fleet --------------------------------------------------------------------------------------------------------------- [ OK ]
so-grafana ------------------------------------------------------------------------------------------------------------- [ OK ]
so-idstools ------------------------------------------------------------------------------------------------------------ [ OK ]
so-influxdb ------------------------------------------------------------------------------------------------------------ [ OK ]
so-kibana -------------------------------------------------------------------------------------------------------------- [ OK ]
so-kratos -------------------------------------------------------------------------------------------------------------- [ OK ]
so-mysql --------------------------------------------------------------------------------------------------------------- [ OK ]
so-nginx --------------------------------------------------------------------------------------------------------------- [ OK ]
so-playbook ------------------------------------------------------------------------------------------------------------ [ OK ]
so-redis --------------------------------------------------------------------------------------------------------------- [ OK ]
so-sensoroni ----------------------------------------------------------------------------------------------------------- [ OK ]
so-soc ----------------------------------------------------------------------------------------------------------------- [ OK ]
so-soctopus ------------------------------------------------------------------------------------------------------------ [ OK ]
so-steno --------------------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-backend ----------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-coordinator ------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-filestream -------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-frontend ---------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-gatekeeper -------------------------------------------------------------------------------------------------- [ OK ]
so-strelka-manager ----------------------------------------------------------------------------------------------------- [ OK ]
so-suricata ------------------------------------------------------------------------------------------------------------ [ OK ]
so-telegraf ------------------------------------------------------------------------------------------------------------ [ OK ]
so-wazuh --------------------------------------------------------------------------------------------------------------- [ OK ]
so-zeek ---------------------------------------------------------------------------------------------------------------- [ OK ]
5、页面展示
登录页面
本文转载自: https://blog.csdn.net/DevonL/article/details/130017437
版权归原作者 DevonL77 所有, 如有侵权,请联系我们删除。
版权归原作者 DevonL77 所有, 如有侵权,请联系我们删除。