2/28/2010

Snort sniff honk !

Snort is an open source intrusion detection system (IDS). It's highly configurable and can be run in a number of modes and architectures, and there is a small number of freely available rule sets to use. For more information refer to the Snort home page http://www.snort.org/. Here are some instructions on getting it set up on CentOS; these were adapted from the Snort documentation by Patrick Harper at http://assets.sourcefire.com/snort/setupguides/Snort_Base_Minimal.pdf:

  1. yum install mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++ php php-pear libpcap-devel
  2. vi /etc/httpd/conf/httpd.conf #Edit the httpd.conf file to suit
  3. /etc/rc.d/init.d/httpd start
  4. /etc/rc.d/init.d/mysqld restart
  5. /usr/bin/mysql_secure_installation
  6. cd /root
  7. mkdir snortinstall
  8. cd snortinstall
  9. wget http://dl.snort.org/snort-current/snort-2.8.5.3.tar.gz
  10. tar zxvf snort-2.8.5.3.tar.gz
  11. cd snort-2.8.5.3
  12. ./configure --with-mysql --enable-dynamicplugin # Fingers crossed it all goes well
  13. make
  14. make install
  15. /usr/sbin/groupadd snort
  16. /usr/sbin/useradd -g snort snort -s /sbin/nologin
  17. mkdir -p /etc/snort/rules
  18. mkdir -p /var/log/snort
  19. cd /root/snortinstall/snort-2.8.5.3/etc
  20. cp ./* /etc/snort/
  21. cd /root/snortinstall
  22. wget http://www.emergingthreats.net/rules/emerging.rules.tar.gz
  23. tar zxvf emerging.rules.tar.gz
  24. cd rules
  25. cp ./* /etc/snort/rules/
  26. vi /etc/snort/snort.conf # Edit the snort.conf file to suit
  27. /etc/rc.d/init.d/mysqld start
  28. mysql -u root -p mysql # Create the snort database and snort database user and set permissions
  29. cd /root/snortinstall/snort-2.8.5.3/schemas
  30. mysql -u snort -p snort < create_mysql
  31. pear install -a Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
  32. cd /root/snortinstall/
  33. wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-510-for-php5/adodb510.tgz?use_mirror=transact
  34. wget http://downloads.sourceforge.net/project/secureideas/BASE/base-1.4.4/base-1.4.4.tar.gz?use_mirror=transact
  35. cd /var/www
  36. tar zxvf /root/snortinstall/adodb510.tgz
  37. mv adodb5/ adodb
  38. cd /var/www/html/
  39. tar zxvf /root/snortinstall/base-1.4.4.tar.gz
  40. mv base-1.4.4/ base
  41. cd base
  42. cp base_conf.php.dist base_conf.php
  43. vi base_conf.php # Edit the file to suit
  44. # Load http://SERVERNAME/base in a browser and click on the setup link
  45. # Click on Create BASE AG button
  46. # Click on the Main Page link
SQL (for step 28, entered in the mysql client)
  1. create database snort;
  2. create user 'snort'@'localhost' identified by ''; -- put a real password between the quotes
  3. grant create, insert, select, delete, update on snort.* to snort@localhost;
  4. grant create, insert, select, delete, update on snort.* to snort; -- same rights from any host; only needed if Snort or BASE run on another machine
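The SQL above, as the guide gives it, creates the snort account with an empty password and then grants the same rights to snort from any host. As an added example (not part of this post or of the Snort guide it adapts), the shell helpers below emit the equivalent statements with a generated password and a localhost-only grant, and check the output database: line of a snort.conf so that Snort is not started logging with an empty password or to a database reached over the network. They assume the database and BASE live on the Snort host; the snort.conf lines embedded in the block are constructed samples, not lines from a real install.

```shell
#!/bin/sh
# Added example, not code from the original post or the Snort guide.
# Assumes the database and BASE run on the same host as Snort (so only
# 'snort'@'localhost' needs an account) and that /dev/urandom is available.

# Print a 24-character alphanumeric password drawn from /dev/urandom.
# Alphanumeric only, so it can be pasted into the SQL string without quoting.
snort_gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Print the SQL for the snort database, binding the user to the password in $1.
# Same privileges as the guide (create for the schema load, insert/select/
# update/delete for Snort and BASE), but only from localhost: no any-host grant.
# Feed it to the root client:  snort_db_sql "$pw" | mysql -u root -p
snort_db_sql() {
    cat <<EOF
create database snort;
create user 'snort'@'localhost' identified by '$1';
grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
flush privileges;
EOF
}

# Check the active 'output database:' line of a snort.conf (file in $1, or
# stdin when no argument). Returns 0 when the line sets a non-empty password
# and host=localhost; returns 1 (with the reason on stderr) otherwise.
# Commented-out lines ("# output database: ...") are ignored.
snort_conf_db_check() {
    awk '
        /^output database:/ {
            seen = 1
            pw = ""; host = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^password=/) pw = substr($i, 10)
                if ($i ~ /^host=/)     host = substr($i, 6)
            }
            if (pw == "")            { print "output database: no password set" > "/dev/stderr"; bad = 1 }
            if (host != "localhost") { print "output database: host is not localhost (" host ")" > "/dev/stderr"; bad = 1 }
        }
        END {
            if (!seen) { print "no active output database: line" > "/dev/stderr"; bad = 1 }
            exit bad ? 1 : 0
        }' ${1:+"$1"}
}

# Constructed snort.conf lines (not from a real install) to try the check on.
SNORT_OUTPUT_WEAK='output database: log, mysql, user=snort password= dbname=snort host=localhost'
SNORT_OUTPUT_REMOTE='output database: log, mysql, user=snort password=s3cret dbname=snort host=10.0.0.5'
SNORT_OUTPUT_OK='output database: log, mysql, user=snort password=s3cret dbname=snort host=localhost'

# Typical use before step 27/28 and again after editing snort.conf in step 26:
#   pw=$(snort_gen_password); snort_db_sql "$pw" | mysql -u root -p
#   snort_conf_db_check /etc/snort/snort.conf || echo "fix snort.conf before starting snort"
```

The check reads the same output database: line that Snort's MySQL output plugin parses, so a configuration that passes it is one where the log stream carries a real credential and never leaves the box.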

2/21/2010

Timing is everything...

Having the correct clock timestamp is very important for logging, maintenance, troubleshooting and even forensic analysis. Timing provides a very important frame of reference for network devices such as hosts, routers and switches. It would be almost impossible to construct a reliable model of an environment without a standard and accurate frame of reference, thus timing is everything...

The Hardening Cisco Routers book provides a good reference on why Network Time Protocol (NTP) is important, and can be found at http://oreilly.com/catalog/hardcisco/chapter/ch10.html. NTP is a very popular way to synchronise system clocks with a central trusted server. Here's a rough guide to getting NTP running on a Linux server:

  1. sudo yum install ntp # Install the NTP client
  2. sudo vi /etc/ntp.conf # Edit the configuration file to use the nearest server pool. Refer to www.ntp.org to get the pools.
  3. sudo mv /etc/localtime /etc/localtime~ # Back up the localtime file
  4. sudo ln -s /usr/share/zoneinfo/<Region>/<City> /etc/localtime # Ensure that the correct localtime file is set for your city; replace <Region>/<City> with a zone name found under /usr/share/zoneinfo
  5. sudo ntpdate <pool server> # Set the date using NTP; replace <pool server> with one of the servers from the pool specified in ntp.conf*
  6. sudo /etc/rc.d/init.d/ntpd start # Start the NTP daemon (the CentOS init script is named ntpd)
  7. ntpstat # Check that the system clock is synchronised
  8. date # Check that the system date is set correctly
  9. sudo hwclock -w # Set the hardware clock from the system clock
*Note: Ensure that the host allows UDP traffic on port 123 for the NTP protocol to work.
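Two helpers for the steps above, added here as an example (they are not part of the original post): one writes an ntp.conf whose restrict lines let the host use the public pool.ntp.org servers (an assumed choice of pool; substitute the one nearest you from step 2) while answering no modification, trap, peering or status queries from the network, and the other reads ntpq -pn output and fails unless a peer has actually been selected (the line marked with *) with a clock offset under a threshold, which is a stricter version of the ntpstat check in step 7. The ntpq output embedded in the block is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the ntp package
# from step 1 (ntpq on PATH) and the public pool.ntp.org zone as time source.

# Write a hardened NTP client configuration to the path given as $1
# (normally /etc/ntp.conf). The restrict lines stop remote hosts from
# modifying, querying or peering with this daemon; only localhost may query.
ntp_write_conf() {
    cat > "$1" <<'EOF'
# Default policy for any remote address: kiss-of-death on abuse, no config
# changes, no traps, no peering, no status queries.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# The local host keeps full access so ntpstat/ntpq work on the box itself.
restrict 127.0.0.1
restrict -6 ::1
# Time sources (assumed: public pool); iburst speeds up first synchronisation.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
driftfile /var/lib/ntp/drift
EOF
}

# Read `ntpq -pn` output on stdin and return 0 only if a peer is selected
# (its line begins with '*') and that peer's offset (column 9, in ms) is
# within the limit given as $1 (default 500 ms); otherwise return 1.
ntp_check_sync() {
    awk -v max="${1:-500}" '
        /^\*/ {
            selected = 1
            off = $9; if (off < 0) off = -off
            if (off <= max) within = 1
        }
        END { exit (selected && within) ? 0 : 1 }'
}

# Constructed sample of `ntpq -pn` output (not captured from a real host):
# a synchronised host with a selected peer (*) and a candidate (+).
NTPQ_SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.10    .GPS.            1 u   35   64  377    1.234   -0.456   0.089
+203.0.113.11    .PPS.            1 u   20   64  377    2.345    0.789   0.123'

# Constructed sample from a host that has not reached anybody yet (no '*' line),
# which is what a blocked UDP/123 looks like from the client side.
NTPQ_SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 203.0.113.10    .GPS.            1 u    -   64    0    0.000    0.000   0.000'

# Usage on a live host, a few minutes after step 6:
#   ntpq -pn | ntp_check_sync 500 && echo "clock OK" || echo "clock NOT synced"
```

Keeping the restrict default line as the first policy matters more than the server lines: without noquery the daemon answers status queries from anyone who can reach UDP/123, and without nomodify it accepts runtime configuration changes, which is what the Hardening Cisco Routers chapter warns about on the router side.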

2/20/2010

Linux Jump Box VPN

With the Linux Desktop out of the way, and my impending studies in Network Security coming up, I thought I'd preempt the studies with some initial ground work on my old Linux server. Previously we had an old server at home that was used mostly as a web proxy (Squid) and Windows (Samba) server to share files and the home printer.

Well, it was time for a change and I decided to rebuild it into a bastion jump box, with a restructure of the home network as well. I started off by installing a second Network Interface Card (NIC) in it. Then I installed a bare CentOS on it. I did a yum update on it to ensure the latest patches and stable packages were installed. Next I went through the services and disabled all the unnecessary stuff.

The idea is to separate the internal network from the demilitarized zone (DMZ). The purpose of the jump box is to sit on the DMZ between the access and choke routers. The jump box will provide Virtual Private Network (VPN) access into the network, as well as providing proxy services such as web proxy, syslog, SSH and other services.

In the network, both the access and choke routers perform Network Address Translation (NAT), Quality of Service (QoS), as well as stateful packet inspection (SPI) firewall functions. In addition to SPI, the choke router also performs some port forwards to the jump box and the SIP phone. All other traffic is dropped.

So to get home from university, I need to VPN in, then use SCP to transfer my files (assignments, reports, etc.) and get out again.

To install OpenVPN, perform the following tasks:
  1. sudo wget http://centos.karan.org/kbsingh-CentOS-Extras.repo # run this from /etc/yum.repos.d so yum picks up the repo file
  2. sudo yum --enablerepo=kbs-CentOS-Testing install openvpn
  3. sudo find / -name "easy-rsa" # returns something like "/usr/share/openvpn/easy-rsa/"
  4. sudo cp -R /usr/share/openvpn/easy-rsa /etc/openvpn/
  5. cd /etc/openvpn/easy-rsa/2.0/ # cd is a shell builtin, so "sudo cd" would do nothing
  6. sudo mkdir keys
  7. sudo vi ./vars
  8. Change the following variables
    1. export KEY_SIZE=2048
    2. export KEY_COUNTRY=""
    3. export KEY_PROVINCE=""
    4. export KEY_CITY=""
    5. export KEY_ORG=""
    6. export KEY_EMAIL=""
  9. sudo bash
  10. source ./vars
  11. ./clean-all
  12. ./build-ca
  13. ./build-key-server server # server is the unique name to identify the server
  14. ./build-key client # client is the unique name to identify the client (repeat for each client)
  15. ./build-dh
  16. find / -name "server.conf" # returns something like "/usr/share/doc/openvpn-2.1/sample-config-files/server.conf"
  17. cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn
  18. Edit the file to suit
  19. Copy the Diffie-Hellman pem file (dh2048.pem), the server key file (server.key), and the CA certificate file (ca.crt) to the working directory and start the OpenVPN server (/etc/rc.d/init.d/openvpn start).
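As an added example (not from the post or from the OpenVPN project), here is a server.conf that matches the files easy-rsa produced in steps 12 to 15, together with a pre-start check that every file it references is present and that the private key is not readable by group or other. It assumes the defaults of the sample file from step 17 (tun, UDP 1194, a 10.8.0.0/24 tunnel network), KEY_SIZE=2048 from step 8 (so build-dh wrote dh2048.pem), and that the files end up under /etc/openvpn; both functions take the directory as an argument so they can be pointed anywhere. Note that the daemon also needs the server certificate (server.crt), which step 19 does not list.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenVPN itself.
# Assumed: tun/UDP 1194 and the 10.8.0.0/24 tunnel network (sample defaults),
# KEY_SIZE=2048 (so build-dh wrote dh2048.pem), files kept under /etc/openvpn.

# Write a server configuration to $1 whose ca/cert/key/dh paths point into
# the directory given as $2, e.g.
#   ovpn_write_server_conf /etc/openvpn/server.conf /etc/openvpn
# server.crt is required too, although step 19 lists only key, DH and CA.
ovpn_write_server_conf() {
    keydir="$2"
    cat > "$1" <<EOF
port 1194
proto udp
dev tun
# Files built by ./build-ca, ./build-key-server server and ./build-dh.
ca $keydir/ca.crt
cert $keydir/server.crt
key $keydir/server.key
dh $keydir/dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
# Drop root once the tunnel is up; keep key and tun across SIGUSR1 restarts.
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF
}

# Check the files named by the ca, cert, key and dh directives of the config
# in $1 before starting the service. Relative paths are resolved against $2
# (default: the config's own directory). Returns 0 only if all four exist and
# the private key has no group/other permission bits.
ovpn_check_files() {
    conf="$1"
    base="${2:-$(dirname "$conf")}"
    rc=0
    for directive in ca cert key dh; do
        f=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$f" ]; then
            echo "missing directive: $directive" >&2
            rc=1
            continue
        fi
        case "$f" in
            /*) path="$f" ;;
            *)  path="$base/$f" ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$directive file not found: $path" >&2
            rc=1
            continue
        fi
        if [ "$directive" = key ]; then
            # Columns 5-10 of ls -l output are the group and other permission bits.
            gobits=$(ls -ld "$path" | cut -c5-10)
            if [ "$gobits" != "------" ]; then
                echo "private key $path is readable by group/other; chmod 600 it" >&2
                rc=1
            fi
        fi
    done
    return "$rc"
}

# Typical use, as root, in place of step 19's manual copy check:
#   ovpn_write_server_conf /etc/openvpn/server.conf /etc/openvpn
#   ovpn_check_files /etc/openvpn/server.conf && /etc/rc.d/init.d/openvpn start
```

Running the check before the init script avoids the usual failure where the service starts, immediately exits because a file named in the config is missing, and the only trace is a line in /var/log/messages; it also catches a server.key copied with the default 0644 mode, which on a box sitting in the DMZ is worth refusing to start on.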