4/04/2013

CentOS 6.4 VirtualBox VM won't boot up after doing an update/upgrade!!!

Often times, I employ a CentOS VirtualBox virtual machine (VM) as a development, testing and staging environment, I love the flexibility of virtual environments for testing and development work before moving my work to production environments.

Recently I ran a yum update and yum upgrade on a CentOS 6.4 VM and subsequently rebooted it, only to be greeted by a blank screen following bootup. A quick search of virtual TTY terminals yielded a login prompt.

Search of the usual logs (/var/log/messages and /var/log/dmesg) did not yield anything useful, however, the /var/log/Xorg.0.log displayed some interesting messages. Of particular interest were;

"... (EE) Failed to load module "vboxvideo" (module requirement mismatch, 0)"
... (EE) No drivers available."
Fatal server error:"
... no screens found"

A bit of Google revealed "http://www.centos.org/modules/newbb/print.php?form=1&topic_id=41799&forum=55&order=ASC&start=0" So I followed suit and backed up the /etc/X11/xorg.conf file and rebooted :) All is well...

3/28/2013

Snort 2.9 on CentOS 6.3 (continued) with Barnyard2

This is a continuation of the post on installing Snort 2.9 on CentOS 6.4 (http://nkush.blogspot.com.au/2013/03/snort-29-on-centos-63.html). This post installs Barnyard2 on the host.

Barnyard is an output system for Snort. If effectively allows better snort performance by enabling Snort to produce binary output which is then processed by Barnyard.

Barnyard processes the binary Snort output files (unified2 binary) and stores the processed data into a database back-end, for example MySQL. The advantage of using Barnyard instead of the database output from Snort is that Barnyard is able to "cache" the data in case the database is unavailable.

Barnyard is able to be executed in three modes, this example employs the continual mode with bookmarking. A bookmark (waldo) file is employed to keep track of the progress of Barnyard processing. In case of Barnyard failure, it can resume where it left off based on the bookmark file.

Installation:

  1. Install and configure MySQL
    1. yum -y install mysql mysql-server mysql-devel mysql-bench
    2. service mysqld start
    3. /usr/bin/mysql_secure_installation
  2. Download and install Barnyard2 from http://securixlive.com/barnyard2/download.php
    1. wget http://securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
    2. tar zxvf barnyard2-1.9.tar.gz
    3. cd barnyard2-1.9
    4. ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
    5. make
    6. make install
  3. Configure Barnyard to process Snort output
    1. Change Snort config to output to the unified file format
      1. output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
    2. Change the Barnyard config (/usr/local/etc/barnyard2.conf)
      1. config logdir: /var/log/barnyard2
      2. config hostname:    localhost
      3. config interface:    ethX
      4. config daemon
      5. config set_gid:nnnn
      6. config set_uid:nnnn
      7. config show_year
      8. config umask: 066
      9. config waldo_file: /var/log/snort/barnyard2.waldo
      10. input unified2
      11. output database: log, mysql, user=snort password=password dbname=barnyard2 host=localhost
  4. Create the MySQL database for Barnyard
    1. mysqladmin -u root -p create barnyard2
    2. mysql -u root -p -D barnyard2 < ./schemas/create_mysql
  5. Grant privileges to database
    1. mysql -u root -p
    2. GRANT ALL PRIVILEGES ON barnyard2.* TO snort@localhost WITH GRANT OPTION;
    3. SET PASSWORD FOR snort@localhost=PASSWORD('password');
  6. Prepare Barnyard2
    1. touch /var/log/snort/barnyard2.waldo
    2. chown -R snort:snort /var/log/snort
  7. Run Barnyard then Snort
    1. barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort/ -w /var/log/snort/barnyard2.waldo -f merged.log -u snort -g snort -D
    2. snort -c /etc/snort/snort.conf -i eth4 -u snort -g snort -D

If all goes well then you should see events being logged into your event table in the barnyard2 database.

Errors:
  1. ERROR: unable to find mysqlclient library (libmysqlclient.*)
    1. ./configure --with-mysql-libraries=/usr/lib64/mysql/
  2. ERROR: Unable to open directory '' (No such
     file or directory)
    ERROR: Unable to find the next spool file!
    1.  Ensure that the waldo file is specified (by the -w option included as a command line argument or in the config file)
  3. WARNING: Can't extract timestamp extension from 'alert'using base ''
    1. Ensure that the unified2 file is specified (by the -f option included as a command line argument or in the config file)
  4. FATAL ERROR: Absdir is not a subset of the logdir
    1.  Ensure that the logdir is configured in the Barnyard configuration file
  5. FATAL ERROR: database: mysql_error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
    1. Ensure that the MySQL service/daemon is running

3/16/2013

Snort 2.9 on CentOS 6.3

Snort is a signature based network intrusion detection system (NIDS) which has become a defacto standard for NIDS. In addition to being used as a NIDS, Snort may also be used as a simple network traffic packet sniffer or logger.

A number of Snort dynamic preprocessors are available which enables the development of rules to attack detection.

Snort is an open source product and available for most popular network operating systems. Snort rules are also available commercially from Sourcefire.

The following instruction detail the installation of Snort 2.9.4 on a CentOS 6.3 64bit host. The installation instructions include the installation of Snort rules available to registered Snort users, as well as third party rules available from EmergingThreats.

Installation:
  1. Install dependencies
    1. yum -y update 
    2. yum -y install gcc flex bison wget make
    3. yum -y install zlib zlib-devel
    4. yum -y install libpcap libpcap-devel
    5. yum -y install pcre pcre-devel
    6. rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm #(or rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm for 32 bit machines) 
    7. yum -y update
    8. yum -y install libdnet libdnet-devel
  2. Download and install DAQ
    1. cd /root/
    2. wget http://www.snort.org/downloads/2216 -O daq-2.0.0.tar.gz
    3. tar zxvf daq-2.0.0.tar.gz
    4. cd daq-2.0.0
    5. ./configure
    6. make
    7. make install
  3. Download and install Snort
    1. wget http://www.snort.org/downloads/2225 -O snort-2.9.4.1.tar.gz
    2. tar zxvf snort-2.9.4.1.tar.gz
    3. cd snort-2.9.4.1
    4. ./configure --enable-sourcefire
    5. make
    6. make install
  4. Download and install Snort Rules
    1. mkdir -p /etc/snort/rules
    2. mkdir -p /var/log/snort 
    3. cd /etc/snort
    4. Manually download the rules file to /etc/snort/ (You need to be signed in to get the registered user rules). In this case it was snortrules-snapshot-2940.tar.gz
    5. tar zxvf snortrules-snapshot-2940.tar.gz
    6. mv ./etc/* /etc/snort/
    7. rmdir /etc/snort/etc
  5. OPTIONAL: Download and install Emerging Threats rules
    1. wget http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz -O emerging.rules.tar.gz
    2. tar zxvf emerging.rules.tar.gz
  6. Create Snort accounts
    1. groupadd snort
    2. useradd snort -g snort -d /var/log/snort -s /sbin/nologin -m
    3. chown -R snort:snort /etc/snort
    4. chown -R snort:snort /var/log/snort 
  7. Edit the Snort configuration file
    1. vi /etc/snort/snort.conf
      1. ipvar HOME_NET x.x.x.x/x/
      2. ipvar EXTERNAL_NET !$HOME_NET
      3. var RULE_PATH rules
      4. var SO_RULE_PATH so_rules
      5. var PREPROC_RULE_PATH preproc_rules
      6. var WHITE_LIST_PATH rules
      7. var BLACK_LIST_PATH rules 
      8. OPTIONAL: include $RULES_PATH/emerging.conf
  8. Test the Snort installation
    1. snort -u snort -g snort -c /etc/snort/snort.conf -T
    2. If all goes well you should see this
Snort successfully validated the configuration!
Snort exiting


I plan to have a subsequent blog post to record instructions for installing and configuring barnyard, oinkmaster and BASE. Instructions in a previous post using an older version of Snort and CentOS can be found at http://nkush.blogspot.com.au/2011/10/installing-snort-2912-on-centos-57.html

References
  1. http://fedoraproject.org/wiki/EPEL
  2. http://snort.org/docs
  3. http://nkush.blogspot.com.au/2011/10/installing-snort-2912-on-centos-57.html
Common Errors:
  1. ERROR: /etc/snort/snort.conf(253) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
    1. mkdir -p /usr/local/lib/snort_dynamicrules
  2. ERROR: /etc/snort/snort.conf(511) => Unable to open address file /etc/snort/rules/white_list.rules, Error: No such file or directory
    1.  touch /etc/snort/rules/white_list.rules
  3. ERROR: /etc/snort/snort.conf(511) => Unable to open address file /etc/snort/rules/black_list.rules, Error: No such file or directory
    1. touch /etc/snort/rules/black_list.rules

3/03/2013

Installing and Configuring OpenVPN 2.3 on Microsoft Windows Small Business Server 2003

My previous posts (http://nkush.blogspot.com.au/2012/08/installing-openvpn-22-on-centos-63-64bit.html and http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html) have been on installing OpenVPN on Linux.

This post is slightly different as it installs and configures OpenVPN on a Microsoft Windows Small Business Server (SBS). The SBS installation is also different from the previous write-ups since this configuration uses Ethernet bridging instead of tunneling.

Although SBS comes with Layer2 Tunneling Protocol (L2TP) and Point-to-point Tunelling Protocol (PPTP) for Virtual Private Network (VPN), some users may want to use an Secure Sockets Layer (SSL) based VPN such as OpenVPN. The default installation location, i.e. C:\Program Files\OpenVPN\ is used in the instructions below

Installation:
  1. Before downloading and installing OpenVPN, the server needs to have IP forwarding enabled. This is trivial in *nix based systems, but requires a hack in the Windows registry. Edit the parameters and set IPEnableRouter to 1
    1. HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
    2. Reboot the server to ensure the changes made above take effect
  2. Download and install the OpenVPN application[1] from http://openvpn.net/index.php/open-source/downloads.html
  3. Open a command prompt and change to the default installation directory
    1. Start> Run> cmd
    2. cd C:\Program Files\OpenVPN
  4. Ensure that the path C:\Program Files\OpenVPN\bin\ is added to the system environment PATH
    1. set PATH=%PATH%;C:\Program Files\OpenVPN\bin\
  5. Copy the file C:\Program Files\OpenVPN\easy-rsa\vars.bat.sample to C:\Program Files\OpenVPN\easy-rsa\vars.bat
    1. cd C:\Program Files\OpenVPN\easy-rsa\
    2. copy vars.bat.sample vars.bat OR run the init-config.bat script
  6. Edit the file (edit) and change the following
    1. Since key lengths less than 2048 are not recommended[2], change the key size to be 4096
      1. set KEY_SIZE=4096
    2. Configure the following
      1. KEY_COUNTRY
      2. KEY_PROVINCE
      3. KEY_CITY
      4. KEY_ORG
      5. KEY_EMAIL
      6. KEY_CN
      7. KEY_NAME
      8. KEY_OU
      9. PKCS11_MODULE_PATH
      10. PKCS11_PIN
  7. Setup environment variables by executing the vars.bat script
  8. Initialise the keys directory and empty the keys database and serial number by executing clean-all.bat. WARNING: this will delete any existing keys
  9. Create certificate for the certificate authority (CA), this will generate the certificate signing request, the CA certificate (ca.crt) and CA key (ca.key).
    1. build-ca.bat
  10. Create the Diffie Hellman files. These files are used for the key exchange to ensure the confidentiality over an insecure channel. Based on the length of the key used (KEY_SIZE) it may take a while
    1. build-dh.bat
  11. Create the server certificate and key and commit them
    1. build-key-server.bat <SERVER-NAME>
  12. Create user machine certificates and keys and commit them (one for each user/machine)
    1. build-key.bat <USER-MACHINE>
    2. Note: when generating individual user/machine certificate and keys ensure that the common names are unique and for maintenance reasons, its easier if you match the user/machine and the common name
  13. Copy the server configuration file to the configuration directory
    1. cd C:\Program Files\OpenVPN\sample-config
    2. copy server.ovpn ..\config\
  14. Edit the server config file. You may use the full path of the certificates and keys, or copy them into the same directory as your configuration file.
    1. cd  C:\Program Files\OpenVPN\config
    2. edit server.ovpn
      1. port 1194
      2. proto udp
      3. dev tap
      4. dev-node MyTap
      5. ca ca.crt
      6. cert <SERVER-NAME>.crt
      7. key <SERVER-NAME>.key
      8. dh dh<KEY_SIZE>.pem
      9. ifconfig-pool-persist ipp.txt
      10. server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
      11. push "route <LAN-NETWORK> <LAN-NETMASK>"
      12. keepalive 10 120
      13. comp-lzo
      14. max-clients 5
      15. status openvpn-status.log
      16. log-append  openvpn.log
      17. verb 3
      18. mute 5
  15. Change the TAP adapter 
    1. Rename to suit the configured name above, in the case of this example "MyTap"
    2. Set a static IPv4 address of 10.8.0.4 (or whatever is specified in 14.11 in the server-bridge setting
  16. Start the OpenVPN service and check the logs for any errors
Routing changes:
  1. You may also need to make routing changes. Depending on your router the settings may differ, but the basic requirement is to add a static route to the VPN tunnel network, i.e. 10.8.0.0/24 to the OpenVPN server.
  2. If the server does not have a WAN IP address and is located behind a router performing NAT, then port forwarding rules should be implemeneted to port formward traffic on UDP port 1194 to the VPN server.
Client Configuration:

  1. client
  2. dev tap
  3. proto udp
  4. remote <SERVER-WAN> 1194
  5. resolv-retry infinite
  6. nobind
  7. persist-key
  8. persist-tun
  9. ca ca.crt
  10. cert <USER-MACHINE>.crt
  11. key <USER-MACHINE>.key
  12. comp-lzo
  13. verb 3
  14. route-method exe
  15. route-delay 5
Note: SBS running as the Domain Controller (DC) only allows Terminal Services to run in Administration mode, i.e. only two concurrent Remote Desktop Protocol (RDP) sessions, and one local console session. It does not run in Application mode, which allows additional licenses to be installed

References:
  1. http://openvpn.net/index.php/open-source/downloads.html
  2. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf