
8/04/2016

PCAP or it didn't happen

"PCAP or it didn't happen" is a good network security philosophy. The primary idea is to capture network traffic so that it is available for analysis. In a non-corporate environment where a CentOS-based Linux host has been used as a dual-homed firewall (refer to the lame ASCII art network diagram below), tcpdump was used for continuous traffic capture.
    _                                       _
  _( )______     ________     +-----+     _( )__
 ( Internet )---/ Router \----| F/W |----( DMZ  )
(____________)  \________/    +-----+   (________)


Firstly, we create a location to save the pcap files. Next, since contemporary versions of tcpdump are built with the -Z switch, which causes tcpdump to drop into a less privileged account (tcpdump, in the case of this particular version of CentOS), we change the ownership of the location to the tcpdump user and group and set permissions so that they have full read and write access.

We then execute the tcpdump command to dump traffic on the interface connected to the router (-i eth1) without resolving names (-n), only slightly verbose output (-v), capturing the full frame, i.e. snap length of 0 (-s 0), with a maximum file size of 512MB (-C 512), limit the number of files to keep to 10 (-W 10) and write to the file /var/log/traffic/capture.pcap (-w /var/log/traffic/capture.pcap).

Since the login was an interactive one, we use the nohup command to prevent hang-up, i.e., to keep the process running after the terminal closes (its input and output are redirected away from stdin and stdout), and the & operator to detach the command from the current terminal and run it in the background.
  1. mkdir -p /var/log/traffic
  2. chown -R tcpdump:tcpdump /var/log/traffic
  3. chmod -R 775 /var/log/traffic
  4. nohup /usr/sbin/tcpdump -i eth1 -n -v -s 0 -C 512 -W 10 -w /var/log/traffic/capture.pcap &
Finally, to ensure that the command is executed if the server is rebooted after any hardware maintenance, we can copy the command from step 4 above into the /etc/rc.d/rc.local file without the preceding nohup. We should now have a series of pcap files totalling up to 5GB of network traffic; depending on requirements and available resources, the parameters can be tweaked to suit the number and size of files required.
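The following is an added example, not part of the original post: a small set of shell functions that build the tcpdump command from the parameters above, size the ring buffer, check that the capture directory has room for it, and append the boot-time entry to an rc.local file exactly once. The interface, directory, file size and file count are the values from the post; the rc.local path is a parameter so the function can be tried against a scratch file before the real /etc/rc.d/rc.local.

```shell
#!/bin/sh
# Added example (not from the original post). Parameters assumed from the post:
CAP_IFACE=eth1
CAP_DIR=/var/log/traffic
CAP_FILE_MB=512
CAP_FILE_COUNT=10

# Print the tcpdump invocation for IFACE DIR SIZE_MB COUNT.
# -s 0 keeps the whole frame; -C/-W give a ring of COUNT files of SIZE_MB each.
capture_cmd() {
  iface=$1; dir=$2; size_mb=$3; count=$4
  printf '/usr/sbin/tcpdump -i %s -n -v -s 0 -C %s -W %s -w %s/capture.pcap' \
    "$iface" "$size_mb" "$count" "$dir"
}

# Worst-case disk usage of the ring in MB (SIZE_MB x COUNT). Note tcpdump's -C
# unit is 1,000,000 bytes, so this is a slight over-estimate in MiB terms.
ring_size_mb() {
  echo $(( $1 * $2 ))
}

# Free space in MB on the filesystem holding DIR (DIR is created if missing).
free_mb() {
  mkdir -p "$1"
  df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Return 0 if DIR can hold a full ring of SIZE_MB x COUNT, 1 otherwise.
ring_fits() {
  [ "$(free_mb "$1")" -ge "$(ring_size_mb "$2" "$3")" ]
}

# Append CMD to an rc.local-style file RC_FILE exactly once (idempotent).
# nohup is not needed at boot, but the trailing & is: without it tcpdump would
# block the rest of rc.local. The file must be executable on CentOS 6.
install_rc_local() {
  rc_file=$1; cmd=$2
  if ! grep -qF -- "$cmd" "$rc_file" 2>/dev/null; then
    printf '%s &\n' "$cmd" >> "$rc_file"
  fi
}

# Example use (run as root on the firewall):
#   cmd=$(capture_cmd "$CAP_IFACE" "$CAP_DIR" "$CAP_FILE_MB" "$CAP_FILE_COUNT")
#   ring_fits "$CAP_DIR" "$CAP_FILE_MB" "$CAP_FILE_COUNT" || echo "not enough space" >&2
#   install_rc_local /etc/rc.d/rc.local "$cmd"
```

Because tcpdump drops to the tcpdump user before opening the output file, the ownership step from the post still has to be done on the directory that capture_cmd writes into; the space check only tells you the ring will fit, not that the unprivileged user can write there.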

10/22/2014

Configuring RANCID on CentOS 6.5

RANCID stands for really awesome new cisco configuration differ[1]. It polls Cisco devices to get a copy of the configuration and an inventory of the hardware, and commits the details to a version control system such as CVS or SVN. The version control is used to maintain a history of the changes, and any changes to the configuration are reported. There are a number of guides available for installing RANCID[2,4,5], but I've documented the steps I took here for my own reference.

Pre-requisites
You must have the EPEL repositories set up and enabled. Note that at the time this post was written, the current version was 3.1[3]; however, the version available via EPEL was only 2.3.6.

Installation
  1. yum -y update
  2. yum -y upgrade
  3. yum -y install rancid
Configuration
  1. Edit the /etc/rancid/rancid.conf file: set the LIST_OF_GROUPS variable to the list of groups for your devices, e.g., LIST_OF_GROUPS="routers switches"; if you are using SVN, change the CVSROOT, i.e., CVSROOT=$BASEDIR/SVN; export CVSROOT, and change the RCS system, i.e., RCSSYS=svn; export RCSSYS
    1. vi  /etc/rancid/rancid.conf 
  2. Create e-mail aliases for the groups; note that the alias names should match the group names. Edit the /etc/aliases file and ensure that the newaliases command is executed after the file has been modified
    1. vi /etc/aliases
    2. newaliases
  3. The rancid group and user should already have been created by the package. The home directory of the rancid user corresponds to BASEDIR in the configuration file, viz. /var/rancid. Generate the SVN repository for the configurations, the group directories and the log directories by running the rancid-cvs script
    1.  /usr/bin/rancid-cvs
  4. Add devices to each group to specify their IP address, the make or type, and their status i.e., up or down. Edit the router.db file in each group directory. e.g., c7206-core-router:cisco:up
    1. vi /var/rancid/routers/router.db
  5. Next, the login credentials for each node are specified in .cloginrc. Copy the sample file from the documentation and edit it to provide the login credentials. I prefer to explicitly set the node address and user
    1. cp /usr/share/doc/rancid-2.3.6/cloginrc.sample /var/rancid/.cloginrc
    2. vi /var/rancid/.cloginrc
    3. chmod 600 .cloginrc
  6. Configure a user, via TACACS or locally on your Cisco device, that only has the privilege to view the config
    1. username rancid privilege 3 secret <SECRET>
    2. privilege exec level 3 show start-config
  7. Change ownership of all files and directories in the rancid user's home directory to the rancid user and group
    1. chown -R rancid:rancid /var/rancid
  8. Test the clogin as the rancid user
    1. su - rancid
    2. /usr/libexec/rancid/clogin c7206-core-router
  9. If all goes well, run rancid manually for the first time. This will generate a config file for each device defined in the group in the config directory
    1. /usr/bin/rancid-run
  10. Schedule rancid and the cleanup by setting up cron jobs as the rancid user, crontab -e
# Minute   Hour   Day of Month   Month              Day of Week      Command
# (0-59)   (0-23) (1-31)         (1-12 or Jan-Dec)  (0-6 or Sun-Sat) /...

# schedule to run rancid every 15 minutes
*/15 * * * * /usr/bin/rancid-run

# schedule to remove rancid log files over 2 days old at 8am
0 8 * * * /bin/find /var/rancid/logs -type f -mtime +2 -exec rm {} \;
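As an added example (not part of the original post), here are two checks for the RANCID files from steps 4 and 5 that most often go wrong on a fresh install: router.db, which must contain one name:type:status entry per line, and .cloginrc, which holds device credentials and should be mode 600 as set in step 5. Both functions take a file path, so they can be pointed at /var/rancid/routers/router.db and /var/rancid/.cloginrc or at scratch copies; the sample router.db content in the comment is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print each valid router.db entry as "name type status" and report invalid
# lines on stderr; return 1 if any line is invalid. Blank lines and comments
# are skipped. The ':' separator is the RANCID 2.x format used in the post
# (RANCID 3.x switched router.db to ';').
check_router_db() {
  awk -F: '
    /^[[:space:]]*(#|$)/ { next }
    NF == 3 && $3 ~ /^(up|down)$/ { print $1, $2, $3; next }
    { bad++; printf "invalid line %d: %s\n", NR, $0 > "/dev/stderr" }
    END { exit (bad > 0) }
  ' "$1"
}

# Return 0 if FILE exists and is mode 600 (owner read/write only), 1 otherwise.
# clogin reads device passwords from this file, so it must not be readable by
# the group or by others.
check_cloginrc() {
  file=$1
  [ -f "$file" ] || return 1
  [ "$(stat -c %a "$file")" = "600" ]
}

# Example use with constructed content:
#   printf 'c7206-core-router:cisco:up\n# lab switch\nsw1:cisco:down\n' > /tmp/router.db
#   check_router_db /tmp/router.db        # prints the two entries, returns 0
#   check_cloginrc /var/rancid/.cloginrc  # returns 1 until chmod 600 is done
```

Running check_router_db before rancid-run catches the typo that otherwise only shows up as a device silently skipped in the logs; check_cloginrc is worth adding to the same cron entry, since a permissions change on the credentials file is exactly the kind of thing that goes unnoticed.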

References
  1. http://www.shrubbery.net/rancid/
  2. http://www.shrubbery.net/rancid/RhysEvans_overview_0.3.pdf
  3. ftp://ftp.shrubbery.net/pub/rancid/
  4. http://networklore.com/rancid-getting-started/
  5. http://fakrul.wordpress.com/2013/11/20/rancid-websvn-centos-howto/

4/04/2013

CentOS 6.4 VirtualBox VM won't boot up after doing an update/upgrade!!!

Often I employ a CentOS VirtualBox virtual machine (VM) as a development, testing and staging environment; I love the flexibility of virtual environments for testing and development work before moving my work to production environments.

Recently I ran a yum update and yum upgrade on a CentOS 6.4 VM and subsequently rebooted it, only to be greeted by a blank screen following bootup. A quick search of virtual TTY terminals yielded a login prompt.

A search of the usual logs (/var/log/messages and /var/log/dmesg) did not yield anything useful; however, /var/log/Xorg.0.log displayed some interesting messages. Of particular interest were:

"... (EE) Failed to load module "vboxvideo" (module requirement mismatch, 0)"
"... (EE) No drivers available."
"Fatal server error:"
"... no screens found"

A bit of Googling turned up http://www.centos.org/modules/newbb/print.php?form=1&topic_id=41799&forum=55&order=ASC&start=0 so I followed suit, backed up the /etc/X11/xorg.conf file and rebooted :) All is well...

3/28/2013

Snort 2.9 on CentOS 6.3 (continued) with Barnyard2

This is a continuation of the post on installing Snort 2.9 on CentOS 6.4 (http://nkush.blogspot.com.au/2013/03/snort-29-on-centos-63.html). This post installs Barnyard2 on the host.

Barnyard is an output system for Snort. It effectively improves Snort's performance by letting Snort write binary output, which is then processed by Barnyard.

Barnyard processes the binary Snort output files (unified2 binary) and stores the processed data into a database back-end, for example MySQL. The advantage of using Barnyard instead of the database output from Snort is that Barnyard is able to "cache" the data in case the database is unavailable.

Barnyard can be run in three modes; this example uses the continual mode with bookmarking. A bookmark (waldo) file is used to keep track of Barnyard's processing progress, so that after a Barnyard failure it can resume where it left off.

Installation:

  1. Install and configure MySQL
    1. yum -y install mysql mysql-server mysql-devel mysql-bench
    2. service mysqld start
    3. /usr/bin/mysql_secure_installation
  2. Download and install Barnyard2 from http://securixlive.com/barnyard2/download.php
    1. wget http://securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
    2. tar zxvf barnyard2-1.9.tar.gz
    3. cd barnyard2-1.9
    4. ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
    5. make
    6. make install
  3. Configure Barnyard to process Snort output
    1. Change Snort config to output to the unified file format
      1. output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
    2. Change the Barnyard config (/usr/local/etc/barnyard2.conf)
      1. config logdir: /var/log/barnyard2
      2. config hostname:    localhost
      3. config interface:    ethX
      4. config daemon
      5. config set_gid:nnnn
      6. config set_uid:nnnn
      7. config show_year
      8. config umask: 066
      9. config waldo_file: /var/log/snort/barnyard2.waldo
      10. input unified2
      11. output database: log, mysql, user=snort password=password dbname=barnyard2 host=localhost
  4. Create the MySQL database for Barnyard
    1. mysqladmin -u root -p create barnyard2
    2. mysql -u root -p -D barnyard2 < ./schemas/create_mysql
  5. Grant privileges to database
    1. mysql -u root -p
    2. GRANT ALL PRIVILEGES ON barnyard2.* TO snort@localhost WITH GRANT OPTION;
    3. SET PASSWORD FOR snort@localhost=PASSWORD('password');
  6. Prepare Barnyard2
    1. touch /var/log/snort/barnyard2.waldo
    2. chown -R snort:snort /var/log/snort
  7. Run Barnyard then Snort
    1. barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort/ -w /var/log/snort/barnyard2.waldo -f merged.log -u snort -g snort -D
    2. snort -c /etc/snort/snort.conf -i eth4 -u snort -g snort -D

If all goes well then you should see events being logged into your event table in the barnyard2 database.

Errors:
  1. ERROR: unable to find mysqlclient library (libmysqlclient.*)
    1. ./configure --with-mysql-libraries=/usr/lib64/mysql/
  2. ERROR: Unable to open directory '' (No such
     file or directory)
    ERROR: Unable to find the next spool file!
    1.  Ensure that the waldo file is specified (by the -w option included as a command line argument or in the config file)
  3. WARNING: Can't extract timestamp extension from 'alert' using base ''
    1. Ensure that the unified2 file is specified (by the -f option included as a command line argument or in the config file)
  4. FATAL ERROR: Absdir is not a subset of the logdir
    1.  Ensure that the logdir is configured in the Barnyard configuration file
  5. FATAL ERROR: database: mysql_error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
    1. Ensure that the MySQL service/daemon is running
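The errors above each have a single cause that can be checked before starting the daemon. As an added example (not part of the original post), the function below runs those checks against the paths used in step 7: the logdir, the spool directory given with -d, the waldo file given with -w, the unified2 base name given with -f, and the MySQL socket from the last error message. It prints one line per problem, naming the fix, and returns the number of problems found.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for
# barnyard2 mapped to the error messages listed above.

# Usage: check_barnyard LOGDIR SPOOLDIR WALDO BASENAME [MYSQL_SOCKET]
#   e.g. check_barnyard /var/log/barnyard2 /var/log/snort \
#          /var/log/snort/barnyard2.waldo merged.log
# Returns 0 when ready to start, otherwise the number of problems found.
check_barnyard() {
  logdir=$1; spool=$2; waldo=$3; base=$4
  sock=${5:-/var/lib/mysql/mysql.sock}
  problems=0

  # "FATAL ERROR: Absdir is not a subset of the logdir"
  if [ -z "$logdir" ] || [ ! -d "$logdir" ]; then
    echo "logdir '$logdir' missing: set 'config logdir:' in barnyard2.conf and create it"
    problems=$((problems + 1))
  fi

  # "ERROR: Unable to open directory ''"
  if [ -z "$spool" ] || [ ! -d "$spool" ]; then
    echo "spool directory '$spool' missing: pass -d or set it in barnyard2.conf"
    problems=$((problems + 1))
  fi

  # "ERROR: Unable to find the next spool file!"
  if [ -z "$waldo" ] || [ ! -w "$(dirname "$waldo")" ]; then
    echo "waldo '$waldo' unset or its directory not writable: touch it and chown it to the barnyard user"
    problems=$((problems + 1))
  fi

  # "WARNING: Can't extract timestamp extension from 'alert' using base ''"
  # Snort names unified2 files <base>.<unix timestamp>, so at least one must exist.
  if [ -z "$base" ] || ! ls "$spool/$base".* >/dev/null 2>&1; then
    echo "no unified2 files '$base.<timestamp>' in '$spool': check -f against Snort's 'output unified2: filename'"
    problems=$((problems + 1))
  fi

  # "FATAL ERROR: database: mysql_error: Can't connect to local MySQL server through socket"
  # The real file is a Unix socket created by mysqld; existence is the simplest check.
  if [ ! -e "$sock" ]; then
    echo "MySQL socket '$sock' not present: start the mysqld service"
    problems=$((problems + 1))
  fi

  return $problems
}
```

Run it as the same user barnyard2 will drop to (-u snort), since the writability test on the waldo directory is only meaningful for that account.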

8/08/2012

Installing OpenVPN 2.2 on CentOS 6.3 64bit

This post is just an update of a previous post that used CentOS 5.7 and OpenVPN 2.2 (http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.html). The basic instructions are the same; however, this post uses some newer packages which may have been relocated to new URLs. Again, this blog and its posts are mostly for my own reference and not intended as step-by-step instructions for other systems/network administrators.

Install RPMForge or RepoForge as it's now known[1]
  1. wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  2. rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
  3. yum update
Install and set-up the OpenVPN Server[2]
  1. yum -y install openvpn 
  2. cd /etc/openvpn/
  3. cp /usr/share/doc/openvpn-*/sample-config-files/server.conf .
  4. mkdir -p /etc/openvpn/easy-rsa/keys
  5. cd /etc/openvpn/easy-rsa
  6. cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
  7. chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
 Set-up the OpenVPN Server environment, keys and certificates
  1. vi /etc/openvpn/easy-rsa/vars
    1. Also consider setting the key length using the KEY_SIZE variable: 1024 is the default, 2048 is better but slows down the TLS handshake; I am paranoid and use 4096-bit keys
    2. Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL)
    3. I used  PKCS11_MODULE_PATH=/ and a random PIN value
  2. Create a link to the openssl config file as openssl.cnf
    1. ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf   
  3. Create certificate for the server
    1. ./build-key-server NAME_OF_SERVER
    2. Answer the questions and commit the certificate into the database
  4. Create the Diffie Hellman files
    1. These files are used for the actual key exchange to ensure the confidentiality over an insecure channel. Based on the length of the key used (KEY_SIZE) it may take a while.
    2. ./build-dh
  5. Create the certificate for each client
    1. ./build-key CLIENT
  6. Edit the server configuration file 
    1. vi /etc/openvpn/server.conf
    2. Check/change
      1. local
      2. proto
      3. dev
      4. port
      5. ca
      6. cert
      7. key
      8. dh
      9. max-clients
      10. user
      11. group
      12. log-append
      13. verb
  7. Start everything
    1. /etc/rc.d/init.d/openvpn start
    2. chkconfig --level 235 openvpn on
A future post may include instructions on configuring the client as well as setting up firewall rules for specific topologies (time permitting).

References
  1. http://wiki.centos.org/AdditionalResources/Repositories/RPMForge/#head-f0c3ecee3dbb407e4eed79a56ec0ae92d1398e01
  2. http://nkush.blogspot.com.au/2011/10/installing-openvpn-22-on-centos-57.htm 

5/07/2012

I had to do some maintenance work on a Linux based server

I had to do some maintenance work on a Linux based server. It was mainly just archiving some files around and updating packages and configurations. However, as part of the maintenance I took the opportunity to put in some simple technical security controls in place and documented some of them here for my reference.

MySQL Database
There was a MySQL server running that was only needed for the local host, but a "netstat -ltn" indicated that it was not bound to any specific IP, i.e. listening on 0.0.0.0, so I bound it to the localhost IP of 127.0.0.1 by editing the /etc/my.cnf file using the entry bind-address=127.0.0.1

vi /etc/my.cnf
bind-address=127.0.0.1
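The "netstat -ltn" check that caught MySQL listening on 0.0.0.0 is easy to turn into a repeatable test. The following is an added example, not part of the original post: it reads netstat -ltn output on stdin, extracts the TCP listeners bound to a wildcard address (0.0.0.0 or ::), and compares them against a list of ports that are meant to be reachable from the LAN. The netstat output embedded below is constructed for the example and uses the port numbers from this post (3306 for MySQL, 4022 for sshd).

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of "netstat -ltn" output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:4022                0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN'

# Read netstat -ltn output on stdin; print the port of every TCP listener
# bound to 0.0.0.0 or :: (i.e. every interface), one per line, sorted.
# The address is everything before the last ':' so IPv6 ":::80" parses too.
wildcard_listeners() {
  awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
         n = split($4, a, ":")
         addr = substr($4, 1, length($4) - length(a[n]) - 1)
         if (addr == "0.0.0.0" || addr == "::") print a[n]
       }' | sort -n
}

# Usage: exposed_ports "80 4022" < netstat-output
# Prints wildcard-bound ports that are not in the space-separated allow list;
# returns 1 if any were found, 0 if every exposed port is expected.
exposed_ports() {
  allow=" $1 "; found=0
  for p in $(wildcard_listeners); do
    case $allow in
      *" $p "*) ;;
      *) echo "$p"; found=1 ;;
    esac
  done
  return $found
}

# Example use on a live host:
#   netstat -ltn | exposed_ports "80 4022" || echo "unexpected listener(s) above"
```

With the allow list "80 4022", the sample reports 3306, which is the finding that led to the bind-address change; after MySQL is bound to 127.0.0.1 the same check passes.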

RKHunter Rootkit Anti-malware
I installed the new version of rkhunter and modified the configuration file to suit.

yum install rkhunter
vi /etc/rkhunter.conf
PKGMGR=RPM
ENABLE_TESTS="all"
DISABLE_TESTS="none"
SCAN_MODE_DEV=THOROUGH 
rkhunter --propupd --update --check --sk -l
vi /etc/rkhunter.conf
ALLOWHIDDENDIR=
ALLOWDEVFILE=

IPTables Firewall
Strangely enough there was no firewall configured on the host, so I quickly knocked up a script and saved it. Here's a snippet of the script that simply resets the rules, sets the default policies to DROP and allows all local communications. There are additional parts that allow specific traffic through, but I have not included them here, to obscure the services and IP addresses being used.

#!/bin/bash

#
# Global script variables
#

# Commands
IPTABLES=/sbin/iptables

# Network interfaces and addresses
LOOP_IFACE=lo
LAN=192.168.100.0/24
LAN_ADDR=192.168.100.201
LAN_IFACE=eth0

# Port numbers
NAMED_PORT=53
NETFLOW_PORT=9996
NTP_PORT=123
PRIV_PORTS=1:1024
SMB_PORTS=137:139
SSHD_PORT=4022
UNPRIV_PORTS=1025:65535


#
# Manage kernel parameters
#

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward


#
# Configure default table policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP


#
# Initialise tables - flush rules, remove chains, zero counts
#

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat

$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

$IPTABLES -Z


#
# Allow all local loopback traffic
#

$IPTABLES -A INPUT -i $LOOP_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOP_IFACE -j ACCEPT


#
# Allow all traffic that is part of a related or established connection in
#

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#
# Politely reject SMB traffic
#

$IPTABLES -A INPUT -i $LAN_IFACE -p tcp --dport $SMB_PORTS -j REJECT
$IPTABLES -A INPUT -i $LAN_IFACE -p udp --dport $SMB_PORTS -j REJECT


#
# Allow icmp pings
#

$IPTABLES -A INPUT -i $LAN_IFACE -s $LAN -d $LAN_ADDR -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -s $LAN_ADDR -d $LAN -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT


#
# *** DELETED SERVICES SPECIFIC RULES TO IMPLEMENT SECURITY BY OBSCURITY ***
# 


#
# Debugging - log all other traffic *** DO NOT USE IN PRODUCTION ENVIRONMENT ***
#
#
#$IPTABLES -A INPUT -i $LAN_IFACE -j LOG --log-prefix "rc.firewall "
#


ClamAV Anti-virus
ClamAV is an open source anti-virus software for Linux. I installed this using the yum package manager and configured the AV to scan daily, and used freshclam to ensure that the virus definitions are updated hourly.
yum install clamav clamd clamav-db

vi /etc/cron.hourly/freshclam
#!/bin/bash
/usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log

vi /etc/cron.daily/clamscan
#!/bin/bash
/usr/bin/clamscan -r / --exclude-dir=/proc --quiet --infected --log=/var/log/clamd/clamscan

Fail2Ban Intrusion Prevention
fail2ban is an interesting intrusion prevention system that parses system logs and dynamically updates firewall rules to stop potential intrusion attempts. It supports several other mechanisms, but I was only interested in the firewall and SSH access.


yum install fail2ban
vi /etc/ssh/sshd_config
SyslogFacility LOCAL5
LogLevel INFO

vi /etc/syslog.conf
local5.info                                     /var/log/sshd/sshd.log

vi /etc/fail2ban/jail.conf
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=*DELETED*, sender=*DELETED*]
logpath  = /var/log/sshd/sshd.log
maxretry = 2


Legal notices
The client wanted some legal notices and disclaimers on the host for various reasons, one of them being to notify employees that their usage was being monitored. I stuck the disclaimer from their legal department (it looked pretty generic though) into /etc/issue and created a link from /etc/issue.net to it.


10/31/2011

Installing OpenVPN 2.2 on Centos 5.7

OpenVPN is an SSL-based VPN. There are other VPN solutions, such as IPsec, but OpenVPN provides a cost-effective alternative. I like OpenVPN as it supports two-way authentication, i.e. both the client and the server authenticate using certificates. To install OpenVPN on CentOS we need a number of cryptographic libraries; the simplest way to get them is to use the DAG/RPMForge repository.

Set-up the RPMForge repository [1], as this contains the packages necessary for the installation and the instructions are provided below. The instructions below are just to document this specific installation and therefore this blog post is not to be misinterpreted as a best practises guide. The instructions are adapted from the OpenVPN website [2], but this blog post is intended more as a quick and dirty guide to getting OpenVPN running on CentOS 5.7. Additionally the set-up and configuration of the client is considered beyond the scope of this blog post.

  1. Install packages
    1. rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
    2. yum -y update
    3. yum -y install openvpn
  2. Set-up configuration files
    1. cd /etc/openvpn/
    2. cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf .
    3. mkdir -p /etc/openvpn/easy-rsa/keys
    4. cd /etc/openvpn/easy-rsa
    5. cp -rf /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* .
    6. chmod o+x,g+x clean-all build-* vars whichopensslcnf pkitool inherit-inter list-crl revoke-full sign-req
  3. Edit the PKI configuration
    1. vi /etc/openvpn/easy-rsa/vars
      1. Also consider setting the key length using the KEY_SIZE variable: 1024 is the default, 2048 is better but slows down the TLS handshake; I am paranoid and use 4096-bit keys
      2. Set the country (KEY_COUNTRY), state (KEY_PROVINCE), locality (KEY_CITY), organisation name (KEY_ORG), and support email (KEY_EMAIL)
  4. Set up the PKI infrastructure. This involves making a certificate authority and then generating the server certificate and any client machine certificates
    1. Create the certificate authority
      1. . ./vars
      2. ./clean-all
      3. ./build-ca
      4. The CA key and certificate should now be in the keys directory inside the easy-rsa directory.
    2. Create certificate for the server
      1. ./build-key-server NAME_OF_SERVER
      2. Answer the questions and commit the certificate into the database
    3. Create the Diffie Hellman files
      1. These files are used for the actual key exchange to ensure the confidentiality over an insecure channel, aka the Internet. Based on the length of the key used (KEY_SIZE) it may take a while.
      2. ./build-dh
    4. Create the certificate for each client
      1. When doing this for clients, I generate one for each device a client may use; that way if a device is stolen or goes missing, I only have to revoke a single certificate and the others keep working as they do. Not sure if this is a good approach, but it's definitely my quick and dirty (lazy) approach.
      2. ./build-key LAPTOP
      3. ./build-key HOME-DESKTOP
      4. ./build-key PDA
  5. Edit the server configuration file 
    1. vi /etc/openvpn/server.conf
    2. Check/change
      1. local
      2. proto
      3. dev
      4. port
      5. ca
      6. cert
      7. key
      8. dh
      9. max-clients
      10. user
      11. group
      12. log-append
      13. verb
  6. Start everything
    1. /etc/rc.d/init.d/openvpn start
    2. chkconfig --level 235 openvpn on
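Both OpenVPN posts on this page (the CentOS 6.3 one above and this CentOS 5.7 one) end with the same "Check/change" list of server.conf directives. As an added example that belongs to neither post, the functions below check a server.conf for every directive in that list, confirm that user and group drop the daemon to an unprivileged account, and confirm that the ca, cert, key and dh paths point at files that exist. The embedded server.conf is constructed; its paths follow the easy-rsa layout from the posts (build-dh writes keys/dh<KEY_SIZE>.pem, so dh4096.pem matches the 4096-bit KEY_SIZE chosen above).

```shell
#!/bin/sh
# Added example, not from either OpenVPN post.

# Constructed server.conf covering the directives in the "Check/change" list.
SAMPLE_SERVER_CONF='local 192.168.100.201
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
max-clients 10
user nobody
group nobody
log-append /var/log/openvpn.log
verb 3'

REQUIRED_DIRECTIVES="local proto dev port ca cert key dh max-clients user group log-append verb"

# Print the first value of DIRECTIVE from the config on stdin, ignoring
# anything after a '#' or ';' comment marker.
conf_value() {
  awk -v d="$1" '{ sub(/[#;].*/, "") } $1 == d { print $2; exit }'
}

# List required directives missing from FILE, one per line; return 1 if any.
missing_directives() {
  file=$1; missing=0
  for d in $REQUIRED_DIRECTIVES; do
    if [ -z "$(conf_value "$d" < "$file")" ]; then
      echo "$d"; missing=1
    fi
  done
  return $missing
}

# Return 0 when user and group are both set and neither is root, so the daemon
# gives up its privileges after binding the port and reading the key.
drops_privileges() {
  file=$1
  u=$(conf_value user < "$file"); g=$(conf_value group < "$file")
  [ -n "$u" ] && [ -n "$g" ] && [ "$u" != "root" ] && [ "$g" != "root" ]
}

# Return 0 when ca, cert, key and dh all name an existing file. A missing one
# is the "fails to open certain files" start-up failure mentioned below.
key_files_present() {
  file=$1
  for d in ca cert key dh; do
    p=$(conf_value "$d" < "$file")
    [ -n "$p" ] && [ -f "$p" ] || return 1
  done
}

# Example use: missing_directives /etc/openvpn/server.conf && drops_privileges /etc/openvpn/server.conf && key_files_present /etc/openvpn/server.conf
```

Relative paths in ca, cert, key and dh are resolved against the directory OpenVPN is started from (or the cd directive), so key_files_present should be run from /etc/openvpn if the config uses relative names.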
Possible Errors:
  1. If the OpenVPN server fails to start, ensure that logging is enabled, i.e. refer to log-append in the configuration file and examine the log. A common error is that OpenVPN fails to open certain files, check that the paths to these files are specified correctly.
References:

10/30/2011

Installing OSSEC on Centos 5.7

OSSEC is an open source host-based IDS that performs log analysis, and is able to correlate and analyse logs for a number of Linux (and Windows, but that is outside the scope of this blog post) servers. The software architecture of OSSEC and the use of agents, lends OSSEC to flexible deployment and management [1].

The easiest way would be to set up the Atomic repository, which already has the appropriate OSSEC packages, and install them from there. However, I have a strong dislike for using the /var partition as an install location (most system administrators, hmm... well, at least I have always set this up as a separate partition for ease of management and security reasons), especially when it has been mounted "noexec".

Please Note
Firstly, there are a number of dependencies of some of the set-up below, such as Apache, PHP, MySQL, but the installation and secure configuration of these services are beyond the scope of this blog post. Secondly, the configuration below is only to set-up OSSEC as a monitor and not run it in IPS, i.e. as an active response alert handler.

Installation using the repository
  1. wget https://www.atomicorp.com/installers/atomic -O atomic.sh
  2. . ./atomic.sh
  3. yum -y update
  4. yum -y install ossec-hids ossec-hids-server ossec-wui
Installation using the tar ball source
  1. Download, compile and install the source
    1. wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
    2. tar zxvf ossec-hids-2.6.tar.gz
    3. cd ossec-hids-2.6/src
    4. make clean
    5. make setdb
    6. make all
    7. cd ..
    8. ./install.sh
      1. en
      2. local
      3. /opt/ossec
      4. y
      5. user@domain
      6. mx.domain
      7. y
      8. y
      9. n
  2. Setup mysql DB for logging
    1. Grant access to database
      1. mysql -u root -p
      2. grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@localhost;
      3. set password for ossecuser@localhost=PASSWORD('PASSWD');
      4. quit;
    2. Create database and tables
      1. mysqladmin -u root -p create ossec
      2. mysql -u root -p ossec < src/os_dbd/mysql.schema
    3. Edit the /opt/ossec/etc/ossec.conf file
      1. Check the wiki to setup logging to the database and syslog [2]
  3. Install the Web User Interface; you will need Apache and PHP
    1. Again, the installation and secure configuration of Apache is beyond the scope of this blog post. 
    2. wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
    3. tar zxvf ossec-wui-0.3.tar.gz
    4. mkdir -p /var/www/html/ossec-wui
    5. cp -rf ./ossec-wui-0.3/* /var/www/html/ossec-wui/
    6. cd /var/www/html/ossec-wui/
    7. ./setup.sh
    8. Edit the ossec_conf.php to point to the ossec installation completed in the previous stage
      1. $ossec_dir="/opt/ossec";
  4. Start the OSSEC services
    1. /opt/ossec/bin/ossec-control enable database
    2. /opt/ossec/bin/ossec-control enable client-syslog
    3. /opt/ossec/bin/ossec-control start
Possible Errors:
  1. When executing OSSEC-WUI you may get a page that displays "Unable to access OSSEC directory". Ensure that the user your Apache web server runs as, e.g. httpd or apache, is added to the ossec group
    1. usermod -a -G ossec apache
  2. "Unable to retrieve alerts". Ensure that your web server is able to open the alerts file. This issue is two-fold: firstly ensure that the web server has permission to open the file, and secondly that the fopen command is enabled in PHP.
    1. safe_mode Off
    2. safe_mode_gid On
  3. These two are not so much errors as warnings that will annoy your syslog server, depending on your PHP configuration.
    1. PHP Warning:  shell_exec() has been disabled for security reasons - This is because of a uname -a query in the /var/www/html/ossec-wui/lib/os_lib_agent.php script;
      1. //$agent_list[$agent_count]{'os'} = `uname -a`;
      2. $agent_list[$agent_count]{'os'} = "Linux";
    2. PHP Warning:  fseek() expects parameter 3 to be long - This may be a simple programming error in the /var/www/html/ossec-wui/lib/os_lib_alerts.php
      1. //fseek($fp, $seek_place, "SEEK_SET");
      2. fseek($fp, $seek_place );
References:

10/29/2011

Installing Snort 2.9.1.2 on CentOS 5.7

CentOS 5.7 ships an older version of libpcap (0.9.4), but Snort's Data Acquisition Library (daq) needs a newer version of libpcap (>=1.0.0). This is not an issue with CentOS 6.0. Vishesh Kumar [1] provides excellent instructions for getting Snort 2.9 to run on RHEL 5 (http://www.linuxmantra.com/2010/10/install-snort-29-on-rhel-5.html). The purpose of this post is not to duplicate his efforts, but to extend them slightly into instructions for a complete Snort set-up.
  1. libpcap - http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz [3]
  2. daq : http://www.snort.org/downloads/1221 [2]
  3. snort : http://www.snort.org/downloads/1207 [2]
Download and install the libraries and software as per the instructions below:
      1. Enable the Extra Packaged for Enterprise Linux (EPEL) repository to enable the installation of additional packages not available under the standard repositories
        1. rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
        2. yum -y update
        3. yum -y upgrade
      2. Install developments to compile the libraries and source code, and additional libraries and header files that are required later on
        1. yum -y groupinstall 'Development Tools'
        2. yum -y install pcre-devel
        3. yum -y install libdnet-devel
        4. yum -y install zlib-devel
        5. yum -y install mysql mysql-server mysql-devel mysql-bench
      3. Download, compile and install libpcap
        1. wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
        2. cd libpcap-1.1.1
        3. ./configure --prefix=/usr
        4. make && make install
      4. Download, compile and install daq
        1. wget http://www.snort.org/downloads/1221 -O daq-0.6.2.tar.gz
        2. cd daq-0.6.2
        3. ./configure
        4. make && make install
      5. Download, compile and install snort
        1. wget http://www.snort.org/downloads/1207 -O snort-2.9.1.2.tar.gz
        2. cd snort-2.9.1.2
        3. ./configure --with-mysql
        4. make && make install
      6. Download, compile and install Barnyard2
        1. wget --no-check-certificate https://github.com/firnsy/barnyard2/tarball/master -O firnsy-barnyard2-405761e.tar.gz
        2. tar zxvf firnsy-barnyard2-405761e.tar.gz
        3. cd firnsy-barnyard2-405761e
        4. ./autogen.sh
        5. ./configure --with-mysql
        6. make && make install
      7. Create the snort database on the mysql enginer
        1. mysqladmin -u root -p create snort
        2. mysql -u root -p -D snort < schemas/create_mysql
        3. mysql -u root -p
          1. GRANT CREATE,INSERT ON root.* TO snort@localhost IDENTIFIED BY 'PASSWORD';
          2. GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort@localhost IDENTIFIED BY 'PASSWORD';
      8. To get the current registered user rules, you need to sign up and obtain an Oinkcode. The Oinkcode will be used for downloading the rules and used with pulledpork.
        1. Sign in or request an account from https://www.snort.org/login
        2. Get your oinkcode after signing in from https://www.snort.org/account/oinkcode
        3. cd etc
        4. wget http://www.snort.org/reg-rules/snortrules-snapshot-.tar.gz/OINKCODE -O snortrules-snapshot-LATEST.tar.gz
        5. tar zxvf snortrules-snapshot-LATEST.tar.gz
      9. Setup the configuration and rules files for snort
        1. mkdir -p /etc/snort
        2. mv -f etc/* .
        3. rmdir etc/
        4. mv snortrules-snapshot-LATEST.tar.gz ../../
        5. rm -f Makefile Makefile.am Makefile.in
        6. cp -rf * /etc/snort/
      10. Edit the snort configuration
        1. vi /etc/snort/snort.conf
          1. ipvar HOME_NET
          2. var RULE_PATH rules
          3. var SO_RULE_PATH so_rules
          4. var PREPROC_RULE_PATH preproc_rules
          5. output database: log, mysql, user=snort password=PASSWORD dbname=snort host=localhost
          6. output alert_syslog: LOG_LOCAL6 LOG_ALERT
      11. Edit the syslog.conf file to log alerts to separate file and restart the syslog daemon
        1. Include the line in syslog.conf "local6.*        /var/log/snort/alerts.log"
        2. /etc/rc.d/init.d/syslog restart
      12. Test the snort installation, and set-up environment to run snort if all OK
        1. snort -c /etc/snort/snort.conf -T
        2. useradd -G snort snort -s /bin/false
        3. chown -R root:snort /var/log/snort
        4. chmod -R g+w /var/log/snort
      13. Configure barnyard [4]
        1. mkdir -p /var/log/barnyard2
        2. chmod 666 /var/log/barnyard2
        3. touch /var/log/snort/barnyard2.waldo
        4. cp etc/barnyard2.conf /etc/snort/
        5. Edit the /etc/snort/barnyard2.conf
          1. output database: log, mysql, user=snort password= dbname=snort host=localhost
          2. config hostname:   localhost
          3. config interface:  eth0
      14. You can get snort to start automatically by writing a custom script to start/stop/restart the daemon, or simply by kicking it off when the machine boots. Edit the rc.local file and put the following in:
        1. /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
        2. /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
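With step 11 in place, every alert also lands in /var/log/snort/alerts.log through the local6 facility, which makes a quick command-line triage possible without BASE or MySQL. The following is an added example, not part of the original post or of the Snort project: an awk summariser that groups the syslog-format alert lines by SID, counts them and counts distinct source hosts. The log lines it runs on are constructed (local-rule SIDs in the 1000000 range and documentation addresses), and the sshd line is there only to show that unrelated syslog noise is skipped.

```shell
# Constructed sample of /var/log/snort/alerts.log as written by alert_syslog
# (made-up local-rule SIDs and documentation addresses, not real alerts).
# The sshd line shows that unrelated local6/syslog noise is ignored.
SNORT_SYSLOG_SAMPLE='Feb 28 10:15:22 sensor snort[2211]: [1:1000001:1] LOCAL test probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40112 -> 192.0.2.10:22
Feb 28 10:15:23 sensor snort[2211]: [1:1000001:1] LOCAL test probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40113 -> 192.0.2.10:23
Feb 28 10:16:01 sensor snort[2211]: [1:1000002:3] LOCAL web scanner UA [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:51000 -> 192.0.2.10:80
Feb 28 10:16:05 sensor snort[2211]: [1:1000001:1] LOCAL test probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51001 -> 192.0.2.10:22
Feb 28 10:16:09 sensor sshd[2300]: Accepted publickey for admin from 192.0.2.2 port 50000 ssh2'

# snort_alert_summary LOGTEXT
# Prints one line per signature: count, SID, message, priority and the number of
# distinct source hosts, most frequent signature first.
snort_alert_summary() {
  printf '%s\n' "$1" | awk '
    # only lines logged by the snort process that carry a [gid:sid:rev] tag
    / snort\[[0-9]+]: \[[0-9]+:[0-9]+:[0-9]+] / {
      s = index($0, "]: [") + 4            # first character of gid:sid:rev
      e = index(substr($0, s), "]")        # length of that tag plus one
      split(substr($0, s, e - 1), tag, ":")
      sid = tag[2]
      rest = substr($0, s + e + 1)         # message text onwards
      cpos = index(rest, " [Classification")
      msg = cpos ? substr(rest, 1, cpos - 1) : rest
      pri = "?"
      if (match($0, /\[Priority: [0-9]+]/))
        pri = substr($0, RSTART + 11, RLENGTH - 12)
      src = $(NF - 2); sub(/:[0-9]+$/, "", src)   # strip the source port
      count[sid]++; name[sid] = msg; prio[sid] = pri
      if (!((sid, src) in seen)) { seen[sid, src] = 1; nsrc[sid]++ }
    }
    END {
      for (sid in count)
        printf "%d\t%s\t%s\tpriority=%s\tsources=%d\n", count[sid], sid, name[sid], prio[sid], nsrc[sid]
    }' | sort -rn
}

# Demonstration on the constructed sample
snort_alert_summary "$SNORT_SYSLOG_SAMPLE"
```

Against the live file, run `snort_alert_summary "$(cat /var/log/snort/alerts.log)"`. Counting distinct sources per SID alongside the raw count is what separates a broad scan (many sources, one SID) from a single noisy host, which is usually the first question when an alert count spikes.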
      Common Errors:
      1. ERROR: parser.c(5261) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
        Fatal Error, Quitting..
        1. mkdir -p /usr/local/lib/snort_dynamicrules
        2. cp /etc/snort/so_rules/precompiled/DIST/i386/2.9.0.0/* /usr/local/lib/snort_dynamicrules/
      2. ERROR: /etc/snort/rules/web-misc.rules(555) Cannot use the fast_pattern content modifier for a lone http cookie/http raw uri /http raw header /http raw cookie /status code / status msg /http method buffer content.
        Fatal Error, Quitting..
        1. The fast_pattern option cannot be used with the http_method string. Edit the web-misc.rules file and remove it from the snort rule. Do a search for "2010-0388" and remove the alert option fast_pattern from the alert rule.
      3. ERROR: /etc/snort/snort.conf(244) => 'compress_depth' and 'decompress_depth' should be set to max in the default policy to enable 'unlimited_decompress'
        Fatal Error, Quitting..
        1. Edit the /etc/snort/snort.conf file and set the http_inspect compress_depth and decompress_depth to 65535 from 20480.
      4. ERROR: ByteExtract variable 'bugtraq' in rule [3:13897] is used before it is defined
        1. Ensure that the shared libraries copied above using "cp /etc/snort/so_rules/precompiled/DIST/i386/2.9.0.0/* /usr/local/lib/snort_dynamicrules/" are for the correct distribution
        2. Ensure that the rules being used are for the version of snort being used.
      Please note: 
      1. These instructions are for 32-bit hardware; for 64-bit machines you will need to select the appropriate 64-bit RPM packages or configure and compile with the appropriate compiler switches. These are considered beyond the scope of this post.
      2. All instructions are executed with root privileges.
      References:
      1. http://www.linuxmantra.com/2010/10/install-snort-29-on-rhel-5.html
      2. http://www.snort.org/snort-downloads?
      3. http://www.tcpdump.org/#latest-release
      4. http://www.snort.org/assets/145/Install_Snort_2.8.6_on_CentOS_5.5.pdf

      10/26/2011

      Gnu Screen

      Running some experiments on a VM server I rapidly ran out of patience having to wait for commands to run, and/or switching back and forth using Ctrl+Z, bg, and fg. My thoughts went back to Nick Black who had introduced me to Gnu Screen several years back; alas, I had forgotten the shortcuts. Thankfully Google and the man page came to the rescue.

      Since the VM server was a CentOS 6.0 box with a minimal install, I had to install Gnu Screen using:

      1. yum -y install screen
      Here's a summary of the shortcuts that may be useful:
      • Ctrl+A, c : create a new screen
      • Ctrl+A, A : set a name for the screen instead of the default shell name (bash)
      • Ctrl+A, " : lists the screens available
      • Ctrl+A, n : toggle to next screen
      • Ctrl+A, p : toggle to previous screen
      References:
      1. http://www.gnu.org/s/screen/

      12/03/2010

      iCTF - UCSB International Capture The Flag

      I was fortunate enough to be invited to join the QUT iCTF team. The objective of the contest is to ensure that a set of required services remain available and uncompromised. In preparation for this task, I decided to set up a dedicated laptop for the contest. It would have been far easier to install a distribution such as BackTrack, but I decided to take the painful path.

      First, a friend sold me his old laptop, which was far better than my current notebook. It was a Sony VAIO SZ34GP. I installed CentOS 5.5 on this notebook, just a base install with development libraries and tools. The instructions below provide a brief list of tools and their associated configurations. 

      Repositories
      There's a need to set up some additional repositories for CentOS to enable the installation of additional third-party applications. For more information refer to the References section.

      1. sudo bash
      2. cd /etc/yum.repos.d/
      3. wget -q -O - http://www.atomicorp.com/installers/atomic |sh
      4. wget http://dries.eu/pub/dries-el.repo
      5. wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
      6. rpm -ivh rpmforge-release-0.5.1-1.el5.rf.i386.rpm
      7. yum update
      Installation

      Install tools to be used for the competition. Most of the tools are penetration testing tools I have used in the past. I made a point of installing the development libraries and tools during the CentOS installation. This would be useful for developing and testing possible exploits.

      1. sudo yum -y install nmap
      2. sudo yum -y install amap
      3. sudo yum -y install hydra
      4. sudo yum -y install aide
      5. sudo yum -y install snort
      6. sudo yum -y install nikto
      7. sudo yum -y install ntop
      8. sudo yum -y install fail2ban
      9. sudo yum -y install tcptrack
      10. sudo yum -y install dsniff
      11. sudo yum -y install ngrep
      12. sudo yum -y install fragroute
      13. sudo yum -y install hping
      14. sudo yum -y install scapy
      15. sudo yum -y install tcptraceroute
      16. sudo yum -y install firewalk
      17. sudo yum -y install iptraf
      18. sudo yum -y install kismet
      19. sudo yum -y install ettercap
      ChaosReader
      1. Download latest version from source forge (http://chaosreader.sourceforge.net)
      2. sudo mkdir -p /opt/chaosreader
      3. sudo cp chaosreader0.94 /opt/chaosreader/
      4. sudo chmod 755 /opt/chaosreader/chaosreader0.94
      5. sudo ln -s /opt/chaosreader/chaosreader0.94 /usr/local/bin/
      John the Ripper
      1. wget http://www.openwall.com/john/g/john-1.7.6.tar.gz
      2. tar zxvf john-1.7.6.tar.gz
      3. cd john-1.7.6
      4. cd src
      5. make clean linux-x86-any
      6. sudo mv ../run /opt/john-1.7.6
      7. sudo chown -R root:root /opt/john-1.7.6
      8. sudo mv /opt/john-1.7.6/john.conf /opt/john-1.7.6/john.ini
      9. sudo ln -s /opt/john-1.7.6/john /usr/local/sbin/
      10. sudo ln -s /opt/john-1.7.6/john.ini /usr/local/sbin/
      OpenVAS
      1. sudo yum -y install openvas-server openvas-client openvas-scanner
      2. sudo openvas-mkcert
      3. sudo /usr/sbin/openvas-nvt-sync # Add as a cron job - refer to OpenVAS documentation
      4. sudo /etc/rc.d/init.d/openvas-scanner restart
      5. sudo /usr/sbin/openvas-adduser # Add rules "default accept" if unsure
      Skipfish
      1. wget http://skipfish.googlecode.com/files/skipfish-1.81b.tgz
      2. tar zxvf skipfish-1.81b.tgz
      3. sudo mv skipfish-1.81b /opt/
      4. sudo ln -s /opt/skipfish-1.81b/skipfish /usr/local/sbin/
      5. sudo ln -s /opt/skipfish-1.81b/sfscandiff /usr/local/sbin/
      6. sudo chown -R root:root /opt/skipfish-1.81b
      VMWare Server
      1. Download the latest VMWare Server, at the time of this blog it was version 2.0.2
      2. tar zxvf VMware-server-2.0.2-203138.i386.tar.gz
      3. cd vmware-server-distrib
      4. sudo ./vmware-install.pl
      References:

      1. http://ictf.cs.ucsb.edu/
      2. http://rpmrepo.org/RPMforge
      3. http://www.backtrack-linux.org/
      4. http://wiki.centos.org/AdditionalResources/Repositories
      5. http://www.openvas.org/
      6. http://www.alienvault.com/free_nessus_feed.php
      7. http://www.hacktoolrepository.com/

      11/12/2010

      Fake ARP Daemon

      The Fake ARP Daemon, or FARPD, provides the implementation of a fake ARP daemon for use with HoneyD. It responds to ARP requests for IP addresses modelled using HoneyD with a specific interface MAC address. FARPD is required to set up HoneyD networks on the test bed. However, it was initially developed for the BSD platform; as a result, installation on SysV systems needs a bit of work if compiling from a source tarball.


      1. wget http://farpd.sourcearchive.com/downloads/0.2-10/farpd_0.2.orig.tar.gz
      2. wget http://farpd.sourcearchive.com/downloads/0.2-10/farpd_0.2-10.diff.gz
      3. tar zxvf farpd_0.2.orig.tar.gz
      4. gunzip farpd_0.2-10.diff.gz
      5. cd farpd-0.2
      6. patch -p1 < ../farpd_0.2-10.diff
      7. mkdir -p /usr/lib/bin
      8. ln -s /usr/bin/dnet-config /usr/lib/bin/dnet-config
      9. ln -s /usr/bin/dnet-config /usr/lib/bin/dumbnet-config
      10. ./configure --with-libdumbnet=/usr/lib --with-libevent=/usr
      11. ln -s /usr/include/dnet.h /usr/include/dumbnet.h
      12. make
      13. sudo make install
      Actual unpublished research project can be found at http://eprints.qut.edu.au/39098/

      7/27/2010

      Yum via a proxy

      In case you need to force yum on a Red Hat or CentOS system through a proxy that requires authentication, the quickest way I found was to set the following environment variable, e.g. exported from .bash_profile or the like:
      export http_proxy=http://username:password@proxy_server:proxy_port
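The one thing that regularly breaks this one-liner is a password (or username) containing characters such as `@`, `:` or `/`, which yum then parses as part of the host or path rather than the credentials. The helper below is an added example, not from the original post: it percent-encodes the credentials per RFC 3986 and assembles the URL. The user, password, host and port values are constructed placeholders.

```shell
# Percent-encode a string so it can sit in the userinfo part of a URL.
# RFC 3986 unreserved characters pass through; everything else becomes %XX.
# ASCII input without newlines is assumed; multibyte characters are out of scope.
urlencode() {
  s=$1; out=""; i=1; n=${#s}
  while [ "$i" -le "$n" ]; do
    c=$(printf '%s' "$s" | cut -c "$i")
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" gives the character code
    esac
    i=$((i + 1))
  done
  printf '%s' "$out"
}

# proxy_url USER PASSWORD HOST PORT
# Builds the http_proxy value yum (and curl/wget) expect, with encoded credentials.
proxy_url() {
  printf 'http://%s:%s@%s:%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4"
}

# Demonstration with constructed values: the "@" and ":" in the password are
# encoded so they cannot be mistaken for the host separator.
http_proxy=$(proxy_url 'alice' 'p@ss:w/rd' 'proxy.example.com' '3128')
export http_proxy
printf '%s\n' "$http_proxy"
```

If you would rather not carry the password in every shell's environment, yum.conf also accepts `proxy=`, `proxy_username=` and `proxy_password=` directly, which keeps the credential in a root-readable file rather than in a profile script.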

      2/28/2010

      Snort sniff honk !

      Snort is an open source intrusion detection system (IDS). It's highly configurable and can be run in a number of modes and architectures, and there is a small number of freely available rules to use. For more information refer to the Snort home page http://www.snort.org/. Here are some instructions on getting it set up on CentOS; these were adapted from the Snort documentation by Patrick Harper at http://assets.sourcefire.com/snort/setupguides/Snort_Base_Minimal.pdf:

      1. yum install mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++ php php-pear libpcap-devel
      2. vi /etc/httpd/conf/httpd.conf #Edit the httpd.conf file to suit
      3. /etc/rc.d/init.d/httpd start
      4. /etc/rc.d/init.d/mysqld restart
      5. /usr/bin/mysql_secure_installation
      6. cd /root
      7. mkdir snortinstall
      8. cd snortinstall
      9. wget http://dl.snort.org/snort-current/snort-2.8.5.3.tar.gz
      10. tar zxvf snort-2.8.5.3.tar.gz
      11. cd snort-2.8.5.3
      12. ./configure --with-mysql --enable-dynamicplugin # Fingers crossed it all goes well
      13. make
      14. make install
      15. /usr/sbin/groupadd snort
      16. /usr/sbin/useradd -g snort snort -s /sbin/nologin
      17. mkdir -p /etc/snort/rules
      18. mkdir -p /var/log/snort
      19. cd /root/snortinstall/snort-2.8.5.3/etc
      20. cp ./* /etc/snort/
      21. cd /root/snortinstall
      22. wget http://www.emergingthreats.net/rules/emerging.rules.tar.gz
      23. tar zxvf emerging.rules.tar.gz
      24. cd rules
      25. cp ./* /etc/snort/rules/
      26. vi /etc/snort/snort.conf # Edit the snort.conf file to suit
      27. /etc/rc.d/init.d/mysqld start
      28. mysql -u root -p mysql # Create the snort database and snort database user and set permissions
      29. cd  /root/snortinstall/snort-2.8.5.3/schemas
      30. mysql -u snort -p snort < create_mysql
      31. pear install -a Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
      32. cd /root/snortinstall/
      33. wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-510-for-php5/adodb510.tgz?use_mirror=transact
      34. wget http://downloads.sourceforge.net/project/secureideas/BASE/base-1.4.4/base-1.4.4.tar.gz?use_mirror=transact
      35. cd /var/www
      36. tar zxvf /root/snortinstall/adodb510.tgz
      37. mv adodb5/ adodb
      38. cd /var/www/html/
      39. tar zxvf /root/snortinstall/base-1.4.4.tar.gz
      40. mv base-1.4.4/ base
      41. cd base
      42. cp base_conf.php.dist base_conf.php
      43. vi base_conf.php # Edit the file to suit
      44. # Load http://SERVERNAME/base in a browser and click on the setup link
      45. # Click on Create BASE AG button
      46. # Click on the Main Page link
      SQL
      1. create database snort;
      2. create user 'snort'@'localhost' identified by '';
      3. grant create, insert, select, delete, update on snort.* to snort@localhost;
      4. grant create, insert, select, delete, update on snort.* to snort;

        2/21/2010

        Timing is everything...

        Having the correct clock timestamp is very important for logging, maintenance, troubleshooting and even forensic analysis. Timing provides a very important frame of reference for network devices, such as hosts, routers and switches. It would be almost impossible to construct a reliable model of an environment without having a standard and accurate frame of reference, thus timing is everything...

        The Hardening Cisco Routers book provides a good reference for the importance of Network Time Protocol (NTP), and can be found at http://oreilly.com/catalog/hardcisco/chapter/ch10.html. NTP is a very popular way to synchronise system clocks with a central trusted server. Here's a rough guide to getting NTP running on a Linux server:

        1. sudo yum install ntp # Install the NTP client
        2. sudo vi /etc/ntp.conf # Edit the configuration file to use the nearest server pool. Refer to www.ntp.org to get the pools.
        3. sudo mv /etc/localtime /etc/localtime~ # Back up the localtime file
        4. sudo ln -s /usr/share/zoneinfo// /etc/localtime # Ensure that the correct localtime file is set for your city
        5. sudo ntpdate # Set the date using NTP using the pool specified*
        6. sudo /etc/rc.d/init.d/ntpd start # Start the NTP client daemon (the CentOS init script is named ntpd)
        7. ntpstat # Check that the system clock is synchronised
        8. date # Check that the system date is set correctly
        9. sudo hwclock -w # Set the hardware clock to the system date
        *Note: Ensure that the host allows traffic on port 123 for the NTP protocol to work.
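Step 7 relies on eyeballing ntpstat; for a cron job or a monitoring check you want something that returns a status instead. The following is an added example, not from the original post: it reads an `ntpq -p` peer table and exits 0 only when a system peer has been selected (the `*` in column one) and its offset is within a threshold, distinguishing "no peer reachable" (what you see when UDP/123 is blocked, as the note above warns) from "peer reachable but the clock has drifted". The three peer tables are constructed, not captured from a real host.

```shell
# Constructed ntpq -p output: a selected peer ("*"), reachable (reach 377),
# within 1 ms of the server.
NTPQ_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.co 203.0.113.5      2 u   64  128  377    1.234   -0.512   0.210
+ntp2.example.co 203.0.113.6      2 u   32  128  377    2.100    1.875   0.330'

# Constructed: a peer is selected but the local clock is 250 ms off.
NTPQ_DRIFTED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.co 203.0.113.5      2 u   64  128  377    1.234  250.418   0.210'

# Constructed: no peer selected, reach 0, as seen when UDP/123 never gets through.
NTPQ_BLOCKED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.co .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_sync_status PEER_TABLE MAX_OFFSET_MS
# Exit 0 when a system peer is selected and |offset| <= MAX_OFFSET_MS,
# 1 when a peer is selected but the offset is too large,
# 2 when no peer is selected at all.
ntp_sync_status() {
  printf '%s\n' "$1" | awk -v max="$2" '
    /^\*/ {
      selected = 1
      peer = substr($1, 2)            # drop the "*" tally mark
      off = $9 + 0                    # offset column, in milliseconds
      if (off < 0) off = -off
      if (off <= max) ok = 1
    }
    END {
      if (!selected) { print "no selected peer (check reach and that UDP/123 is allowed)"; exit 2 }
      if (!ok)       { print "peer " peer " selected but offset " off " ms exceeds " max " ms"; exit 1 }
      print "synchronised with " peer ", offset " off " ms"; exit 0
    }'
}

# Demonstration with the constructed tables; on a live host use: ntp_sync_status "$(ntpq -p)" 100
ntp_sync_status "$NTPQ_SYNCED" 100
ntp_sync_status "$NTPQ_DRIFTED" 100 || echo "check failed with status $?"
ntp_sync_status "$NTPQ_BLOCKED" 100 || echo "check failed with status $?"
```

The threshold is deliberately a parameter: 100 ms is generous for a LAN, but a host that only has internet pool servers across a congested link will legitimately sit higher, and a check that flaps is a check that gets ignored.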