Friday, April 25, 2008

Snort installation steps

Purpose: Snort is an IDS. I installed it to detect abnormal behaviour inside the company network, whether it comes from a hacker, a virus, a trojan or a user.
OS: Linux RedHat FC 8
Software: Snort v2.8.1 + Barnyard v0.2.0 + BASE v1.3.9

★Start the Apache service
# chkconfig httpd on
# service httpd start
Then open http://yourhostip/ in a browser.

★Install the related packages
# yum -y install mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++ libpcap-devel php php-pear yum-utils
For a full system package update, run yum -y update (it will pull in a great many packages).

★Create the installation folder
# cd /root
# mkdir snortinstall
# cd snortinstall

★Snort install
# wget http://snort.org/dl/current/snort-2.8.1.tar.gz
# tar -zxvf snort-2.8.1.tar.gz
# cd snort-2.8.1
# ./configure --with-mysql --enable-dynamicplugin
# make
# make install
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort
# cd /root/snortinstall/snort-2.8.1/etc/
# cp * /etc/snort
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
# cd /root/snortinstall
Go to http://www.snort.org and register.
Once registered you can download: Sourcefire VRT Certified Rules (registered user release)
Click to download snortrules-snapshot-2.8.tar.gz
After downloading, transfer the file to /root/snortinstall on the Snort server.
# tar -zxvf snortrules-snapshot-2.8.tar.gz
# cd /root/snortinstall/rules
# cp * /etc/snort/rules
# vi /etc/snort/snort.conf
Change the following:
var HOME_NET 10.0.0.0/8 (HOME_NET: the internal network range)
var EXTERNAL_NET !$HOME_NET (EXTERNAL_NET: the external network range; with this setting, anything not internal counts as external)
var RULE_PATH /etc/snort/rules
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
Save the file.
# cd /etc/rc.d/init.d
# wget http://internetsecurityguru.com/snortinit/snort
# chmod 755 snort
# chkconfig snort on
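As an added illustration (not code from this post), the following Python resolves the HOME_NET and EXTERNAL_NET variables the way Snort reads them, so you can check which side of the line a given address falls on. The snort.conf fragment is constructed from the values above; the "any" case shows the common misconfiguration that the "!$HOME_NET" setting avoids, where internal hosts also match EXTERNAL_NET and rules fire on internal-to-internal traffic.

```python
import ipaddress
import re

# Constructed snort.conf fragment using the values from this post (sample input, not a real file).
SNORT_CONF = """\
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET !$HOME_NET
"""

def parse_vars(conf_text):
    """Collect every 'var NAME VALUE' line into a dict."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def resolve(value, variables):
    """Expand $NAME references and return (negated, [networks])."""
    negated = value.startswith("!")
    value = value.lstrip("!")
    if value.startswith("$"):                     # reference to another var, e.g. !$HOME_NET
        inner_negated, nets = resolve(variables[value[1:]], variables)
        return negated != inner_negated, nets      # double negation cancels out
    if value == "any":                            # Snort keyword: every address
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    nets = [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.strip("[]").split(",")]
    return negated, nets

def matches(ip, value, variables):
    """True if ip is covered by the Snort variable value, honouring '!' negation."""
    negated, nets = resolve(value, variables)
    addr = ipaddress.ip_address(ip)
    inside = any(addr in net for net in nets)
    return inside != negated

def classify(ip, conf_text=SNORT_CONF):
    """Say whether ip counts as HOME_NET, EXTERNAL_NET, both or neither under this config."""
    variables = parse_vars(conf_text)
    home = matches(ip, variables["HOME_NET"], variables)
    external = matches(ip, variables["EXTERNAL_NET"], variables)
    if home and external:
        return "both"   # happens with 'var EXTERNAL_NET any': internal hosts also match external rules
    if home:
        return "HOME_NET"
    return "EXTERNAL_NET" if external else "neither"
```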

★Set up MySQL
# chkconfig mysqld on
# service mysqld start
# mysql
mysql> set password for root@localhost=password('snort');
mysql> create database snort;
mysql> grant insert,select on root.* to snort@localhost;
mysql> set password for snort@localhost=password('snort');
mysql> grant create,insert,select,delete,update on snort.* to snort@localhost;
mysql> grant create,insert,select,delete,update on snort.* to snort;
mysql> exit

★barnyard install
# cd /root/snortinstall
# wget http://snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
# tar -zxvf barnyard-0.2.0.tar.gz
# cd barnyard-0.2.0
# ./configure --enable-mysql
# make
# make install
# cd /root/snortinstall/barnyard-0.2.0/etc/
# cp barnyard.conf /etc/snort
# vi /etc/snort/barnyard.conf
Change the following:
config daemon
config hostname: ATT1IDS
config interface: eth0
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password snort
output log_acid_db: mysql, database snort, server localhost, user root, password snort, detail full
Save the file, then start snort to test it:
# snort -c /etc/snort/snort.conf
If it stops at "Not Using PCAP_FRAMES" and sits there, it is running normally; press Ctrl+C to interrupt it.
# ls -l /var/log/snort
There should be two files, something like:
snort.alert.1209025984
snort.log.1209025984
# cd /etc/rc.d/init.d
# wget http://www.internetsecurityguru.com/barnyard
# chmod 755 barnyard
# chkconfig barnyard on
# service barnyard start

★BASE install
# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
# cd /root/snortinstall
# wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb504a.tgz
# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz
# cd /var/www
# tar -zxvf /root/snortinstall/adodb504a.tgz
# mv adodb5 adodb
# cd /var/www/html
# tar -zxvf /root/snortinstall/base-1.3.9.tar.gz
# mv base-1.3.9 base
# cd /var/www/html/base
# cp base_conf.php.dist base_conf.php
# vi base_conf.php
Change the following:
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "password_from_snort_conf"; // replace with the password set for snort@localhost in the MySQL step
/* Archive DB connection parameters */
$archive_exists = 0; # Set this to 1 if you have an archive DB
Save the file.
# service snort start
Open a browser (IE) and test https://YourHostIP/base
Click the “setup page” link
Click the "Create BASE AG" button
If it succeeds, a series of red success messages appears.
Go to the "Main page" to view the results.
Snort installation complete!

★Securing the BASE directory:
# mkdir /var/www/passwords
# /usr/bin/htpasswd -c /var/www/passwords/passwords admin
This creates the account admin and prompts you for its password.
# vi /etc/httpd/conf/httpd.conf
Find the section that begins as follows (the <Directory "/var/www/html"> tag is assumed here; the original post rendered it as an empty "<>"):
<Directory "/var/www/html">
Options FollowSymLinks
AllowOverride None

Add a block for /var/www/html/base (the Directory tags were likewise lost in the original and are restored here):

<Directory "/var/www/html/base">
AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/www/passwords/passwords
Require user admin
</Directory>

Save the file, then restart Apache:
# service httpd restart

★Set up e-mail alarm notification (optional)
# vi /etc/aliases
Change the following (enter the administrator's mailbox):
# Person who should get root's mail
root: me@mydomain.com
Save the file and run newaliases:
# newaliases
(Edit /usr/share/logwatch/default.conf/logwatch.conf to change the mail detail level.)

★NTOP install (not yet tested)
# yum install ntop

★Two-NIC configuration
sniffing interface: eth0
management interface: eth1

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
Change the following:
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0D:60:A8:9D:1D
ONBOOT=yes
TYPE=Ethernet

# vi /etc/sysconfig/network-scripts/ifcfg-eth1
Change the following:
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
HWADDR=00:04:75:83:fe:62
TYPE=Ethernet
HOSTNAME=ATT1IDS.att.amkor.com
IPADDR=10.1.1.50
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=yes
GATEWAY=10.1.1.254
IPV6INIT=no

Monday, April 21, 2008

IP conflict handling steps

The thing network admins hate most is a user who sets a static IP on their own and then conflicts with a DHCP client. Such a user obviously has to be found and made to pay for it.

★Symptom of the IP conflict: the DHCP client's network connection works only intermittently
(DHCP Client MAC address: 00-11-25-4B-96-F8)
(DHCP Client IP address: 10.1.1.99)

★Confirmation: check the core switch's ARP table (mind the format, and use lowercase)
Core#show arp | include 10.1.1.99
Internet 10.1.1.99 7 0800.3712.f2ad ARPA Vlan36
The MAC for that IP differs from the DHCP client's MAC, so the IP conflict is confirmed.

★Helper tool: use a MAC address lookup site to find out which company made the NIC with that MAC address; it helps guess which brand of machine you are looking for.
MAC address lookup(http://www.coffer.com/mac_find/)

★Find it (the beast):
Step 1: Start tracing from the core switch
Core>show mac-address-table address 0800.3712.f2ad
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
36 0800.3712.f2ad dynamic ip,ipx,other GigabitEthernet4/1

Step 2: The source is G4/1; now check whether G4/1 leads to a network device:
Core>show cdp neighbors
SWITCH3524-2 Gig 4/1 129 T S WS-C3524-XGig0/1
This shows the source is a 3524, coming in on its G0/1.

Step 3: Connect to that 3524 and keep tracing the same way as Steps 1-2, working downward until the source is no longer a switch.

Step 4: If your company manages users by port, you can identify the user at this point. If not, go to the server room, check which wall-jack number that port is patched to, and use the cabling map to find the user's seat; then go and warn them.

Step 5: If your company's jack numbering is unreliable or simply does not exist, and there is no way to find the cable in the sea of wires in the server room, then... you can make the user come to you: pull the cable, shut the port down, or lock the port to a MAC, and they will come looking for you.

Step 6: After the IP conflict is resolved, the stale entry stays in the core switch's ARP table for a while. To clear that incorrect ARP entry immediately, use:
Core#clear ip arp 10.1.1.99
(Be careful not to clear the core switch's entire ARP table; that causes a brief network-wide outage.)
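As an added example (not part of the original post), this Python does the confirmation check and the Step 1 lookup above on constructed sample output: it normalises the Windows-style MAC to the lowercase dotted form IOS uses (the format caveat above), compares it with the ARP entry for the conflicting IP, and pulls the learned port out of the mac-address-table row.

```python
import re

# Constructed sample data in the shape shown in this post (not a live capture).
DHCP_CLIENT_MAC = "00-11-25-4B-96-F8"   # as reported by the Windows client
ARP_ROW = "Internet  10.1.1.99  7  0800.3712.f2ad  ARPA  Vlan36"   # show arp | include 10.1.1.99
MAC_TABLE = """\
vlan   mac address       type      protocols            port
-------+---------------+--------+---------------------+--------------------
  36   0800.3712.f2ad   dynamic  ip,ipx,other          GigabitEthernet4/1
"""

def normalize_mac(mac):
    """Reduce 00-11-..., 00:11:... or 0011.2233.4455 to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def to_cisco(mac):
    """Render the dotted lowercase form that IOS 'show' commands expect."""
    d = normalize_mac(mac)
    return "%s.%s.%s" % (d[0:4], d[4:8], d[8:12])

def parse_arp_row(row):
    """Return (ip, mac, interface) from one 'show arp' row."""
    m = re.match(r"Internet\s+(\S+)\s+\S+\s+([0-9a-f.]+)\s+ARPA\s+(\S+)", row.strip())
    if not m:
        raise ValueError("unrecognised ARP row: %r" % row)
    return m.group(1), m.group(2), m.group(3)

def conflicting_mac(arp_row, dhcp_client_mac):
    """MAC currently answering for the IP if it is not the DHCP client's own, else None."""
    _ip, arp_mac, _iface = parse_arp_row(arp_row)
    if normalize_mac(arp_mac) == normalize_mac(dhcp_client_mac):
        return None        # ARP agrees with the DHCP client: no conflict
    return arp_mac

def port_for_mac(table_text, mac):
    """Port learned for mac in 'show mac-address-table address' output, or None."""
    wanted = to_cisco(mac)
    for line in table_text.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[1] == wanted:   # skip the header and separator lines
            return cols[-1]
    return None
```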

Tuesday, April 15, 2008

Ntop 3.3 installation steps

Purpose of deploying Ntop: this tool monitors network traffic by IP address and TCP/UDP port, so you can quickly find where a network slowdown is coming from. It is an essential tool for network administrators, and... it costs nothing.

Placement: it depends on where you want to monitor packets. Usually it sits between the LAN and the Internet, or between branch offices; you can also mirror a port's traffic to it from the core switch on demand, which is very convenient.

Version used: Ntop 3.3
OS: Linux Fedora Core 8 (two NICs needed: Monitor & Management)

Installation steps:
(Reference: http://forum.icst.org.tw/phpBB2/viewtopic.php?p=47187&sid=5c8f8f7004d72113238af02ee28657e5)

wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.2.27.tar.gz
# Don't use libtool-2.2.2.tar.gz; ntop's make will fail with it
wget http://ftp.gnu.org/gnu/libtool/libtool-1.5.tar.gz
wget http://ftp.gnu.org/gnu/automake/automake-1.9.6.tar.gz
wget http://ftp.gnu.org/gnu/autoconf/autoconf-2.62.tar.gz
# rrdtool needs libpcap-devel libpng-devel libart_lgpl-devel zlib-devel freetype-devel
# ntop needs libtool, automake, autoconf, gcc-c++ and gdbm-devel; automake needs autoconf
yum -y install gcc gcc-c++ httpd gdbm-devel libpcap-devel libpng-devel libart_lgpl-devel zlib-devel freetype-devel

tar -zvxf rrdtool-1.2.27.tar.gz
cd rrdtool-1.2.27
./configure
make
make install
cd ..

ln -s /usr/local/rrdtool-1.2.27/bin/rrdtool /usr/local/bin/rrdtool
ln -s /usr/local/rrdtool-1.2.27 /usr/local/rrdtool

tar -zxvf libtool-1.5.tar.gz
cd libtool-1.5
./configure
make
make install
cd ..

tar -zxvf autoconf-2.62.tar.gz
cd autoconf-2.62
./configure
make
make install
cd ..

tar -zxvf automake-1.9.6.tar.gz
cd automake-1.9.6
./configure
make
make install
cd ..

tar -zxvf ntop-3.3.tar.gz
cd ntop-3.3
./autogen.sh
make
make install

mkdir /usr/local/var/ntop/rrd

service httpd restart
chkconfig httpd on

ntop -A

http://YourHostIP:3000/

The ntop page should appear.

Then, on the core switch (Cisco 4510), mirror the packets to the Ntop server's monitor port:
3/1 PROXY
3/2 Firewall
3/48 NTOP
monitor session 1 source interface Gi3/1 , Gi3/2
monitor session 1 destination interface Gi3/48

Tuesday, April 1, 2008

ASA Firewall access rules for VPN client

★Cisco IPSec VPN client:
Default IPsec/UDP ports:
UDP port 500
UDP port 4500

★PPTP(Point-to-Point Tunneling Protocol) VPN client:
TCP port 1723
IP protocol 47(GRE)
Security Policy >> Service Policy Rules >> edit Global Policy >> Rule Actions >> Protocol Inspection >> tick PPTP and you're done.