
Debian 10: Snort and Tripwire installation

1. Snort installation

Install an IDS (Intrusion Detection System) to detect unauthorized access attempts against the server.
We will install Snort, the best-known open-source network IDS (NIDS).

1.1 Snort installation

①Install

# apt install snort

②Prepare to run Snort in NIDS mode.
Snort still has to be configured on the system: editing its configuration files, downloading the rules it matches traffic against, and running Snort in test mode to validate the result.
First refresh the shared-library cache (harmless after a package install, required if Snort or DAQ were built from source):

# ldconfig

1.2 Set up the user and directory structure

To run Snort without root privileges, create a dedicated unprivileged user and group for the daemon. (If the Debian package already created a snort user, these commands report that it exists and can be skipped.)

# groupadd snort
# useradd snort -r -s /usr/sbin/nologin -c SNORT_IDS -g snort
Then create the directory structure that holds the Snort configuration, rules and logs:
# mkdir -p /etc/snort/rules /var/log/snort /usr/lib/snort_dynamicrules

/etc/snort and /var/log/snort already exist after the package install (mkdir -p leaves them untouched); now set permissions and ownership.
# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/lib/snort_dynamicrules
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/lib/snort_dynamicrules
Mode 5775 (setuid, setgid, sticky, group-writable) is more than Snort needs: running as snort:snort it only has to read /etc/snort and /usr/lib/snort_dynamicrules and write /var/log/snort, so 750 on the directories and 640 on the files is sufficient if you prefer a tighter setup.
Create the rule files that snort.conf refers to (empty for now):
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules

1.3 Setting up detection rules

①Use the community rules

Download the community rule set
# wget https://www.snort.org/rules/community -O ~/community.tar.gz
Extract the rules and copy them into the rules directory
# tar -xvf ~/community.tar.gz -C ~/
# cp ~/community-rules/* /etc/snort/rules
The default snort.conf includes many rule files that the community package does not provide, and snort -T aborts on the first missing file. Comment all of those includes out; the ones you actually use are added back at the bottom of the file in 1.4.
# sed -i 's/include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf

②Get the registered-user rules
Register on the Snort website; your account details show an "oinkcode" that authorizes downloads of the registered-user rule set. The snapshot number in the URL (29130 below, i.e. Snort 2.9.13.0) must match the installed Snort version: check it with snort -V and pick the matching snapshot on the download page.
Replace <oinkcode> with your personal code in the following command (quote the URL so the shell does not treat the ? as a glob):

# wget "https://www.snort.org/downloads/registered/snortrules-snapshot-29130.tar.gz?oinkcode=<oinkcode>" -O ~/registered.tar.gz

Extract the rules into the configuration directory (the archive contains rules/, so_rules/, preproc_rules/ and etc/)
# tar -xvf ~/registered.tar.gz -C /etc/snort

1.4 Configure network sets and rule sets.

After deploying the configuration file and rule file, edit snort.conf.

# vi /etc/snort/snort.conf

Find the following section and change it as follows
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.82/32   ← 192.168.11.82 is the local IP of the server in this example; use your own address (or the subnet you want to protect)

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Scroll down to Step #6 and enable the unified2 output (uncomment the line if it is commented out).
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128

Scroll to the bottom of the file and make sure local.rules is included (the sed command in 1.3 commented it out).
include $RULE_PATH/local.rules

Add the community rules if you are using them
include $RULE_PATH/community.rules
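After editing the includes it is worth checking that every active include line in snort.conf resolves to a file that exists, because snort -T stops at the first missing one. The following shell script is an added example (not part of the original article): it expands the var RULE_PATH / SO_RULE_PATH / PREPROC_RULE_PATH definitions itself, lists every unresolvable include, and demonstrates the check on a constructed snort.conf in a temporary directory (the file names and paths in the demo are made up).

```shell
#!/bin/sh
# Added example: resolve every active "include" line in a snort.conf against the
# path variables it defines and report the ones whose file does not exist.

# snort_missing_includes CONF
# Prints each unresolvable include path (one per line) and returns 1 if any;
# prints nothing and returns 0 when every include resolves.
snort_missing_includes() {
    missing=$(
        awk '
            # "var NAME VALUE" defines a path variable (ipvar/portvar lines are not paths)
            /^[ \t]*var[ \t]+[A-Za-z_]+[ \t]+/ { vars[$2] = $3; next }
            # active include lines; a leading # means the include is commented out
            /^[ \t]*include[ \t]+/ {
                path = $2
                for (v in vars) {
                    sub("\\$" v, vars[v], path)          # $RULE_PATH/...
                    sub("\\$[{]" v "[}]", vars[v], path) # ${RULE_PATH}/...
                }
                print path
            }
        ' "$1" |
        while IFS= read -r path; do
            [ -e "$path" ] || printf '%s\n' "$path"
        done
    )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# demo_missing_includes: build a throwaway snort.conf and rules tree (constructed,
# in a temp dir) with one include that points at a file that does not exist,
# run the check on it and return its exit status.
demo_missing_includes() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/rules"
    : > "$tmp/rules/local.rules"
    : > "$tmp/rules/community.rules"
    cat > "$tmp/snort.conf" <<EOF
ipvar HOME_NET 192.168.11.82/32
var RULE_PATH $tmp/rules
var SO_RULE_PATH $tmp/so_rules
#include \$RULE_PATH/x11.rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/community.rules
include \${SO_RULE_PATH}/bad-traffic.rules
EOF
    snort_missing_includes "$tmp/snort.conf"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage on a real system: snort_missing_includes /etc/snort/snort.conf
if [ "${1:-}" = "--demo" ]; then
    demo_missing_includes
fi
```

In the demo only the so_rules include is reported: the commented-out x11.rules line is ignored and the two files under rules/ exist. Run the check before snort -T and fix or comment out whatever it lists.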

1.5 Verify the configuration

Run Snort in test mode: -T parses snort.conf and every included rule file, reports any error, and exits without capturing traffic.

# snort -T -c /etc/snort/snort.conf

The output of the configuration test ends with something like the following (the version line shows whichever build is installed)

--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.12 GRE (Build 325)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.8

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.0
Preprocessor Object: SF_POP Version 1.0
Preprocessor Object: SF_MODBUS Version 1.1
Preprocessor Object: SF_DNP3 Version 1.1
Preprocessor Object: SF_DNS Version 1.1
Preprocessor Object: SF_DCERPC2 Version 1.0
Preprocessor Object: appid Version 1.1
Preprocessor Object: SF_SSLPP Version 1.1
Preprocessor Object: SF_SSH Version 1.1
Preprocessor Object: SF_GTP Version 1.1
Preprocessor Object: SF_FTPTELNET Version 1.2
Preprocessor Object: SF_IMAP Version 1.0
Preprocessor Object: SF_SDF Version 1.1
Preprocessor Object: SF_SMTP Version 1.1
Preprocessor Object: SF_SIP Version 1.1
Preprocessor Object: SF_REPUTATION Version 1.1

Snort successfully validated the configuration!
Snort exiting

1.6 Testing the configuration

To check that Snort generates alerts, add a custom rule to local.rules that alerts on every ICMP packet sent to HOME_NET.

# vi /etc/snort/rules/local.rules

Add the following to the end of the file
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)

(sid values of 1000000 and above are reserved for local rules, so they never collide with the downloaded rule sets.)

Run Snort in console-alert mode on the interface that carries the traffic you want to inspect, i.e. the one configured with the server's IP address (eno1, eth0 and so on; ip -br link lists them):
# snort -A console -i <interface name> -u snort -g snort -c /etc/snort/snort.conf

Leave that command running and ping the server from another machine on the same network (a Windows PC, for example). One line like the following is printed for every ICMP packet; the two addresses are the pinging host and the server:
07/12-11:20:33.501624 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 83.136.252.118 -> 80.69.173.202

Once the alerts appear, press Ctrl+C to stop Snort.

Snort also writes each alert, together with the packet, to /var/log/snort/snort.log.<timestamp> in the unified2 format enabled in step #6. unified2 is a binary record format, not a pcap, so snort -r cannot read it; print it with u2spewfoo (installed with Snort), or convert it to pcap with u2boat if you want to replay it through snort -r.

# u2spewfoo /var/log/snort/snort.log.<timestamp>
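With -A console, Snort prints one alert_fast line per match, which quickly becomes unreadable. The following shell script is an added example (not part of the original article): it summarizes alert_fast lines by rule and source address and flags sources that fire any single rule more than a threshold number of times, the first thing to look at when a host is scanning or flooding. The sample lines are constructed to match the format shown above; the addresses and the second rule (sid 10000002) are made up.

```shell
#!/bin/sh
# Added example: summarize Snort "-A console" (alert_fast) output.

# Constructed sample: two ICMP test alerts from one host and one TCP alert from
# another. sid 10000001 is the rule from local.rules; sid 10000002 is hypothetical.
SAMPLE_ALERTS='07/12-11:20:33.501624  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.5 -> 192.168.11.82
07/12-11:20:34.502110  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.5 -> 192.168.11.82
07/12-11:20:40.111222  [**] [1:10000002:1] SSH from outside [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:51234 -> 192.168.11.82:22'

# alert_summary: read alert_fast lines on stdin and print
#   count<TAB>gid:sid:rev<TAB>source<TAB>proto<TAB>msg
# sorted by count (descending), then by rule id.
alert_summary() {
    awk '
        # the rule id is the first "[gid:sid:rev]" bracket; skip lines without one
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) == 0 { next }
        {
            id  = substr($0, RSTART + 1, RLENGTH - 2)
            msg = substr($0, RSTART + RLENGTH + 1)   # text after "] "
            sub(/ \[\*\*\].*/, "", msg)              # the message ends at the next [**]
            proto = $0
            sub(/.*[{]/, "", proto); sub(/[}].*/, "", proto)
            n   = split($0, w, " ")                  # "... src -> dst" are the last three fields
            src = w[n - 2]
            sub(/:[0-9]+$/, "", src)                 # drop the source port, if any
            count[id "\t" src "\t" proto "\t" msg]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# noisy_sources THRESHOLD: sources that triggered any single rule at least THRESHOLD times
noisy_sources() {
    alert_summary | awk -F '\t' -v t="$1" '$1 >= t { print $3 }' | sort -u
}

# Usage on a live system:
#   snort -A console -i eno1 -u snort -g snort -c /etc/snort/snort.conf 2>/dev/null | alert_summary
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ALERTS" | alert_summary
    echo "sources with 2 or more hits on one rule:"
    printf '%s\n' "$SAMPLE_ALERTS" | noisy_sources 2
fi
```

The source port is stripped so that repeated connections from one client aggregate into a single row; the destination is left out because with HOME_NET set to a single /32 it is always the server.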

1.7 Run Snort in the background.

Add a systemd unit so Snort runs as a service in the background. Put it under /etc/systemd/system, the directory for administrator-written units (/lib/systemd/system belongs to packages and may be overwritten on upgrade).

# vi /etc/systemd/system/snort.service

New File Contents
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eno1

[Install]
WantedBy=multi-user.target

Adjust -i eno1 in ExecStart to your interface, then reload systemd, enable the unit so it starts at boot, and start it.

# systemctl daemon-reload
# systemctl enable snort
# systemctl start snort

Check the status of the service.

# systemctl status snort

2. Tripwire installation

Tripwire is a host-based intrusion detection system (HIDS) for Linux. Its job is to detect and report unauthorized changes to files and directories. After installation a baseline database of the monitored objects is created; every later check compares the filesystem against it and reports added, removed and modified files, including changes to content, ownership and permissions (Tripwire records what changed, not which user changed it). If the changes are legitimate, you accept them to update the Tripwire database.

2.1 Install

# apt install tripwire

①Site key passphrase
Tripwire uses the site passphrase to sign the configuration file (tw.cfg) and the policy file (tw.pol), so neither can be altered or replaced without it. One site key can be shared by all hosts at a site.

②Local key passphrase
The local passphrase protects this host's baseline database and report files; the local key is what stops anyone without the passphrase from regenerating or updating the baseline.

③Tripwire configuration path
The plaintext configuration is /etc/tripwire/twcfg.txt. It is used to generate the signed configuration file tw.cfg.

④Tripwire policy path
The plaintext policy is /etc/tripwire/twpol.txt. It is used to generate the signed policy file tw.pol that Tripwire actually reads.

The installer asks whether to create the site and local keys during installation and then prompts for each passphrase twice (entry and confirmation). The keys are written to /etc/tripwire/site.key and /etc/tripwire/<hostname>-local.key.

Installation then proceeds.

2.2 Configuration file settings

①Tripwire configuration file (twcfg.txt)
The contents of twcfg.txt are as follows. It names the signed policy file (tw.pol), the site key (site.key), the local key (<hostname>-local.key), and the database and report locations.

ROOT                   =/usr/sbin                                   ← directory holding the tripwire executables
POLFILE                =/etc/tripwire/tw.pol                        ← signed policy file
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd           ← baseline database
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/usr/bin/editor
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
SYSLOGREPORTING        =true
MAILMETHOD             =SMTP
SMTPHOST               =localhost
SMTPPORT               =25
TEMPDIRECTORY          =/tmp

②Initial setup: edit the configuration, then generate the signed configuration file

# cd /etc/tripwire
# vi twcfg.txt

Changes

Line 9: comment out LOOSEDIRECTORYCHECKING =false and add LOOSEDIRECTORYCHECKING =true below it. With false, deleting or changing a file inside a monitored directory produces two violations, one for the file and one for the directory whose contents changed; with true only the file is reported.
#LOOSEDIRECTORYCHECKING =false
LOOSEDIRECTORYCHECKING =true

Line 12: change as needed (report level: 4 is the maximum and gives the most detail per object)
REPORTLEVEL =4

Generate the signed configuration file
# cd /etc/tripwire
# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase: <site passphrase>
Wrote configuration file: /etc/tripwire/tw.cfg

③Create a script that tailors the policy file to this host
The stock twpol.txt lists many paths that do not exist on every system; each one produces a "File system error" entry in every report. The script below sets HOSTNAME to this host's name and comments out every rule whose path is missing (and uncomments it again if the path appears later).

# vi twpolmake.pl

Script contents

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#   perl twpolmake.pl {Pol file}
# Reads a plaintext policy file, rewrites HOSTNAME to this host and
# comments out rules whose target path does not exist here.
# ----------------------------------------------------------------
use strict;
use warnings;

my $POLFILE = $ARGV[0];
open(POL, $POLFILE) or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;
while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # global section: make HOSTNAME match this machine
        $myhost = `hostname`; chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^{/) {
        $INRULE = 1;    # entering a rule block
    }
    elsif (/^}/) {
        $INRULE = 0;    # leaving a rule block
    }
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $sharp: leading whitespace and an optional comment marker
        # $tpath: the monitored path, $cond: " -> $(...) ;" and anything after it
        my $ret = ($sharp =~ s/\#//g) || 0;   # strip an existing comment marker, remember it
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # path missing (or empty): comment the rule out unless it already was
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            # path exists: emit the rule uncommented
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close(POL);

Apply it and generate the signed policy file.

# cd /etc/tripwire
# perl twpolmake.pl twpol.txt > twpol.txt.new

# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase: <site passphrase>
Wrote policy file: /etc/tripwire/tw.pol

④Database creation

# tripwire -m i -s -c tw.cfg
Please enter your local passphrase: <local key password>

2.3 Check Tripwire operation

①Create a test file

# echo test > /root/test.txt

②Check Tripwire operation

# tripwire -m c -s -c /etc/tripwire/tw.cfg

The report looks like the following. In this sample the only violation is the database file itself, reported as Added: it is written at the end of initialization, after the baseline scan, so the first check sees it as new. A file created under /root after initialization, such as the test file above, shows up the same way under whichever rule in twpol.txt covers /root.

Open Source Tripwire(R) 2.4.3.1 Integrity Check Report

Report generated by:          root
Report created on:            Thu Nov 29 19:04:52 2018
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    dlp.srv.world
Host IP address:              10.0.0.30
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/dlp.srv.world.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
* Tripwire Data Files             100               1        0        0
  System boot changes             100               0        0        0
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
  Other configuration files       66                0        0        0
  (/etc)
  Boot Scripts                    100               0        0        0
  Security Control                66                0        0        0
  Root config files               100               0        0        0
  Devices & Kernel information    100               0        0        0
  (/dev)
  Invariant Directories           66                0        0        0

Total objects scanned:  20051
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire/dlp.srv.world.twd)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/dlp.srv.world.twd"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

③Delete the test file

# rm -f /root/test.txt

2.4 Tripwire Autorun Script

①Script creation

# cd ~/
# vi tripwire.sh

Script contents

#!/bin/bash

#=========================================================================
# Job Name : Tripwire Periodic Execution Script
# Description : Run Tripwire periodically.
# Owner Dept. : korodes.com
#=========================================================================

PATH=/usr/sbin:/usr/bin:/bin

# Passphrases in plain text: this file must be readable by root only (chmod 700)
LOCALPASS=xxxxxxxx # local passphrase
SITEPASS=xxxxxxxx # site passphrase

cd /etc/tripwire

# Run a Tripwire check and mail the report to root
tripwire -m c -s -c tw.cfg | mail -s "Tripwire(R) Integrity Check Report in $(hostname)" root

# Regenerate the policy so paths added or removed since the last run are picked up
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q "$SITEPASS" twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# Rebuild the baseline database (DBFILE in twcfg.txt is /var/lib/tripwire/$(HOSTNAME).twd).
# Note: this accepts every change listed in the report above as the new baseline,
# so the mailed report is the only record of it.
rm -f /var/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P "$LOCALPASS"

②Restrict the permissions (the script contains passphrases, so root only) and register it with cron

# chmod 700 tripwire.sh
# crontab -e
Add the following line (runs every day at 03:00)
0 3 * * * /root/tripwire.sh
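The cron script above rebuilds the baseline after every check, so a change that appeared in the night's report is silently accepted the same night. The following shell script is an added example (not part of the original article) of a safer nightly run: it parses the report for the violation count and the changed objects, rebuilds the baseline only when the check was clean, and otherwise leaves the baseline alone so the change keeps appearing until someone reviews it with tripwire -m u. SAMPLE_REPORT is constructed in the format shown in 2.3 (the paths in it are made up); tripwire_nightly assumes LOCALPASS is set as in the cron script and, like the cron script, that the check's stdout carries the report.

```shell
#!/bin/sh
# Added example: parse a Tripwire integrity report and decide whether the
# baseline may be rebuilt.

# Constructed sample report in the 2.3 format: one added and one modified object.
SAMPLE_REPORT='Open Source Tripwire(R) 2.4.3.1 Integrity Check Report

Report generated by:          root
Database last updated on:     Never

===============================================================================
Rule Summary:
===============================================================================

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Root config files               100               1        0        1

Total objects scanned:  20051
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/test.txt"

Modified:
"/root/.bashrc"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***'

# tw_total_violations: print the "Total violations found" count from a report on
# stdin; prints -1 when the line is absent (e.g. the check failed before reporting).
tw_total_violations() {
    awk '/^Total violations found:/ { sub(/.*: */, ""); print; found = 1 }
         END { if (!found) print -1 }'
}

# tw_changed_objects: print "Added|Removed|Modified<TAB>path" for every object
# listed in the Object Summary of a report on stdin.
tw_changed_objects() {
    awk '
        /^[ \t]*(Added|Removed|Modified):[ \t]*$/ { kind = $1; sub(/:$/, "", kind); next }
        kind != "" && /^[ \t]*"/ {
            p = $0; gsub(/^[ \t]*"|"[ \t]*$/, "", p)
            print kind "\t" p
            next
        }
        { kind = "" }   # any other line (blank, rule header) ends the current list
    '
}

# tripwire_nightly: run the check, mail the report, and rebuild the baseline only
# when nothing changed. Assumes LOCALPASS is set (as in the cron script) and that
# the check prints its report on stdout, which the cron script relies on too.
tripwire_nightly() {
    report=$(tripwire -m c -s -c /etc/tripwire/tw.cfg)
    printf '%s\n' "$report" | mail -s "Tripwire(R) Integrity Check Report in $(hostname)" root
    n=$(printf '%s\n' "$report" | tw_total_violations)
    if [ "$n" -eq 0 ]; then
        tripwire -m i -s -c /etc/tripwire/tw.cfg -P "$LOCALPASS"
        return 0
    fi
    # keep the baseline; the objects stay in every later report until reviewed
    # and accepted with: tripwire -m u -r /var/lib/tripwire/report/<host>-<date>.twr
    printf '%s\n' "$report" | tw_changed_objects >&2
    return 1
}

if [ "${1:-}" = "--demo" ]; then
    printf 'violations: %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | tw_total_violations)"
    printf '%s\n' "$SAMPLE_REPORT" | tw_changed_objects
fi
```

The policy regeneration step of the cron script can run before tripwire_nightly unchanged; only the unconditional database rebuild is replaced by the check on the violation count.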

 
