
Rocky Linux 8.4: installing Tripwire, chkrootkit and Snort

1.Tripwire Installation

1.1 Download and install (the package comes from an EPEL mirror; check its signature with `rpm -K` before installing it)

[root@Lepard ~]# cd /usr/local/src
src]# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm
src]# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm
If you get a dependency error, enter the following
src]# wget https://repo.almalinux.org/almalinux/8/AppStream/x86_64/os/Packages/compat-openssl10-1.0.2o-3.el8.x86_64.rpm
src]# yum install compat-openssl10-1.0.2o-3.el8.x86_64.rpm
then run the install again:
src]# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm

1-2. initialization

[root@Lepard ~]# cd /usr/local/src
src]# tripwire-setup-keyfiles
———————————————-
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
———————————————-
Creating key files…
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
←Enter any “Site Passphrase”.
Verify the site keyfile passphrase: ←Enter the same “Site Passphrase” again
Generating key (this may take several minutes)…Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ←Enter any “Local Passphrase”.
Verify the local keyfile passphrase: ←Enter the same “Local Passphrase” again.
Generating key (this may take several minutes)…Key generation complete.
———————————————-
Signing configuration file…
Please enter your site passphrase: ←Enter “Site Passphrase”.
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
———————————————-
Signing policy file…
Please enter your site passphrase: ←Enter “Site Passphrase”.
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
~abbreviation~
default values from the current configuration file are used

1-3. Configuring Tripwire

[root@Lepard ~]# vi /etc/tripwire/twcfg.txt
■Line 9
Comment out the existing line by prefixing it with "#" and add "LOOSEDIRECTORYCHECKING =true" on the line below it.
■Line 13
Comment out the existing line by prefixing it with "#" and add "REPORTLEVEL =4" on the line below it, as shown below.
Level 4 is the most detailed of the five report levels ("0" to "4").
#REPORTLEVEL =3
REPORTLEVEL =4

1-4. Create a Tripwire configuration file (cryptographically signed version)

[root@Lepard ~]# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ←Enter the site passphrase you set.
Wrote configuration file: /etc/tripwire/tw.cfg

1-5. Policy file settings

[root@Lepard ~]# cd /etc/tripwire/
tripwire]# vi twpolmake.pl    ←Create this script with the following contents (it rewrites the policy file for the current host)
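#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
# Reads a Tripwire policy text file and prints a rewritten copy on stdout:
#   * a "HOSTNAME = ...;" line is replaced by the output of `hostname`
#     when the two differ;
#   * inside a rule block ({ ... }), an entry whose object does not exist
#     or is empty (-s fails) is commented out with '#', and an entry whose
#     object does exist has any leading '#' removed;
#   * the /sbin/e2fsadm entry gets its trailing "tune2fs ..." clause
#     commented out.
use strict;
use warnings;

my $POLFILE = $ARGV[0];
open(my $pol, '<', $POLFILE) or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;
while (<$pol>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Policy files are host-specific; pin HOSTNAME to this machine.
        $myhost = `hostname`;
        chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^{/) {
        $INRULE = 1;
    }
    elsif (/^}/) {
        $INRULE = 0;
    }
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret = number of '#' stripped from the prefix (0 if the entry
        # was not commented out). s///g returns "" when nothing matched,
        # hence the "|| 0" so the numeric compare below stays warning-free.
        my $ret = ($sharp =~ s/\#//g) || 0;
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # Missing/empty object: comment it out, unless it already was.
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close($pol);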

1-6. Policy file optimization

tripwire]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new

1-7. Create policy file (cryptographically signed version)

tripwire]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key
/etc/tripwire/twpol.txt.new
Please enter your site passphrase:     ←Enter your site passphrase
Wrote policy file: /etc/tripwire/tw.pol
Delete the text (unsigned) versions of the policy file:
tripwire]# rm -f /etc/tripwire/twpol.txt*

1-8. Create a database

Initialize the baseline database:
tripwire]# tripwire -m i -s -c /etc/tripwire/tw.cfg /etc/tripwire/twpol.txt.new
Please enter your local passphrase: ←Enter your local passphrase

1-9. Tripwire Periodic Execution Script

①Create a Tripwire autorun script (tripwire.sh)

tripwire]# vi tripwire.sh
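#!/bin/bash
#
# tripwire.sh - periodic Tripwire integrity check, run from root's cron.
#
# Runs "tripwire -m c" and mails the report to root, then regenerates the
# signed policy for the current host/filesystem (twpolmake.pl comments out
# entries whose objects no longer exist) and re-initialises the database.
#
# NOTE(review): because the database is re-initialised right after the
# check, every change present at run time becomes the new baseline. The
# mailed report is the only record of a change, so read it before the next
# run; keep this script readable by root only (chmod 700) since it holds
# both passphrases.
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Set passphrases. They are passed to twadmin/tripwire on the command line
# (-Q / -P), so they are visible in "ps" while those commands run; the
# file permissions on this script are the only protection for them.
LOCALPASS=xxxxxxxx  # local passphrase
SITEPASS=xxxxxxxxx  # site passphrase

cd /etc/tripwire || exit 1

# Run a Tripwire check and mail the report to root
tripwire -m c -s -c tw.cfg | mail -s "Tripwire(R) Integrity Check Report in $(hostname)" root

# Update policy files: dump the signed policy as text, rewrite it for the
# current host, then sign it again.
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q "$SITEPASS" twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# Database re-initialisation (new baseline).
# NOTE(review): the path below is the source-install default; with the
# EPEL rpm used in step 1.1 the database lives where DBFILE in twcfg.txt
# points (typically /var/lib/tripwire) -- confirm before relying on this rm.
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P "$LOCALPASS"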
tripwire]# chmod 700 tripwire.sh

➁Add tripwire.sh to root's crontab so that it runs periodically

2.chkrootkit installation

2.1 Download and install chkrootkit (the archive is fetched over plain FTP, so compare its checksum with the value published by the project before using it)

]# cd /usr/local/src
src]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
src]# tar zxvf chkrootkit.tar.gz
src]# mv chkrootkit-0.50/chkrootkit /root/bin

2.2 Check chkrootkit

src]#  chkrootkit | grep INFECTED
Searching for Suckit rootkit… Warning: /sbin/init INFECTED
This "/sbin/init" hit is a false positive, so it is not a problem (the commented-out block in the script below shows one way to confirm it, by verifying the package that owns /sbin/init with rpm -V).

2.3 Create a chkrootkit script and change its permissions (in this case, create it in /opt, but it is optional).

opt]# vi chkrootkit.sh

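#!/bin/bash
#
# chkrootkit.sh - run chkrootkit from cron, log the report, and mail root
# only when something is reported as INFECTED.
#
# Assumes the chkrootkit binary was copied to /root/bin (step 2.1).
PATH=/usr/bin:/bin:/root/bin

TMPLOG=$(mktemp) || exit 1
# Remove the temporary report on every exit path, not only the normal one.
trap 'rm -f -- "$TMPLOG"' EXIT

# Run chkrootkit
chkrootkit > "$TMPLOG"

# Log output
logger -t chkrootkit < "$TMPLOG"

# Handling of SMTPS bindshell false positives:
# drop the port-465 lines only when nothing listening on 465 is a bindshell.
if grep -q 465 "$TMPLOG" && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
  sed -i '/465/d' "$TMPLOG"
fi

# Addressed Suckit false positive when updating upstart package.
# (Kept disabled: it drops the Suckit line only when the package owning
# /sbin/init verifies cleanly with rpm -V.)
#if grep -q Suckit "$TMPLOG" && \
#   [ -z "$(rpm -V "$(rpm -qf /sbin/init)")" ]; then
#  sed -i '/Suckit/d' "$TMPLOG"
#fi

# Send mail to root only when rootkit is detected
if grep -q INFECTED "$TMPLOG"; then
  grep INFECTED "$TMPLOG" | mail -s "chkrootkit report in $(hostname)" root
fi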
opt]# chmod 700 chkrootkit.sh
Set cron to run chkrootkit periodically.
opt]# crontab -e
0 2 * * * /opt/chkrootkit.sh
(The run time can be chosen freely.)

3.SNORT Installation

Snort is an open source network intrusion detection system that can perform real-time traffic analysis and packet logging on IP networks.

It can perform “protocol analysis”, “content search”, and “matching”, and can be used to detect a variety of attacks such as “buffer overflow”, “stealth port scan”, “CGI attack”, “SMB probe”, “OS fingerprinting attempt”, “semantic URL attack”, and “server message block probe”.

3.1 Install the required libraries.

[root@Lepard ~]# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel
[root@Lepard ~]# mkdir /var/src

3.2 Install DAQ

[root@Lepard ~]# cd /var/src
src]# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
src]# tar zxvf daq-2.0.7.tar.gz
src]# cd daq-2.0.7
daq-2.0.7]# autoreconf -f -i
daq-2.0.7]# ./configure
daq-2.0.7]# make
daq-2.0.7]# make install

3.3 Install Snort OpenAppID

[root@Lepard ~]# cd /var/src
src]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
src]# tar -zxvf LuaJIT-2.0.5.tar.gz
src]# cd LuaJIT-2.0.5
LuaJIT-2.0.5]# make
LuaJIT-2.0.5]# make install

3.4 Install a temporary release file to use the RPC library

[root@Lepard ~]# /bin/cat << EOT >/etc/fedora-release
Fedora release 28 (Rawhide)
EOT

3.5 Download and install SNORT.

[root@Lepard ~]# cd /var/src
src]# wget https://snort.org/downloads/snort/snort-2.9.18.1.tar.gz
src]# tar -zxvf snort-2.9.18.1.tar.gz
src]# cd snort-2.9.18.1
snort-2.9.18.1]# ./configure --enable-sourcefire
snort-2.9.18.1]# make
snort-2.9.18.1]# make install

3.6 Remove the temporary release file created in 3.4.

[root@Lepard ~]# /bin/rm /etc/fedora-release

3.7 SNORT user and group creation

[root@Lepard ~]# groupadd snort
[root@Lepard ~]# useradd -g snort -s /sbin/nologin snort
[root@Lepard ~]# passwd -l snort

3.8 Create SNORT directory and rule files

[root@Lepard ~]# mkdir /etc/snort
[root@Lepard ~]# mkdir /etc/snort/rules
[root@Lepard ~]# mkdir /etc/snort/rules/iplists
[root@Lepard ~]# mkdir /etc/snort/pulledpork
[root@Lepard ~]# mkdir /var/log/snort
[root@Lepard ~]# mkdir /var/log/snort/pcap
[root@Lepard ~]# chown -R snort /var/log/snort
[root@Lepard ~]# touch /etc/snort/rules/iplists/default.whitelist
[root@Lepard ~]# touch /etc/snort/rules/iplists/default.blacklist
[root@Lepard ~]# cp /var/src/snort*/etc/* /etc/snort
[root@Lepard ~]# ln -s /usr/local/bin/snort /sbin/snort

3.9 PulledPork rule management policy

[root@Lepard ~]# yum -y install perl-libwww-perl.noarch perl-Sys-Syslog.x86_64 perl-Archive-Tar.noarch perl-LWP-Protocol-https.noarch
[root@Lepard ~]# wget https://raw.githubusercontent.com/shirkdog/pulledpork/master/pulledpork.pl -O /usr/local/bin/pulledpork.pl
[root@Lepard ~]# chmod 755 /usr/local/bin/pulledpork.pl

3.10 Build the PulledPork configuration file. Replace OINKCODE in the first rule_url with your own oinkcode. Note that the snort_version line below (2.9.14.1) differs from the Snort version installed in 3.5 (2.9.18.1) and from the snapshot named in rule_url; check which value PulledPork should be given.

[root@Lepard ~]# /bin/cat << EOT >/etc/snort/pulledpork/pulledpork.conf
rule_url=https://www.snort.org/rules/|snortrules-snapshot-29180.tar.gz|OINKCODE
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLOCKLIST|open
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
#
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
sorule_path=/etc/snort/snort_dynamicrules/
snort_path=/sbin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-8-0
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/bin/snort_control
snort_version=2.9.14.1
disablesid=/etc/snort/pulledpork/disablesid.conf
enablesid=/etc/snort/pulledpork/enablesid.conf
version=0.8.0
EOT

3.11 Create a PulledPork disabled rule file

[root@Lepard ~]# /bin/cat << EOT >/etc/snort/pulledpork/disablesid.conf
EOT

3.12 Run the PulledPork script.

[root@Lepard ~]# /usr/local/bin/pulledpork.pl -W -P -c /etc/snort/pulledpork/pulledpork.conf

3.13 Build the Snort threshold file

[root@Lepard ~]# /bin/cat << EOT >>/etc/snort/threshold.conf
#suppress gen_id 119, sig_id 14
EOT

3.14 Build the local rule file

[root@Lepard ~]# /bin/cat << EOT >/etc/snort/rules/local.rules
# ————
# LOCAL RULES
# ————
#
EOT

3.15 Build the capture filter file.

[root@Lepard ~]# /bin/cat << EOT >/etc/snort/filter.bpf
( net 192.168.0.0/24 or net fdaa:0:0:0::/60 )
EOT

3.16 Build the ipvar include file

[root@Lepard ~]# /bin/cat << EOT >/etc/snort/ipvar.conf
ipvar NETWORK [192.168.0.0/24,fdaa:0:0:0::/60] #
ipvar REAL_NET [192.168.1.10/32,fdaa:0:0:0::a/128] #
ipvar HOME_NET [\$REAL_NET] #
ipvar DARK_NET [!\$HOME_NET] #
ipvar EXTERNAL_NET [!\$HOME_NET] #
ipvar DNS_SERVERS \$HOME_NET
ipvar SMTP_SERVERS \$HOME_NET
ipvar HTTP_SERVERS \$HOME_NET
ipvar SQL_SERVERS \$HOME_NET
ipvar TELNET_SERVERS \$HOME_NET
ipvar SSH_SERVERS \$HOME_NET
ipvar FTP_SERVERS \$HOME_NET
ipvar SIP_SERVERS \$HOME_NET
#
ipvar DRK_IGNORE_SRC [10.1.1.1/32]
ipvar DRK_IGNORE_DST [192.168.0.1/32] #
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
EOT

 3.17 Snort configuration file editing

[root@Lepard ~]# /bin/sed -i "s/^ipvar/#ipvar/" /etc/snort/snort.conf
/bin/sed -i '/protecting/i include ipvar.conf' /etc/snort/snort.conf
/bin/sed -i "s/RULE_PATH ..\/rules/RULE_PATH \/etc\/snort\/rules/" /etc/snort/snort.conf
/bin/sed -i "s/SO_RULE_PATH ..\/so_rules/SO_RULE_PATH \/etc\/snort\/so_rules/" /etc/snort/snort.conf
/bin/sed -i "s/PREPROC_RULE_PATH ..\/preproc_rules/PREPROC_RULE_PATH \/etc\/snort\/preproc_rules/" /etc/snort/snort.conf
/bin/sed -i "s/WHITE_LIST_PATH ..\/rules/WHITE_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf
/bin/sed -i "s/BLACK_LIST_PATH ..\/rules/BLACK_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf
/bin/sed -i "s/white_list.rules/default.whitelist/" /etc/snort/snort.conf
/bin/sed -i "s/black_list.rules/default.blacklist/" /etc/snort/snort.conf
/bin/sed -i "s/^dynamicdetection/#dynamicdetection/" /etc/snort/snort.conf
/bin/sed -i "s/^preprocessor normalize/#preprocessor normalize/" /etc/snort/snort.conf
/bin/sed -i "s/^# preprocessor sfportscan/preprocessor sfportscan/" /etc/snort/snort.conf
/bin/sed -i "s/memcap { 10000000/memcap { 20000000/" /etc/snort/snort.conf
/bin/sed -i "s/server_ports { 22/server_ports { 22 5224/" /etc/snort/snort.conf
/bin/sed -i "s/sensitive_data: alert_threshold 25/sensitive_data: alert_threshold 50/" /etc/snort/snort.conf
/bin/sed -i '/^# syslog/a output alert_fast: \/var\/log\/snort\/alert' /etc/snort/snort.conf
/bin/sed -i '/^# pcap/a output log_tcpdump: \/var\/log\/snort\/pcap\/snort.pcap' /etc/snort/snort.conf
/bin/sed -i "s/^include \$RULE_PATH/#include \$RULE_PATH/" /etc/snort/snort.conf
/bin/sed -i '/site specific rules/a include $RULE_PATH\/snort.rules' /etc/snort/snort.conf

3.18 Creating the Snort Service (note: the ExecStop line below sends SIGKILL; systemd's default stop action already sends SIGTERM to the main process, which lets Snort close its log files cleanly, so the line can be omitted)

[root@Lepard ~]# /bin/cat << EOT >/usr/lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/sbin/snort -i eth0 -c /etc/snort/snort.conf -F /etc/snort/filter.bpf -u snort -g snort --pid-path /var/log/snort --no-interface-pidfile --nolock-pidfile
ExecStop=/bin/kill -9 \$MAINPID
PrivateTmp=true
PIDFile=/var/log/snort/snort.pid

[Install]
WantedBy=multi-user.target
EOT
[root@Lepard ~]# systemctl enable --now snort

3.19 Create a Snort log rotation configuration file

[root@Lepard ~]# /bin/cat << EOT >/etc/logrotate.d/snort
/var/log/snort/alert
{
weekly
rotate 13
missingok
compress
sharedscripts
postrotate
/bin/systemctl restart snort 1>/dev/null || true
endscript
}
EOT

3.20 Create a Snort rule update script

[root@Lepard ~]# mkdir /script
[root@Lepard ~]# /bin/cat <<\EOT >/script/snort_update.sh
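#!/bin/bash
#
# snort_update.sh
# Snort signature update script: pull new rules with PulledPork, restart
# Snort, then keep only the newest rotated alert and pcap files.
#
# Command Variables
CONF=/etc/snort/pulledpork/pulledpork.conf
LOGDIR=/var/log/snort
PULL=/usr/local/bin/pulledpork.pl
SYSTEMCTL=/bin/systemctl
# Number of rotated files to keep in each log directory
KEEP=13

#######################################
# Delete all but the newest $KEEP regular files whose name starts with a
# prefix, ordered by modification time (newest first).
# Arguments: $1 - directory, $2 - filename prefix (e.g. "alert.")
# Names are NUL-delimited end to end so unusual characters cannot break
# the pipeline; nothing is run when fewer than $KEEP files exist.
#######################################
prune_old() {
  local dir=$1 prefix=$2
  find "$dir" -maxdepth 1 -type f -name "${prefix}*" -printf '%T@ %p\0' \
    | sort -z -n -r \
    | tail -z -n +"$((KEEP + 1))" \
    | cut -z -d ' ' -f2- \
    | xargs -0 -r rm -f --
}

#
"$PULL" -W -P -c "$CONF"
"$SYSTEMCTL" restart snort
#
# Cleanup
prune_old "$LOGDIR" "alert."
prune_old "$LOGDIR/pcap" "snort.pcap."
#
exit 0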
EOT
[root@Lepard ~]# chmod 700 /script/snort_update.sh

3.21 Periodic execution of Snort rule update script

[root@Lepard ~]# crontab -l | { cat; echo "0 0 * * 1-5 /script/snort_update.sh >/dev/null 2>&1"; } | crontab -