
Building a server on Rocky Linux 8.4: installing Tripwire, Chkrootkit and Snort


1. Server setup preparation: installing Tripwire

1.1 Download and install

[root@Lepard ~]# cd /usr/local/src
src]# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm
src]# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm
If a dependency error appears, install the following first:
src]# wget https://repo.almalinux.org/almalinux/8/AppStream/x86_64/os/Packages/compat-openssl10-1.0.2o-3.el8.x86_64.rpm
src]# yum install compat-openssl10-1.0.2o-3.el8.x86_64.rpm
Then run the install again:
src]# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm

1-2. Initial setup

[root@Lepard ~]# cd /usr/local/src
src]# tripwire-setup-keyfiles
----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ← enter a site passphrase of your choice
Verify the site keyfile passphrase: ← enter the same site passphrase again
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ← enter a local passphrase of your choice
Verify the local keyfile passphrase: ← enter the same local passphrase again
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase: ← enter the site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase: ← enter the site passphrase
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
(output omitted)
default values from the current configuration file are used

1-3. Tripwire configuration

[root@Lepard ~]# vi /etc/tripwire/twcfg.txt
■ Around line 9
Put "#" at the start of the line and add "LOOSEDIRECTORYCHECKING =true" on the line below it.
■ Around line 13
Put "#" at the start of the line and add "REPORTLEVEL =4" on the line below it.
Level 4 is the most detailed of the five report levels, 0 to 4.
#REPORTLEVEL =3
REPORTLEVEL =4

1-4. Create the Tripwire configuration file (signed version)

[root@Lepard ~]# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ← enter the site passphrase you set
Wrote configuration file: /etc/tripwire/tw.cfg

1-5. Policy file settings

[root@Lepard ~]# cd /etc/tripwire/
tripwire]# vi twpolmake.pl    ← create a new policy customization script with the following content
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
    chomp;
    # Rewrite the HOSTNAME line so it matches this host's real hostname
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    # Inside a rule block: comment out entries whose path does not exist on this host
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

1-6. Optimize the policy file

tripwire]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new

1-7. Create the policy file (signed version)

tripwire]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase:     ← enter the site passphrase
Wrote policy file: /etc/tripwire/tw.pol
Delete the text version of the policy file
tripwire]# rm -f /etc/tripwire/twpol.txt*

1-8. Create the database and verify operation

Create the database
tripwire]# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ← enter the local passphrase
Create a test file
tripwire]# echo tripwire_test > /root/tripwire_test.txt
Delete the test file
tripwire]# rm -f /root/tripwire_test.txt

1-9. Tripwire periodic execution script

① Create the Tripwire automatic execution script (tripwire.sh)

# cd /var/www/system
# vi tripwire.sh
#!/bin/bash
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin
# Passphrases
LOCALPASS=xxxxxxxx # local passphrase
SITEPASS=xxxxxxxxx  # site passphrase
cd /etc/tripwire
# Run the Tripwire check and mail the report to root
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
# Refresh the policy file
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak
# Rebuild the database (match this path to DBFILE in twcfg.txt)
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS

The script contains the passphrases in clear text, so restrict it to root:
# chmod 700 tripwire.sh

② Add a cron entry so that Tripwire runs periodically
# crontab -e
0 1 * * * /var/www/system/clamscan.sh > /dev/null 2>&1
0 3 * * * /var/www/system/tripwire.sh

If actually running
# /var/www/system/tripwire.sh
reports that the mail command is not found, run
# yum install mailx
# systemctl start postfix
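The tripwire.sh above mails the complete report every night whether or not anything changed. The following bash helper is an added example, not part of the original article: it reads report text on standard input, extracts the count from the "Total violations found:" summary line that tripwire -m c prints, and succeeds only when that count is greater than zero, so the cron job can mail root only when something actually changed. The function names and the two report excerpts are constructed for this example, not output of a real run.

```shell
#!/bin/bash
# Added example, not from the original article: mail the Tripwire report
# only when it reports violations. The check report ends with a summary
# containing a "Total violations found:" line; the two excerpts below are
# constructed sample text, not a real run.

# Print the violation count found in report text read from stdin.
# Prints 0 when the summary line is absent (e.g. a truncated report).
tw_violation_count() {
    local n
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Succeed (exit 0) when the report on stdin should be mailed.
tw_should_mail() {
    [ "$(tw_violation_count)" -gt 0 ]
}

# Constructed sample: a clean run.
SAMPLE_CLEAN='Tripwire(R) 2.4.3.7 Integrity Check Report
Total objects scanned:  41299
Total violations found:  0'

# Constructed sample: the test file from 1-8 was added under /root.
SAMPLE_DIRTY='Tripwire(R) 2.4.3.7 Integrity Check Report
Total objects scanned:  41300
Total violations found:  1
Added:
"/root/tripwire_test.txt"'

# Stand-alone demonstration
printf '%s\n' "$SAMPLE_DIRTY" | tw_should_mail && echo "dirty report: would mail root"
printf '%s\n' "$SAMPLE_CLEAN" | tw_should_mail || echo "clean report: nothing sent"
```

In tripwire.sh the check line would become `tripwire -m c -s -c tw.cfg > /tmp/tw.report` followed by `tw_should_mail < /tmp/tw.report && mail -s "Tripwire report in `hostname`" root < /tmp/tw.report`, with the report file removed afterwards.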

2. Server setup preparation: installing chkrootkit

2.1 Download and install chkrootkit

]# cd /usr/local/src
src]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
src]# tar zxvf chkrootkit.tar.gz
src]# mv chkrootkit-0.50/chkrootkit /root/bin

2.2 Verify chkrootkit

src]# chkrootkit | grep INFECTED
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
"/sbin/init" here is a false positive, so this is not a problem.

2.3 Create the chkrootkit periodic execution script and set its permissions (created under /opt here, but the location is up to you)

opt]# vi chkrootkit.sh

#!/bin/bash
PATH=/usr/bin:/bin:/root/bin
TMPLOG=`mktemp`
# Run chkrootkit
chkrootkit > $TMPLOG
# Send the output to syslog
cat $TMPLOG | logger -t chkrootkit
# Handle the bindshell false positive for SMTPS (port 465)
if [ ! -z "$(grep 465 $TMPLOG)" ] && \
   [ -z "$(/usr/sbin/lsof -i:465|grep bindshell)" ]; then
    sed -i '/465/d' $TMPLOG
fi
# Handle the Suckit false positive after an upstart package update
#if [ ! -z "$(grep Suckit $TMPLOG)" ] && \
#   [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
#    sed -i '/Suckit/d' $TMPLOG
#fi
# Mail root only when a rootkit is detected
[ ! -z "$(grep INFECTED $TMPLOG)" ] && \
    grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" root
rm -f $TMPLOG

opt]# chmod 700 chkrootkit.sh
Add a cron entry so that chkrootkit runs periodically
opt]# crontab -e
0 2 * * * /opt/chkrootkit.sh
(set the start time as you like)
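The script above removes individual false positives with sed. The following bash function is an added example, not the article's chkrootkit.sh: it filters chkrootkit's INFECTED lines through an explicit allowlist of known false positives, so that only findings outside the allowlist reach the mail step. The function names, the KNOWN_FP list and the SAMPLE_SCAN text are constructed for this example; SAMPLE_SCAN imitates chkrootkit's output format and is not a real scan.

```shell
#!/bin/bash
# Added example, not the article's chkrootkit.sh: filter chkrootkit findings
# through an allowlist of known false positives, so the mail step only fires
# on findings that have not been explicitly accepted. SAMPLE_SCAN is
# constructed text in chkrootkit's output format, not a real scan.

# Known false positives on this host, one fixed-string pattern per line.
# The /sbin/init entry is the Suckit false positive seen in 2.2 above.
KNOWN_FP='Warning: /sbin/init INFECTED'

# Read chkrootkit output on stdin; print INFECTED lines not covered by
# KNOWN_FP. Always exits 0 so it can be used inside "set -e" scripts.
chk_new_infections() {
    local fp
    fp=$(mktemp)
    printf '%s\n' "$KNOWN_FP" > "$fp"
    grep 'INFECTED' | grep -v -F -f "$fp" || true
    rm -f "$fp"
}

# Number of new findings (0 when nothing beyond the allowlist).
chk_new_count() {
    chk_new_infections | grep -c 'INFECTED' || true
}

# Constructed sample scan: one allowlisted finding and one new one.
SAMPLE_SCAN=$(printf '%s\n' \
    "Checking 'amd'... not found" \
    "Searching for Suckit rootkit... Warning: /sbin/init INFECTED" \
    "Checking 'bindshell'... INFECTED (PORTS:  465)" \
    "Checking 'lkm'... not tested")

# Stand-alone demonstration
new=$(printf '%s\n' "$SAMPLE_SCAN" | chk_new_infections)
if [ -n "$new" ]; then
    echo "new findings (would be mailed to root):"
    printf '%s\n' "$new"
else
    echo "only known false positives, nothing to mail"
fi
```

In chkrootkit.sh the final `grep INFECTED $TMPLOG` would be replaced by `chk_new_infections < $TMPLOG`, and the allowlist kept in a root-only file instead of a variable so that accepted findings are reviewed deliberately rather than deleted by pattern.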

3. Server setup preparation: installing SNORT

Snort is an open-source network intrusion detection system that can perform real-time traffic analysis and packet logging on IP networks.

It performs protocol analysis and content searching and matching, and can be used to detect a wide range of attacks, including buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, semantic URL attacks, and Server Message Block probes.

3.1 Install the required libraries

[root@Lepard ~]# dnf -y install bison flex libpcap-devel pcre-devel openssl-devel libdnet-devel libtirpc-devel libtool nghttp2 libnghttp2-devel
[root@Lepard ~]# mkdir /var/src

3.2 Install DAQ

[root@Lepard ~]# cd /var/src
src]# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
src]# tar zxvf daq-2.0.7.tar.gz
src]# cd daq-2.0.7
daq-2.0.7]# autoreconf -f -i
daq-2.0.7]# ./configure
daq-2.0.7]# make
daq-2.0.7]# make install

3.3 Install LuaJIT for Snort OpenAppID

[root@Lepard ~]# cd /var/src
src]# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
src]# tar -zxvf LuaJIT-2.0.5.tar.gz
src]# cd LuaJIT-2.0.5
LuaJIT-2.0.5]# make
LuaJIT-2.0.5]# make install

3.4 Install a temporary release file so that the RPC library is used

[root@Lepard ~]# /bin/cat << EOT >/etc/fedora-release
Fedora release 28 (Rawhide)
EOT

3.5 Download and install SNORT

[root@Lepard ~]# cd /var/src
src]# wget https://snort.org/downloads/snort/snort-2.9.18.1.tar.gz
src]# tar -zxvf snort-2.9.18.1.tar.gz
src]# cd snort-2.9.18.1
snort-2.9.18.1]# ./configure --enable-sourcefire
snort-2.9.18.1]# make
snort-2.9.18.1]# make install

3.6 Remove the temporary release file created in 3.4

[root@Lepard ~]# /bin/rm /etc/fedora-release

3.7 Create the SNORT user and group

[root@Lepard ~]# groupadd snort
[root@Lepard ~]# useradd -g snort -s /sbin/nologin snort
[root@Lepard ~]# passwd -l snort

3.8 Create the SNORT directories and rule files

[root@Lepard ~]# mkdir /etc/snort
[root@Lepard ~]# mkdir /etc/snort/rules
[root@Lepard ~]# mkdir /etc/snort/rules/iplists
[root@Lepard ~]# mkdir /etc/snort/pulledpork
[root@Lepard ~]# mkdir /var/log/snort
[root@Lepard ~]# mkdir /var/log/snort/pcap
[root@Lepard ~]# chown -R snort /var/log/snort
[root@Lepard ~]# touch /etc/snort/rules/iplists/default.whitelist
[root@Lepard ~]# touch /etc/snort/rules/iplists/default.blacklist
[root@Lepard ~]# cp /var/src/snort*/etc/* /etc/snort
[root@Lepard ~]# ln -s /usr/local/bin/snort /sbin/snort

3.9 PulledPork rule management

[root@Lepard ~]# yum -y install perl-libwww-perl.noarch perl-Sys-Syslog.x86_64 perl-Archive-Tar.noarch perl-LWP-Protocol-https.noarch
[root@Lepard ~]# wget https://raw.githubusercontent.com/shirkdog/pulledpork/master/pulledpork.pl -O /usr/local/bin/pulledpork.pl
[root@Lepard ~]# chmod 755 /usr/local/bin/pulledpork.pl

3.10 Build the PulledPork configuration file

[root@Lepard ~]# /bin/cat << EOT >/etc/snort/pulledpork/pulledpork.conf
rule_url=https://www.snort.org/rules/|snortrules-snapshot-29180.tar.gz|OINKCODE
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=https://talosintelligence.com/documents/ip-blacklist|IPBLOCKLIST|open
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
#
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
sorule_path=/etc/snort/snort_dynamicrules/
snort_path=/sbin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-8-0
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/bin/snort_control
snort_version=2.9.14.1
disablesid=/etc/snort/pulledpork/disablesid.conf
enablesid=/etc/snort/pulledpork/enablesid.conf
version=0.8.0
EOT

3.11 Create the PulledPork disabled-rules file

[root@Lepard ~]# /bin/cat << EOT >/etc/snort/pulledpork/disablesid.conf
EOT

3.12 Run the PulledPork script

[root@Lepard ~]# /usr/local/bin/pulledpork.pl -W -P -c /etc/snort/pulledpork/pulledpork.conf

3.13 Build the Snort threshold file

[root@Lepard ~]# /bin/cat << EOT >>/etc/snort/threshold.conf
#suppress gen_id 119, sig_id 14
EOT

3.14 Build the local rules file

[root@Lepard ~]# /bin/cat << EOT >/etc/snort/rules/local.rules
# ------------
# LOCAL RULES
# ------------
#
EOT

3.15 Build the capture filter file

[root@Lepard ~]# /bin/cat << EOT >/etc/snort/filter.bpf
( net 192.168.0.0/24 or net fdaa:0:0:0::/60 )
EOT

3.16 Build the ipvar include file

[root@Lepard ~]# /bin/cat << EOT >/etc/snort/ipvar.conf
ipvar NETWORK [192.168.0.0/24,fdaa:0:0:0::/60] #
ipvar REAL_NET [192.168.1.10/32,fdaa:0:0:0::a/128] #
ipvar HOME_NET [\$REAL_NET] #
ipvar DARK_NET [!\$HOME_NET] #
ipvar EXTERNAL_NET [!\$HOME_NET] #
ipvar DNS_SERVERS \$HOME_NET
ipvar SMTP_SERVERS \$HOME_NET
ipvar HTTP_SERVERS \$HOME_NET
ipvar SQL_SERVERS \$HOME_NET
ipvar TELNET_SERVERS \$HOME_NET
ipvar SSH_SERVERS \$HOME_NET
ipvar FTP_SERVERS \$HOME_NET
ipvar SIP_SERVERS \$HOME_NET
#
ipvar DRK_IGNORE_SRC [10.1.1.1/32]
ipvar DRK_IGNORE_DST [192.168.0.1/32]
#
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
EOT

3.17 Edit the Snort configuration file

[root@Lepard ~]# /bin/sed -i "s/^ipvar/#ipvar/" /etc/snort/snort.conf
/bin/sed -i '/protecting/i include ipvar.conf' /etc/snort/snort.conf
/bin/sed -i "s/RULE_PATH ..\/rules/RULE_PATH \/etc\/snort\/rules/" /etc/snort/snort.conf
/bin/sed -i "s/SO_RULE_PATH ..\/so_rules/SO_RULE_PATH \/etc\/snort\/so_rules/" /etc/snort/snort.conf
/bin/sed -i "s/PREPROC_RULE_PATH ..\/preproc_rules/PREPROC_RULE_PATH \/etc\/snort\/preproc_rules/" /etc/snort/snort.conf
/bin/sed -i "s/WHITE_LIST_PATH ..\/rules/WHITE_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf
/bin/sed -i "s/BLACK_LIST_PATH ..\/rules/BLACK_LIST_PATH \/etc\/snort\/rules\/iplists/" /etc/snort/snort.conf
/bin/sed -i "s/white_list.rules/default.whitelist/" /etc/snort/snort.conf
/bin/sed -i "s/black_list.rules/default.blacklist/" /etc/snort/snort.conf
/bin/sed -i "s/^dynamicdetection/#dynamicdetection/" /etc/snort/snort.conf
/bin/sed -i "s/^preprocessor normalize/#preprocessor normalize/" /etc/snort/snort.conf
/bin/sed -i "s/^# preprocessor sfportscan/preprocessor sfportscan/" /etc/snort/snort.conf
/bin/sed -i "s/memcap { 10000000/memcap { 20000000/" /etc/snort/snort.conf
/bin/sed -i "s/server_ports { 22/server_ports { 22 5224/" /etc/snort/snort.conf
/bin/sed -i "s/sensitive_data: alert_threshold 25/sensitive_data: alert_threshold 50/" /etc/snort/snort.conf
/bin/sed -i '/^# syslog/a output alert_fast: \/var\/log\/snort\/alert' /etc/snort/snort.conf
/bin/sed -i '/^# pcap/a output log_tcpdump: \/var\/log\/snort\/pcap\/snort.pcap' /etc/snort/snort.conf
/bin/sed -i "s/^include \$RULE_PATH/#include \$RULE_PATH/" /etc/snort/snort.conf
/bin/sed -i '/site specific rules/a include $RULE_PATH\/snort.rules' /etc/snort/snort.conf
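`sed -i` exits 0 even when its pattern matches nothing, so a typo in an expression or a changed line in a newer snort.conf silently leaves the setting unedited. The following bash helper is an added example, not from the article: it applies one edit and then checks that the expected result is present, reporting failure otherwise. It runs against a constructed miniature snort.conf in a temporary directory rather than the real /etc/snort/snort.conf, and the edits it applies are a subset of those above; the function names are invented for this example.

```shell
#!/bin/bash
# Added example, not from the original article: apply the kind of sed edits
# used in 3.17 but verify that each one actually took effect, because
# "sed -i" returns success even when it changes nothing. Works on a
# constructed miniature snort.conf in a temp directory, not the real file.

# edit_conf FILE SED_EXPR EXPECTED_REGEX
# Apply SED_EXPR in place, then require EXPECTED_REGEX (BRE) to match a
# line of FILE. Returns 0 on success, non-zero if the result is absent.
edit_conf() {
    local file=$1 expression=$2 expect=$3
    sed -i "$expression" "$file"
    grep -q -e "$expect" "$file"
}

# Create the constructed sample conf and print its path.
make_sample_conf() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' \
        'ipvar HOME_NET any' \
        'ipvar EXTERNAL_NET any' \
        'var RULE_PATH ../rules' \
        'var WHITE_LIST_PATH ../rules' \
        '# preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }' \
        'include $RULE_PATH/local.rules' > "$dir/snort.conf"
    echo "$dir/snort.conf"
}

# Apply a subset of the 3.17 edits to FILE, stopping at the first one that
# did not produce the expected line. Returns non-zero on any failure.
apply_article_edits() {
    local f=$1
    edit_conf "$f" 's/^ipvar/#ipvar/' '^#ipvar HOME_NET' &&
    edit_conf "$f" 's/RULE_PATH ..\/rules/RULE_PATH \/etc\/snort\/rules/' '^var RULE_PATH /etc/snort/rules' &&
    edit_conf "$f" 's/WHITE_LIST_PATH ..\/rules/WHITE_LIST_PATH \/etc\/snort\/rules\/iplists/' '^var WHITE_LIST_PATH /etc/snort/rules/iplists' &&
    edit_conf "$f" 's/^# preprocessor sfportscan/preprocessor sfportscan/' '^preprocessor sfportscan' &&
    edit_conf "$f" 's/memcap { 10000000/memcap { 20000000/' 'memcap { 20000000' &&
    edit_conf "$f" 's/^include \$RULE_PATH/#include \$RULE_PATH/' '^#include \$RULE_PATH/local.rules'
}

# Stand-alone demonstration
SAMPLE=$(make_sample_conf)
if apply_article_edits "$SAMPLE"; then
    echo "all edits verified:"
    cat "$SAMPLE"
fi
# An edit whose pattern is absent is reported instead of passing silently
# (the sample has no "preprocessor normalize" line):
edit_conf "$SAMPLE" 's/^preprocessor normalize/#preprocessor normalize/' '^#preprocessor normalize' \
    || echo "edit did not apply: no 'preprocessor normalize' line in $SAMPLE"
rm -rf "$(dirname "$SAMPLE")"
```

Running the real 3.17 edits through `edit_conf` with `set -e` at the top of the script turns a silently skipped substitution into a hard stop before Snort is started with a half-edited configuration.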

3.18 Create the Snort service

[root@Lepard ~]# /bin/cat << EOT >/usr/lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/sbin/snort -i eth0 -c /etc/snort/snort.conf -F /etc/snort/filter.bpf -u snort -g snort --pid-path /var/log/snort --no-interface-pidfile --nolock-pidfile
ExecStop=/bin/kill -9 \$MAINPID
PrivateTmp=true
PIDFile=/var/log/snort/snort.pid

[Install]
WantedBy=multi-user.target
EOT
[root@Lepard ~]# systemctl enable --now snort

3.19 Create the Snort log rotation configuration file

[root@Lepard ~]# /bin/cat << EOT >/etc/logrotate.d/snort
/var/log/snort/alert
{
weekly
rotate 13
missingok
compress
sharedscripts
postrotate
/bin/systemctl restart snort 1>/dev/null || true
endscript
}
EOT

3.20 Create the Snort rule update script

[root@Lepard ~]# mkdir /script
[root@Lepard ~]# /bin/cat <<\EOT >/script/snort_update.sh
#!/bin/bash
#
# snort_update.sh
# Snort signature update script
#
# Command Variables
CONF=/etc/snort/pulledpork/pulledpork.conf
LOGDIR=/var/log/snort
PULL=/usr/local/bin/pulledpork.pl
SYSTEMCTL=/bin/systemctl
#
$PULL -W -P -c /etc/snort/pulledpork/pulledpork.conf
$SYSTEMCTL restart snort
#
# Cleanup
cd $LOGDIR
/bin/ls -t $LOGDIR | /bin/grep "alert\." | /bin/tail -n +14 | /bin/xargs -d '\n' rm -- >/dev/null 2>&1
cd $LOGDIR/pcap
/bin/ls -t $LOGDIR/pcap | /bin/grep "snort\.pcap\." | /bin/tail -n +14 | /bin/xargs -d '\n' rm -- >/dev/null 2>&1
#
exit
EOT
[root@Lepard ~]# chmod 700 /script/snort_update.sh

3.21 Run the Snort rule update script periodically

[root@Lepard ~]# crontab -l | { cat; echo "0 0 * * 1-5 /script/snort_update.sh >/dev/null 2>&1"; } | crontab -