CentOS 6 Setup Guide

NIDS

In computer security, a Network Intrusion Detection System (NIDS) is an intrusion detection system that attempts to discover unauthorized access to a computer network by analyzing traffic on the network for signs of malicious activity. Source: http://en.wikipedia.org/wiki/Network_intrusion_detection_system

As the Wikipedia article points out, NIDS software is a good way to identify attackers before they manage to break into our system. It does so by analysing the firewall messages logged by Shorewall (in our case) and detecting uncommon behaviour. As soon as a break-in attempt is detected, the attacker is blocked completely, which prevents them from entering the system.

Installing psad

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. Source: http://cipherdyne.org/psad/

First we need to install some dependencies:

yum -y install gcc iptables-ipv6 perl-IPTables-ChainMgr

We can continue with the download of the latest sources from http://cipherdyne.org/psad/download/:

cd /usr/local/src
wget http://cipherdyne.org/psad/download/psad-2.2.3.tar.gz
tar -xzvf psad-2.2.3.tar.gz

Then run the install.pl script inside the unpacked archive. Answer the questions as follows:

[+] Would you like alerts sent to a different address ([y]/n)? n // we use forwarding so it's OK
Would you like psad to only parse specific strings in iptables
messages (y/[n])? n
First, is it ok to leave the HOME_NET setting as "any" ([y]/n)? y
[+] Enable psad at boot time ([y]/n)? y

Now change the configuration file:

nano /etc/psad/psad.conf

ALERTING_METHODS            noemail; # logwatch will include a summary
HOSTNAME                    {{hostname}};
PORT_RANGE_SCAN_THRESHOLD   5;
MAX_SCAN_IP_PAIRS           50000;
FW_SEARCH_ALL               N;
FW_MSG_SEARCH               Shorewall:net2all:DROP:;
FW_MSG_SEARCH               Shorewall:net2dmz:DROP:;
FW_MSG_SEARCH               Shorewall:net2fw:DROP:;
FW_MSG_SEARCH               Shorewall:net2lan:DROP:;
FW_MSG_SEARCH               Shorewall:net2loc:DROP:;

IGNORE_PORTS                tcp/22;  # sshd

ENABLE_SCAN_ARCHIVE         Y;

MIN_DANGER_LEVEL            2;
EMAIL_ALERT_DANGER_LEVEL    3;

ENABLE_AUTO_IDS             Y;       # block the bad guys with iptables
AUTO_IDS_DANGER_LEVEL       3;

AUTO_BLOCK_DL1_TIMEOUT      300;     # default is 1h
AUTO_BLOCK_DL2_TIMEOUT      900;

Finally, whitelist the IPs you never want to block:

nano /etc/psad/auto_dl

127.0.0.1                 0; # localhost
::1                       0;
213.133.98.98             0; # ISP DNS server
213.133.99.99             0;
213.133.100.100           0;
2a01:4f8:0:a111::add:9898 0; # IPv6
2a01:4f8:0:a102::add:9999 0;
2a01:4f8:0:a0a1::add:1010 0;

Make sure to include the IPs of your DNS servers. In most cases, blindly copying the values above is not what you want.
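How psad applies the settings above to Shorewall log lines, as an added model in Python (not psad's own code, which is Perl): only lines whose prefix is listed in FW_MSG_SEARCH count, IGNORE_PORTS hits are discarded, a source is flagged once it has touched PORT_RANGE_SCAN_THRESHOLD distinct destination ports, and an auto_dl entry with danger level 0 is never flagged. The log lines and addresses are constructed samples; only TCP/UDP lines carrying a DPT= field are modelled, and psad's own danger-level scoring is left out.

```python
import re
from collections import defaultdict

# Settings from psad.conf / auto_dl above (auto_dl level 0 = never block)
FW_MSG_SEARCH = {"Shorewall:%s:DROP:" % zone
                 for zone in ("net2all", "net2dmz", "net2fw", "net2lan", "net2loc")}
IGNORE_PORTS = {("tcp", 22)}
PORT_RANGE_SCAN_THRESHOLD = 5
AUTO_DL = {"127.0.0.1": 0, "213.133.98.98": 0}

PREFIX_RE = re.compile(r"Shorewall:\w+:\w+:")        # Shorewall's log prefix
FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")   # iptables log fields we need

def parse_line(line):
    """Return (src, proto, dport) for a line psad would count, else None."""
    m = PREFIX_RE.search(line)
    if not m or m.group(0) not in FW_MSG_SEARCH:
        return None                       # other chain, or not a DROP
    f = dict(FIELD_RE.findall(line))
    if any(k not in f for k in ("SRC", "PROTO", "DPT")):
        return None                       # e.g. ICMP: no port to count
    proto, dport = f["PROTO"].lower(), int(f["DPT"])
    if (proto, dport) in IGNORE_PORTS:
        return None
    return f["SRC"], proto, dport

def scanners(lines):
    """Sources over the port threshold that auto_dl does not whitelist."""
    ports = defaultdict(set)
    for line in lines:
        hit = parse_line(line)
        if hit:
            ports[hit[0]].add(hit[2])
    return {src for src, seen in ports.items()
            if len(seen) >= PORT_RANGE_SCAN_THRESHOLD and AUTO_DL.get(src, 1) > 0}

def log_line(prefix, src, proto, dport):
    """Constructed sample in the shape Shorewall writes to /var/log/messages."""
    return ("Mar  1 12:00:00 host kernel: %sIN=eth0 OUT= SRC=%s DST=198.51.100.1 "
            "PROTO=%s SPT=40000 DPT=%d" % (prefix, src, proto, dport))

SAMPLE_LOG = (  # constructed: a scanner, sshd noise, a whitelisted host, an outbound chain
    [log_line("Shorewall:net2fw:DROP:", "203.0.113.5", "TCP", p) for p in (21, 23, 25)]
    + [log_line("Shorewall:net2all:DROP:", "203.0.113.5", "TCP", p) for p in (80, 443)]
    + [log_line("Shorewall:net2fw:DROP:", "198.51.100.7", "TCP", 22)] * 5
    + [log_line("Shorewall:net2fw:DROP:", "198.51.100.7", "TCP", 80)]
    + [log_line("Shorewall:net2fw:DROP:", "213.133.98.98", "UDP", p) for p in range(1, 6)]
    + [log_line("Shorewall:fw2net:DROP:", "192.0.2.9", "TCP", p) for p in range(1, 6)]
)
```

Running `scanners(SAMPLE_LOG)` flags only 203.0.113.5: the port 22 hits are ignored, the DNS server is whitelisted, and the fw2net prefix is not one psad is told to search.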

Installing fwsnort

fwsnort translates Snort rules into iptables rules and works very well together with psad. Please read its documentation before installing anyway, as a wrong setup can cause serious problems.

The download and install process is rather simple:

cd /usr/local/src
wget http://cipherdyne.org/fwsnort/download/fwsnort-1.6.4.tar.gz
tar -xzvf fwsnort-1.6.4.tar.gz

yum -y install perl-ExtUtils-MakeMaker   # dependency

cd fwsnort-1.6.4
./install.pl
cd ..
rm -rf fwsnort-1.6.4*

Next we whitelist the IP addresses of services we always want to allow, since they may otherwise get blocked by accident.

nano /etc/fwsnort/fwsnort.conf

WHITELIST   127.0.0.1, ::1, 213.133.98.98, 213.133.99.99, 213.133.100.100, 2a01:4f8:0:a111::add:9898, 2a01:4f8:0:a111::add:9999, 2a01:4f8:0:a111::add:1010;   # Hetzner DNS

Since fwsnort does not ship or run as a daemon, we create a cron script that refreshes its rules once a day:

nano /etc/cron.daily/fwsnort

#!/bin/sh
# Daily fwsnort run: fetch the current rule set, rebuild the iptables
# rules from it, purge the old fwsnort chains and apply the new ones.
# Only stdout is discarded, so errors still reach cron's mail.

FWSNORT="/usr/sbin/fwsnort"

${FWSNORT} --update-rules > /dev/null
${FWSNORT} --no-ipt-test > /dev/null
${FWSNORT} --ipt-flush > /dev/null
${FWSNORT} --ipt-apply > /dev/null

and another one for 3rd-party Snort rules (note that run-parts executes the cron.daily scripts in name order, so "fwsnort" runs before "fwsnort-rules" and rules fetched today are only applied by the next day's run):

nano /etc/cron.daily/fwsnort-rules

#!/bin/sh
# Downloads 3rd-party Snort rules to be used with fwsnort

cd /tmp || exit 1

# download (-q: wget prints progress on stderr, so redirecting
# stdout alone would not silence it)
wget -q https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz
wget -q http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz

# unpack
tar -xzf community-rules.tar.gz
tar -xzf bleeding.rules.tar.gz

# move into the directory fwsnort reads its Snort rules from
mv -f community-rules/* /etc/fwsnort/snort_rules
mv -f rules/* /etc/fwsnort/snort_rules

# cleanup
rm -f community-rules.tar.gz bleeding.rules.tar.gz
rm -rf community-rules rules

Since these scripts only run once a day and fwsnort has no init script, we also need to run them at startup:

crontab -e

@reboot /etc/cron.daily/fwsnort > /dev/null