Friday, July 5, 2013

Installing SNORT IPS/IDS in Backtrack 6

Snort: A Network-Based Intrusion Detection System (IDS)
Snort is an open source network-based intrusion detection system (NIDS). It analyses traffic in real time and can log packets on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and content matching, and can be used to detect probes or attacks including, but not limited to, operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes and stealth port scans.

There are three modes in which Snort can be configured:
1) Sniffer
2) Packet logger
3) Network intrusion detection.
In sniffer mode it reads network packets and displays them on the console. In packet logger mode it logs the packets to disk. In intrusion detection mode it monitors network traffic, analyses it against a rule set defined by the user and then takes the action the matching rule specifies (alert, log or pass).

In this article, we will learn how to configure Snort on BackTrack.

Snort is installed in BackTrack by default, so you only need to configure it for your infrastructure.
First of all, start the Snort service to check that there is no problem with the installation.
Step1
To do this, click on the Applications menu => BackTrack => Services => Snort service.

Step2
Now edit the configuration file snort.conf in /etc/snort with vim or any other text editor and change
var HOME_NET any to var HOME_NET <IP or network of the target you are protecting>
var EXTERNAL_NET any to var EXTERNAL_NET <attacker IP address>
HOME_NET is the network Snort protects and EXTERNAL_NET is where attacks are expected from. Pinning EXTERNAL_NET to one attacker address is fine for this lab test; on a real sensor set it to !$HOME_NET (everything that is not HOME_NET) so attacks from unknown sources are still seen, and never leave HOME_NET as any, because the rules then match in both directions. Newer Snort 2.9 configurations spell these lines ipvar rather than var; edit whichever form your snort.conf uses. Save the file and restart the Snort service with /etc/init.d/snort restart on a terminal.


Step3
Now open a terminal and type the command below

snort -q -A console -i eth0 -c /etc/snort/snort.conf
Where -
       -q is for quiet: do not print the banner and the start-up/exit statistics
       -A sets the alert mode, here console, so alerts are printed to the terminal (on a production sensor fast or full is the usual choice, which writes them under /var/log/snort)
       -i specifies the interface to sniff on, and
       -c tells Snort where the configuration file is



Step4
Now, to test that Snort is alerting, run a DoS attack against the HOME_NET host from the EXTERNAL_NET machine using LOIC (only against a host you own, inside your lab network).

Alerts should start scrolling on the Snort console.

Note: You can download LOIC from the link below
http://sourceforge.net/projects/loic/files/latest/download

Now run an Nmap scan against the target; the sfportscan preprocessor, which is enabled in the default snort.conf, should raise alerts again.
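The Step 2 and Step 4 edits as a script, added here as an example and not code from the original article or the Snort project. It assumes a Snort 2.x snort.conf whose HOME_NET/EXTERNAL_NET lines are written with var or ipvar, a RULE_PATH that already includes local.rules, and the constructed lab addresses 192.168.56.10 (monitored host) and 192.168.56.200 (attacker); the two local rules are the author's own and detect the SYN burst of an nmap -sS sweep or LOIC TCP flood and the request burst of a LOIC HTTP flood.

```python
"""Added example (not from the original article or the Snort project):
apply the Step 2 edits to snort.conf programmatically and write the local
rules used to confirm Snort is alerting in Step 4.

Assumptions: a Snort 2.x snort.conf with "var HOME_NET any" and
"var EXTERNAL_NET any" lines (2.9 configs spell them "ipvar"; both forms
are handled), and a RULE_PATH that already includes local.rules.
"""
import ipaddress
import re

VAR_LINE = re.compile(r"^(?P<kw>ipvar|var) (?P<name>HOME_NET|EXTERNAL_NET) .*$", re.M)

# Constructed excerpt of a default snort.conf, used for the demonstration.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
"""

# Lab rules for the Step 4 test. sid >= 1000000 is reserved for local rules;
# detection_filter makes a rule fire only once a source exceeds the rate.
LOCAL_RULES = r"""
# SYN-only segments from one source at a rate no interactive client produces:
# an nmap -sS sweep or a LOIC TCP flood trips this within a few seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LAB TCP SYN burst from one source"; \
    flags:S; detection_filter:track by_src, count 50, seconds 5; \
    classtype:attempted-recon; sid:1000001; rev:1;)
# Burst of HTTP GETs from one source against the target, the shape of a LOIC HTTP flood.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LAB HTTP request flood"; \
    flow:to_server,established; content:"GET "; depth:4; \
    detection_filter:track by_src, count 100, seconds 10; \
    classtype:attempted-dos; sid:1000002; rev:1;)
"""


def validate_net_list(value):
    """Accept Snort's IP-list syntax: 'any', a $VARIABLE reference, or a
    comma-separated list of addresses/CIDRs in optional [brackets], each
    optionally negated with '!'. Raise ValueError for anything else so a typo
    is caught here rather than by Snort at start-up."""
    if value == "any":
        return value
    for item in value.strip("[]").split(","):
        item = item.strip().lstrip("!")
        if item.startswith("$"):
            continue                                # e.g. !$HOME_NET
        ipaddress.ip_network(item, strict=False)    # raises ValueError if malformed
    return value


def set_networks(conf_text, home_net, external_net="!$HOME_NET"):
    """Return snort.conf text with HOME_NET and EXTERNAL_NET rewritten.

    HOME_NET may not stay 'any': a rule written as
    $EXTERNAL_NET any -> $HOME_NET any then matches traffic in both
    directions and the attacker/target separation of the lab is lost.
    The default for EXTERNAL_NET is the production choice (!$HOME_NET);
    pass the attacker address explicitly to reproduce the article's lab setup.
    """
    if home_net == "any":
        raise ValueError("HOME_NET must be the protected network, not 'any'")
    values = {"HOME_NET": validate_net_list(home_net),
              "EXTERNAL_NET": validate_net_list(external_net)}
    seen = set()

    def replace(m):
        seen.add(m["name"])
        return f"{m['kw']} {m['name']} {values[m['name']]}"

    new_text = VAR_LINE.sub(replace, conf_text)
    missing = sorted(set(values) - seen)
    if missing:
        raise ValueError(f"no definition of {missing} found in snort.conf")
    return new_text


def write_config(conf_path, rules_path, home_net, external_net="!$HOME_NET"):
    """Rewrite snort.conf in place and (re)create local.rules."""
    with open(conf_path) as f:
        updated = set_networks(f.read(), home_net, external_net)
    with open(conf_path, "w") as f:
        f.write(updated)
    with open(rules_path, "w") as f:
        f.write(LOCAL_RULES.lstrip())


if __name__ == "__main__":
    # Lab setup from the article: 192.168.56.10 is the monitored host,
    # 192.168.56.200 the attacking machine (both constructed addresses).
    print(set_networks(SAMPLE_CONF, "192.168.56.10", "192.168.56.200"))
```

After write_config has run against /etc/snort/snort.conf and /etc/snort/rules/local.rules, run snort -T -c /etc/snort/snort.conf first: -T parses the configuration and every rule without sniffing, so a syntax error in the new rules shows up before the Step 3 command is started.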
 source: http://security.koenig-solutions.com

For more information on configuring Intrusion Prevention System (IPS) using SNORT, please visit link below:
http://www.aboutdebian.com/snort.htm

Intrusion Prevention System (IPS) in Linux!

Fail2ban Intrusion Prevention System(IPS) in Linux

Fail2ban is a free, open source intrusion prevention framework written in Python. It monitors log files such as /var/log/pwdfail, /var/log/auth.log and /var/log/secure and bans an IP address after too many failed password attempts by adding iptables firewall rules that reject that address for a specified amount of time.
 
This article shows how to install and configure Fail2ban on RHEL 6.3/6.2/6.1/6.0/5.8, CentOS 6.3/6.2/6.1/6.0/5.8 and Fedora 17, 16, 15, 14, 13 and 12. Fail2ban runs as a daemon that parses log files for intrusion attempts and inserts rules into the running iptables rule set to block access from the offending IP addresses (the rules live in the kernel, not in the iptables configuration file, and are removed again when the ban expires).
 
Before installing and configuring Fail2Ban, keep in mind that most attackers try to gain root access over SSH. Fail2ban only slows a brute-force attempt down, so also disable SSH root logins and use SSH key pairs for authentication.

Installing Fail2Ban in RHEL, CentOS and Fedora

Fail2Ban is not in the stock RHEL/CentOS repositories, so you need to add and enable a third-party repository (EPEL or RPMForge) first. Once the repository is added, install it with the following YUM command.
# yum install fail2ban

Configuring Default section for Fail2Ban

The master Fail2Ban configuration file is /etc/fail2ban/jail.conf. Open it with vi or any editor you are comfortable with.
# vi /etc/fail2ban/jail.conf
jail.conf is overwritten when the package is upgraded, and Fail2ban also reads /etc/fail2ban/jail.local after it, so the safer habit is to copy only the sections you change into jail.local and keep jail.conf as the reference. The default section holds the basic settings every jail inherits; each jail can override them, so customise them as needed for your server.
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3
Each option in the default section and what it is used for:
  1. ignoreip : a whitelist of addresses that are never banned, separated by spaces (an address, a CIDR range or a DNS name). Make sure the address you administer the server from is in it, so a typo in your own password cannot lock you out.
  2. bantime : the number of seconds a host stays banned. The default is 600 (10 minutes); you may raise it to an hour or more.
  3. findtime : the window, in seconds, over which failures are counted. A host is banned when it reaches maxretry failures within any findtime seconds; failures spaced further apart than that never add up, so a slow, patient brute force needs a longer findtime or a lower maxretry to be caught.
  4. maxretry : the number of failed login attempts within findtime before a host is blocked for bantime seconds.

Configuring ssh-iptables section for Fail2Ban

The following is the default ssh-iptables section; it is enabled by default, so you do not need to change anything in it.
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5
The details of each setting are described below.
  1. enabled : SSH protection is on. Turn it off by changing "true" to "false".
  2. filter : sshd refers to /etc/fail2ban/filter.d/sshd.conf, the file holding the regular expressions Fail2ban uses to recognise a failed login in the log.
  3. action : what to do when the filter matches. iptables[...] inserts a DROP rule for the offending address through /etc/fail2ban/action.d/iptables.conf (name= becomes the chain name, fail2ban-SSH, and port= and protocol= limit the ban to SSH traffic); sendmail-whois[...] mails a report with a whois lookup to dest through /etc/fail2ban/action.d/sendmail-whois.conf. Keep the mail action only if the server can actually send mail.
  4. logpath : the log file Fail2ban follows for matches.
  5. maxretry : the same meaning as in the default section above; the value here (5) overrides the default (3) for this jail only.
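To see exactly what these options do, the following replays constructed /var/log/secure lines through the same decision Fail2ban makes for the ssh-iptables jail. It is an added example, not the article's or the Fail2ban project's code: it assumes syslog timestamps without a year (2012 is supplied), the "Failed password" line format shown in this article, and ignoreip entries that are addresses or CIDRs rather than DNS names. The sample log (constructed) mixes a fast burst, a slow spread-out attempt, and failures from the whitelisted loopback address; the per-host tally also gives the per-source summary that grep | sort | uniq -c over the raw lines cannot.

```python
"""Added example (not from the original article or the Fail2ban project):
a small re-implementation of the decision that the sshd filter and the
ignoreip / findtime / maxretry / bantime options make, replayed over
constructed /var/log/secure lines, so the effect of each option and of the
jail-level maxretry override can be checked by hand.

Assumptions: syslog timestamps without a year (the caller supplies it,
2012 by default) and the "Failed password" line format quoted in the
article. ignoreip entries are addresses or CIDRs; DNS names are not resolved.
"""
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Same shape as the password-failure failregex in filter.d/sshd.conf;
# Fail2ban's <HOST> tag is the named group "host" here.
FAILED_PASSWORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)

# Constructed sample in the order sshd wrote it (the article's listing is
# sorted alphabetically, which puts November before October).
SAMPLE_SECURE_LOG = """\
Oct 18 14:11:58 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Oct 18 14:12:03 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Oct 18 14:12:11 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Oct 18 14:12:16 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Oct 18 14:12:22 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
Nov 19 16:53:37 tecmint sshd[28185]: Failed password for root from 172.16.25.125 port 1302 ssh2
Nov 19 17:10:02 tecmint sshd[28201]: Failed password for root from 172.16.25.125 port 1310 ssh2
Nov 19 17:30:45 tecmint sshd[28230]: Failed password for root from 172.16.25.125 port 1322 ssh2
Nov 23 13:57:43 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
Nov 23 13:57:46 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
Nov 23 13:57:50 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
Nov 23 13:58:01 tecmint sshd[19101]: Failed password for admin from 127.0.0.1 port 40123 ssh2
Nov 23 13:58:05 tecmint sshd[19101]: Failed password for admin from 127.0.0.1 port 40123 ssh2
Nov 23 13:58:09 tecmint sshd[19101]: Failed password for admin from 127.0.0.1 port 40123 ssh2
Nov 23 13:58:30 tecmint sshd[19120]: Accepted publickey for deploy from 172.16.25.9 port 51000 ssh2
"""


def parse_failures(lines, year):
    """Yield (timestamp, host) for every line matching the failregex."""
    for line in lines:
        m = FAILED_PASSWORD.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["host"]


def failures_by_host(lines, year=2012):
    """Per-source tally of failed logins (the summary 'uniq -c' on raw lines
    cannot give, because every line carries its own timestamp)."""
    return Counter(host for _, host in parse_failures(lines, year))


def is_ignored(host, ignoreip):
    """True when host is covered by an ignoreip entry (address or CIDR)."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ignoreip.split())


def ban_decisions(lines, year=2012, findtime=600, maxretry=3, bantime=600,
                  ignoreip="127.0.0.1"):
    """Return {host: [ban timestamps]} by replaying the log in order.

    A host is banned when maxretry failures fall within any window of
    findtime seconds. While banned, its further lines are skipped: iptables
    would drop the packets before sshd could log another failure.
    """
    recent = defaultdict(deque)      # host -> failure times inside the window
    banned_until = {}
    bans = defaultdict(list)
    for ts, host in parse_failures(lines, year):
        if is_ignored(host, ignoreip):
            continue
        if host in banned_until and ts < banned_until[host]:
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:   # slide the window
            window.popleft()
        if len(window) >= maxretry:
            bans[host].append(ts)
            banned_until[host] = ts + timedelta(seconds=bantime)
            window.clear()
    return dict(bans)


if __name__ == "__main__":
    lines = SAMPLE_SECURE_LOG.splitlines()
    print("failures per host:", dict(failures_by_host(lines)))
    print("[DEFAULT] maxretry=3 :", ban_decisions(lines))
    print("ssh-iptables maxretry=5:", ban_decisions(lines, maxretry=5))
```

With the default section's values, 172.16.18.249 and 115.113.134.40 are banned on their third failure, 127.0.0.1 is never banned because of ignoreip, and 172.16.25.125 is never banned because its three failures are more than findtime apart; with the ssh-iptables override of maxretry=5 only 172.16.18.249 is banned, on its fifth failure. Lengthening findtime to an hour is what makes the slow attempt from 172.16.25.125 bannable.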

Restarting Fail2Ban Service

Once you have made changes to the Fail2Ban configuration, always restart the Fail2Ban service. The chkconfig command below also makes it start at boot in runlevels 2 and 3.
# chkconfig --level 23 fail2ban on
# service fail2ban start
Starting fail2ban:                                         [  OK  ]

Verifying Fail2Ban iptables rules

Check the rules that fail2ban has added to the iptables INPUT chain:
# iptables -L
I have made some failed login attempts from one of our servers to the server where fail2ban is installed, and it works. You can see the banned IP address of my server.
Message from syslogd@tecmint at Nov 23 13:57:53 ...
fail2ban.actions: WARNING [ssh-iptables] Ban 15.13.14.40
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp multiport dports 5901:5903,6001:6003
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP all -- 15.113.134.40 anywhere
RETURN     all  --  anywhere             anywhere

Watch Failed SSH login attempts

To see the recent failed SSH login attempts, run the following command; it lists every failed attempt with the host it came from. (Each line carries its own timestamp, so uniq -c reports a count of 1 for all of them; to count attempts per source address the address has to be cut out of the line first.)
# grep 'Failed password' /var/log/secure | sort | uniq -c
1 Nov 19 16:53:37 tecmint sshd[28185]: Failed password for root from 172.16.25.125 port 1302 ssh2
1 Nov 23 13:57:43 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
1 Nov 23 13:57:46 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
1 Nov 23 13:57:50 tecmint sshd[19079]: Failed password for root from 115.113.134.40 port 57599 ssh2
1 Oct 18 14:11:58 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:03 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:11 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:16 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:22 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:28 tecmint sshd[8711]: Failed password for root from 172.16.18.249 port 4763 ssh2
1 Oct 18 14:12:47 tecmint sshd[10719]: Failed password for root from 172.16.18.249 port 4774 ssh2

Remove IP Address from Fail2Ban

To remove a banned IP address from the fail2ban iptables rules, delete its rule from the chain fail2ban created. The chain is named after the name= given in the action, so for the jail above it is fail2ban-SSH (iptables chain names are case-sensitive; fail2ban-ssh does not exist). List the chain with line numbers first (iptables -L fail2ban-SSH --line-numbers) and then delete the rule by its number, here rule 1:
# iptables -D fail2ban-SSH 1
Deleting the rule by hand does not tell the fail2ban daemon anything, so it still believes the host is banned until bantime expires; on Fail2ban 0.8.8 and later, fail2ban-client set ssh-iptables unbanip <ip> removes both the rule and the daemon's record.
For any additional information, please visit the official Fail2ban page. If you have any questions or comments about this article, please tell us via the comments.
 

Simple Bandwidth Monitoring tool for Linux!

IFTOP - Bandwidth Monitoring Tool -CentOS, RHEL, Fedora

iftop shows a real-time, continuously updated list of network connections ranked by bandwidth, with usage averaged over the last 2, 10 and 40 seconds. In this post we will see how to install iftop and how to use it, with examples.
Install iftop in Linux
Install iftop in RHEL / CentOS / Fedora

IFTOP Pre-requisite

  1. libpcap : the user-level packet capture library iftop uses to read traffic from the interface.
  2. libncurses : a library for building text-based interfaces in a terminal; iftop uses it to draw its display.

Install libpcap and libncurses

Install the libpcap and ncurses libraries together with their development headers using YUM as shown below, so that the iftop build does not fail.
# yum -y install libpcap libpcap-devel ncurses ncurses-devel

Download and Install IFTOP

Download the iftop source from its website with wget as shown below. A plain-HTTP download carries no integrity check, so compare the archive against a checksum obtained from a trusted source before building it, or, where your distribution packages iftop (EPEL does), prefer the package so that updates arrive through yum.
# wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz
Run the following commands to build and install iftop.
# tar -zxvf iftop-0.17.tar.gz
# cd iftop-0.17
# ./configure
# make
# make install

Basic usage of Iftop

Once the installation is done, go to your console and type the iftop command.
# iftop
Without arguments iftop shows the bandwidth of the default interface, as in the sample output below.
[Screenshot: output of the iftop command]

Monitoring Specific Interface

You can monitor a specific interface with the -i option.
# iftop -i eth0
[Screenshot: output of iftop -i eth0]

Iftop Options and Usage

While iftop is running, keys such as S and D toggle the display of source and destination ports; see man iftop for the full list of options and keys. Press q to quit.
In this article we have seen how to install and use iftop. To learn more about it, visit the iftop website.

Source: http://www.tecmint.com