
This is the first of a series of how-tos I decided to write up on my blog:

How to build an IDS (Intrusion Detection System) on Mandriva 2008.1, Part One

First we need two packages, iptables and psad, to build the first part of our IDS; by the end of the series it will let us respond to attackers automatically.
1- As root we run:
[root@hestia ~]# urpmi iptables
[root@hestia ~]# urpmi psad
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "main")
perl-Bit-Vector 6.4 5mdv2008.1 x86_64
perl-Carp-Clan 6.00 1mdv2008.1 noarch
perl-Date-Calc 5.5.1 8mdv2008.1 x86_64
perl-IPTables-ChainMgr 2.1.1 1mdv2008.1 x86_64
perl-IPTables-Parse 2.1.1 1mdv2008.1 x86_64
perl-Net-IPv4Addr 0.10 10mdv2008.1 noarch
perl-Unix-Syslog 1.0 2mdv2008.1 x86_64
psad 2.1.1 1mdv2008.1 x86_64
3.5MB of additional disk space will be used.
847KB of packages will be retrieved.
Proceed with the installation of the 8 packages? (Y/n) Y
----------------------
----------------------
.. Adding psadfifo line to /etc/syslog.conf
.. Restarting syslogd
.. You can edit the EMAIL_ADDRESSES variable in
/etc/psad/psad.conf to have email alerts sent to
an address other than root@localhost

Configuring iptables:

[root@hestia ~]# vi /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [20:1972]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188445620:158565732972]
:BLOCK - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m pkttype --pkt-type multicast -j DROP

-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth1 -p icmp -j DROP
-A INPUT -i lo -j ACCEPT
### state tracking rules
-A INPUT -j LOG --log-ip-options --log-level 4 -m limit --limit 1/m
-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
### anti-spoofing rules
-A INPUT -i eth0 -s ! 192.168.90.0/24 -j LOG --log-prefix "SPOOFED PKT "
### default INPUT LOG rule
-A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
-A INPUT -j BLOCK
# NO MSN
-A FORWARD -p tcp --dport 1863 -j DROP
-A FORWARD -j BLOCK
-A BLOCK -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BLOCK -i eth0 -s 192.168.90.0/24 -m state --state NEW -j ACCEPT
-A BLOCK -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [950732:67110098]
:POSTROUTING ACCEPT [358007:23159608]
:OUTPUT ACCEPT [416350:28627231]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

In this ruleset iptables does not drop anything silently: the LOG rules write every dropped, invalid or spoofed packet to syslog, and psad reads those log lines to see what is happening at the firewall. Three things to watch in this configuration. First, the final "DROP " log rule in INPUT runs before the RELATED,ESTABLISHED accept in the BLOCK chain, so every packet of an established connection is also logged under a misleading prefix and handed to psad; moving the established-connection accept ahead of the log rules keeps the log volume down and the alerts meaningful. Second, the anti-spoofing rule only logs, it does not drop; dropping is left to the BLOCK chain. Third, the SSH accept rule has no interface match, so port 22 is reachable from eth1 (the outside) as well as from the LAN. Also note that the negation syntax used in the source-address rules is the old one; newer iptables releases want the exclamation mark before the option rather than after it.
Now we configure psad, our IDS.
DOWNLOAD the psad.conf FILE HERE

Now we edit:
vi /etc/psad/auto_dl
and add:
192.168.90.0/24 0;
A danger level of 0 tells psad to ignore that source, so scans from the LAN never raise an alert. If we want to detect scans coming from inside our own network, we leave this line out.
————————————————
Now we load the rules and start psad:
[root@hestia psad]# iptables -F
[root@hestia psad]# service iptables start
[root@hestia psad]# /etc/init.d/psad stop
Shutting down the psad psadwatchd daemon: [FAILED]
Shutting down the psad daemon: [FAILED]
(The stop fails simply because psad was not running yet.)

/etc/init.d/psad start
Starting psad: [ OK ]

/etc/init.d/psad restart
Shutting down the psad psadwatchd daemon: [ OK ]
Shutting down the psad daemon: [ OK ]
Shutting down the psad kmsgsd daemon: [ OK ]
Starting psad: [ OK ]

**** If you look at the psad.conf file you will see that some danger-level thresholds have been raised well above their defaults (the defaults are kept in the comments); this is to stop receiving so many e-mail messages. psad escalates a source through the levels as its packet count grows, so the thresholds should increase from DANGER_LEVEL1 to DANGER_LEVEL5; with the values below, DANGER_LEVEL1 (800) sits above DANGER_LEVEL2 (500), so a source could reach level 2 without ever passing level 1. Pick a level-1 value below the level-2 one.
DANGER_LEVEL1 800; #5; ### Number of packets.
DANGER_LEVEL2 500; #15;
DANGER_LEVEL3 1500; #150;
DANGER_LEVEL4 4000; #1500;
DANGER_LEVEL5 10000;
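The LOG rules above feed syslog, and psad's DANGER_LEVEL thresholds plus the auto_dl entry decide which sources become alerts. The following Python script is an added illustration, not psad's own code: it parses constructed netfilter LOG lines in the format the kernel writes (prefix, IN=, SRC=, DST=, PROTO=, DPT= and TCP flags), applies an auto_dl ignore entry like the one above, scores each source against both the stock thresholds and the tuned ones, and checks that the thresholds increase. Hostnames, addresses and log lines are constructed; the per-source counting is a simplification of psad and models neither scan-interval timeouts nor signature matches such as the DoomJuice one shown further down.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Packets from one source needed to reach each level: psad's stock values
# (the ones commented out in the page's psad.conf) and the page's tuned ones.
DEFAULT_DANGER_LEVELS = {1: 5, 2: 15, 3: 150, 4: 1500, 5: 10000}
PAGE_DANGER_LEVELS = {1: 800, 2: 500, 3: 1500, 4: 4000, 5: 10000}

# Same format as /etc/psad/auto_dl: "<ip|cidr> <level>;" and level 0 means ignore.
AUTO_DL_TEXT = "192.168.90.0/24 0;\n"

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# A netfilter LOG line as syslog records it: the --log-prefix text sits between
# "kernel:" and "IN=", and DPT= is only present for TCP and UDP.
LOG_RE = re.compile(
    r"kernel:\s*(?P<prefix>.*?)\s*IN=(?P<iface>\S*)\s.*?"
    r"SRC=(?P<src>\S+)\sDST=(?P<dst>\S+)\s.*?PROTO=(?P<proto>\S+)"
    r"(?:.*?\sDPT=(?P<dpt>\d+))?"
)

def parse_auto_dl(text):
    """auto_dl text -> list of (network, level); '#' comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if line:
            addr, level = line.split()
            entries.append((ip_network(addr, strict=False), int(level)))
    return entries

def auto_dl_level(src, entries):
    """Level forced by auto_dl for this source (0 = ignore), or None if unlisted."""
    addr = ip_address(src)
    return next((level for net, level in entries if addr in net), None)

def parse_log_line(line):
    """Fields psad cares about from one syslog line; None for non-netfilter lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    dpt = m.group("dpt")
    return {"prefix": m.group("prefix").strip(), "iface": m.group("iface"),
            "src": m.group("src"), "dst": m.group("dst"), "proto": m.group("proto"),
            "dpt": int(dpt) if dpt else None,
            "flags": sorted(set(line.split()) & TCP_FLAGS)}

def thresholds_are_monotonic(levels):
    """DANGER_LEVEL1..5 must increase, or a count can reach DL2 without ever reaching DL1."""
    counts = [levels[i] for i in sorted(levels)]
    return all(a < b for a, b in zip(counts, counts[1:]))

def danger_level(packets, thresholds=DEFAULT_DANGER_LEVELS):
    """Highest level whose packet threshold has been reached; 0 if still below DL1."""
    return max((lvl for lvl, need in thresholds.items() if packets >= need), default=0)

def score_sources(lines, thresholds=DEFAULT_DANGER_LEVELS, auto_dl=()):
    """Aggregate LOG lines per source address and assign each a danger level."""
    seen = defaultdict(lambda: {"packets": 0, "ports": set(), "prefixes": set()})
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue  # sshd, cron, ... lines are not firewall events
        entry = seen[pkt["src"]]
        entry["packets"] += 1
        entry["prefixes"].add(pkt["prefix"])
        if pkt["dpt"] is not None:
            entry["ports"].add(pkt["dpt"])
    report = {}
    for src, entry in seen.items():
        forced = auto_dl_level(src, auto_dl)
        ignored = forced == 0
        level = 0 if ignored else max(danger_level(entry["packets"], thresholds), forced or 0)
        report[src] = {"packets": entry["packets"], "ports": sorted(entry["ports"]),
                       "prefixes": sorted(entry["prefixes"]), "level": level, "ignored": ignored}
    return report

def syn_line(src, dst, port, iface="eth1", prefix="DROP "):
    """One constructed TCP SYN log line in the kernel's LOG format (hostnames/addresses assumed)."""
    return (f"Jul 13 16:13:34 hestia kernel: {prefix}IN={iface} OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST={dst} "
            f"LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 DF PROTO=TCP SPT=3456 DPT={port} "
            f"WINDOW=65535 RES=0x00 SYN URGP=0")

# Constructed sample: an outside host probing six ports via eth1, a LAN host (covered by
# auto_dl) hitting twenty ports, one spoofed-looking packet on eth0, and an sshd line.
SAMPLE_SYSLOG = (
    [syn_line("204.144.130.244", "201.116.1.2", p) for p in (21, 22, 23, 25, 80, 3128)]
    + [syn_line("192.168.90.10", "192.168.90.1", p, iface="eth0") for p in range(1000, 1020)]
    + [syn_line("10.0.0.5", "192.168.90.1", 445, iface="eth0", prefix="SPOOFED PKT ")]
    + ["Jul 13 16:13:36 hestia sshd[1234]: Accepted publickey for root from 192.168.90.10"]
)

if __name__ == "__main__":
    for src, info in score_sources(SAMPLE_SYSLOG, auto_dl=parse_auto_dl(AUTO_DL_TEXT)).items():
        print(src, info)
```

Running it prints one line per source: the outside host reaches level 1 with the stock thresholds but stays at 0 with the tuned ones, the LAN host is marked ignored because of auto_dl, and the single spoofed packet carries its "SPOOFED PKT" prefix through. The monotonic check is what you would run on any edited psad.conf before restarting psad.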

This is an alert e-mail showing a host probing our firewall (a single SYN to port 3128 that matches one of psad's signatures):
[psad-alert] DL2 src: 204-144-130-244.rockynet.com dst: static.customer-201-116-xxx-xxx
Danger level: [2] (out of 5)

Scanned tcp ports: [3128: 1 packets]
tcp flags: [SYN: 1 packets, Nmap: -sT or -sS]
Netfilter chain: INPUT, 1 packets

Source: 204.144.130.244
DNS: sta-204-144-130-244.rockynet.com

Current interval: Sun Jul 13 16:13:34 2008 (start)
Sun Jul 13 16:13:35 2008 (end)

Overall scan start: Sun Jul 13 16:13:34 2008
Total email alerts: 0
Complete tcp range: [3128]

chain:   interface:   tcp:   udp:   icmp:
INPUT    eth1         1      0      0

[+] tcp scan signatures:

"BACKDOOR DoomJuice file upload attempt"
dst port: 3128 (no server bound to local port)
flags: SYN
sid: 2375
chain: INPUT
packets: 1
classtype: trojan-activity
reference: (url) http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html

For the alerts to arrive you need a working mail server on the box; if you don't have one, install sendmail:
[root@hestia psad]# urpmi sendmail
Configure it, then start it:
/etc/init.d/sendmail start
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]

Check root's local mailbox to see psad's alerts.

*** Be ready for part two: defending against attackers with automatic blocking using iptables, psad and Swatch.

· 2009-2010, a blog by Adrián Navarro
· Content published under the Creative Commons 3.0 (Attribution) license