Wednesday, March 28, 2012

Snort: 5 Steps to Install and Configure Snort on Linux


Snort is a free lightweight network intrusion detection system for both UNIX and Windows.
In this article, let us review how to install snort from source, write rules, and perform basic testing.

1. Download and Extract Snort

Download the latest free version of Snort from the Snort website. Extract the Snort source code into the /usr/src directory as shown below.
# cd /usr/src

# wget -O snort-2.8.6.1.tar.gz http://www.snort.org/downloads/116

# tar xvzf snort-2.8.6.1.tar.gz
Note: We also discussed Tripwire (a Linux host-based intrusion detection system) and Fail2ban (an intrusion prevention framework) earlier.

2. Install Snort

Before installing snort, make sure you have dev packages of libpcap and libpcre.
# apt-cache policy libpcap0.8-dev
libpcap0.8-dev:
  Installed: 1.0.0-2ubuntu1
  Candidate: 1.0.0-2ubuntu1

# apt-cache policy libpcre3-dev
libpcre3-dev:
  Installed: 7.8-3
  Candidate: 7.8-3
Follow the steps below to install snort.
# cd snort-2.8.6.1

# ./configure

# make

# make install

3. Verify the Snort Installation

Verify the installation as shown below.
# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

4. Create the required files and directory

You have to create the configuration file, rule file and the log directory.
Create the following directories:
# mkdir /etc/snort

# mkdir /etc/snort/rules

# mkdir /var/log/snort
Create the following snort.conf and icmp.rules files:
# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules

# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
The above basic rule raises an alert whenever an ICMP packet (for example, a ping) is seen.
Following is the structure of the alert rule:
<Rule Actions> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)
Table: Rule structure and example
Structure                 Example
Rule Actions              alert
Protocol                  icmp
Source IP Address         any
Source Port               any
Direction Operator        ->
Destination IP Address    any
Destination Port          any
(rule options)            (msg:"ICMP Packet"; sid:477; rev:3;)

5. Execute snort

Execute snort from command line, as mentioned below.
# snort -c /etc/snort/snort.conf -l /var/log/snort/
Ping an IP address from your machine to trigger the ICMP rule. The following is an example of the Snort alert it produces.
# head /var/log/snort/alert
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO
Alert Explanation
Several lines are written for each alert, which include the following:
  • Message is printed in the first line.
  • Source IP
  • Destination IP
  • Type of packet, and header information.
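As an added example (not part of the original article), the following Python parses the rule header and options described above and the alert blocks that Snort writes to /var/log/snort/alert, then links each alert back to its rule by [gid:sid:rev]; the rule and alert text below are constructed copies of the listings in this article.

```python
import re

# Constructed inputs, copied in shape from the article's rule and alert listing.
RULE = 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)'
ALERT_LOG = """[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO
"""
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")

def parse_rule(rule):
    """Split a rule into its seven header fields and a dict of options."""
    header, _, options = rule.partition("(")
    fields = header.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("rule header must have 7 fields, got %d" % len(fields))
    parsed = dict(zip(HEADER_FIELDS, fields))
    if parsed["direction"] not in ("->", "<>"):
        raise ValueError("direction operator must be -> or <>")
    parsed["options"] = {}
    # Options are 'key:value;' pairs; this rule's values contain no quoted semicolons.
    for opt in options.rstrip(")").split(";"):
        key, _, value = opt.strip().partition(":")
        if key:
            parsed["options"][key] = value.strip().strip('"')
    return parsed

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]\n"
    r"\[Priority: (?P<priority>\d+)\]\n"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+).*?"   # link-layer lines (-e output) are skipped
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>[A-Z]+) TTL:(?P<ttl>\d+)", re.S)

def parse_alerts(text):
    """Return one dict per alert block found in the alert file text."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "priority", "ttl"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts

def alert_from_rule(alert, rule):
    """True when the alert's sid, rev and protocol match the given rule."""
    opts = rule["options"]
    return (alert["sid"] == int(opts["sid"]) and alert["rev"] == int(opts["rev"])
            and alert["proto"].lower() == rule["protocol"])
```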
If your network connection uses a different interface, specify it with the -i option (the -d, -e and -v flags additionally print the application-layer payload, the link-layer headers and verbose packet output). In this example my network interface is ppp0.
# snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/

Execute snort as Daemon

Add -D option to run snort as a daemon.
# snort -D -c /etc/snort/snort.conf -l /var/log/snort/

UNIX / Linux: 2 Ways to Add Swap Space Using dd, mkswap and swapon


Question: I would like to add more swap space to my Linux system. Can you explain with clear examples on how to increase the swap space?
Answer: You can either use a dedicated hard drive partition to add new swap space, or create a swap file on an existing filesystem and use it as swap space.

How much swap space is currently used by the system?

The free command displays the swap space; free -k shows the output in KB.
# free -k
             total       used       free     shared    buffers     cached
Mem:       3082356    2043700    1038656          0      50976    1646268
-/+ buffers/cache:     346456    2735900
Swap:      4192956          0    4192956
The swapon command with the -s option displays the current swap space in KB.
# swapon -s
Filename                        Type            Size    Used    Priority
/dev/sda2                       partition       4192956 0       -1
swapon -s is the same as the following.
# cat /proc/swaps
Filename                        Type            Size    Used    Priority
/dev/sda2                       partition       4192956 0       -1

Method 1: Use a Hard Drive Partition for Additional Swap Space

If you have an additional hard disk (or free space on an existing disk), create a partition using the fdisk command. Let us assume that this partition is called /dev/sdc1.
Now set up this newly created partition as a swap area using the mkswap command as shown below.
# mkswap /dev/sdc1
Enable the swap partition for usage using swapon command as shown below.
# swapon /dev/sdc1
To make this swap space partition available even after the reboot, add the following line to the /etc/fstab file.
# cat /etc/fstab
/dev/sdc1               swap                    swap    defaults        0 0
Verify whether the newly created swap area is available for your use.
# swapon -s
Filename                        Type            Size    Used    Priority
/dev/sda2                       partition       4192956 0       -1
/dev/sdc1                       partition       1048568 0       -2

# free -k
             total       used       free     shared    buffers     cached
Mem:       3082356    3022364      59992          0      52056    2646472
-/+ buffers/cache:     323836    2758520
Swap:      5241524          0    5241524
Note: In the output of swapon -s command, the Type column will say “partition” if the swap space is created from a disk partition.

Method 2: Use a File for Additional Swap Space

If you don’t have any additional disks, you can create a file somewhere on your filesystem, and use that file for swap space.
The following dd command example creates a swap file with the name “myswapfile” under /root directory with a size of 1024MB (1GB).
# dd if=/dev/zero of=/root/myswapfile bs=1M count=1024
1024+0 records in
1024+0 records out

# ls -l /root/myswapfile
-rw-r--r--    1 root     root     1073741824 Aug 14 23:47 /root/myswapfile
Change the permission of the swap file so that only root can access it.
# chmod 600 /root/myswapfile
Set this file up as a swap file using the mkswap command.
# mkswap /root/myswapfile
Setting up swapspace version 1, size = 1073737 kB
Enable the newly created swapfile.
# swapon /root/myswapfile
To make this swap file available as a swap area even after the reboot, add the following line to the /etc/fstab file.
# cat /etc/fstab
/root/myswapfile               swap                    swap    defaults        0 0
Verify whether the newly created swap area is available for your use.
# swapon -s
Filename                        Type            Size    Used    Priority
/dev/sda2                       partition       4192956 0       -1
/root/myswapfile                file            1048568 0       -2

# free -k
             total       used       free     shared    buffers     cached
Mem:       3082356    3022364      59992          0      52056    2646472
-/+ buffers/cache:     323836    2758520
Swap:      5241524          0    5241524
Note: In the output of swapon -s command, the Type column will say “file” if the swap space is created from a swap file.
If you don't want to reboot to verify that the system takes all the swap space listed in /etc/fstab, you can run the following, which disables and then re-enables every swap area listed in /etc/fstab:
# swapoff -a

# swapon -a
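An added check (not from the original article) that compares the swap entries in /etc/fstab with the active areas reported by /proc/swaps and flags swap files that are readable or writable by anyone other than root; the fstab and /proc/swaps contents are constructed samples shaped like the listings above, and the mode_of parameter is a hook so the check can be exercised without real files.

```python
import os
import stat

# Constructed /etc/fstab and /proc/swaps contents (not taken from a real system).
FSTAB = """/dev/sda1          /      ext4  defaults  0 1
/dev/sda2          swap   swap  defaults  0 0
/root/myswapfile   swap   swap  defaults  0 0
"""
PROC_SWAPS = """Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda2                       partition\t4192956\t0\t-1
"""

def parse_fstab_swaps(text):
    """Return the device or file of every fstab entry whose filesystem type is swap."""
    areas = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and not f[0].startswith("#") and f[2] == "swap":
            areas.append(f[0])
    return areas

def parse_proc_swaps(text):
    """Map each active swap area to (type, size_kb); the header line is skipped."""
    active = {}
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 3:
            active[f[0]] = (f[1], int(f[2]))
    return active

def swap_findings(fstab_text, swaps_text, mode_of=lambda p: os.stat(p).st_mode):
    """Report fstab swap entries that are not active (what 'swapoff -a; swapon -a'
    would reveal) and swap files whose permissions are wider than 0600."""
    findings = []
    active = parse_proc_swaps(swaps_text)
    for area in parse_fstab_swaps(fstab_text):
        if area not in active:
            findings.append("%s: listed in /etc/fstab but not active" % area)
        if not area.startswith("/dev/"):  # a swap file rather than a partition
            try:
                perms = stat.S_IMODE(mode_of(area))
            except OSError:
                findings.append("%s: swap file does not exist" % area)
                continue
            if perms & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("%s: mode %04o, should be 0600" % (area, perms))
    return findings
```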

How To Use Squid Proxy Cache Server To Control Internet Access


Squid is a proxy caching server. If you are a Linux sysadmin, you can use squid to control internet access in your work environment.
This beginner's guide gives a jump-start on how to set up squid on Linux to restrict internet access in a network.

Install Squid

You should install the following three squid related packages on your system.
  • squid
  • squid-common
  • squid-langpack
On Debian and Ubuntu, use aptitude to install squid as shown below. On CentOS, use yum to install the squid package.
$ sudo aptitude install squid

Check Configuration and Startup scripts

Installing the squid packages also creates the /etc/squid/squid.conf configuration file and the /etc/init.d/squid startup script.
By default Squid listens on port 3128. You can verify this in the squid.conf file. You can also set the visible_hostname parameter in squid.conf, which is used in error messages; if you don't define it, squid obtains the hostname via the gethostname() function.
# vim /etc/squid/squid.conf
visible_hostname ubuntuserver
http_port 3128
Note: The http port number (3128) specified in the squid.conf should be entered in the proxy setting section in the client browser. If squid is built with SSL, you can use https_port option inside squid.conf to define https squid.

Start Squid and View Logs

Start the Squid proxy caching server as shown below.
# service squid start
squid start/running, process 11743
Squid maintains three log files (access.log, cache.log and store.log) under /var/log/squid directory.
From the /var/log/squid/access.log, you can view who accessed which website at what time. Following is the format of the squid access.log record.
time elapsed remotehost code/status bytes method URL rfc931     peerstatus/peerhost
To disable logging in squid, update the squid.conf with the following information.
# to disable access.log
cache_access_log /dev/null

# to disable store.log
cache_store_log none

# to disable cache.log
cache_log /dev/null

Squid Usage 1: Restrict Access to Specific Websites

This is how you can stop people from browsing certain websites when they are connected to your network through your proxy server.
Create a file called restricted_sites and list all the sites you want to block.
# vim /etc/squid/restricted_sites
www.yahoo.com
mail.yahoo.com
Modify the squid.conf to add the following.
# vim /etc/squid/squid.conf
acl RestrictedSites  dstdomain "/etc/squid/restricted_sites"
http_access deny RestrictedSites
Note: You can also configure squid as a transparent proxy server, which we’ll discuss in a separate article. Also, refer to our earlier article on how to block ip-address using fail2ban and iptables.

Squid Usage 2: Allow Access to Websites Only During Specific Time

Some organizations might want to allow employees to surf or download from the internet only during specific time periods.
The squid.conf configuration shown below allows internet access for employees only between 09:00 and 18:00 on weekdays. Squid evaluates http_access lines in order and the first matching line wins, so the allow line must come before deny all (with deny all first, every request would be denied).
# vim /etc/squid/squid.conf
acl official_hours time M T W H F 09:00-18:00
http_access allow official_hours
http_access deny all

Squid Usage 3 : Restrict Access to Particular Network

Instead of restricting specific sites, you can also grant access only to a certain network and block everything else. The example below allows access only to the 192.168.1.* internal network. As before, the allow line must precede deny all, because squid stops at the first matching http_access line.
# vim /etc/squid/squid.conf
acl branch_offices src 192.168.1.0/24
http_access allow branch_offices
http_access deny all
For a Linux based intrusion detection system, refer to our tripwire article.

Squid Usage 4 : Use Regular Expression to Match URLs

You can also use regular expressions to allow or deny websites.
First create a blocked_sites file with a list of keywords.
# cat /etc/squid/blocked_sites
soccer
movie
www.example.com
Modify the squid.conf to block any site whose URL contains any of these keywords.
# vim /etc/squid/squid.conf
acl blocked_sites url_regex -i "/etc/squid/blocked_sites"
http_access deny blocked_sites
http_access allow all
In the above example, the -i option makes the match case-insensitive. When a website is accessed, squid tries to match the URL against each pattern in the blocked_sites file and denies access when one matches.
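As an added example, not from the article or the Squid project, the following Python models how squid evaluates http_access lines (first match wins) over the four ACL types used above, against a constructed squid.conf fragment in which the article's file-based lists are inlined. It also shows why deny all must come last: moving it ahead of an allow line denies everything.

```python
import ipaddress, re
from datetime import datetime
# Constructed squid.conf fragment built from the article's four usage examples;
# the dstdomain/url_regex lists the article keeps in files are inlined here.
CONF = """
acl RestrictedSites dstdomain www.yahoo.com mail.yahoo.com
acl blocked_sites url_regex -i soccer movie
acl branch_offices src 192.168.1.0/24
acl official_hours time M T W H F 09:00-18:00
http_access deny RestrictedSites
http_access deny blocked_sites
http_access allow branch_offices official_hours
http_access deny all
"""
DAYS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}  # squid day letter -> weekday()

def parse_conf(text):
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []  # 'all' is predefined in squid
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "acl":
            acls.setdefault(f[1], (f[2], []))[1].extend(f[3:])
        elif f[0] == "http_access":
            rules.append((f[1], f[2:]))
    return acls, rules

def acl_matches(acl, req):
    kind, args = acl
    if kind == "dstdomain":  # exact host, or any subdomain when the entry starts with a dot
        return any(req["host"] == d or (d[0] == "." and req["host"].endswith(d)) for d in args)
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(n) for n in args)
    if kind == "url_regex":
        flags = re.I if args[:1] == ["-i"] else 0
        return any(re.search(p, req["url"], flags) for p in (args[1:] if flags else args))
    if kind == "time":  # day letters (M T W H F or MTWHF) plus an HH:MM-HH:MM range
        days = {DAYS[c] for a in args if ":" not in a for c in a}
        lo, hi = next(a for a in args if ":" in a).split("-")
        return req["when"].weekday() in days and lo <= req["when"].strftime("%H:%M") <= hi
    raise ValueError("unsupported acl type: " + kind)

def http_access(acls, rules, req):
    """First http_access line whose ACLs all match wins; otherwise the opposite of the last line."""
    for verdict, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return verdict
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

def decide(url, src, when, conf=CONF):
    acls, rules = parse_conf(conf)
    req = {"url": url, "src": src, "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
           "host": re.sub(r"^\w+://([^/:]+).*$", r"\1", url)}
    return http_access(acls, rules, req)
```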

SARG – Squid Analysis Report Generator

Download and install SARG to generate squid usage reports.
Use the sarg-report command to generate reports as shown below.
# to generate the report for today
sarg-report today

# on daily basis
sarg-report daily

# on weekly basis
sarg-report weekly

# on monthly basis
sarg-report monthly
Note: Add the sarg-report command to the crontab so that reports are generated automatically.
The reports generated by sarg are stored under /var/www/squid-reports. These are HTML reports that you can view from a browser.
$ ls /var/www/squid-reports
Daily  index.html

$ ls /var/www/squid-reports/Daily
2010Aug28-2010Aug28  images  index.html


Tuesday, March 27, 2012

How To: 5 Steps to Install phpMyAdmin on Linux


Do you have a MySQL database in your environment? Did you know that the easy (and most effective) way to manage MySQL database is using phpMyAdmin?
phpMyAdmin is a web-based tool written in PHP to manage the MySQL database. Apart from viewing the tables (and other db objects), you can perform lot of DBA functions through the web based interface. You can also execute any SQL query from the UI.
This article will provide step-by-step instructions on how to install and configure phpMyAdmin on Linux distributions.

1. phpMyAdmin Prerequisites

Make sure you have PHP 5 (or above) installed.
# php -v
PHP 5.3.2 (cli) (built: May 19 2010 03:43:49)
Make sure you have MySQL 5 (or above) installed.
# mysql -V
mysql  Ver 14.14 Distrib 5.1.47, for pc-linux-gnu (i686) using readline 5.1
Make sure Apache is installed and running.

PHP5 Modules

If you don’t have PHP, I recommend that you install PHP from source. Following is the configure command I executed while installing PHP from source. This includes all the required PHP modules for phpMyAdmin.
./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql --with-bz2 --with-zlib --enable-zip --enable-mbstring --with-mcrypt
If you don't compile PHP5 with the above options, you'll get the following error messages from the phpMyAdmin web interface.
  • GZip – GZip compression and decompression requires functions (gzencode) which are unavailable on this system.
  • Bzip2 – Bzip2 compression and decompression requires functions (bzopen, bzcompress) which are unavailable on this system.
  • ZIP – Zip decompression requires functions (zip_open) which are unavailable on this system.
  • ZIP – Zip compression requires functions (gzcompress) which are unavailable on this system.

2. Download and Install phpmyadmin in Apache DocumentRoot

Identify your Apache’s DocumentRoot.
# grep DocumentRoot /usr/local/apache2/conf/httpd.conf
DocumentRoot /usr/local/apache2/htdocs
Download the latest version of phpMyAdmin. Currently the stable version of phpMyAdmin is 3.3.7.
# cd /usr/local/apache2/htdocs

# tar xvfz phpMyAdmin-3.3.7-all-languages.tar.gz

# mv phpMyAdmin-3.3.7-all-languages phpmyadmin

3. Secure the phpmyadmin Directory – Create phpmy user

Create phpmy Unix user.
# adduser phpmy

# passwd phpmy
Check which user and group is used by Apache.
# egrep 'User|Group' /usr/local/apache2/conf/httpd.conf
User daemon
Group daemon
Change the ownership of the phpmyadmin directory to the phpmy user, with the daemon group that Apache runs as.
# cd /usr/local/apache2/htdocs

# chown -R phpmy.daemon phpmyadmin/

4. Update phpMyAdmin config.inc from Wizard

You need to set up the config.inc file properly for phpMyAdmin to work. You can either create and edit this file manually, or use the phpMyAdmin setup wizard. I recommend the setup wizard, as it is very straightforward. To use it, create the following dummy config.inc with the proper permissions.
# cd /usr/local/apache2/htdocs/phpmyadmin/

# mkdir config

# chmod o+rw config

# cp config.sample.inc.php config/config.inc.php

# chmod o+w config/config.inc.php
Now, invoke the phpMyAdmin setup wizard from the browser using the URL: http://{your-ip-address}/phpmyadmin/setup/index.php . This will show the following setup wizard.
Fig: phpMyAdmin Setup Wizard
Click on "New Server", which will display the following server wizard.
Fig: phpMyAdmin Create New Server
Fill out the following information in the new server screen. Leave the other fields at their default values.
  • Verbose Name of the Server – Give some descriptive server name.
  • Password for Config Auth – Enter the MySQL root password here.
  • Authentication Type – The default selection is cookie. Just use that.
Click on Save to save the configuration. You might see the following warning messages. Ignore them for now.
  • Use SSL – You should use SSL connections if your web server supports it
  • PHP extension to use – You should use mysqli for performance reasons
  • Blowfish secret – You didn’t have blowfish secret set and have enabled cookie authentication, so a key was automatically generated for you. It is used to encrypt cookies; you don’t need to remember it.

5. Launch phpmyadmin

Invoke phpMyAdmin from the browser using the URL: http://{your-ip-address}/phpmyadmin/index.php
If you’ve installed phpMyAdmin on a Linux desktop distribution, you can also access phpMyAdmin using the localhost URL: http://localhost/phpmyadmin/index.php
Log in with your MySQL root credentials, i.e. use "root" as the phpMyAdmin username and the MySQL root password as the phpMyAdmin password.
If you see the "Cannot load mcrypt extension. Please check your PHP configuration." message, you didn't compile your PHP with mcrypt. Make sure the libmcrypt and libmcrypt-devel packages are installed on your Linux system before you compile PHP with the --with-mcrypt option.
You will also see the message : “Directory config, which is used by the setup script, still exists in your phpMyAdmin directory. You should remove it once phpMyAdmin has been configured.”
Just like the message says, remove the config directory.
# cd /usr/local/apache2/htdocs/phpmyadmin

# rm -rf config
After removing the config directory, if you go to the setup/index.php URL you'll see the following message. This is a good thing, as you've already configured phpMyAdmin.
“Cannot load or save configuration. Please create web server writable folder config in phpMyAdmin top level directory as described in documentation. Otherwise you will be only able to download or display it.”
Once you’ve logged-in you should be able to manage all the MySQL databases from your browser.
Fig: phpMyAdmin DB Structures
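An added post-install check (not part of the original article) for the two points above: the setup wizard's world-writable config directory must be removed, and config.inc.php must not be writable or readable by everyone; it also verifies that blowfish_secret is set, using 16 characters as an assumed minimum for this check. make_install builds a constructed phpMyAdmin-like directory for demonstration only, not a real install.

```python
import os
import re
import stat
import tempfile

def audit_phpmyadmin(root):
    """Return a list of hygiene findings for the phpMyAdmin directory `root`."""
    findings = []
    if os.path.isdir(os.path.join(root, "config")):
        findings.append("config/ directory still exists; remove it once setup is done")
    cfg = os.path.join(root, "config.inc.php")
    if not os.path.isfile(cfg):
        return findings + ["config.inc.php is missing"]
    mode = stat.S_IMODE(os.stat(cfg).st_mode)
    if mode & stat.S_IWOTH:
        findings.append("config.inc.php is world-writable (mode %04o)" % mode)
    if mode & stat.S_IROTH:  # the file can hold the MySQL password for config auth
        findings.append("config.inc.php is world-readable (mode %04o)" % mode)
    with open(cfg) as fh:
        text = fh.read()
    m = re.search(r"""\$cfg\['blowfish_secret'\]\s*=\s*['"]([^'"]*)['"]""", text)
    if not m or len(m.group(1)) < 16:  # 16 is an assumed minimum for this check
        findings.append("blowfish_secret is unset or shorter than 16 characters")
    return findings

def make_install(blowfish, with_config_dir, mode):
    """Constructed phpMyAdmin-like directory under a temp path (demonstration only)."""
    root = tempfile.mkdtemp(prefix="phpmyadmin-")
    if with_config_dir:
        os.mkdir(os.path.join(root, "config"))
    cfg = os.path.join(root, "config.inc.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\n$cfg['blowfish_secret'] = '%s';\n" % blowfish)
    os.chmod(cfg, mode)
    return root
```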