Secure log Record server (1)

Environment RedHat 7.3
There are more and more hackers on the Internet, and more experts appear. How can we ensure that we can save a complete log? Hacker knows that the first thing that comes into the system is to clean up logs. The simplest and most direct way to detect intrusions is to view system records. now let's talk about how to set up a secure log server.
Think about how to change your log if intruders cannot connect to your log server? Now let's learn how to set up a log server without ip addresses.
Now, we will introduce how to use Snort to do three things:
· Stealth sniffer
· Stealth NIDS porbe
· Stealth logger
All this is used on a Server without ip addresses. NIDS is short for Network Intrusion Dectection Server, that is, the Intrusion detection Server.
Why stealth?
Running any service on the internet is dangerous. whether it is http or ftp or telnet, there will be a chance of hack intrusion. the uniqueness of stealth logger allows us to receive data without sending any data. in this way, external computers are infiltrated by hack, and the information received by the loger server cannot be changed. that is to say, it ensures the integrity of our information and the primitive nature. to ensure the security of the log server, it is best not to connect the log server to the network. that is to say, when you need to check what is on the logger server, you need to go to the computer and open the screen. instead of remote login. however, if you must connect to the network, use two interfaces. that is, two NICs. note that, first, IP forwarding must be disabled. second, the interface used for stealth logger is a network card without an ip address. This network card must not be in the same network with another network card with an ip address.
Set
First, make sure that your Nic is correctly installed and can be caught by the kernel. Then, write the module required by the NIC to the/etc/modules. conf file.
Now let's set up a NIC interface without ip addresses.

Edit file/etc/sysconfig/network-scripts/ifcfg-eth0vim/etc/sysconfig/network-scripts/ifcfg-eth0DEVICE = eth0USERCTL = noONBOOT = yesBOOTPROTO = BROADCAST = NETWORK = NETMASK = IPADDR =

After archiving, use ifconfig to activate our eth0 interface.
Stealth
Here we use the snort program. If you do not have this program on your computer, you can download it at www.snort.org.
Now we run
Snort-dvi eth0
Here, the-d option tells snort to decode the data)
-V tells snort to display the result on the screen
-I indicates the required interface.
You can use the-C option to tell snort to display only the ASCII part. Ignore hexadecimal data.

$snort -dviC eth0Log directory= /var/log/snortkernel filter, protocol ALL, TURBO mode(63 frames), raw packet socket --== Initializing Snort ==--Decoding Ethernet on interface eth0--== Initialization Complate ==---*> Snort! <*-Version 1.8.4 (Build 99)By Martin Roesch (roesch@sourcefire.com,www.snort.org)

NIDS intrusion detection) intrusion detection is a complex task. snort also provides powerful intrusion detection functions. here I will only make a brief introduction so that you can have a concept. if the real object is used as an NIDS. more complex actions are required. for example, set a better rules and regularly update snort. the rules defined in conf should be updated as soon as a new attack method appears)
First, you need to change/etc/snort. conf to your own machine.