Build a small Intrusion Detection System on Red Hat Linux 9

Source: Internet
Author: User

I. System Platform

Red Hat Linux 9.0, with GCC and the related development libraries installed. Do not install the Apache, PHP and MySQL RPMs that ship with the distribution: in this guide all three are compiled and installed from source. For security, configure iptables so that only SSH and WWW (HTTP) are reachable from outside the host.
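The guide mentions the iptables policy but does not show it. The script below is an added example, not part of the original page: a default-deny INPUT chain that admits only SSH and WWW, with a sanity check that refuses to load a rule set that is not default-deny. The port numbers, the log rate limit and the FW_APPLY switch are my assumptions; without FW_APPLY=1 it only prints the rules so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the original page: a default-deny host firewall
# for the sensor that admits only SSH and WWW from outside, as section I
# recommends. Port numbers and the log rate limit are assumptions.
# Without FW_APPLY=1 the script only prints the rules for review.

SSH_PORT=${SSH_PORT:-22}
WWW_PORT=${WWW_PORT:-80}

# Emit the rule set as iptables commands rather than running them directly,
# so it can be reviewed, diffed and checked before it touches the kernel.
fw_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $WWW_PORT -j ACCEPT
iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
EOF
}

# Refuse to load a rule set that is not default-deny, or that contains
# anything other than iptables commands (a stray line would otherwise be
# executed by the shell in apply mode).
fw_check() {
    fw_rules | grep -q '^iptables -P INPUT DROP$' || return 1
    if fw_rules | grep -v '^iptables ' | grep -q .; then
        return 1
    fi
    return 0
}

# Number of explicit ACCEPT rules, to confirm nothing extra crept in.
fw_accept_count() {
    fw_rules | grep -c -- '-j ACCEPT$'
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to load rules" >&2; exit 1; }
    fw_check || { echo "rule set failed sanity check" >&2; exit 1; }
    fw_rules | sh -e
else
    fw_rules
fi
```

MySQL's port 3306 is deliberately not opened: Snort and ACID both connect over localhost. Note that a host firewall does not blind the sensor; libpcap receives frames from the packet socket before netfilter's INPUT chain sees them, so Snort still logs the probes the firewall drops.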
  
II. Software

mysql 4.0.12       http://mysql.secsup.org
snort 2.0.0        http://www.snort.org
apache 2.0.45      http://www.apache.org
php 4.3.1          http://www.php.net
adodb 3.30         http://phplens.com
acid 0.9.6b23      http://acidlab.sourceforge.net
zlib 1.1.4         http://flow.dl.sourceforge.net
jpgraph 1.11       http://jpgraph.techuk.com
libpcap 0.7.2      http://www.tcpdump.org

These are the versions that were current when this guide was written; for a real deployment use the latest stable release of each, since all of them have received security fixes since. All of the packages can also be downloaded from the mirror http://ftp.cdut.edu.cn/pub/linux/NEW/

Alternatively, fetch the corresponding xx.src.rpm from http://www.rpmfind.com and build from that. If a binary RPM of one of these packages is already installed, it can be removed forcibly (--nodeps skips the dependency check, so make sure nothing else on the host still needs the package):

rpm -e --nodeps xx.xx
  
III. Installation (we recommend unpacking all of the packages in the same directory)

1. Install zlib 1.1.4

tar -xzvf zlib-xx.tar.gz
cd zlib-xx
./configure; make test
make install
cd ..

2. Install libpcap 0.7.2

tar -xzvf libpcap-xx.tar.gz
cd libpcap-xx
./configure
make
make install
cd ..
  
3. Install mysql 4.0.12

3.1 Create the mysql group and user

groupadd mysql
useradd -g mysql mysql

Edit /root/.bash_profile and change the line

PATH=$PATH:$HOME/bin

to

PATH=$PATH:$HOME/bin:/usr/local/mysql/bin

3.2 Install MySQL

tar -xzvf mysql-xx.tar.gz
cd mysql-xx
./configure --prefix=/usr/local/mysql
make
make install
cd scripts
./mysql_install_db
chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql
cd ..
cp support-files/my-medium.cnf /etc/my.cnf

my-medium.cnf contains a commented-out skip-networking line. Snort and ACID both connect through the local socket, so uncommenting it stops mysqld listening on TCP port 3306 altogether.

Add two lines to /etc/ld.so.conf so the new libraries are found:

/usr/local/mysql/lib/mysql
/usr/local/lib

then reload the linker cache:

ldconfig -v

3.3 Test whether MySQL works:

cd /usr/local/mysql/bin/
./mysqld_safe --user=mysql &
ps -ef | grep mysql

and check that mysqld_safe (and the mysqld it started) are running.

3.4 Set MySQL to start at boot:

Copy the mysql.server file from the support-files directory of the MySQL source tree to /etc/init.d:

cp mysql.server /etc/init.d/mysql
chmod 755 /etc/init.d/mysql

Create symbolic links in the runlevel directories:

cd /etc/rc3.d          (runlevel 3, text mode)
ln -s /etc/init.d/mysql S85mysql
ln -s /etc/init.d/mysql K85mysql
cd /etc/rc5.d          (runlevel 5, graphical)
ln -s /etc/init.d/mysql S85mysql
ln -s /etc/init.d/mysql K85mysql
  
4. Install apache 2.0.45 and php 4.3.1

tar -zxvf httpd-2.0.xx.tar.gz
cd httpd-2.0.xx
./configure --prefix=/www --enable-so

Note: the Apache root directory is /www.

make
make install
cd ..

tar -zxvf php-4.3.x.tar.gz
cd php-4.3.x
./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd

Note: this is a single command line; do not break it.

make
make install
cp php.ini-dist /www/php/php.ini

Edit httpd.conf (in /www/conf) and add two lines:

LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php

so that the relevant parts of httpd.conf read:

#
# LoadModule foo_module modules/mod_foo.so
LoadModule php4_module modules/libphp4.so

# AddType allows you to tweak mime.types without actually editing it, or to
# make certain files to be certain types.
#
AddType application/x-tar .tgz
AddType image/x-icon .ico
AddType application/x-httpd-php .php

(PHP's make install usually adds the LoadModule line itself through apxs; check before adding a second copy.)

Set Apache to start at boot:

cp /www/bin/apachectl /etc/init.d/httpd
cd /etc/rc3.d
ln -s /etc/init.d/httpd S85httpd
ln -s /etc/init.d/httpd K85httpd
cd /etc/rc5.d
ln -s /etc/init.d/httpd S85httpd
ln -s /etc/init.d/httpd K85httpd

Test PHP:

cd /etc/init.d
./httpd start

Create a file test.php under /www/htdocs:

cd /www/htdocs
vi test.php

with the content

<?php
phpinfo();
?>

Open http://ip_address/test.php in a browser; it should show the system, Apache and PHP information. Delete test.php once the test passes: phpinfo() publishes the complete server configuration to anyone who can reach the page.
  
5. Install snort 2.0

5.1 Create the Snort configuration and log directories, then build

mkdir /etc/snort
mkdir /var/log/snort
tar -zxvf snort-2.x.x.tar.gz
cd snort-2.x.x
./configure --with-mysql=/usr/local/mysql
make
make install

5.2 Install the rules and configuration files

cd rules               (in the Snort source directory)
cp * /etc/snort
cd ../etc
cp snort.conf /etc/snort
cp *.config /etc/snort

5.3 Modify snort.conf (now at /etc/snort/snort.conf)

Set HOME_NET to the network the sensor protects:

var HOME_NET 10.2.2.0/24        (use your own range, for example 192.168.0.0/24)

Change

var RULE_PATH ../rules

to

var RULE_PATH /etc/snort/

Change the logging database output line to:

output database: log, mysql, user=root password=your_password dbname=snort host=localhost

A dedicated account is better than root here: the sensor only needs INSERT and SELECT on the snort database, which is exactly what the snort@localhost user created in the database setup step below is granted. Give that user a password and use it in this line instead of root.

5.4 Set Snort to start at boot:

In the Snort source directory:

cd contrib
cp S99snort /etc/init.d/snort
vi /etc/init.d/snort

and make these changes:

CONFIG=/etc/snort/snort.conf
# SNORT_GID=nogroup                                      (comment out)
$SNORT_PATH/snort -c $CONFIG -i $IFACE $OPTIONS          (remove "-g $SNORT_GID" from this line)

Note that this leaves Snort running as root. The safer choice is to create an unprivileged account (groupadd snort; useradd -g snort snort; chown -R snort:snort /var/log/snort) and start Snort with -u snort -g snort, so it drops root once the capture interface is open.

chmod 755 /etc/init.d/snort
cd /etc/rc3.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
cd /etc/rc5.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
  
IV. Create the database in MySQL

/usr/local/mysql/bin/mysql

mysql> set password for root@localhost = PASSWORD('your_password');
mysql> create database snort;
mysql> grant insert, select on snort.* to snort@localhost;
mysql> quit;

The grant must target the snort database; granting on root.* (as some copies of this guide read) gives the sensor account nothing useful. Add identified by '...' to the grant if Snort will connect as this user.

Go to the Snort source directory and install the database tables from its contrib directory. create_mysql builds the core schema (event, iphdr, signature, ...) and snortdb-extra.gz adds the lookup tables (protocols, services, flags):

/usr/local/mysql/bin/mysql -p snort < create_mysql
Enter password:
zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p snort
Enter password:

Connect to MySQL again and check the tables in the snort database:

/usr/local/mysql/bin/mysql -p
Enter password:

mysql> show databases;
+----------+
| Database |
+----------+
| mysql    |
| snort    |
| test     |
+----------+
3 rows in set (0.00 sec)

mysql> use snort;
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)

mysql> exit
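The snort.conf edits of step 5.3 and the grants above both use the MySQL root account. The script below is an added example, not part of the original page or of Snort: it applies the three snort.conf changes with a dedicated sensor account, checks the result, and emits the SQL that replaces the root-based grant with least-privilege accounts for the sensor and for ACID (which needs CREATE for the acid_* tables its Setup page builds), while also removing the anonymous accounts and test database that mysql_install_db leaves behind. The file paths, network ranges, account names and passwords are my assumptions; the sample snort.conf fragment is constructed for the dry run.

```shell
#!/bin/sh
# Added example, not part of the original page: the snort.conf edits of
# step 5.3 and the database grants of section IV, done with a dedicated
# low-privilege sensor account instead of MySQL root. File paths, network
# ranges, account names and the *_PASS values are assumptions.

SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
HOME_NET_VALUE="${HOME_NET_VALUE:-[10.2.2.0/24,192.168.0.0/24]}"
SNORT_DB_PASS=${SNORT_DB_PASS:-sensor_secret}
ACID_DB_PASS=${ACID_DB_PASS:-console_secret}

# Rewrite HOME_NET, RULE_PATH and the database output line. The commented
# "# output database: log, mysql, ..." example in the stock snort.conf becomes
# the active line. The edit goes through a temp file so a failure part-way
# cannot leave a truncated snort.conf behind.
configure_snort_conf() {
    conf=$1
    tmp="$conf.tmp.$$"
    sed -e "s|^var HOME_NET .*|var HOME_NET $HOME_NET_VALUE|" \
        -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort|' \
        -e "s|^# *output database: log, mysql.*|output database: log, mysql, user=snort password=$SNORT_DB_PASS dbname=snort host=localhost|" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Verify the result: the active output line must use the snort account,
# no output line may still use root, and the rule path must be absolute.
check_snort_conf() {
    conf=$1
    grep -q '^output database: log, mysql, user=snort ' "$conf" || return 1
    if grep -q '^output database:.*user=root' "$conf"; then
        return 1
    fi
    grep -q '^var RULE_PATH /etc/snort$' "$conf" || return 1
    return 0
}

# SQL to run as root instead of "grant insert, select on root.*": the sensor
# gets only INSERT/SELECT on the snort database, the ACID console gets its
# own account (CREATE is needed for the acid_* tables made by its Setup page),
# and the anonymous accounts and test database left by mysql_install_db go.
grant_sql() {
    cat <<EOF
DELETE FROM mysql.user WHERE User = '';
DROP DATABASE IF EXISTS test;
GRANT INSERT, SELECT ON snort.* TO snort@localhost IDENTIFIED BY '$SNORT_DB_PASS';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON snort.* TO acid@localhost IDENTIFIED BY '$ACID_DB_PASS';
FLUSH PRIVILEGES;
EOF
}

# Constructed fragment of a stock Snort 2.0 snort.conf, for a dry run.
write_demo_snort_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
include $RULE_PATH/bad-traffic.rules
EOF
}

# Dry run on the sample. For the real file run
#   configure_snort_conf "$SNORT_CONF" && check_snort_conf "$SNORT_CONF"
#   grant_sql | /usr/local/mysql/bin/mysql -p
demo=${TMPDIR:-/tmp}/snort.conf.demo.$$
write_demo_snort_conf "$demo"
configure_snort_conf "$demo"
check_snort_conf "$demo" && cat "$demo"
rm -f "$demo"
```

With these grants the sensor's credentials, which sit in a root-readable snort.conf, cannot read the mysql system tables or alter the alert history, and the password in acid_conf.php under the web root is for an account confined to the snort database.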
  
V. Install and configure the web interface

Install jpgraph 1.11:

cp jpgraph-1.11.tar.gz /www/htdocs
cd /www/htdocs
tar -xzvf jpgraph-1.11.tar.gz
rm -rf jpgraph-1.11.tar.gz
cd jpgraph-1.11
rm -rf README
rm -rf QPL.txt

Install ADODB:

cp adodb330.tgz /www/htdocs/
cd /www/htdocs
tar -xzvf adodb330.tgz
rm -rf adodb330.tgz

Install and configure ACID:

cp acid-0.9.6b23.tar.gz /www/htdocs
cd /www/htdocs
tar -xvzf acid-0.9.6b23.tar.gz
rm -rf acid-0.9.6b23.tar.gz
cd /www/htdocs/acid/

Edit acid_conf.php and set the following:

$DBlib_path = "/www/htdocs/adodb";

/* The type of underlying alert database
 *
 *  MySQL         : "mysql"
 *  PostgresSQL   : "postgres"
 *  MS SQL Server : "mssql"
 */
$DBtype = "mysql";

/* Alert DB connection parameters
 *  - $alert_dbname   : MySQL database name of Snort alert DB
 *  - $alert_host     : host on which the DB is stored
 *  - $alert_port     : port on which to access the DB
 *  - $alert_user     : login to the database with this user
 *  - $alert_password : password of the DB user
 *
 *  This information can be gleaned from the Snort database
 *  output plugin configuration.
 */
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "root";
$alert_password = "your_password";

/* Archive DB connection parameters */
$archive_dbname   = "snort";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "root";
$archive_password = "your_password";

and a little further down:

$ChartLib_path = "/www/htdocs/jpgraph-1.11/src";

/* File format of charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";

Then open

http://yourhost/acid/acid_main.php

click the "Setup page" link and then "Create ACID AG" to create the tables ACID needs.

Access http://yourhost/acid to view the ACID interface.

ACID has no login of its own, and this configuration puts the MySQL root password in a file under the web root. Restrict /www/htdocs/acid with Apache access control (an AuthType Basic block, or Allow from your management network only, in httpd.conf) before relying on it, and use a separate MySQL account for ACID rather than root.
  
VI. Test the System

Reboot, or start the daemons directly:

/etc/init.d/mysql restart
/etc/init.d/snort start
/etc/init.d/httpd start

Scan the system with Nmap, Nessus, CIS or X-Scan from another host. This generates alert records, which you can then view at

http://yourhost/acid
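Before opening ACID it is worth confirming from the shell that the scan actually produced alerts. The script below is an added example, not part of the original page or of Snort: it summarises Snort's default full-format alert file by signature, by source address and by the most severe priority seen. The alert text in write_demo_alerts is constructed for the demo, and the default path /var/log/snort/alert is an assumption (it is where Snort writes when started with -c and no alert output plugin).

```shell
#!/bin/sh
# Added example, not part of the original page: summarise the alerts a test
# scan produced, straight from Snort's full-format alert file, before (or
# instead of) opening ACID. The alert text in write_demo_alerts is
# constructed for the demo; the default file path is an assumption.

ALERT_FILE=${ALERT_FILE:-/var/log/snort/alert}

# Alerts per signature, most frequent first. Header lines look like
#   [**] [1:469:1] ICMP PING NMAP [**]
alerts_by_signature() {
    awk '/^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] / {
            sub(/^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] /, "")
            sub(/ \[\*\*\]$/, "")
            count[$0]++
        }
        END { for (m in count) printf "%d %s\n", count[m], m }' "$1" | sort -rn
}

# Alerts per source address, most active first. The packet line is
#   04/20-13:02:19.123456 192.168.0.5:4123 -> 10.2.2.1:80
# and the :port suffix (present for TCP/UDP only) is stripped before counting.
alerts_by_source() {
    awk '/^[0-9][0-9]\/[0-9][0-9]-[0-9:.]+ [^ ]+ -> / {
            src = $2
            sub(/:[0-9]+$/, "", src)
            count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }' "$1" | sort -rn
}

# Most severe priority seen; in Snort's classification 1 is the highest.
highest_priority() {
    awk 'match($0, /\[Priority: [0-9]+\]/) {
            p = substr($0, RSTART + 11, RLENGTH - 12) + 0
            if (best == "" || p < best) best = p
        }
        END { print best }' "$1"
}

# Constructed sample in Snort's default "full" alert format: two NMAP pings
# and one web attack, two of the three from the same scanner.
write_demo_alerts() {
    cat > "$1" <<'EOF'
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/20-13:02:19.123456 192.168.0.5 -> 10.2.2.1
ICMP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:28
Type:8  Code:0  ID:9876   Seq:0  ECHO

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/20-13:02:20.223456 192.168.0.7 -> 10.2.2.1
ICMP TTL:64 TOS:0x0 ID:12346 IpLen:20 DgmLen:28
Type:8  Code:0  ID:9876   Seq:1  ECHO

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
04/20-13:05:41.000001 192.168.0.5:4123 -> 10.2.2.1:80
TCP TTL:64 TOS:0x0 ID:555 IpLen:20 DgmLen:412 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0x4000  TcpLen: 20
EOF
}

# Demo run on the sample; on the sensor use e.g. alerts_by_signature "$ALERT_FILE".
demo=${TMPDIR:-/tmp}/snort-alert.demo.$$
write_demo_alerts "$demo"
echo "== alerts by signature"; alerts_by_signature "$demo"
echo "== alerts by source";    alerts_by_source "$demo"
echo "== highest priority: $(highest_priority "$demo")"
rm -f "$demo"
```

If the scan produced nothing, check the Snort process is still running and that HOME_NET in snort.conf covers the address of the host you scanned; many rules only fire for traffic headed into HOME_NET.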
  
At this point a working IDS is in place. The web interface can be used remotely to monitor the host's local network, and phpMyAdmin can be installed for direct work on the MySQL database; if you add it, protect it the same way as ACID, since it exposes the whole database server to anyone who can reach the page.
