I. System Platform
Red Hat 9.0 release, with GCC and the related library files installed. It is recommended not to install Apache, PHP or MySQL during the system installation; they are compiled and installed from source below. For security, you can set iptables to allow only SSH and WWW access.
II. Software
mysql 4.0.12     http://mysql.secsup.org
snort 2.0.0      http://www.snort.org
apache 2.0.45    http://www.apache.org
php 4.3.1        http://www.php.net
adodb v3.30      http://phplens.com
acid 0.9.6b23    http://acidlab.sourceforge.net
zlib 1.1.4       http://flow.dl.sourceforge.net
jpgraph 1.11     http://jpgraph.techuk.com
libpcap 0.7.2    http://www.tcpdump.org
We recommend downloading the packages from http://ftp.cdut.edu.cn/pub/linux/NEW/. You can also download the corresponding xx.src.rpm from http://www.rpmfind.com and build from that. If the RPM packages are already installed, you can forcibly uninstall them:
rpm -e --nodeps xx.xx
III. Installation (we recommend putting all the package files in the same directory)
1. Install zlib 1.1.4
tar -xzvf zlib-xx.tar.gz
cd zlib-xx
./configure; make test
make install
cd ..
2. Install libpcap 0.7.2
tar -xzvf libpcap-xx.tar.gz
cd libpcap-xx
./configure
make
make install
cd ..
3. Install mysql 4.0.12
3.1 Create a mysql group and a mysql user
groupadd mysql
useradd -g mysql mysql
Modify the PATH line in /root/.bash_profile from
PATH=$PATH:$HOME/bin
to
PATH=$PATH:$HOME/bin:/usr/local/mysql/bin
3.2 Install MySQL
tar -xzvf mysql-xx.tar.gz
cd mysql-xx
./configure --prefix=/usr/local/mysql
make
make install
cd scripts
./mysql_install_db
cd ..
chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql
cp support-files/my-medium.cnf /etc/my.cnf
Add two lines to /etc/ld.so.conf:
/usr/local/mysql/lib/mysql
/usr/local/lib
Then reload the shared library cache:
ldconfig -v
3.3 Test whether MySQL works:
cd /usr/local/mysql/bin/
./mysqld_safe --user=mysql &
ps -ef | grep mysql
Check that mysqld_safe is running.
3.4 Set MySQL to start automatically:
From the support-files directory under the MySQL installation directory, copy the mysql.server file to /etc/init.d:
cp mysql.server /etc/init.d/mysql
chmod 755 /etc/init.d/mysql
Create the runlevel links (symbolic links):
cd /etc/rc3.d        (text-mode startup)
ln -s /etc/init.d/mysql S85mysql
ln -s /etc/init.d/mysql K85mysql
cd /etc/rc5.d        (graphical startup)
ln -s /etc/init.d/mysql S85mysql
ln -s /etc/init.d/mysql K85mysql
4. Install apache 2.0.45 and php 4.3.1
tar -zxvf httpd-2.0.xx.tar.gz
cd httpd-2.0.xx
./configure --prefix=/www --enable-so
Note: the Apache root directory is /www.
make
make install
cd ..
tar -zxvf php-4.3.x.tar.gz
cd php-4.3.x
./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd
Note: the configure command is a single line; there is no line break in the middle.
make
make install
cp php.ini-dist /www/php/php.ini
Edit httpd.conf (in /www/conf) and add two lines:
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php
The relevant part of httpd.conf then reads:
#
# LoadModule foo_module modules/mod_foo.so
LoadModule php4_module modules/libphp4.so
# AddType allows you to tweak mime.types without actually editing it, or to
# make certain files to be certain types.
#
AddType application/x-tar .tgz
AddType image/x-icon .ico
AddType application/x-httpd-php .php
Set Apache to start automatically:
cp /www/bin/apachectl /etc/init.d/httpd
cd /etc/rc3.d
ln -s /etc/init.d/httpd S85httpd
ln -s /etc/init.d/httpd K85httpd
cd /etc/rc5.d
ln -s /etc/init.d/httpd S85httpd
ln -s /etc/init.d/httpd K85httpd
Test PHP:
cd /etc/init.d
./httpd start
Create a file test.php under /www/htdocs:
cd /www/htdocs
vi test.php
and enter
<?php
phpinfo();
?>
Use a browser to access http://ip_address/test.php; it displays the system, Apache and PHP information.
5. Install snort 2.0
5.1 Create the Snort configuration and log directories
mkdir /etc/snort
mkdir /var/log/snort
tar -zxvf snort-2.x.x.tar.gz
cd snort-2.x.x
./configure --with-mysql=/usr/local/mysql
make
make install
5.2 Install the rules and configuration files
cd rules          (in the Snort source directory)
cp * /etc/snort
cd ../etc
cp snort.conf /etc/snort
cp *.config /etc/snort
5.3 Modify snort.conf (/etc/snort/snort.conf)
Set HOME_NET to the local networks, for example:
var HOME_NET [10.2.2.0/24,192.168.0.0/24]
Change
var RULE_PATH ../rules
to
var RULE_PATH /etc/snort/
Change the logging database line to:
output database: log, mysql, user=root password=your_password dbname=snort host=localhost
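An added check, not part of the original guide: a small POSIX shell script that verifies the snort.conf edits from step 5.3 (HOME_NET, RULE_PATH and the MySQL output line) and flags a database login as MySQL root, since the dedicated snort account created in the "Create a database in MySQL" section only needs INSERT and SELECT. The function name is ours and the three sample configurations inside it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the snort.conf
# edits of step 5.3 before starting Snort. The three sample configs below are
# constructed here; point the function at /etc/snort/snort.conf for the real file.

# count_snort_conf_problems FILE: findings on stderr, their count on stdout.
count_snort_conf_problems() {
    conf="$1"; n=0
    # HOME_NET left at the default "any" makes every rule apply to all traffic
    if grep -Eq '^var[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$' "$conf"; then
        echo "HOME_NET is still 'any'; set it to the local networks" >&2; n=$((n+1))
    fi
    # RULE_PATH must point at the directory the rules were copied to
    if ! grep -Eq '^var[[:space:]]+RULE_PATH[[:space:]]+/etc/snort/?[[:space:]]*$' "$conf"; then
        echo "RULE_PATH does not point at /etc/snort" >&2; n=$((n+1))
    fi
    # an uncommented MySQL output line is what feeds the ACID console
    if ! grep -Eq '^output[[:space:]]+database:[[:space:]]*log,[[:space:]]*mysql,' "$conf"; then
        echo "no active 'output database: log, mysql' line; alerts never reach the DB" >&2; n=$((n+1))
    fi
    # logging as MySQL root gives Snort far more than the INSERT/SELECT it needs;
    # the guide creates a dedicated 'snort' account for exactly this purpose
    if grep -Eq '^output[[:space:]]+database:.*[[:space:]]user=root([[:space:]]|$)' "$conf"; then
        echo "output plugin logs as MySQL root; use the 'snort' account" >&2; n=$((n+1))
    fi
    echo "$n"
}
# Constructed sample 1: the stock snort.conf with nothing edited yet
UNEDITED_CONF=$(mktemp)
cat >"$UNEDITED_CONF" <<'EOF'
var HOME_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=snort password=test dbname=snort host=localhost
EOF
# Constructed sample 2: the step 5.3 edits exactly as the guide gives them
GUIDE_CONF=$(mktemp)
cat >"$GUIDE_CONF" <<'EOF'
var HOME_NET [10.2.2.0/24,192.168.0.0/24]
var RULE_PATH /etc/snort/
output database: log, mysql, user=root password=your_password dbname=snort host=localhost
EOF
# Constructed sample 3: the same edits logging through the restricted 'snort' account
HARDENED_CONF=$(mktemp)
sed 's/user=root/user=snort/' "$GUIDE_CONF" >"$HARDENED_CONF"

for f in "$UNEDITED_CONF" "$GUIDE_CONF" "$HARDENED_CONF"; do
    echo "$f: $(count_snort_conf_problems "$f") problem(s)"
done
```

The stock file reports three problems, the guide's own edit one (the root login), and the variant using the snort account none.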
5.4 Set Snort to start automatically:
In the contrib directory under the Snort source directory:
cd contrib
cp S99snort /etc/init.d/snort
vi /etc/init.d/snort
Modify the script as follows:
CONFIG=/etc/snort/snort.conf
# SNORT_GID=nogroup        (comment this line out)
$SNORT_PATH/snort -c $CONFIG -i $IFACE $OPTIONS
(remove the "-g $SNORT_GID" from this line)
chmod 755 /etc/init.d/snort
cd /etc/rc3.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
cd /etc/rc5.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
IV. Create the database in MySQL
/usr/local/mysql/bin/mysql
mysql> SET PASSWORD FOR root@localhost = PASSWORD('your_password');
mysql> CREATE DATABASE snort;
mysql> GRANT INSERT, SELECT ON snort.* TO snort@localhost;
mysql> quit;
Go to the Snort source directory and install the DB tables (both files are in the contrib directory):
/usr/local/mysql/bin/mysql -p snort < create_mysql
Enter password:
zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p snort
Enter password:
Go back into MySQL and check the tables in the snort database:
/usr/local/mysql/bin/mysql -p
Enter password:
mysql> show databases;
+----------+
| Database |
+----------+
| mysql    |
| snort    |
| test     |
+----------+
3 rows in set (0.00 sec)
mysql> use snort;
mysql> show tables;
The following tables should be present:
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)
mysql> exit
V. Install and configure the web interface
Install jpgraph 1.11:
cp jpgraph-1.11.tar.gz /www/htdocs
cd /www/htdocs
tar -xzvf jpgraph-1.11.tar.gz
rm -rf jpgraph-1.11.tar.gz
cd jpgraph-1.11
rm -rf README
rm -rf QPL.txt
Install ADODB:
cp adodb330.tgz /www/htdocs/
cd /www/htdocs
tar -xzvf adodb330.tgz
rm -rf adodb330.tgz
Install and configure ACID:
cp acid-0.9.6b23.tar.gz /www/htdocs
cd /www/htdocs
tar -xvzf acid-0.9.6b23.tar.gz
rm -rf acid-0.9.6b23.tar.gz
cd /www/htdocs/acid/
Edit acid_conf.php and modify the configuration as follows:
$DBlib_path = "/www/htdocs/adodb";
/* The type of underlying alert database
 *
 *  MySQL         : "mysql"
 *  PostgresSQL   : "postgres"
 *  MS SQL Server : "mssql"
 */
$DBtype = "mysql";
/* Alert DB connection parameters
 *   - $alert_dbname   : MySQL database name of Snort alert DB
 *   - $alert_host     : host on which the DB is stored
 *   - $alert_port     : port on which to access the DB
 *   - $alert_user     : login to the database with this user
 *   - $alert_password : password of the DB user
 *
 *  This information can be gleaned from the Snort database
 *  output plugin configuration.
 */
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "root";
$alert_password = "your_password";
/* Archive DB connection parameters */
$archive_dbname   = "snort";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "root";
$archive_password = "your_password";
And a little further down:
$ChartLib_path = "/www/htdocs/jpgraph-1.11/src";
/* File format of charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";
Open the web page http://yourhost/acid/acid_main.php, click the "Setup page" link, then "Create ACID AG".
Access http://yourhost/acid to view the ACID interface.
VI. Test the System
Restart the system, or start the related daemons directly:
/etc/init.d/mysql restart
/etc/init.d/snort start
/etc/init.d/httpd start
Use Nmap, Nessus, CIS or X-Scan to scan the system so that alert records are generated, then view them at http://yourhost/acid.
So far, a powerful IDS configuration has been completed. You can log in remotely through the web interface to monitor the host's local area network, and install phpMyAdmin to operate on the MySQL database.