Build a small Intrusion Detection System (RedHat9)
Snort + Apache + PHP4 + MySQL + Acid
I. System platform
Red Hat 9.0 with gcc and the related library files installed. It is recommended not to install the distribution's Apache, PHP and MySQL packages; they are compiled and installed from source below. For security, iptables can be configured to allow only SSH and WWW access.
II. Software
MySQL 4.0.12      http://mysql.secsup.org
Snort 2.0.0       http://www.snort.org
Apache 2.0.45     http://www.apache.org
PHP 4.3.1         http://www.php.net
ADODB v3.30       http://phplens.com
ACID 0.9.6b23     http://acidlab.sourceforge.net
Zlib 1.1.4        http://flow.dl.sourceforge.net
JPGraph 1.11      http://jpgraph.techuk.com
LibPcap 0.7.2     http://www.tcpdump.org
It is recommended to download them from http://ftp.cdut.edu.cn/pub/linux/NEW/
You can also download the related xx.src.rpm packages from http://www.rpmfind.com and compile and install those. If a package is already installed as an rpm, it can be forcibly uninstalled with:
rpm -e --nodeps xx.xx
III. Installation (it is recommended to put all the package files in the same directory)
1. Install zlib 1.1.4
tar -xzvf zlib-xx.tar.gz
cd zlib-xx
./configure; make test
make install
cd ..
2. Install LibPcap 0.7.2
tar -xzvf libpcap.tar.gz
cd libpcap-xx
./configure
make
make install
cd ..
3. Install MySQL 4.0.12
3.1 Create a mysql group and a mysql user
groupadd mysql
useradd -g mysql mysql
In /root/.bash_profile change the line
PATH=$PATH:$HOME/bin
to
PATH=$PATH:$HOME/bin:/usr/local/mysql/bin
3.2 Install mysql
tar -xzvf mysql-xx.tar.gz
cd mysql-xx
./configure --prefix=/usr/local/mysql
make
make install
cd scripts
./mysql_install_db
chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql
cp ../support-files/my-medium.cnf /etc/my.cnf
Add two lines to /etc/ld.so.conf:
/usr/local/mysql/lib/mysql
/usr/local/lib
Then reload the library cache so the MySQL libraries are found:
ldconfig -v
3.3 Test whether mysql works:
cd /usr/local/mysql/bin/
./mysqld_safe --user=mysql &
# ps -ef | grep mysql
Check that mysqld_safe is running.
3.4 Set mysql to start automatically:
From the support-files directory under the mysql installation directory,
copy the mysql.server file to the /etc/init.d directory:
cp mysql.server /etc/init.d/mysql
chmod 755 /etc/init.d/mysql
Create the symbolic links:
cd /etc/rc3.d   (text-mode startup)
ln -s /etc/init.d/mysql S85mysql
ln -s /etc/init.d/mysql K85mysql
cd /etc/rc5.d   (graphical startup)
ln -s /etc/init.d/mysql S85mysql
ln -s /etc/init.d/mysql K85mysql
4. Install Apache 2.0.45 and PHP 4.3.1
tar -zxvf httpd-2.0.xx.tar.gz
cd httpd-2.0.xx
./configure --prefix=/www --enable-so
Note: the Apache root directory is /www.
make
make install
cd ..
tar -zxvf php-4.3.x.tar.gz
cd php-4.3.x
./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd
Note: this is a single command line with no line break in the middle.
make
make install
cp php.ini-dist /www/php/php.ini
Edit httpd.conf (in /www/conf):
Add two lines
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php
The relevant parts of httpd.conf then look like this:
#
# LoadModule foo_module modules/mod_foo.so
LoadModule php4_module modules/libphp4.so
# AddType allows you to tweak mime.types without actually editing it, or to
# make certain files to be certain types.
#
AddType application/x-tar .tgz
AddType image/x-icon .ico
AddType application/x-httpd-php .php
Set Apache to start automatically:
cp /www/bin/apachectl /etc/init.d/httpd
cd /etc/rc3.d
ln -s /etc/init.d/httpd S85httpd
ln -s /etc/init.d/httpd K85httpd
cd /etc/rc5.d
ln -s /etc/init.d/httpd S85httpd
ln -s /etc/init.d/httpd K85httpd
Test PHP:
cd /etc/init.d
./httpd start
Create a file test.php under /www/htdocs:
cd /www/htdocs
vi test.php
with the content
<?php
phpinfo();
?>
Use a browser to access http://IP_address/test.php; it displays the system, Apache and PHP information. Remove test.php once the test succeeds, because phpinfo() exposes configuration details to anyone who can reach the server.
5. Install Snort 2.0
5.1 Create the snort configuration and log directories
mkdir /etc/snort
mkdir /var/log/snort
tar -zxvf snort-2.x.x.tar.gz
cd snort-2.x.x
./configure --with-mysql=/usr/local/mysql
make
make install
5.2 Install the rules and configuration files
cd rules   (in the snort source directory)
cp * /etc/snort
cd ../etc
cp snort.conf /etc/snort
cp *.config /etc/snort
5.3 Modify snort.conf (/etc/snort/snort.conf)
Set HOME_NET to your own network, for example
var HOME_NET 10.2.2.0/24
(or 192.168.0.0/24)
Change
var RULE_PATH ../rules
to
var RULE_PATH /etc/snort/
Change the logging database line (a single line):
output database: log, mysql, user=root password=your_password dbname=snort host=localhost
The dedicated snort database account created below (INSERT and SELECT only) is preferable to root here, because this password is stored in plain text in snort.conf.
5.4 Set snort to start automatically:
In the snort source directory:
cd contrib
cp S99snort /etc/init.d/snort
vi /etc/init.d/snort
Modify the script as follows:
CONFIG=/etc/snort/snort.conf
#SNORT_GID=nogroup   (comment this line out)
$SNORT_PATH/snort -c $CONFIG -i $IFACE $OPTIONS
(remove "-g $SNORT_GID" from this line)
chmod 755 /etc/init.d/snort
cd /etc/rc3.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
cd /etc/rc5.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
6. Create the database in mysql
/usr/local/mysql/bin/mysql
mysql> set password for root@localhost = PASSWORD('your_password');
mysql> create database snort;
mysql> grant INSERT, SELECT on snort.* to snort@localhost;
mysql> quit;
Go to the snort source directory and load the schema:
/usr/local/mysql/bin/mysql -p < ./contrib/create_mysql snort
Enter password:
Install the extra DB tables (in the contrib directory):
zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p snort
Go into mysql and check the tables in the snort database:
/usr/local/mysql/bin/mysql -p
Enter password:
mysql> show databases;
+----------+
| Database |
+----------+
| mysql    |
| snort    |
| test     |
+----------+
3 rows in set (0.00 sec)
mysql> use snort;
mysql> show tables;
The following tables should be present:
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)
mysql> exit
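As an added check that is not part of the original tutorial, the following POSIX shell script audits the "output database:" line from step 5.3 and the HOME_NET setting of a snort.conf, and prints the least-privilege GRANT that matches it (the same grant made in mysql above). The snort.conf lines in the test are constructed samples; the default path /etc/snort/snort.conf is an assumption.

```shell
#!/bin/sh
# Added example: audit the MySQL logging settings in a snort.conf.
# Flags logging as root or with an empty password, warns when HOME_NET is
# still "any", and prints the least-privilege GRANT for the snort account.

# Extract the value of key=... from an "output database:" line (empty if absent).
db_field() {   # $1 = key, $2 = line
    printf '%s\n' "$2" | sed -n "s/.*[ ,]$1=\([^ ,]*\).*/\1/p"
}

# Audit one snort.conf: returns 0 if fine, 1 on a finding, 2 if no DB output line.
audit_snort_conf() {   # $1 = path to snort.conf
    line=$(grep -i '^output database:' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo "no 'output database:' line in $1"
        return 2
    fi
    user=$(db_field user "$line")
    pass=$(db_field password "$line")
    db=$(db_field dbname "$line")
    host=$(db_field host "$line")
    # HOME_NET value with surrounding whitespace stripped (empty if unset).
    home=$(sed -n 's/^var HOME_NET[[:space:]]*\(.*[^[:space:]]\).*/\1/p' "$1" | head -n 1)
    status=0
    if [ "$user" = "root" ]; then
        echo "WARN: snort logs to MySQL as root; the snort account needs only INSERT and SELECT"
        status=1
    fi
    if [ -z "$pass" ]; then
        echo "WARN: empty database password in $1"
        status=1
    fi
    if [ "$home" = "any" ]; then
        echo "WARN: HOME_NET is 'any'; set it to the monitored network (e.g. 10.2.2.0/24)"
        status=1
    fi
    # The grant the tutorial makes for its dedicated account, for this db and host.
    echo "GRANT INSERT, SELECT ON ${db:-snort}.* TO snort@${host:-localhost};"
    return $status
}

# Run against a real file when a path is given: sh audit.sh /etc/snort/snort.conf
if [ -n "${1:-}" ]; then
    audit_snort_conf "$1"
fi
```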
7. Install and configure the Web interface
Install JPGraph 1.11
cp jpgraph-