Configure the Linux security logging server

Environment RedHat7.3 is emerging with more and more hackers on the Internet. How can we ensure that we can save a complete log? Hacker knows that the first thing that comes into the system is to clean up logs, and find the simplest and most direct method of intrusion.

Environment RedHat 7.3

The emergence of more and more hackers on the Internet and the emergence of more and more experts. How can we ensure that we can save a complete log? Hacker knows that the first thing that comes into the system is to clean up logs. the simplest and most direct way to detect intrusions is to view system records. Now let's talk about how to set up a secure log server.

Think about how to change your log if intruders cannot connect to your log server? Now let's learn how to set up a log server without ip addresses.

Now we will introduce how to use Snort to do three things:

Stealth sniffer

Stealth NIDS porbe

Stealth logger

All of this is used on a server without an ip address. NIDS is short for Network Intrusion Dectection Server, that is, the Intrusion detection Server.

Why stealth?

Running any service on the internet is dangerous. Whether it is http or ftp or telnet, there will be a chance of hack intrusion. The uniqueness of stealth logger allows us to receive data without sending any data. In this way, external computers (computers infiltrated by hack) cannot modify the information received by the loger server. That is to say, it ensures the integrity and originality of our information. To ensure the security of the log server, it is best not to connect the log server to the network. That is to say, when you need to check what is on the logger server, you need to go to the computer and open the screen. Instead of the remote login. However, if you must connect to the network, use two interfaces. That is to say, two NICs, and note that, first, IP forwarding must be disabled. Second, the interface used for stealth logger is a network card without an ip address. this network card must not be in the same network with another network card with an ip address.

Settings:

First of all, make sure that your Nic is correctly installed and can be caught by the kernel. Then, write the module required by the NIC to the/etc/modules. conf file.

Now let's set up a Nic interface without ip addresses.

Edit file/etc/sysconfig/network-scripts/ifcfg-eth0

Vim/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE = eth0
USERCTL = no
ONBOOT = yes
BOOTPROTO =
BROADCAST =
NETWORK =
NETMASK =
IPADDR =

After archiving, use ifconfig to activate our eth0 interface.

Stealth

Here we use the snort program. If you do not have this program on your computer, you can download it at www.snort.org.

Now we run

Snort-dvi eth0

Here, The-d option tells snort to decode the data)

-V tells snort to display the result on the screen

-I indicates the required interface.

You can use the-C option to tell snort to display only the ASCII part. Ignore hexadecimal data.

? $ Snort-dviC eth0
Log directory =/var/log/snort
Initializing Network Interface eth0
Kernel filter, protocol ALL, TURBO mode
(63 frames), raw packet socket
-- = Initializing Snort = --
Decoding Ethernet on interface eth0
-- = Initialization Complate = --
-*> Snort! <*-
Version 1.8.4 (Build 99)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
......
......
......

NIDS intrusion detection is a complex task. Snort also provides powerful intrusion detection functions. Here I will only make a brief introduction so that you can have a concept. If the real object is used as an NIDS. More complex actions are required. For example, set a more comprehensive rules and regularly update the rules defined in snort. conf (when a new attack method appears, it should be updated in a timely manner)

First, you need to change/etc/snort. conf to your own machine.

# Set the location where logs are stored

Config logdir:/var/log/snort

# Set the network

Var HOME_NET 192.168.1.0/24
Var EXTERNAL_NET any
Var SMTP? $ HOME_NET
Var HTTP_SERVERS? $ HOME_NET
Var SQL _SERVERS? $ HOME_NET
Var DNS_SERVERS 192.168.1.250/32 var RULE_PATH ./

# Set preprocessors

Preprocessor frag2
Preprocessor stream4: detect_scans
Preprocessor stream4_re0000t
Preprocessor portscan :? $ HOME_NET 4 3 portscan. log

# Set output

Output database: log, mysql, user = root
Dbname-snort host = localhost

# Rules

Alert tcp? $ HOME_NET 7161->? $ EXTERNAL_NET any (msg: "MISC Cisco Catalyst Remote Access"; flags: SA; reference: arachnids, 129; reference: cve, CVE-1999-0430; classtype: bad-unknow; sid: 513; rev: 1 ;)

# Set the patch. these are all attached rules files.

Include? $ RULE_PATH/bad-traffic.rules include? $ RULE_PATH/exploit. rules include? $ RULE_PATH/scan. rules include? $ RULE_PATH/ftp. rules

# There are many other rule types. You can write it by yourself, or find someone to download it.

Now let's run the snort:

Snort-c/etc/snort. conf-D-I eth0

Now the snort NIDS mode is running. In the case of default:

Alerts is stored in/var/log/snort/alert.

Port-scanning is stored in/var/log/snort/portscan. log.

When running NIDS, you need to run snort in daemon mode. If you install rpm, the rpm file contains an snortd file, which will help you install it under/etc/rc. d/init. d. After configuring the snort configure file, you only need to use chkconfig to open snortd:

Add snortd

Chkconfig -- add snortd

Enable snortd

Chkconfig snortd on

Or

Chkconfig -- level 3 snortd on

The level here must be changed to the runlevel you are running.

You can use cat/etc/inittab | grep id to check which runlevel you are on.

Cat/etc/inittab | grep id

Id: 5: initdefault:

Run on run level 5.

To set the server, we need to set the server so that the server can send logs to our logger server. First, we need to set/etc/syslog. conf to send the log to a valid ip address that does not exist. For example, if our network is 192.168.1.0/24, there is no machine 192.168.1.123, which means the ip address is actually empty. We will point the log here. You can point to any blank valid ip address.

Vim/etc/syslog. conf

Join

*. Info @ 192.168.1.123

If your system uses syslog-ng

Vim/etc/syslog-ng/syslog-ng.conf

Destination d_loghost {udp (ip (192.168.123)

Port (514) ;}; filter f_info {level (info) ;}; log {filter (f_info); destination (d_loghost );};

We also need to add static ARP entry. If your network is only connected to a Hub, the ARP address can be set as a fictitious ip address. If you have a connection switch, you need to add the real MAC address of the log server.

Here we can add the real MAC address of our logger server.

Arp-s 192.168.1.123 00: D0: B7: DB: BF: 95

Set snort on the Logger server

/Etc/snort. conf

Var EXTERNAL_NET any

# Snort-d

Config dump_payload

# Snort-C

Config dump_chars_only

# Set the path for storing logs

Config logdir:/var/log/snort

# What frag2 does is to give fragmented to re-assembly.

Preprocessor frag2

Log udp 192.168.1.1/32 any-> 192.168.1.123/32 514 (logto: "logged-packets ";)

The last line needs to be explained a little:

Here we will use snort as packet logger. that is to say, it does not write everything into/var/log/snort/alert. Instead, log any packets with match the rule without writing an alert.

Udp: udp protocol. system log is usually used here.

192.168.1.1/32: it is only our server, that is, the machine that sends logs. If you collect logs from the entire network segment, you can use 192.168.1.0/24.

Any: any source port any port

->: This is what everyone knows about ction operator.

192.168.1.123/35 514 is the empty ip address we provided, port 514

If logto: is not specified, logs are stored in different files. If logto is specified, all logs will be stored in the specified file, which looks much more convenient.

You can save logs more securely to protect your servers. The snort function is actually very powerful. here is a simple introduction.