* Environment RedHat 7.3
There are more and more hackers on the Internet, and more experts appear. How can we ensure that we can save a complete log? Hacker knows that the first thing that comes into the system is to clean up logs. The simplest and most direct way to detect intrusions is to view system records. now let's talk about how to set up a secure log server.
Think about how to change your log if intruders cannot connect to the server? Now let's learn how to set up a log server without ip addresses.
Now we will introduce how to use Snort to do three things:
Stealth sniffer
Stealth NIDS porbe
Stealth logger
All this is used on a Server without ip addresses. NIDS is short for Network Intrusion Dectection Server, that is, the Intrusion detection Server.
Why stealth?
Running any service on the internet is dangerous. whether it is http or ftp or telnet, there will be a chance of hack intrusion. the uniqueness of stealth logger allows us to receive data without sending any data. in this way, external computers (computers infiltrated by hack) cannot modify the information received by the loger server. that is to say, it ensures the integrity of our information and the primitive nature. to ensure the security of the log server, it is best not to connect the log server to the network. that is to say, when you need to check what is on the logger server, you need to go to the computer and open the screen. instead of remote login. however, if you must connect to the network, use two interfaces. that is, two NICs. note that, first, IP forwarding must be disabled. second, the interface used for stealth logger is a network card without an ip address. This network card must not be in the same network with another network card with an ip address.
Set
First, make sure that your Nic is correctly installed and can be caught by the kernel. Then, write the module required by the NIC to the/etc/modules. conf file.
Now let's set up a NIC interface without ip addresses.
Edit file/etc/sysconfig/network-scripts/ifcfg-eth0
Vim/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE = eth0
USERCTL = no
ONBOOT = yes
BOOTPROTO =
BROADCAST =
NETWORK =
NETMASK =
IPADDR =
After archiving, use ifconfig to activate our eth0 interface.
Stealth
Here we use the snort program. If you do not have this program on your computer, you can download it at www.snort.org.
Now we run
Snort-dvi eth0
Here, the-d option tells snort to decode the data)
-V tells snort to display the result on the screen
-I indicates the required interface.
You can use the-C option to tell snort to display only the ASCII part. Ignore hexadecimal data.
$ Snort-dviC eth0
Log directory =/var/log/snort
Initializing Network Interface eth0
Kernel filter, protocol ALL, TURBO mode
(63 frames), raw packet socket
-- = Initializing Snort = --
Decoding Ethernet on interface eth0
-- = Initialization Complate = --
-*> Snort! <*-
Version 1.8.4 (Build 99)
By Martin Roesch (roesch@sourcefire.com,
Www.snort.org)
......
......
NIDS (Intrusion Detection) intrusion detection is a complex task. snort also provides powerful intrusion detection functions. here I will only make a brief introduction so that you can have a concept. if the real object is used as an NIDS. more complex actions are required. for example, set a better rules and regularly update snort. rules defined in conf (when a new attack method appears, it should be updated in time)
First, you need to change/etc/snort. conf to your own machine.
# Set the location where logs are stored
Config logdir:/var/log/snort
# Set the network
Var HOME_NET 192.168.1.0/24
Var EXTERNAL_NET any
Var SMTP $ HOME_NET
Var HTTP_SERVERS $ HOME_NET
Var SQL _SERVERS $ HOME_NET
Var DNS_SERVERS 192.168.1.250/32
Var RULE_PATH ./
# Set preprocessors
Preprocessor frag2
Preprocessor stream4: detect_scans
Preprocessor stream4_re0000t
Preprocessor portscan: $ HOME_NET 4 3 portscan. log
# Set output
Output database: log, mysql, user = root
Dbname-snort host = localhost
# Rules
Alert tcp $ HOME_NET 7161-> $ EXTERNAL_NET any
(Msg: "MISC Cisco Catalyst Remote Access ";
Flags: SA; reference: arachnids, 129;
Reference: cve, CVE-1999-0430;
Classtype: bad-unknow; sid: 513; rev: 1 ;)
# Set the patch. These are all attached rules files.
Include $ RULE_PATH/bad-traffic.rules
Include $ RULE_PATH/exploit. rules
Include $ RULE_PATH/scan. rules
Include $ RULE_PATH/ftp. rules
# There are many other rule types. You can write the rule by yourself, or you can find someone to download and use it.
Now let's run the snort:
Snort-c/etc/snort. conf-D-I eth0
Now the snort NIDS mode is running. in the case of default:
Alerts is stored in/var/log/snort/alert.
Port-scanning is stored in/var/log/snort/portscan. log.
When running NIDS, you need to run snort in daemon mode. if you install rpm, the rpm file contains an snortd file, which will help you install it in/etc/rc. d/init. d/below. after configuring the snort configure file, you only need to use chkconfig to open snortd:
Add snortd
Chkconfig -- add snortd
Enable snortd
Chkconfig snortd on
Or
Chkconfig -- level 3 snortd on
The level here must be changed to the runlevel you are running.
You can use cat/etc/inittab | grep id to check which one you are in
Runlevel above.
Cat/etc/inittab | grep id
Id: 5: initdefault:
This indicates running on run level 5.
To set the server, we need to set the server so that the server can send logs to our logger server. first, we need to set/etc/syslog. conf sends the log to a valid ip address that does not exist. for example, if our network is 192.168.1.0/24, there is no host 192.168.1.123, which means the ip address is actually empty. we will point the log here. you can point to any blank valid ip address.
Vim/etc/syslog. conf
Join
*. Info @ 192.168.1.123
If your system uses syslog-ng
Vim/etc/syslog-ng/syslog-ng.conf
Destination d_loghost {udp (ip (192.168.123)
Port (514 ));};
Filter f_info {level (info );};
Log {filter (f_info); destination (d_loghost );};
We also need to add static ARP entry. if your network is only connected to a Hub, the ARP Address can be set as a fictitious ip address. if you have a connection switch, you need to add the real MAC address of the log server.
Here we can add the real MAC address of our logger server.
Arp-s 192.168.1.123 000: B7B: BF: 95
Set snort on the Logger Server
/Etc/snort. conf
Var EXTERNAL_NET any
# Snort-d
Config dump_payload
# Snort-C
Config dump_chars_only
# Set the path for storing logs
Config logdir:/var/log/snort
# What frag2 does is to give fragmented to re-assembly.
Preprocessor frag2
Log udp 192.168.1.1/32 any-> 192.168.1.123/32 514
(Logto: "logged-packets ";)
The last line needs to be explained a little: www.2cto.com
Here we will use snort as packet logger. that is to say, not all things are written to/var/log/snort/alert. instead, log any packets with match the rule without writing an alert.
Udp: udp protocol. system log is usually used here.
192.168.1.1/32: it is only our server, that is, the machine that sends logs. If you collect logs from the entire network segment, you can also use 192.168.1.0/24.
Any: any source port any port
->: This is what everyone knows about ction operator.
192.168.1.123/35 514 Is the empty ip address we provided, port 514
If logto: is not specified, logs are stored in different files. If logto is specified, all logs are stored in the specified file, which looks much more convenient.
You can save logs more securely to protect your servers. The snort function is actually very powerful. Here is just a simple introduction. If you are interested in these things. You can see a lot of useful files under www.snort.org/docs.