Thursday, December 31, 2009

INSTALL IPS(SNORT) WITH EasyIDS and Guardian

I/Intro

An Intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS, for example, operates in-line and monitors all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology.

II/INSTALL

Step 1: Install the IDS as described at http://conheotiensinh.blogspot.com/2009/12/install-ids-in-centos-with-5-minutes.html

Step 2: IPS with Guardian

Guardian is a security program which works in conjunction with Snort to automatically update firewall rules based on the alerts generated by Snort.
The updated firewall rules block all incoming data from the IP address of the attacking machine (the machine which caused Snort to generate an alert).
There is also logic in place which prevents blocking important machines, such as DNS servers, gateways, and whatever else you want.

Step 3: Download and install Guardian

Go to http://www.chaotic.org/guardian/ to download Guardian. The current version as of this writing is 1.7.
#wget http://www.chaotic.org/guardian/guardian-1.7.tar.gz
#tar -xzvf guardian-1.7.tar.gz
#cd guardian-1.7
#cp guardian.pl /usr/local/bin/
#cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
#cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
#cp guardian.conf /etc/snort/
#touch /etc/snort/guardian.ignore
#touch /etc/snort/guardian.target
#touch /var/log/snort/guardian.log


Step 4: Configure Guardian

Edit /etc/snort/guardian.conf and change the following variables:

HostIpAddr xxx.xxx.xxx.xxx (IP address of the Snort monitor)
Interface ETH01 (interface that Snort monitors)
HostGatewayByte 75
Logfile /var/log/snort/guardian.log
AlertFile /var/log/messages
IgnoreFile /etc/snort/guardian.ignore
TargetFile /etc/snort/guardian.target
TimeLimit 86400

Step 5: Block script
Edit /usr/local/bin/guardian_block.sh and change the variables below (this script blocks the attacker's IP address and sends an alert mail to test@conheotiensinh.co.cc):


#!/bin/sh
# Guardian calls this script with the attacker's address and the monitored interface.
source=$1
interface=$2

# Insert DROP rules at the top of INPUT and FORWARD so the attacker is cut off immediately.
/sbin/iptables -I INPUT -s "$source" -i "$interface" -j DROP
/sbin/iptables -I FORWARD -s "$source" -i "$interface" -j DROP
echo "$source is blocked!" | mail -s "Snort alert is blocked" test@conheotiensinh.co.cc

Step 6: Unblock script

Edit /usr/local/bin/guardian_unblock.sh and change the variables below (this script removes the attacker's IP address from the block list after the TimeLimit expires and sends an alert mail to test@conheotiensinh.co.cc):


#!/bin/sh
# Guardian calls this script with the same arguments it passed to the block script.
source=$1
interface=$2

# Delete the DROP rules that the block script inserted.
/sbin/iptables -D INPUT -s "$source" -i "$interface" -j DROP
/sbin/iptables -D FORWARD -s "$source" -i "$interface" -j DROP

echo "$source was blocked for 24 hours! It is now released!" | mail -s "Snort alert is released" test@conheotiensinh.co.cc

Step 7: Target file

Edit /etc/snort/guardian.target

Add the IP address of the Snort monitor.

Step 8: Ignore file
Edit /etc/snort/guardian.ignore

Add the IP address 127.0.0.1 (addresses listed here are never blocked).

Step 9: Send Snort alerts to syslog

Edit /etc/snort/snort.conf and uncomment the line "output alert_syslog: LOG_AUTH LOG_ALERT" so that alerts are written to /var/log/messages, the AlertFile Guardian reads. Then restart Snort:

service snort restart

Step 10: Create the shell script guardian.sh

#————— CUT HERE —————–#

#!/bin/bash
# Wrapper to start, stop and query the Guardian daemon.

start()
{
    export PATH=$PATH:/usr/local/bin
    /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
}

# The bracketed pattern '[g]uardian' keeps grep from matching its own command
# line (which would make status always report "running" and stop try to kill
# a process that has already exited); stderr is redirected after stdout.
stop()
{
    if ps aux | grep '[g]uardian.pl *-c' > /dev/null 2>&1; then
        kill $(ps aux | grep '[g]uardian.pl *-c' | awk '{print $2}')
    else
        echo "Guardian is not running ....."
    fi
}

status()
{
    if ps aux | grep '[g]uardian.pl *-c' > /dev/null 2>&1; then
        echo "Guardian is Running ....."
    else
        echo "Guardian is not Running ...."
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        ;;
esac


Step 11: Install and start the script

chmod +x guardian.sh
cp guardian.sh /usr/local/bin/guardian.sh

/usr/local/bin/guardian.sh start

Step 12: Test

Use nmap from another machine to trigger a Snort alert and confirm that its address gets blocked:

#nmap -v -sS xxx.xxx.xxx.xxx
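The script below is an added example, not code from Guardian or from the original post. It is a dry run, in POSIX sh, of the decision Guardian makes for each Snort alert it reads from the AlertFile: extract the source address from the syslog line, skip addresses listed in the ignore file, skip addresses already blocked in this run, and print the iptables rule that guardian_block.sh would insert. The interface name eth0, the ignore-file contents and the sample alert lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not Guardian's code): dry run of what Guardian does with each
# Snort alert line it reads from the AlertFile (/var/log/messages). It extracts
# the source address, honours the ignore file, skips addresses already blocked
# and prints the rule guardian_block.sh would insert. Interface is an assumption.

IFACE=eth0

# Constructed ignore file standing in for /etc/snort/guardian.ignore.
IGNORE_FILE=$(mktemp)
printf '127.0.0.1\n198.51.100.10\n' > "$IGNORE_FILE"

# Constructed sample in Snort's alert_syslog format: "{PROTO} src[:port] -> dst[:port]".
SAMPLE_ALERTS='Dec 31 10:00:01 ids snort[2231]: [1:1000001:1] SCAN nmap SYN [Priority: 2] {TCP} 192.0.2.77:44123 -> 198.51.100.10:22
Dec 31 10:00:02 ids snort[2231]: [1:1000002:1] ICMP PING [Priority: 3] {ICMP} 127.0.0.1 -> 198.51.100.10
Dec 31 10:00:03 ids snort[2231]: [1:1000001:1] SCAN nmap SYN [Priority: 2] {TCP} 192.0.2.77:44124 -> 198.51.100.10:80
Dec 31 10:00:04 ids snort[2231]: Reloading configuration'

# Print the source address of one alert line, or nothing if it is not an alert.
alert_source() {
    printf '%s\n' "$1" | sed -n 's/.*} \([0-9.]*\)\(:[0-9]*\)\{0,1\} -> .*/\1/p'
}

# Print the action for one line: "block IP", "ignore IP", "dup IP" or "skip".
# $2 is the space-separated list of addresses already blocked in this run.
decide() {
    src=$(alert_source "$1")
    [ -n "$src" ] || { echo skip; return 0; }
    if grep -qxF "$src" "$IGNORE_FILE"; then echo "ignore $src"; return 0; fi
    case " $2 " in *" $src "*) echo "dup $src"; return 0;; esac
    echo "block $src"
}

# Walk the sample log and print the iptables rules that would be inserted.
run_sample() {
    blocked=""
    while IFS= read -r line; do
        set -- $(decide "$line" "$blocked")
        if [ "$1" = block ]; then
            blocked="$blocked $2"
            echo "/sbin/iptables -I INPUT -s $2 -i $IFACE -j DROP"
        else
            echo "# $1 ${2:-}"
        fi
    done <<EOF
$SAMPLE_ALERTS
EOF
}
run_sample
```

With the sample input only the first scan line produces a rule: the ICMP line comes from 127.0.0.1 (ignored), the second scan line repeats an address already blocked, and the last line is not an alert.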


Besides iptables, you can use EasyIDS as an IPS with other firewalls (FreeBSD with IPFW, Checkpoint, PIX, ...) by having the block script copy the rule to the firewall over SSH.


Please refer to: http://www.chaotic.org/guardian/



Tuesday, December 29, 2009

Install IDS in Centos with 5 minutes



I/Intro

An Intrusion detection system (IDS) is a device (or application) that monitors network and/or system activities for malicious activities or policy violations. Installing an IDS by hand is hard (you need to install Snort, HTTP, MySQL and so on), but with EasyIDS the installation is much easier.

II/Install

Step 1: Download the EasyIDS ISO from http://sourceforge.net/projects/easyids/files/

Step 2: Install it the same way as CentOS (EasyIDS 4.0 runs on CentOS 5.4).

Step 3: Configure the IP address of the network card.

Step 4: To access the EasyIDS GUI, browse to https://IPADDRESS from another computer and log in with the username admin and the password password.

Step 5: Run an attack against the EasyIDS host and check the status in EasyIDS.

Besides detection, you can use EasyIDS as an IPS (Intrusion Prevention System) with iptables and Guardian. I will introduce that later.


Thanks

Friday, December 4, 2009

INSTALL Monit to Monitor the System

I/INTRO

Monit is a free open source utility for managing and monitoring processes, files, directories and filesystems on a UNIX system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.

II/INSTALL

Step 1: Install monit

#wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
#rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
#yum install monit
#chkconfig --levels 235 monit on

Step 2: Configure Monit

Edit /etc/monit.d/monitrc:
set daemon  60
set logfile syslog facility log_daemon
set mailserver localhost # mail server used to send alerts
set mail-format { from: monit@server1.example.com }
set alert root@localhost # send alerts to the admin at the email address root@localhost
set httpd port 2812 and
    SSL ENABLE
    PEMFILE /var/certs/monit.pem
    allow admin:test

Some example checks for monit:

*check host CUIBAP with address 19.16.12.32
if failed icmp type echo with timeout 20 seconds then alert
(checks the host with an ICMP echo; if it does not answer within 20 seconds, an alert mail is sent to the admin)

*check host CONHEO with address 132.163.193.3
if failed port 25 with timeout 30 seconds then alert
(checks the SMTP service; if it does not answer within 30 seconds, an alert mail is sent to the admin)

*check process sshd with pidfile /var/run/sshd.pid
start program "/etc/init.d/sshd start"
stop program "/etc/init.d/sshd stop"
if failed port 22 protocol ssh then restart
if failed port 22 protocol ssh then alert
if 5 restarts within 5 cycles then timeout
(checks the SSH service; if it is down, monit starts it automatically; this only works for a service on localhost)

Step 3: Access the monit web interface on port 2812


Thursday, December 3, 2009

Install iRedMail with LDAP and a Groupware Server with SOGo

I/INTRO

In a previous document I showed you how to install iRedMail with MySQL as the backend: http://conheotiensinh.blogspot.com/2009/08/install-linux-mail-server-with-5.html. Today I will show you how to install iRedMail with LDAP as the backend, and how to configure iRedAdmin to administer the mailboxes (if you use MySQL as the backend, use postfixadmin instead). I will also show how to install and configure the SOGo groupware server.

*SOGo is a groupware server with a focus on scalability and open standards.

*SOGo provides a rich AJAX-based Web interface and supports multiple native clients through the use of standard protocols such as CalDAV, CardDAV and GroupDAV.

*SOGo is the missing component of your infrastructure; it sits in the middle of your servers to offer your users a uniform and complete interface to access their information. It has been deployed in production environments where thousands of users are involved.


II/INSTALL

1/Install iRedMail as normal, but pay attention: choose LDAP as the backend and note the password of the postmaster account.


2/Install and configure iRedAdmin

By default, after the installation finishes you can use phpldapadmin to administer mailboxes, but it is very hard to configure.

Step 1: Install the packages needed for iRedAdmin

#yum install python-setuptools.noarch MySQL-python.i386 \
gcc.i386 gcc-c++.i386 openssl-devel.i386 python-devel.i386 \
openldap-devel.i386

#easy_install web.py Jinja2 python-ldap==2.3.8 netifaces
#rpm -ivh http://www.iredmail.org/yum/rpms/5/mod_wsgi-2.5-2.ired.i386.rpm



Step 2: Download iRedAdmin from http://iredmail.googlecode.com/files/iRedAdmin-0.1.1.tar.bz2 (you need to buy a license for the full version, because the open source version can only create mailboxes, not mailing lists; you can still create mailing lists with phpldapadmin).
Step 3: Copy iRedAdmin to /var/www/ and set the correct file permissions.
Step 4: Unpack and link it:
$ tar xjf iRedAdmin-0.1.1.tar.bz2 -C /var/www/ 
$ cd /var/www/

$ chown -R root:root iRedAdmin-0.1.1
$ chmod -R 0755 iRedAdmin-0.1.1

$ ln -s iRedAdmin-0.1.1 iredadmin


Step 5: Add the Apache configuration file /etc/httpd/conf.d/iredadmin.conf:

# The <Directory> container around Order/Allow was lost in the page's HTML;
# the path is assumed from Step 4.
<Directory /var/www/iredadmin/>
    Order deny,allow
    Allow from all
</Directory>
AddType text/html .py

Step 6:
Edit /etc/httpd/conf.d/ssl.conf to make iRedAdmin accessible via HTTPS. Add the lines below inside the SSL virtual host block:

WSGIScriptAlias /iredadmin /var/www/iredadmin/iredadmin.py/
Alias /iredadmin/static /var/www/iredadmin/static/

Step 7: Restart Apache

/etc/init.d/httpd restart

Step 8:
Create the MySQL database iredadmin and grant privileges:

$ mysql -uroot -p
mysql> CREATE DATABASE iredadmin DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
mysql> USE iredadmin;
mysql> SOURCE /var/www/iredadmin/docs/samples/iredadmin.sql;
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON iredadmin.* TO iredadmin@localhost IDENTIFIED BY '123';
mysql> FLUSH PRIVILEGES;

Step 9: Configure iRedAdmin

$ cd /var/www/iredadmin/
$ cp settings.ini.sample settings.ini


Edit settings.ini and set the variables for your site, then make the file read-only:


$ chmod -w settings.ini

Step 10: Access iRedAdmin at https://your_server_ip_address/iredadmin/

3/Install and configure SOGo

Step 1: Create a repo to install SOGo with yum
Create the file /etc/yum.repos.d/inverse.repo with this content:

[RHEL5]
name=Inverse SOGo Repository
baseurl=http://inverse.ca/downloads/SOGo/RHEL5/$basearch
gpgcheck=0

Step 2: Install SOGo

#yum install sogo
#yum install sope49-gdl1-postgresql (you can use the MySQL or Oracle variant instead)

Step 3: SOGo requires a relational database system to store appointments, tasks and contact information; it also uses the database to store the personal preferences of SOGo users. You need to create the database and grant permissions on it.

Step 4: Edit /home/sogo/GNUstep/Defaults/.GNUstepDefaults as shown in the image.

Step 5: Install the add-on for Thunderbird from
http://www.sogo.nu/fr/downloads/frontends.html


Step 6: Configure Thunderbird

If you only use the SOGo Connector plug-in, you can still easily access your data.
To access your personal address book:
Choose Go > Address Book. Choose File > New > Remote Address Book.
Enter a meaningful name for your address book in the Name field.

Type the following URL in the URL field: http://localhost/SOGo/dav/u1/Contacts/personal/ and click OK.
To access your personal calendar:
Choose Go > Calendar.
Choose Calendar > New Calendar.
Select On the Network and click Continue. Select CalDAV.
Type the following URL in the URL field: http://localhost/SOGo/dav/u1/Calendar/personal/ and click Continue.

Step 7: Test: create a calendar entry in the web interface; it is synchronized automatically to Thunderbird.

Wednesday, December 2, 2009

Monitor bandwidth with Netflow and PRTG(PFSENSE)

I/Intro

*NetFlow Analyzer is a web-based (no hardware probes) bandwidth monitoring, network forensics and network traffic analysis tool that has been optimizing thousands of networks across varied industries for peak performance and helping them put their bandwidth to better use. NetFlow Analyzer is a NetFlow, sFlow, JFlow (and more) collector, analyzer and reporting engine integrated together. With close to 4000 enterprises using NetFlow Analyzer for in-depth visibility into their network traffic and its patterns, NetFlow Analyzer continues to earn the trust of more users by giving businesses knowledge of real-time network behavior and how traffic impacts the network's overall health.

*PRTG Traffic Grapher is easy-to-use Windows software for monitoring and classifying bandwidth traffic usage. It provides system administrators with live readings and long-term usage trends for their network devices. The most common usage is bandwidth management, but you can also monitor many other aspects of your network, such as memory and CPU utilization.

II/Install

Step 1: Install pfSense as normal.

Step 2: Install the pfflowd service (System -> Packages, choose pfflowd and click the "+" icon).

Step 3: Configure the pfflowd service in pfSense (Services -> pfflowd) as shown in the image, with Host set to the address of the machine where NetFlow Analyzer is installed, and click Save.

Step 4: Configure the SNMP service for PRTG (Services -> SNMP, check Enable as shown in the image).

Step 5: Install PRTG and NetFlow Analyzer.

Download PRTG: http://www.paessler.com/prtg6/download
NetFlow Analyzer: http://www.manageengine.com/products/netflow/download.html

Run the PRTG and NetFlow Analyzer installers.

Step 6: Restart pfSense.

Step 7: Test
Download something from 172.16.1.3 and check the status in PRTG and NetFlow Analyzer.