← cd ~/blog

less intrusion-detection-system-setup-arnos-iptables-firewall-port-scan-attack-detector-firewall-snort.md

Intrusion Detection System: Setup Arno’s Iptables Firewall, Port Scan Attack Detector, Firewall Snort

#Bash#Debian & Sysadmin#Server archive

# historical archive — written years ago, kept as it was. Some info is dated.

Host intrusion detection systems (HIDS – Host Intrusion Detection System) and network intrusion detection systems (NIDS – Network Intrusion Detection System) are, respectively, the security management methods for computers and networks. In a HIDS, anti-threat applications such as firewalls, antivirus software, and spyware detection programs are installed on all computers in the network that have two-way access to the external environment, such as the Internet. In a NIDS, the anti-threat software is installed only at specific points, such as the servers that interface with the external environment and the network segment to be protected.

All intrusion detection (ID) methods involve gathering and analyzing information from various areas within a computer or network to identify possible threats from hackers and/or crackers inside or outside the organization. Host-based and Network-based systems have their respective advantages and limitations. The most effective protection for a proprietary network is provided by a combination of both technologies.

Let’s focus our attention on a Host Intrusion Detection System to protect one of our remote servers. As stated in the title, we’ll use a few information-analysis tools; namely:

psad and fwsnort will act more like an Intrusion Prevention System (IPS) than an Intrusion Detection System (IDS). The difference is that an IPS, upon detecting a threat, acts to block and prevent access, while in an IDS there will only be a notification to the administrator of the detected threat attempt. You can imagine for yourself that in the first case a process is automated, and that in the second case nothing can happen without manual intervention.

Disclaimer: I remind you to be careful with your choices: we are assuming that you know your system. If the firewall or the other software were restarted with incorrect configurations, you could run the risk of no longer being able to access your remote server. Try it at home first!!!

Arno’s Iptables Firewall

Let’s start with our simple firewall:

apt-get install arno-iptables-firewall

At the end, the configuration phase will start (be careful with your choices!):

[rl_gallery id=”2016″]

The basic firewall rules are good: but I recommend editing /etc/arno-iptables-firewall/firewall.conf by modifying the following two variables:

...
ECHO_IGNORE=1
...
IP_FORWARDING=0

PSAD

Software installation

apt-get install psad

Once the software is installed, edit the file /etc/psad/psad.conf according to your needs. I’ll leave you some changes I made to my file:

--- psad.conf.orig	2012-11-19 22:56:28.000000000 +0100
+++ psad.conf	2015-07-11 12:03:52.863623493 +0200
@@ -16,16 +16,16 @@
 
 ### Supports multiple email addresses (as a comma separated
 ### list).
-EMAIL_ADDRESSES             root@localhost;
+EMAIL_ADDRESSES             [email protected];
 
 ### Machine hostname
-HOSTNAME                    _CHANGEME_;
+HOSTNAME                    server.youdomain.cxm;
 
 ### Specify the home and external networks.  Note that by default the
 ### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
 ### all of the directly connected subnets and uses this information as
 ### the HOME_NET variable.
-HOME_NET                    any;
+HOME_NET                    NOT_USED;
 EXTERNAL_NET                any;
 
 ### The FW_SEARCH_ALL variable controls how psad will parse iptables
@@ -74,7 +74,7 @@
 ### auto_ips so a danger level is automatically
 ### assigned.
 DANGER_LEVEL1               5;    ### Number of packets.
-DANGER_LEVEL2               15;
+DANGER_LEVEL2               35;
 DANGER_LEVEL3               150;
 DANGER_LEVEL4               1500;
 DANGER_LEVEL5               10000;
@@ -141,7 +141,7 @@
 ### usually recommended.
 ENABLE_SYSLOG_FILE          Y;
 IPT_WRITE_FWDATA            Y;
-IPT_SYSLOG_FILE             /var/log/messages;
+IPT_SYSLOG_FILE             /var/log/arno-iptables-firewall;
 
 ### When enabled, this instructs psad to write the "msg" field
 ### associated with Snort rule matches to syslog.
@@ -175,7 +175,7 @@
 ### corresponding protocol,  For example, to have psad ignore all
 ### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
 ### IGNORE_PORTS        tcp/61000-61356, udp/53, udp/5000;
-IGNORE_PORTS                NONE;
+IGNORE_PORTS                udp/53;
 
 ### allow entire protocols to be ignored.  This keyword can accept
 ### a comma separated list of protocols.  Each protocol must match
@@ -198,10 +198,10 @@
 ### IP directory is created within /var/log/psad/.  Hence
 ### MIN_DANGER_LEVEL should be set less than or equal to the value
 ### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.
-MIN_DANGER_LEVEL            1;
+MIN_DANGER_LEVEL            2;
 
 ### Only send email alert if danger level >= to this value.
-EMAIL_ALERT_DANGER_LEVEL    1;
+EMAIL_ALERT_DANGER_LEVEL    3;
 
 ### Enable detection of malicious activity that is delivered via IPv6.  If
 ### ip6tables is not logging any traffic, then psad won't know anything
@@ -233,11 +233,11 @@
 
 ### If "Y", send a status email message when an IP has reached the
 ### EMAIL_LIMIT threshold.
-EMAIL_LIMIT_STATUS_MSG      Y;
+EMAIL_LIMIT_STATUS_MSG      N;
 
 ### If "Y", send email for all newly logged packets from the same
 ### source ip instead of just when a danger level increases.
-ALERT_ALL                   Y;
+ALERT_ALL                   N;
 
 ### If "Y", then psad will import old scan source ip directories
 ### as current scans instead of moving the directories into the
@@ -322,11 +322,11 @@
 
 ### If "Y", enable automated IDS response (auto manages
 ### firewall rulesets).
-ENABLE_AUTO_IDS             N;
+ENABLE_AUTO_IDS             Y;
 
 ### Block all traffic from offending IP if danger
 ### level >= to this value
-AUTO_IDS_DANGER_LEVEL       5;
+AUTO_IDS_DANGER_LEVEL       2;
 
 ### Set the auto-blocked timeout in seconds (the default
 ### is one hour).
@@ -345,7 +345,7 @@
 
 ### By setting this variable to N, all auto-blocking emails can be
 ### suppressed.
-ENABLE_AUTO_IDS_EMAILS      Y;
+ENABLE_AUTO_IDS_EMAILS      N;
 
 ### Enable iptables blocking (only gets enabled if
 ### ENABLE_AUTO_IDS is also set)

Once done, don’t restart anything yet… wait, we’ll do it later!

FWSNORT

Let’s proceed with the installation. The basic configuration is already good and no particular changes will be needed.

apt-get install fwsnort

Now we’ll need a small script needed to update FWSNORT & the PSAD signatures once a week. Create the file /usr/local/bin/update-fwsnort

#!/bin/bash
# update fwsnort & psad signatures
/usr/sbin/fwsnort --update-rules
/usr/sbin/fwsnort
/var/lib/fwsnort/fwsnort.sh
echo "fwsnort signatures updated"
/usr/sbin/psad --sig-update
/usr/sbin/psad -H
echo "psad signatures updated"

Let’s make it executable with a chmod a+x /usr/local/bin/update-fwsnort

Now you can place a copy of the file in the /etc/cron.weekly/ folder or create a rule through crontab -e

0 15 * * 5 /usr/local/bin/update-fwsnort 2>&1 >> /var/log/fwsnort_update.log

For the FWSNORT rules to be inserted into iptables at every reboot, create the following file /etc/init.d/fwsnort

#!/bin/bash
#
### BEGIN INIT INFO
# Provides:          fwsnort
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load/unload snort signatures for psad
# Description:       update-rc.d -f fwsnort defaults 
### END INIT INFO
/var/lib/fwsnort/fwsnort.sh
exit 0

run these two commands

chmod a+x /etc/init.d/fwsnort
update-rc.d -f fwsnort defaults

There’s still something missing: let’s make our firewall (arno’s iptables firewall) create the Chains needed for psad to work correctly:

let’s edit the file /etc/arno-iptables-firewall/custom-rules and insert the following rules:

# Put any custom (iptables) rules here down below:
##################################################

#create PSAD chains
iptables -N PSAD_BLOCK_INPUT
iptables -N PSAD_BLOCK_OUTPUT
iptables -N PSAD_BLOCK_FORWARD
iptables -A INPUT -j PSAD_BLOCK_INPUT
iptables -A OUTPUT -j PSAD_BLOCK_OUTPUT
iptables -A FORWARD -j PSAD_BLOCK_FORWARD

ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG
#create PSAD chains IPV6
ip6tables -N PSAD_BLOCK_INPUT
ip6tables -N PSAD_BLOCK_OUTPUT
ip6tables -N PSAD_BLOCK_FORWARD
ip6tables -A INPUT -j PSAD_BLOCK_INPUT
ip6tables -A OUTPUT -j PSAD_BLOCK_OUTPUT
ip6tables -A FORWARD -j PSAD_BLOCK_FORWARD

Now it’s time to restart our services!

service psad stop
service arno-iptables-firewall stop

verify that iptables is empty:

iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Let’s start everything!

service arno-iptables-firewall start
service psad start
service fwsnort start

Now try checking iptables again ( iptables -n -L ) and you’ll be surprised at how many rules you’ll find! If you need further documentation, follow the links for the respective software. If you need any explanation, all you have to do is ask.

See you soon!!!