less intrusion-detection-system-setup-arnos-iptables-firewall-port-scan-attack-detector-firewall-snort.md
Intrusion Detection System: Setup Arno’s Iptables Firewall, Port Scan Attack Detector, Firewall Snort
# historical archive — written years ago, kept as it was. Some info is dated.
Host intrusion detection systems (HIDS – Host Intrusion Detection System) and network intrusion detection systems (NIDS – Network Intrusion Detection System) are, respectively, the security management methods for computers and networks. In a HIDS, anti-threat applications such as firewalls, antivirus software, and spyware detection programs are installed on all computers in the network that have two-way access to the external environment, such as the Internet. In a NIDS, the anti-threat software is installed only at specific points, such as the servers that interface with the external environment and the network segment to be protected.
All intrusion detection (ID) methods involve gathering and analyzing information from various areas within a computer or network to identify possible threats from hackers and/or crackers inside or outside the organization. Host-based and Network-based systems have their respective advantages and limitations. The most effective protection for a proprietary network is provided by a combination of both technologies.
Let’s focus our attention on a Host Intrusion Detection System to protect one of our remote servers. As stated in the title, we’ll use a few information-analysis tools; namely:
- Arno’s Iptables Firewall: it’s a simple Firewall. Given a configuration file, it will write the rules to pass to Iptables for you;
- psad – Post Scan Attack Detector: it analyzes the log files produced by Iptables and, should it detect an intrusion attempt, it would block the threat to our server from the IP;
- fwsnort – Firewall Snort: it analyzes the rules of the SNORT® intrusion detection system and builds an equivalent set of rules for Iptables.
psad and fwsnort will act more like an Intrusion Prevention System (IPS) than an Intrusion Detection System (IDS). The difference is that an IPS, upon detecting a threat, acts to block and prevent access, while in an IDS there will only be a notification to the administrator of the detected threat attempt. You can imagine for yourself that in the first case a process is automated, and that in the second case nothing can happen without manual intervention.
Disclaimer: I remind you to be careful with your choices: we are assuming that you know your system. If the firewall or the other software were restarted with incorrect configurations, you could run the risk of no longer being able to access your remote server. Try it at home first!!!
Arno’s Iptables Firewall
Let’s start with our simple firewall:
apt-get install arno-iptables-firewall
At the end, the configuration phase will start (be careful with your choices!):
[rl_gallery id=”2016″]
The basic firewall rules are good: but I recommend editing /etc/arno-iptables-firewall/firewall.conf by modifying the following two variables:
...
ECHO_IGNORE=1
...
IP_FORWARDING=0
PSAD
Software installation
apt-get install psad
Once the software is installed, edit the file /etc/psad/psad.conf according to your needs. I’ll leave you some changes I made to my file:
--- psad.conf.orig 2012-11-19 22:56:28.000000000 +0100
+++ psad.conf 2015-07-11 12:03:52.863623493 +0200
@@ -16,16 +16,16 @@
### Supports multiple email addresses (as a comma separated
### list).
-EMAIL_ADDRESSES root@localhost;
+EMAIL_ADDRESSES [email protected];
### Machine hostname
-HOSTNAME _CHANGEME_;
+HOSTNAME server.youdomain.cxm;
### Specify the home and external networks. Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
-HOME_NET any;
+HOME_NET NOT_USED;
EXTERNAL_NET any;
### The FW_SEARCH_ALL variable controls how psad will parse iptables
@@ -74,7 +74,7 @@
### auto_ips so a danger level is automatically
### assigned.
DANGER_LEVEL1 5; ### Number of packets.
-DANGER_LEVEL2 15;
+DANGER_LEVEL2 35;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
@@ -141,7 +141,7 @@
### usually recommended.
ENABLE_SYSLOG_FILE Y;
IPT_WRITE_FWDATA Y;
-IPT_SYSLOG_FILE /var/log/messages;
+IPT_SYSLOG_FILE /var/log/arno-iptables-firewall;
### When enabled, this instructs psad to write the "msg" field
### associated with Snort rule matches to syslog.
@@ -175,7 +175,7 @@
### corresponding protocol, For example, to have psad ignore all
### tcp in the range 61000-61356 and udp ports 53 and 5000, use:
### IGNORE_PORTS tcp/61000-61356, udp/53, udp/5000;
-IGNORE_PORTS NONE;
+IGNORE_PORTS udp/53;
### allow entire protocols to be ignored. This keyword can accept
### a comma separated list of protocols. Each protocol must match
@@ -198,10 +198,10 @@
### IP directory is created within /var/log/psad/. Hence
### MIN_DANGER_LEVEL should be set less than or equal to the value
### assigned to the EMAIL_ALERT_DANGER_LEVEL variable.
-MIN_DANGER_LEVEL 1;
+MIN_DANGER_LEVEL 2;
### Only send email alert if danger level >= to this value.
-EMAIL_ALERT_DANGER_LEVEL 1;
+EMAIL_ALERT_DANGER_LEVEL 3;
### Enable detection of malicious activity that is delivered via IPv6. If
### ip6tables is not logging any traffic, then psad won't know anything
@@ -233,11 +233,11 @@
### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
-EMAIL_LIMIT_STATUS_MSG Y;
+EMAIL_LIMIT_STATUS_MSG N;
### If "Y", send email for all newly logged packets from the same
### source ip instead of just when a danger level increases.
-ALERT_ALL Y;
+ALERT_ALL N;
### If "Y", then psad will import old scan source ip directories
### as current scans instead of moving the directories into the
@@ -322,11 +322,11 @@
### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
-ENABLE_AUTO_IDS N;
+ENABLE_AUTO_IDS Y;
### Block all traffic from offending IP if danger
### level >= to this value
-AUTO_IDS_DANGER_LEVEL 5;
+AUTO_IDS_DANGER_LEVEL 2;
### Set the auto-blocked timeout in seconds (the default
### is one hour).
@@ -345,7 +345,7 @@
### By setting this variable to N, all auto-blocking emails can be
### suppressed.
-ENABLE_AUTO_IDS_EMAILS Y;
+ENABLE_AUTO_IDS_EMAILS N;
### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
Once done, don’t restart anything yet… wait, we’ll do it later!
FWSNORT
Let’s proceed with the installation. The basic configuration is already good and no particular changes will be needed.
apt-get install fwsnort
Now we’ll need a small script needed to update FWSNORT & the PSAD signatures once a week. Create the file /usr/local/bin/update-fwsnort
#!/bin/bash
# update fwsnort & psad signatures
/usr/sbin/fwsnort --update-rules
/usr/sbin/fwsnort
/var/lib/fwsnort/fwsnort.sh
echo "fwsnort signatures updated"
/usr/sbin/psad --sig-update
/usr/sbin/psad -H
echo "psad signatures updated"
Let’s make it executable with a chmod a+x /usr/local/bin/update-fwsnort
Now you can place a copy of the file in the /etc/cron.weekly/ folder or create a rule through crontab -e
0 15 * * 5 /usr/local/bin/update-fwsnort 2>&1 >> /var/log/fwsnort_update.log
For the FWSNORT rules to be inserted into iptables at every reboot, create the following file /etc/init.d/fwsnort
#!/bin/bash
#
### BEGIN INIT INFO
# Provides: fwsnort
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Load/unload snort signatures for psad
# Description: update-rc.d -f fwsnort defaults
### END INIT INFO
/var/lib/fwsnort/fwsnort.sh
exit 0
run these two commands
chmod a+x /etc/init.d/fwsnort
update-rc.d -f fwsnort defaults
There’s still something missing: let’s make our firewall (arno’s iptables firewall) create the Chains needed for psad to work correctly:
let’s edit the file /etc/arno-iptables-firewall/custom-rules and insert the following rules:
# Put any custom (iptables) rules here down below:
##################################################
#create PSAD chains
iptables -N PSAD_BLOCK_INPUT
iptables -N PSAD_BLOCK_OUTPUT
iptables -N PSAD_BLOCK_FORWARD
iptables -A INPUT -j PSAD_BLOCK_INPUT
iptables -A OUTPUT -j PSAD_BLOCK_OUTPUT
iptables -A FORWARD -j PSAD_BLOCK_FORWARD
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG
#create PSAD chains IPV6
ip6tables -N PSAD_BLOCK_INPUT
ip6tables -N PSAD_BLOCK_OUTPUT
ip6tables -N PSAD_BLOCK_FORWARD
ip6tables -A INPUT -j PSAD_BLOCK_INPUT
ip6tables -A OUTPUT -j PSAD_BLOCK_OUTPUT
ip6tables -A FORWARD -j PSAD_BLOCK_FORWARD
Now it’s time to restart our services!
service psad stop
service arno-iptables-firewall stop
verify that iptables is empty:
iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Let’s start everything!
service arno-iptables-firewall start
service psad start
service fwsnort start
Now try checking iptables again ( iptables -n -L ) and you’ll be surprised at how many rules you’ll find! If you need further documentation, follow the links for the respective software. If you need any explanation, all you have to do is ask.
See you soon!!!