Installing the Suricata intrusion detection system on CentOS 7.x

Suricata, like Snort, is an intrusion detection system; for the differences between the two see:
Snort vs Suricata – Aanval Wiki

Suricata official site: https://oisf.net/suricata/
References:
浮雲雅築: [Research] Suricata 3.0 intrusion detection system installation (CentOS 7.2 x64)
How to install the Suricata intrusion detection system on Linux – 每日頭條
Building an IDS on CentOS using Suricata
CentOS Installation – Suricata – Open Information Security Foundation
IT Security through Open Source : Suricata – wildcard rule loading

1. Install Suricata from the EPEL repository
# yum install suricata --enablerepo=epel

2. Download the Emerging Threats open rule set and unpack it (the tarball contains a rules/ directory, so the files end up in /etc/suricata/rules/)
# wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
# tar xvzf emerging.rules.tar.gz -C /etc/suricata

3. Test the configuration file /etc/suricata/suricata.yaml
# /sbin/suricata -T -c /etc/suricata/suricata.yaml -i eth0
1/3/2017 -- 14:50:53 - <Info> - Running suricata under test mode
1/3/2017 -- 14:50:53 - <Notice> - This is Suricata version 3.2.1 RELEASE
1/3/2017 -- 14:50:56 - <Notice> - Configuration provided was successfully loaded. Exiting.

If step 2 is skipped, suricata.yaml still lists the Emerging Threats rule files, and the test prints a warning for every file it cannot find. The configuration still loads, but Suricata then runs without any of those signatures, so these warnings should not be ignored:
# /sbin/suricata -T -c /etc/suricata/suricata.yaml -i eth0
1/3/2017 -- 14:16:50 - <Info> - Running suricata under test mode
1/3/2017 -- 14:16:50 - <Notice> - This is Suricata version 3.2.1 RELEASE
1/3/2017 -- 14:16:50 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/botcc.rules
1/3/2017 -- 14:19:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/ciarmy.rules
1/3/2017 -- 14:19:32 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/compromised.rules
1/3/2017 -- 14:20:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/drop.rules
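The warnings above come from rule files that suricata.yaml references but that are not on disk. The script below is an added example, not part of the original post or of Suricata itself: it lists the rule files a suricata.yaml refers to and counts the missing ones, so the problem can be caught before the config test (or a production restart) is run. It assumes the plain default-rule-path / rule-files layout of the EPEL configuration; the function names are its own.

```shell
#!/bin/sh
# Added example (not from the original post or the Suricata project): find rule
# files that suricata.yaml references but that do not exist, i.e. the files that
# would produce SC_ERR_NO_RULES warnings. Assumes the simple layout used by the
# EPEL suricata.yaml:
#   default-rule-path: /etc/suricata/rules
#   rule-files:
#    - botcc.rules
#    - ...

# Print one absolute path per rule file referenced by the given suricata.yaml.
list_rule_files() {
  awk '
    /^default-rule-path:/ { path = $2; next }
    /^rule-files:/        { inlist = 1; next }
    inlist && /^[[:space:]]*-[[:space:]]*/ {
      sub(/^[[:space:]]*-[[:space:]]*/, "")     # strip the list marker
      sub(/[[:space:]]+#.*$/, "")               # strip a trailing comment
      print path "/" $0
      next
    }
    # the first line that is neither a list item, a comment nor blank ends the list
    inlist && !/^[[:space:]]*#/ && !/^[[:space:]]*$/ { inlist = 0 }
  ' "$1"
}

# Print the number of missing rule files on stdout; name each one on stderr.
count_missing_rule_files() {
  missing=0
  for f in $(list_rule_files "$1"); do
    if [ ! -f "$f" ]; then
      echo "missing rule file: $f" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
}

# Refuse to run the Suricata config test while rule files are missing.
# suricata itself is only invoked when it is installed; the check runs anywhere.
check_suricata_config() {
  conf=${1:-/etc/suricata/suricata.yaml}
  iface=${2:-eth0}
  n=$(count_missing_rule_files "$conf")
  if [ "$n" -ne 0 ]; then
    echo "$n rule file(s) missing; unpack emerging.rules.tar.gz into /etc/suricata first" >&2
    return 1
  fi
  if command -v suricata >/dev/null 2>&1; then
    suricata -T -c "$conf" -i "$iface"
  fi
}
```

Run `check_suricata_config /etc/suricata/suricata.yaml eth0` after step 2; a non-zero exit with the file names on stderr means the rule set was not unpacked where the configuration expects it.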


4. The packaged systemd service could never be started properly, so its unit file was moved out of the way (run systemctl daemon-reload afterwards so that systemd forgets the old unit)
# mv /usr/lib/systemd/system/suricata.service /root

5. A SysV start-up script, /etc/init.d/suricatad, was written instead
# vim /etc/init.d/suricatad
#!/bin/sh
# $Id$
#
# suricatad         Start/Stop the Suricata IDS daemon.
#
# chkconfig: 2345 40 60
# description:  Suricata is a lightweight network intrusion detection tool that
#               currently detects more than 1100 host and network
#               vulnerabilities, portscans, backdoors, and more.
#

# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Suricata: "
        # -D runs Suricata as a daemon; PCAP_FRAMES=max asks libpcap for its largest capture ring
        daemon PCAP_FRAMES=max /sbin/suricata -D -c /etc/suricata/suricata.yaml -i eth0
        echo
        ;;
  stop)
        echo -n "Stopping Suricata: "
        killproc suricata
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status suricata
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0

6. Make the script executable
# chmod +x /etc/init.d/suricatad

7. Enable it at boot, start it and check its status
# chkconfig --add suricatad
# /etc/init.d/suricatad start
# /etc/init.d/suricatad status
● suricatad.service - SYSV: Suricata is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
   Loaded: loaded (/etc/rc.d/init.d/suricatad; bad; vendor preset: disabled)
   Active: active (running) since Wed 2017-03-01 15:10:45 CST; 3min 58s ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/suricatad.service
           └─311 /sbin/suricata -D -c /etc/suricata/suricata.yaml -i eth0

Mar 01 15:10:45 ids systemd[1]: Starting SYSV: Suricata is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, back…s, and more….
Mar 01 15:10:45 ids suricatad[308]: Starting Suricata: 1/3/2017 -- 07:10:45 - <Notice> - This is Suricata version 3.2.1 RELEASE
Mar 01 15:10:45 ids suricatad[308]: [  OK  ]
Mar 01 15:10:45 ids systemd[1]: Started SYSV: Suricata is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more..
Hint: Some lines were ellipsized, use -l to show in full.

Listing which services start at boot on CentOS / Debian / Ubuntu

On RedHat / CentOS Linux, chkconfig (CentOS 6) or systemctl (CentOS 7) shows which services are configured to start at boot
CentOS 6.x
# /sbin/chkconfig --list
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
fail2ban        0:off   1:off   2:off   3:off   4:on    5:on    6:off
htcacheclean    0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
ipset           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:off   3:on    4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpdate         0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
restorecond     0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
snmptrapd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:off   3:off   4:off   5:off   6:off

# /sbin/chkconfig --list snmpd
snmpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off

# /sbin/chkconfig --list | grep 3:on
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
ipset           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:off   3:on    4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

CentOS 7.x
# /usr/bin/systemctl list-unit-files | grep enabled
autovt@.service                        enabled
barnyard2.service                      enabled
crond.service                          enabled
getty@.service                         enabled
httpd.service                          enabled
iptables.service                       enabled
mariadb.service                        enabled
rsyslog.service                        enabled
snmpd.service                          enabled
sshd.service                           enabled
systemd-readahead-collect.service      enabled
systemd-readahead-drop.service         enabled
systemd-readahead-replay.service       enabled
default.target                         enabled
graphical.target                       enabled
remote-fs.target                       enabled
runlevel5.target                       enabled

On Debian / Ubuntu
# apt-get install sysv-rc-conf

# /usr/sbin/sysv-rc-conf --list
atd          0:off      1:off   2:on    3:on    4:on    5:on    6:off
bootlogs     1:on       2:on    3:on    4:on    5:on
cron         2:on       3:on    4:on    5:on
dbus         2:on       3:on    4:on    5:on
halt         0:off
killprocs    1:on
kmod         S:on
motd         1:on       2:on    3:on    4:on    5:on
networking   0:off      6:off   S:on
postfix      0:off      1:off   2:on    3:on    4:on    5:on    6:off
procps       S:on
rc.local     2:on       3:on    4:on    5:on
reboot       6:off
rmnologin    2:on       3:on    4:on    5:on
rpcbind      0:off      1:off   6:off   S:on
rsync        2:on       3:on    4:on    5:on
rsyslog      0:off      1:off   2:on    3:on    4:on    5:on    6:off
sendsigs     0:off      6:off
single       1:on
snmpd        0:off      1:off   2:on    3:on    4:on    5:on    6:off
ssh          2:on       3:on    4:on    5:on
umountfs     0:off      6:off
umountroot   0:off      6:off
urandom      0:off      6:off   S:on
x11-common   S:on

# /usr/sbin/sysv-rc-conf --list snmpd
snmpd        0:off      1:off   2:on    3:on    4:on    5:on    6:off

# /usr/sbin/update-rc.d snmpd remove
# /usr/sbin/sysv-rc-conf --list snmpd
snmpd

# /usr/sbin/update-rc.d snmpd defaults
# /usr/sbin/sysv-rc-conf --list snmpd
snmpd        0:off      1:off   2:on    3:on    4:on    5:on    6:off
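The listings above are meant to be read by eye. For a periodic check that nothing unexpected has been enabled at boot (a leftover barnyard2.service, a daemon pulled in by a package), the following added example, which is not from the original post, parses either format into a plain list of boot-time services and reports the ones missing from an allowlist. The allowlist format (one service name per line) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: normalise `chkconfig --list`
# (CentOS 6) and `systemctl list-unit-files` (CentOS 7) output into a plain list
# of services that start at boot, and compare it with an allowlist so that
# unexpected services stand out. Allowlist: one service name per line (assumed
# format for this example, not a CentOS convention).

# chkconfig --list output on stdin -> names of services that are "on" in runlevel 3
boot_services_chkconfig() {
  awk '$0 ~ /3:on/ { print $1 }'
}

# systemctl list-unit-files output on stdin -> names of enabled *.service units
boot_services_systemctl() {
  awk '$1 ~ /\.service$/ && $2 == "enabled" { sub(/\.service$/, "", $1); print $1 }'
}

# Pick the parser that fits this host and print its boot-time service list.
boot_services() {
  if command -v systemctl >/dev/null 2>&1; then
    systemctl list-unit-files | boot_services_systemctl
  elif command -v chkconfig >/dev/null 2>&1; then
    chkconfig --list | boot_services_chkconfig
  else
    echo "neither systemctl nor chkconfig found" >&2
    return 1
  fi
}

# Print every service name on stdin that is not listed in allowlist file $1.
# Exit status 1 if any were found (so cron can mail on it), 0 otherwise.
unexpected_services() {
  allow=$1
  found=0
  while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    if ! grep -qxF "$svc" "$allow"; then
      echo "$svc"
      found=1
    fi
  done
  return $found
}

# Typical use: boot_services | unexpected_services /etc/boot-services.allow
```

On the CentOS 7 listing from this post, an allowlist without barnyard2 would flag barnyard2.service, which is exactly the kind of drift (a service left enabled after an experiment) the check is for.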

Installing OSSEC, a host-based intrusion detection system (HIDS), on CentOS 6.x x64

References:
OSSEC host-based intrusion detection system (HIDS) installation and configuration « Jamyy's Weblog
Building an OSSEC host-based intrusion detection system: network threats do real damage, so prepare thoroughly – Technical column – 網管人NetAdmin
浮雲雅築: [Research] OSSEC – HIDS 2.7.1 host-based intrusion detection system – server/agent installation (CentOS 6.5 x64)
How to Install OSSEC on Red Hat or CentOS 6 – scottlinux.com | Linux Blog

OSSEC official site: http://ossec.github.io

1. Add the Atomic repository
Download the release package you need from http://ossec.github.io/downloads.html
# wget http://updates.atomicorp.com/channels/ossec/centos/6/x86_64/RPMS/atomic-release-1.0-21.el6.art.noarch.rpm
# rpm -ivh atomic-release-1.0-21.el6.art.noarch.rpm

Atomicorp also provides an installer script. Piping it straight into sh, as below, executes whatever the server (or anyone able to tamper with the download) delivers, as root, with no chance to inspect it; prefer saving it to a file and reading it before running it.
# wget -q -O - https://www.atomicorp.com/installers/atomic | sh
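The safer shape of the installer step, as an added example that is not from the original post or from Atomicorp: fetch the script to a file, compare it against a SHA-256 obtained out of band (from the vendor's page, or from a copy you reviewed earlier), and only execute it when the digest matches. The digest in the usage comment is a placeholder assumption, not a real value for the Atomicorp script.

```shell
#!/bin/sh
# Added example, not from the original post or Atomicorp: verify a downloaded
# installer before running it instead of `wget -O - ... | sh`.

# Return 0 if file $1 has SHA-256 $2, 1 otherwise.
sha256_matches() {
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$2" ]
}

# Download $1 to $2 (skipped when the file is already present) and run it with sh
# only when its SHA-256 is $3. Exit status 1 on download failure, 2 on a digest
# mismatch; an unverified file is never executed.
run_verified_installer() {
  url=$1 file=$2 expected=$3
  [ -s "$file" ] || wget -q -O "$file" "$url" || return 1
  if ! sha256_matches "$file" "$expected"; then
    echo "digest mismatch for $file, refusing to run it:" >&2
    sha256sum "$file" >&2
    return 2
  fi
  sh "$file"
}

# Usage (the digest below is a placeholder assumption; substitute the real one):
# run_verified_installer https://www.atomicorp.com/installers/atomic /root/atomic.sh \
#   0000000000000000000000000000000000000000000000000000000000000000
```

The first run, with a wrong digest, prints the actual digest on stderr; after reading the saved script and confirming it is what you expect, rerun with that digest. The same pattern applies to any curl-to-shell installer.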

2. Disable the Atomic repository, so that it is only consulted when explicitly enabled with --enablerepo
# sed -i 's/enabled = 1/enabled = 0/' /etc/yum.repos.d/atomic.repo

3. Update packages from the Atomic repository
# yum update --enablerepo=atomic

4. Search for the OSSEC packages
# yum search ossec --enablerepo=atomic
ossec-hids-agent.x86_64 : The OSSEC HIDS Client
ossec-hids-client.x86_64 : The OSSEC HIDS Client
ossec-hids-debuginfo.x86_64 : Debug information for package ossec-hids
ossec-hids-hybrid.x86_64 : The OSSEC HIDS hybrid client
ossec-hids-mysql.x86_64 : The OSSEC HIDS Server
ossec-hids-postgres.x86_64 : The OSSEC HIDS Server postgres connector
ossec-hids-server.x86_64 : The OSSEC HIDS Server
ossec-wui.noarch : OSSEC Web Interface
ossec-hids.x86_64 : An Open Source Host-based Intrusion Detection System

ossec-hids-hybrid contains both the server and the agent

5. Install the OSSEC packages
# yum install ossec-hids-mysql ossec-wui ossec-hids ossec-hids-server --enablerepo=atomic

6. Turn off e-mail notification
# sed -i 's/<email_notification>yes/<email_notification>no/' /var/ossec/etc/ossec.conf

7. Create the ossec-wui administrator account and password
# /usr/bin/htpasswd /usr/share/ossec-wui/.htpasswd ossec
New password:
Re-type new password:
Updating password for user ossec

8. Restrict which addresses may reach the web interface
The Order/Deny/Allow directives below are Apache 2.2 syntax (CentOS 6); on Apache 2.4 the equivalent is Require ip 192.168.1.0/24. The <Files> blocks keep the shell scripts, the ossec_conf.php page and dot-files (including the .htpasswd created above) out of reach of the browser.
# vim /etc/httpd/conf.d/ossec.conf
Alias /ossec    /usr/share/ossec-wui/
<Directory /usr/share/ossec-wui/>
    AllowOverride AuthConfig Limit
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

    <Files *.sh>
        Deny from all
    </Files>
    <Files ossec_conf.php>
        Deny from all
    </Files>
    <Files .*>
        Deny from all
    </Files>
</Directory>

9. Restart the Apache web server
# /etc/init.d/httpd restart

10. Start ossec-hids
# /etc/init.d/ossec-hids start

Installing BandwidthD on CentOS 6.x

BandwidthD, written by David Hinkle, graphs the network usage of each IP address on a local network.

BandwidthD official site: http://bandwidthd.sourceforge.net/
The steps below are for CentOS 6.x x64

1. Download the rpm
# wget ftp://ftp.pbone.net/mirror/li.nux.ro/download/nux/misc/el6/x86_64/bandwidthd-2.0.1-15.el6.nux.x86_64.rpm

2. Install the required packages
# yum install libpcap-devel libpng-devel gd-devel zlib-devel libpqxx

3. Install BandwidthD
# rpm -ivh bandwidthd-2.0.1-15.el6.nux.x86_64.rpm

4. Edit the configuration file /etc/bandwidthd.conf
# vim /etc/bandwidthd.conf
Add the subnet to monitor
subnet 192.168.1.0/24

5. Edit /etc/httpd/conf.d/bandwidthd.conf
Add an access restriction here as well; the shipped file is only an Alias, so the per-host usage graphs are otherwise readable by anyone who can reach port 80
# cat /etc/httpd/conf.d/bandwidthd.conf
Alias /bandwidthd /var/www/bandwidthd/htdocs

6. Enable at boot and start
# chkconfig --level 3 bandwidthd on
# /etc/init.d/bandwidthd start

Installing Barnyard2 / BASE / ADOdb for Snort

References:
浮雲雅築: [Research] Snort 2.9.6.2 + Barnyard 2.13 installation (CentOS 6.5 x64) quick install script
Startup script timeout (Centos 7) · Issue #141 · firnsy/barnyard2 · GitHub

The following is adapted from: Getting Snort running, Information Security 資安人科技網

Barnyard is a tool written specifically to read Snort's unified output and store it in a database, watching the database connection itself so that no events are lost. Unified output is one of Snort's three output modes; it speeds Snort up by moving payload translation out of the detection engine and into Barnyard.

1. Install the required packages
# yum install git libtool libnet libnet-devel mariadb-devel daq-devel libyaml-devel file-devel libcap-ng-devel libpcap-devel libdnet-devel

2. Change directory
# cd /usr/local/src

3. Fetch barnyard2 with git
# git clone https://github.com/firnsy/barnyard2.git barnyard2
Cloning into 'barnyard2'...
remote: Counting objects: 1292, done.
remote: Total 1292 (delta 0), reused 0 (delta 0), pack-reused 1292
Receiving objects: 100% (1292/1292), 1.04 MiB | 601.00 KiB/s, done.
Resolving deltas: 100% (896/896), done.

4. Change directory
# cd barnyard2

5. Generate the build scripts
# ./autogen.sh
Found libtoolize
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:11: installing './config.guess'
configure.ac:11: installing './config.sub'
configure.ac:8: installing './install-sh'
configure.ac:8: installing './missing'
autoreconf: Leaving directory `.'
You can now run "./configure" and then "make".

6. Configure, compile and install
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
# make && make install

7. Copy the sysconfig and init files into place
# cp /usr/local/src/barnyard2/rpm/barnyard2.config /etc/sysconfig/barnyard2
# cp /usr/local/src/barnyard2/rpm/barnyard2 /etc/init.d/

8. Make the init script executable
# chmod +x /etc/init.d/barnyard2

9. Enable barnyard2 at boot
# chkconfig --add barnyard2

10. Create symlinks
# ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard2.conf
# ln -s /usr/local/bin/barnyard2 /usr/bin/

11. Create the spool archive directory
# mkdir -p /var/log/snort/eth0/archive/

12. Edit /etc/init.d/barnyard2
Comment out the shipped BARNYARD_OPTS line and append one with the paths used here. The sed expressions are single-quoted so that the shell does not expand $CONF before sed sees it; inside double quotes it would expand to an empty string and the address would never match.
# sed -i -e 's@BARNYARD_OPTS=@#BARNYARD_OPTS=@' /etc/init.d/barnyard2
# sed -i -e '/BARNYARD_OPTS="-D -c $CONF/aBARNYARD_OPTS="-D -c /etc/snort/barnyard2.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid"' /etc/init.d/barnyard2

13. Edit /etc/sysconfig/barnyard2
# sed -i -e 's@LOG_FILE=@#LOG_FILE=@' /etc/sysconfig/barnyard2
# sed -i -e '/LOG_FILE="snort_unified.log"/aLOG_FILE="snort.log"' /etc/sysconfig/barnyard2

14. Edit /etc/sysconfig/snort
# sed -i -e 's@ALERTMODE=fast@#ALERTMODE=fast@' /etc/sysconfig/snort
# sed -i -e 's@BINARY_LOG=1@#BINARY_LOG=1@' /etc/sysconfig/snort

15. Edit /etc/snort/barnyard2.conf
The database name must be the one created in step 17 (snortdb). The password is stored in clear text in barnyard2.conf, so keep that file readable by root only.
# sed -i -e 's@config sid_file@# config sid_file@' /etc/snort/barnyard2.conf
# sed -i -e '/config sid_file/aconfig sid_file: /etc/snort/etc/sid-msg.map' /etc/snort/barnyard2.conf
# sed -i -e '/database: log to a variety of databases/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=snortdb host=localhost' /etc/snort/barnyard2.conf

16. Edit /etc/snort/snort.conf
# sed -i -e 's@output unified2@#output unified2@' /etc/snort/snort.conf
# sed -i -e '/output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types/aoutput unified2: filename snort.log, limit 128' /etc/snort/snort.conf

17. Create the database and the user account (use a real password instead of 123456; it is stored in barnyard2.conf)
# /usr/bin/mysql -u root -p
MariaDB [(none)]> create database snortdb;
MariaDB [(none)]> grant all privileges on snortdb.* to barnyard2@localhost identified by '123456';
MariaDB [(none)]> flush privileges;

19. Import the schema (giving the password as -p123456 on the command line records it in shell history and shows it in ps; -p alone prompts for it)
# /usr/bin/mysql snortdb -ubarnyard2 -p123456 < /usr/local/src/barnyard2/schemas/create_mysql
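The nested quotes in the sed one-liners above are easy to get wrong, and they hard-code the database password on the command line. The script below is an added example, not from the original post or the barnyard2 project: it applies the barnyard2.conf edits of step 15 idempotently (running it twice leaves exactly one active output line), reads the password from a root-only file, and takes the database name from one variable so the conf and the GRANT cannot disagree. The password-file location, the .orig backup name and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or the barnyard2 project: set the
# "output database:" and "config sid_file:" lines of barnyard2.conf safely.
# Assumptions: the password is the first line of a root-only file (e.g.
# /etc/snort/db.pass, mode 600); a one-time copy of the conf is kept as *.orig.

# Replace (or append) the single active "output database:" line in conf $1.
#   $2 database name, $3 database user, $4 file holding the password, $5 host
configure_barnyard2_db() {
  conf=$1 dbname=$2 dbuser=$3 passfile=$4 dbhost=${5:-localhost}
  [ -r "$passfile" ] || { echo "cannot read password file $passfile" >&2; return 1; }
  password=$(head -n 1 "$passfile")
  [ -f "$conf.orig" ] || cp "$conf" "$conf.orig"
  # drop any previous active line so repeated runs never leave two outputs enabled
  sed -i -e '/^output database:/d' "$conf"
  # printf %s writes the line verbatim (no sed escaping rules apply to the password)
  printf 'output database: log, mysql, user=%s password=%s dbname=%s host=%s\n' \
    "$dbuser" "$password" "$dbname" "$dbhost" >> "$conf"
}

# Point "config sid_file:" at the sid-msg.map that PulledPork maintains.
configure_barnyard2_sidmap() {
  conf=$1 sidmap=${2:-/etc/snort/etc/sid-msg.map}
  [ -f "$conf.orig" ] || cp "$conf" "$conf.orig"
  sed -i -e '/^config sid_file:/d' "$conf"
  printf 'config sid_file: %s\n' "$sidmap" >> "$conf"
}

# Print the active output database line so the result can be checked.
active_db_line() {
  grep '^output database:' "$1"
}

# Typical use:
# configure_barnyard2_db /etc/snort/barnyard2.conf snortdb barnyard2 /etc/snort/db.pass
# configure_barnyard2_sidmap /etc/snort/barnyard2.conf
# chmod 640 /etc/snort/barnyard2.conf
```

Because barnyard2 does not care where in the file the output line sits, appending it at the end is simpler and safer than the sed "a" command keyed on a comment banner, which would add a second active line every time the step is re-run.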

20. Test the configuration
# /usr/local/bin/barnyard2 -T -c /etc/snort/barnyard2.conf -d /var/log/snort -w /var/log/snort/barnyard2.waldo -l /var/log/snort -a /var/log/snort -f snort.log -X /var/lock/subsys/barnyard2-eth0.pid

If the SysV script will not start under systemd (the start-up timeout reported in the firnsy/barnyard2 issue listed above), replace it with a native unit:
# vim /etc/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Dedicated Unified2 Spooler
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log

[Install]
WantedBy=multi-user.target

This ExecStart correctly runs barnyard2 in the foreground (no -D, which is what Type=simple expects), but it drops the -w waldo bookmark used in step 12. Without a waldo file barnyard2 has no record of how far it got and starts again at the beginning of the spool after every restart, inserting already-logged events a second time; add -w /var/log/snort/barnyard2.waldo to ExecStart to keep the bookmark.
# systemctl enable barnyard2.service
Created symlink from /etc/systemd/system/multi-user.target.wants/barnyard2.service to /etc/systemd/system/barnyard2.service.
# systemctl start barnyard2

21. Install BASE + ADOdb (web UI)
# cd /usr/local/src
# wget http://nchc.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz
# wget http://nchc.dl.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz
# tar zxvf base-1.4.5.tar.gz -C /var/www/html
# mv /var/www/html/base-1.4.5 /var/www/html/base
# chmod a+w /var/www/html/base
# tar zxvf adodb518a.tgz -C /var/www/html
# chmod a+w /var/www/html/adodb5
The two directories are made world-writable only so that the BASE setup page can write its base_conf.php; step 24 removes write access again as soon as setup is finished.
Edit /etc/php.ini
# vim /etc/php.ini
date.timezone = "Asia/Taipei"
error_reporting = E_ALL & ~E_NOTICE
Find
; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
and add the following line below it
include_path = ".:/usr/share/pear:/usr/share/php"

22. Restart the web server
# systemctl restart httpd

23. Installation screens
(The screenshots of the BASE setup wizard are not reproduced on this page.)

24. Remove write access from the directories again
# chmod a-w /var/www/html/base
# chmod a-w /var/www/html/adodb5

Updating Snort rules with PulledPork

References:
Setting up Snort – Part 4 – Installing PulledPork · Don Mizutani
How To Install Snort NIDS On CentOS 7 | Unixmen

# yum install git
# git clone https://github.com/shirkdog/pulledpork.git
# cd pulledpork/
# cp pulledpork.pl /usr/local/bin
# chmod +x /usr/local/bin/pulledpork.pl
# cp -v etc/*.conf /etc/snort
'etc/disablesid.conf' -> '/etc/snort/disablesid.conf'
'etc/dropsid.conf' -> '/etc/snort/dropsid.conf'
'etc/enablesid.conf' -> '/etc/snort/enablesid.conf'
'etc/modifysid.conf' -> '/etc/snort/modifysid.conf'
'etc/pulledpork.conf' -> '/etc/snort/pulledpork.conf'
# mkdir /etc/snort/rules/iplists
# touch /etc/snort/rules/iplists/default.blacklist

Install the required Perl modules
# yum install perl-libwww-perl perl-Crypt-SSLeay perl-Sys-Syslog perl-Archive-Tar perl-LWP-Protocol-https

Check that PulledPork runs
# /usr/local/bin/pulledpork.pl -V

Edit the configuration file /etc/snort/pulledpork.conf. The active (non-comment) lines are shown below; replace Oinkcode in the first rule_url with your own registered Oinkcode. Note that the Talos IP blacklist is fetched over plain http, so that feed can be altered in transit, unlike the https rule downloads.
# egrep -v '^#|^$' /etc/snort/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|Oinkcode
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://snort.org/downloads/community/|opensource.tar.gz|Opensource
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/sbin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-6-0
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/bin/snort_control
enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf
version=0.7.3

Run the update
# /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

    https://github.com/shirkdog/pulledpork
      _____ ____
      `----,\    )
       `--==\\  /    PulledPork v0.7.3 - Making signature updates great again!
        `--==\\/
      .-~~~~-.Y|\\_  Copyright (C) 2009-2016 JJ Cummings
   @_/        /  66\_  cummingsj@gmail.com
     |    \   \   _(")
      \   /-| ||'--'  Rules give me wings!
       \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2990.tar.gz….
        They Match
        Done!
Checking latest MD5 for community-rules.tar.gz….
        They Match
        Done!
IP Blacklist download of http://talosintelligence.com/feeds/ip-filter.blf….
Reading IP List…
Checking latest MD5 for opensource.tar.gz….
        They Match
        Done!
Blacklist version is unchanged, not updating!
Writing /var/log/sid_changes.log….
        Done

No Rule Changes

No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Add a cron job
# crontab -e
01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l > /dev/null 2>&1
Sending all output to /dev/null means a failed download or a broken rule set goes unnoticed, and the running Snort keeps the old rules until it is restarted, which this job never does.
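A cron wrapper that addresses both points is shown below as an added example; it is not from the original post or from PulledPork. It keeps the PulledPork output in a log, serialises runs with a lock so two cron invocations cannot overlap, decides from the output whether anything changed, and restarts Snort only when the new rules still pass `snort -T`. The log and lock paths and the function names are assumptions of this example; the output format it checks is the one shown in the run above.

```shell
#!/bin/sh
# Added example, not from the original post or PulledPork: a cron wrapper for
# pulledpork.pl that logs, locks, and restarts Snort only on a validated change.
# Assumed paths: /var/log/pulledpork.log and /var/lock/pulledpork.lock.

# PulledPork output on stdin -> exit 0 if the rules or the IP blacklist changed,
# 1 if the run reported "No Rule Changes" and "No IP Blacklist Changes".
rules_changed() {
  out=$(cat)
  case "$out" in
    *"No Rule Changes"*"No IP Blacklist Changes"*) return 1 ;;
  esac
  return 0
}

# Run the update. Exit 1 when another run holds the lock, when PulledPork
# fails, or when the updated configuration no longer validates.
update_rules() {
  conf=${1:-/etc/snort/pulledpork.conf}
  log=${2:-/var/log/pulledpork.log}
  lock=${3:-/var/lock/pulledpork.lock}

  exec 9>"$lock"
  flock -n 9 || { echo "another PulledPork run is in progress" >&2; return 1; }

  status=0
  pulledpork.pl -c "$conf" -l > "$log.last" 2>&1 || status=$?
  cat "$log.last" >> "$log"               # keep a history instead of /dev/null
  if [ "$status" -ne 0 ]; then
    echo "pulledpork.pl exited with status $status; see $log" >&2
    return 1
  fi

  if rules_changed < "$log.last"; then
    # never restart onto a rule set that Snort itself rejects
    if snort -T -c /etc/snort/snort.conf >> "$log" 2>&1; then
      systemctl restart snortd
    else
      echo "updated rules fail snort -T, Snort not restarted; see $log" >&2
      return 1
    fi
  fi
}

# crontab entry replacing the one above (assumed location of this script):
# 01 04 * * * /usr/local/sbin/update-snort-rules.sh
```

The cron line then carries no redirection, so cron mails the stderr messages (lock held, PulledPork failure, failed validation) to root while the full output stays in the log.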

Installing Snort on CentOS 7.x

Snort official site: https://www.snort.org/

1. Download the packages provided by the official site:
# wget https://www.snort.org/downloads/snort/daq-2.0.6-1.centos7.x86_64.rpm
# wget https://www.snort.org/downloads/snort/snort-2.9.9.0-1.centos7.x86_64.rpm

Reference:
浮雲雅築: [Research] Snort 2.9.8.0 installation + quick install script (CentOS 7.2 x64)

2. Install the dependencies
# yum install libpcap-devel libdnet-devel libnghttp2-devel

Without these, installing daq and snort directly fails on missing dependencies (libsfbpf.so.0 is provided by the daq package itself, which is why both rpms are installed in one command in step 3)
# rpm -ivh daq-2.0.6-1.centos7.x86_64.rpm
error: Failed dependencies:
        libpcap.so.1()(64bit) is needed by daq-2.0.6-1.x86_64
# rpm -ivh snort-2.9.9.0-1.centos7.x86_64.rpm
error: Failed dependencies:
        libdnet.so.1()(64bit) is needed by snort-1:2.9.9.0-1.x86_64
        libnghttp2.so.14()(64bit) is needed by snort-1:2.9.9.0-1.x86_64
        libpcap.so.1()(64bit) is needed by snort-1:2.9.9.0-1.x86_64
        libsfbpf.so.0()(64bit) is needed by snort-1:2.9.9.0-1.x86_64

3. Install
# rpm -ivh daq-2.0.6-1.centos7.x86_64.rpm snort-2.9.9.0-1.centos7.x86_64.rpm

4. Register and download the rules
https://www.snort.org/downloads/#rule-downloads

5. Unpack the rules
# tar xvzf snortrules-snapshot-2990.tar.gz -C /etc/snort

6. Create the black/white list files and point snort.conf at them (a dated backup of snort.conf is taken first)
# cp /etc/snort/snort.conf /etc/snort/snort.conf.$(date +%F)
# sed -i 's|../rules|rules|' /etc/snort/snort.conf
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

# sed -i 's|var BLACK_LIST_PATH|#var BLACK_LIST_PATH|' /etc/snort/snort.conf
# sed -i '/var BLACK_LIST_PATH/avar BLACK_LIST_PATH /etc/snort/rules' /etc/snort/snort.conf
# sed -i 's|var WHITE_LIST_PATH|#var WHITE_LIST_PATH|' /etc/snort/snort.conf
# sed -i '/var WHITE_LIST_PATH/avar WHITE_LIST_PATH /etc/snort/rules' /etc/snort/snort.conf

7. Edit the configuration file /etc/snort/snort.conf (comment out the dynamicdetection lines and create the directory they would otherwise point at)
# sed -i 's/^dynamicdetection/#dynamicdetection/' /etc/snort/snort.conf

# mkdir -p /usr/local/lib/snort_dynamicrules

8. Check that the configuration is valid
# snort -T -c /etc/snort/snort.conf
......
Snort successfully validated the configuration!
Snort exiting

9. Start snort
# systemctl start snortd
or
# /etc/init.d/snortd start

10. Check the status
# /etc/init.d/snortd status
● snortd.service - SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
   Loaded: loaded (/etc/rc.d/init.d/snortd; bad; vendor preset: disabled)
   Active: active (running) since Fri 2017-02-24 21:57:01 CST; 6s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 429 ExecStart=/etc/rc.d/init.d/snortd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/snortd.service
           └─435 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
Feb 24 21:57:01 fb snort[435]:            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
Feb 24 21:57:01 fb snort[435]: Commencing packet processing (pid=435)

# ps aux | grep snort | grep -v grep
snort      435  0.0 80.3 810840 421080 ?       Ssl  21:57   0:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

Proxmox – fixing the error when starting fail2ban on CentOS 7

Starting fail2ban fails
# systemctl status fail2ban
● fail2ban.service – Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Fri 2017-02-17 12:46:16 CST; 2min 55s ago
     Docs: man:fail2ban(1)
  Process: 972 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)

Feb 17 12:46:16 NPC11 systemd[1]: Failed to start Fail2Ban Service.
Feb 17 12:46:16 NPC11 systemd[1]: Unit fail2ban.service entered failed state.
Feb 17 12:46:16 NPC11 systemd[1]: fail2ban.service failed.
Feb 17 12:46:16 NPC11 systemd[1]: fail2ban.service holdoff time over, sche…t.
Feb 17 12:46:16 NPC11 systemd[1]: start request repeated too quickly for f…ce
Feb 17 12:46:16 NPC11 systemd[1]: Failed to start Fail2Ban Service.
Feb 17 12:46:16 NPC11 systemd[1]: Unit fail2ban.service entered failed state.
Feb 17 12:46:16 NPC11 systemd[1]: fail2ban.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

Check the entries in /var/log/messages
# grep -i fail2ban /var/log/messages
Feb 17 04:46:15 NPC11 systemd: Starting Fail2Ban Service…

Feb 17 04:46:15 NPC11 fail2ban-client: ERROR  There is no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock.
Feb 17 04:46:15 NPC11 systemd: fail2ban.service: control process exited, code=exited status=255
Feb 17 04:46:15 NPC11 systemd: Failed to start Fail2Ban Service.
Feb 17 04:46:15 NPC11 systemd: Unit fail2ban.service entered failed state.
Feb 17 04:46:15 NPC11 systemd: fail2ban.service failed.

The error is not a missing socket but a missing directory: /var/run/fail2ban, where fail2ban-client expects to create fail2ban.sock, does not exist
Fix:
1. Create the directory
# mkdir /var/run/fail2ban

2. Enable and start fail2ban again, and it works
# systemctl enable fail2ban.service;systemctl start fail2ban.service

On CentOS 7, /var/run is a symlink to /run, a tmpfs that is emptied at every boot, so a directory created by hand disappears at the next reboot and the service fails the same way again.
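The durable version of the fix, as an added example that is not from the original post: create the directory for the current boot, and register it in a systemd-tmpfiles entry so it is recreated at every boot. The file name under /etc/tmpfiles.d/ and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: make the fail2ban runtime directory
# survive reboots. `mkdir /var/run/fail2ban` only lasts until the next reboot
# because /var/run -> /run is a tmpfs; systemd-tmpfiles recreates directories
# listed under /etc/tmpfiles.d/ at boot. The file name fail2ban.conf is assumed.

# Write a tmpfiles.d entry that recreates directory $1 (0755 root:root) into file $2.
write_tmpfiles_entry() {
  printf 'd %s 0755 root root -\n' "$1" > "$2"
}

# 0 if directory $1 exists now AND is registered in tmpfiles file $2, else 1.
# The second half is the check that a plain mkdir fix fails.
rundir_persists() {
  [ -d "$1" ] && grep -q "^d $1 " "$2" 2>/dev/null
}

# Create the directory for this boot and register it for the next one.
fix_fail2ban_rundir() {
  dir=${1:-/run/fail2ban}
  entry=${2:-/etc/tmpfiles.d/fail2ban.conf}
  mkdir -p "$dir" || return 1
  write_tmpfiles_entry "$dir" "$entry"
  # On a live host `systemd-tmpfiles --create "$entry"` would apply the entry at
  # once; the mkdir above already covers the current boot, so it is not needed here.
  rundir_persists "$dir" "$entry"
}

# Typical use, followed by the enable/start from step 2:
# fix_fail2ban_rundir && systemctl enable fail2ban.service && systemctl start fail2ban.service
```

`rundir_persists /run/fail2ban /etc/tmpfiles.d/fail2ban.conf` is also a useful post-reboot check on a Proxmox container, where the directory's absence is otherwise only noticed when SSH brute-force attempts stop being banned.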

Custom CentOS 6.9 x86_64 LAMP installation disc

Built to make setting up test systems quicker
Boot menu (screenshot)

Confirm wiping the disk (screenshot)

Set the root password (screenshot)

Disk partitioning (screenshot)

GRUB boot loader installation (screenshot)

Installation starts (screenshot)

Installation complete (screenshot)

Main features:
1. Simplified installation steps
2. Minimal installation, topped up with a few missing packages: vim/nano/zip/unzip...
3. Apache + MariaDB (10.1) + PHP installed, with system tuning
4. Fail2ban installed, with SSH server protection enabled
5. System updates pointed at the 頭城國小 mirror, 140.111.74.109

fail2ban and SSH protection are enabled by default
[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-SSH    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Listening services
[root@localhost ~]# netstat -antulp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1447/sshd
tcp        0      0 :::80                       :::*                        LISTEN      1788/httpd
tcp        0      0 :::22                       :::*                        LISTEN      1447/sshd
tcp        0      0 ::1:22                      ::1:54878                   ESTABLISHED 1706/sshd
tcp        0      0 ::1:54878                   ::1:22                      ESTABLISHED 1705/ssh
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1201/dhclient

Time synchronisation cron job
[root@localhost ~]# crontab -l
# format
# minute hour day month weekday command
# clock sync
0 6 * * * /usr/sbin/ntpdate -s time.stdtime.gov.tw > /dev/null 2>&1;/sbin/hwclock -w > /dev/null 2>&1

Post-installation configuration

MariaDB SQL server follow-up
# /usr/bin/mysql_secure_installation

Open the firewall for the HTTPD web server
With the INPUT policy at ACCEPT, as in the listing above, every port is already reachable; this rule only takes effect once the policy is changed to DROP (or a final REJECT rule is added), which is what a host exposing only SSH and HTTP should do.
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables-save > /etc/sysconfig/iptables

CentOS Linux 6.9

CentOS Linux 6.9 has been released; download the ISO to install it, or run yum update to bring an existing system up to the latest version.
# yum update

# cat /etc/redhat-release
CentOS release 6.9 (Final)

CentOS Linux 6.9 ISO downloads
i386
樹德科技大學 (Shu-Te University)
ftp://ftp.stu.edu.tw/Linux/CentOS/6.9/isos/i386/
元智大學 (Yuan Ze University; currently unreachable)
ftp://ftp.yzu.edu.tw/Linux/CentOS/6.9/isos/i386/
國立交通大學資訊工程學系 (NCTU Department of Computer Science)
http://centos.cs.nctu.edu.tw/6.9/isos/i386/
Hinet IDC (currently unreachable)
http://mirror01.idc.hinet.net/CentOS/6.9/isos/i386/
義守大學 (I-Shou University)
http://ftp.isu.edu.tw/pub/Linux/CentOS/6.9/isos/i386/
崑山科技大學 (Kun Shan University)
http://ftp.ksu.edu.tw/pub/CentOS/6.9/isos/i386/
國家高速網路與計算中心 (NCHC)
ftp://ftp.twaren.net/Linux/CentOS/6.9/isos/i386/
台中市教網 (Taichung City education network)
http://ftp.tc.edu.tw/Linux/CentOS/6.9/isos/i386/
頭城國小 (Toucheng Elementary School)
ftp://140.111.74.109/CentOS/6.9/isos/i386/

x86_64
樹德科技大學 (Shu-Te University)
ftp://ftp.stu.edu.tw/Linux/CentOS/6.9/isos/x86_64/
元智大學 (Yuan Ze University; currently unreachable)
ftp://ftp.yzu.edu.tw/Linux/CentOS/6.9/isos/x86_64/
國立交通大學資訊工程學系 (NCTU Department of Computer Science)
http://centos.cs.nctu.edu.tw/6.9/isos/x86_64/
Hinet IDC (currently unreachable)
http://mirror01.idc.hinet.net/CentOS/6.9/isos/x86_64/
義守大學 (I-Shou University)
http://ftp.isu.edu.tw/pub/Linux/CentOS/6.9/isos/x86_64/
崑山科技大學 (Kun Shan University)
http://ftp.ksu.edu.tw/pub/CentOS/6.9/isos/x86_64/
國家高速網路與計算中心 (NCHC)
ftp://ftp.twaren.net/Linux/CentOS/6.9/isos/x86_64/
台中市教網 (Taichung City education network)
http://ftp.tc.edu.tw/Linux/CentOS/6.9/isos/x86_64/
頭城國小 (Toucheng Elementary School)
ftp://140.111.74.109/CentOS/6.9/isos/x86_64/