Installing ntopng on CentOS 7.x

ntopng official website: http://www.ntop.org/
ntop is a handy network monitoring tool with a graphical interface that can monitor and record the traffic of an entire network. ntopng is the next-generation version of ntop.

References:
【Linux】NTopNG installation (CentOS 7) – 亞索數位筆記
CentOS 7 ntopng installation @ 工作雜記 :: 隨意窩 Xuite日誌

1. Install the EPEL repository
# yum install epel-release

2. Add the ntop repository configuration file
# vim /etc/yum.repos.d/ntop-nmon.repo
[ntop]
name=ntop packages
baseurl=http://www.nmon.net/centos-stable/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://www.nmon.net/centos-stable/RPM-GPG-KEY-deri

[ntop-noarch]
name=ntop packages
baseurl=http://www.nmon.net/centos-stable/$releasever/noarch/
enabled=1
gpgcheck=1
gpgkey=http://www.nmon.net/centos-stable/RPM-GPG-KEY-deri

Clear the old cache and refresh the repository metadata
# yum clean all
# yum update

3. Install the ntopng-related packages
# yum install pfring n2disk nprobe ntopng ntopng-data cento nbox

Install the PF_RING driver
# yum install pfring-drivers-zc-dkms

4. Start the ntopng-related services and enable them at boot
# systemctl start redis.service
# systemctl enable redis.service

# systemctl start ntopng.service
# systemctl enable ntopng.service

5. Add firewall rules
# firewall-cmd --permanent --add-port=3000/tcp
# firewall-cmd --reload

# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 3000 -j ACCEPT

6. Check that the service started correctly
# systemctl status ntopng.service
● ntopng.service - Start/stop ntopng program
   Loaded: loaded (/etc/systemd/system/ntopng.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-03-01 21:34:25 CST; 3s ago
  Process: 12500 ExecStop=/etc/systemd/scripts/ntopng stop (code=exited, status=0/SUCCESS)
  Process: 12560 ExecStart=/etc/systemd/scripts/ntopng start (code=exited, status=0/SUCCESS)
 Main PID: 12567 (ntopng)
   CGroup: /system.slice/ntopng.service
           └─12567 /usr/bin/ntopng /etc/ntopng/ntopng.conf

Mar 01 21:34:24 flow logger[12561]: ntopng start
Mar 01 21:34:24 flow ntopng[12560]: Starting ntopng: No network card detected
Mar 01 21:34:24 flow ntopng[12567]: [NtopPro.cpp:182] ERROR: [LICENSE] Invalid or missing ntopng License [Empty license file]
Mar 01 21:34:24 flow ntopng[12567]: [NtopPro.cpp:195] WARNING: [LICENSE] ntopng will now run in pro mode for 10 minutes
Mar 01 21:34:24 flow ntopng[12567]: [NtopPro.cpp:197] WARNING: [LICENSE] before returning to community mode
Mar 01 21:34:24 flow ntopng[12567]: [NtopPro.cpp:198] WARNING: [LICENSE] You can buy a permanent license at http://shop.ntop.org
Mar 01 21:34:24 flow ntopng[12567]: [NtopPro.cpp:199] WARNING: [LICENSE] or run ntopng in community mode starting
Mar 01 21:34:24 flow ntopng[12567]: [NtopPro.cpp:200] WARNING: [LICENSE] ntopng --community
Mar 01 21:34:25 flow ntopng[12560]: [  OK  ]
Mar 01 21:34:25 flow systemd[1]: Started Start/stop ntopng program.

It started, but with an ERROR and several WARNINGs (all about the license).

Fix:
# echo "--community" >> /etc/ntopng/ntopng.conf

7. Restart the ntopng service
# systemctl restart ntopng.service

8. Now running normally, with no WARNING messages
# systemctl status ntopng.service
● ntopng.service - Start/stop ntopng program
   Loaded: loaded (/etc/systemd/system/ntopng.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-03-01 21:37:19 CST; 2s ago
  Process: 12604 ExecStop=/etc/systemd/scripts/ntopng stop (code=exited, status=0/SUCCESS)
  Process: 12659 ExecStart=/etc/systemd/scripts/ntopng start (code=exited, status=0/SUCCESS)
 Main PID: 12666 (ntopng)
   CGroup: /system.slice/ntopng.service
           └─12666 /usr/bin/ntopng /etc/ntopng/ntopng.conf

Mar 01 21:37:18 flow systemd[1]: Starting Start/stop ntopng program...
Mar 01 21:37:18 flow logger[12660]: ntopng start
Mar 01 21:37:18 flow ntopng[12659]: Starting ntopng: No network card detected
Mar 01 21:37:19 flow ntopng[12659]: [  OK  ]
Mar 01 21:37:19 flow systemd[1]: Started Start/stop ntopng program.

9. Open a browser and go to http://<server IP>:3000

Default login account / password: admin / admin

Other settings in /etc/ntopng/ntopng.conf
--http-port xxxx
--local-networks "XXX.XXX.XXX.XXX"   local network range, e.g. 192.168.0.0/24
--interface   network interface to monitor, e.g. eth0 eth1 enp6s0

Firefox 53.0 & ESR 52.1.0

Download and install the latest version directly
Windows
x86
http://ftp.mozilla.org/pub/firefox/releases/53.0/win32/zh-TW/Firefox%20Setup%2053.0.exe
ESR 52.1.0
http://ftp.mozilla.org/pub/firefox/releases/52.1.0esr/win32/zh-TW/Firefox%20Setup%2052.1.0esr.exe

x64
http://ftp.mozilla.org/pub/firefox/releases/53.0/win64/zh-TW/Firefox%20Setup%2053.0.exe
ESR 52.1.0
http://ftp.mozilla.org/pub/firefox/releases/52.1.0esr/win64/zh-TW/Firefox%20Setup%2052.1.0esr.exe

Mac
http://ftp.mozilla.org/pub/firefox/releases/53.0/mac/zh-TW/Firefox%2053.0.dmg
ESR 52.1.0
http://ftp.mozilla.org/pub/firefox/releases/52.1.0esr/mac/zh-TW/Firefox%2052.1.0esr.dmg

Installing Barnyard2 / BASE / ADOdb for Suricata

Reference:
Suricata + Barnyard + BASE installation – Neverland

The following is adapted from: Getting Snort up and running, Information Security 資安人科技網

Barnyard is a purpose-built tool that reads Snort's unified output and stores it in a database; it also monitors the database connection directly to prevent data loss. Unified output is one of Snort's three output options, and it speeds up processing by relieving the Snort engine of the payload translation work.

1. Install the required packages
# yum install git libtool libnet libnet-devel mariadb-devel daq-devel libyaml-devel file-devel libcap-ng-devel libpcap-devel libdnet-devel

2. Change directory
# cd /usr/local/src

3. Download barnyard2 with git
# git clone https://github.com/firnsy/barnyard2.git barnyard2
Cloning into 'barnyard2'...
remote: Counting objects: 1292, done.
remote: Total 1292 (delta 0), reused 0 (delta 0), pack-reused 1292
Receiving objects: 100% (1292/1292), 1.04 MiB | 601.00 KiB/s, done.
Resolving deltas: 100% (896/896), done.

4. Change directory
# cd barnyard2

5. Generate the build configuration
# ./autogen.sh
Found libtoolize
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:11: installing './config.guess'
configure.ac:11: installing './config.sub'
configure.ac:8: installing './install-sh'
configure.ac:8: installing './missing'
autoreconf: Leaving directory `.'
You can now run "./configure" and then "make".

6. Compile and install
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
# make && make install

7. Copy the files into the corresponding directories
# cp /usr/local/src/barnyard2/rpm/barnyard2.config /etc/sysconfig/barnyard2
# cp /usr/local/src/barnyard2/rpm/barnyard2 /etc/init.d/

8. Make the init script executable
# chmod +x /etc/init.d/barnyard2

9. Register barnyard2 to start at boot
# chkconfig --add barnyard2

10. Create symbolic links
# ln -s /usr/local/etc/barnyard2.conf /etc/suricata/barnyard2.conf
# ln -s /usr/local/bin/barnyard2 /usr/bin/

11. Create the directory
# mkdir -p /var/log/snort/eth0/archive/

12. Edit /etc/init.d/barnyard2 (the inserted BARNYARD_OPTS line contains double quotes, so the sed expression is wrapped in single quotes)
# sed -i -e "s@Snort Output Processor@Suricata Output Processor@" /etc/init.d/barnyard2
# sed -i -e "s@BARNYARD_OPTS=@#BARNYARD_OPTS=@" /etc/init.d/barnyard2
# sed -i -e '/daemon/iBARNYARD_OPTS="-D -c /etc/suricata/barnyard2.conf -d /var/log/suricata -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid"' /etc/init.d/barnyard2

13. Edit /etc/sysconfig/barnyard2
# sed -i -e "s@LOG_FILE=@#LOG_FILE=@" /etc/sysconfig/barnyard2
# sed -i -e '/LOG_FILE="snort_unified.log"/aLOG_FILE="unified2.log"' /etc/sysconfig/barnyard2
# sed -i -e "s@CONF@#CONF@" /etc/sysconfig/barnyard2
# sed -i -e "s@SNORTDIR@#SNORTDIR@" /etc/sysconfig/barnyard2
# sed -i -e "/Probably not this either/aCONF=/etc/suricata/barnyard2.conf" /etc/sysconfig/barnyard2
# sed -i -e '/#SNORTDIR/aSNORTDIR="/var/log/suricata"' /etc/sysconfig/barnyard2

14. Edit /etc/suricata/barnyard2.conf
# cp /etc/suricata/barnyard2.conf /etc/suricata/barnyard2.conf.$(date +%F)
# sed -i 's@/etc/snort/reference.config@/etc/suricata/rules/reference.config@' /etc/suricata/barnyard2.conf
# sed -i 's@/etc/snort/classification.config@/etc/suricata/rules/classification.config@' /etc/suricata/barnyard2.conf
# sed -i 's@/etc/snort/gen-msg.map@/etc/suricata/rules/gen-msg.map@' /etc/suricata/barnyard2.conf
# sed -i 's@/etc/snort/sid-msg.map@/etc/suricata/rules/sid-msg.map@' /etc/suricata/barnyard2.conf
# sed -i -e "/database: log to a variety of databases/aoutput database: log, mysql, user=barnyard2 password=123456 dbname=suricatadb host=localhost" /etc/suricata/barnyard2.conf

15. Edit /etc/suricata/suricata.yaml
# vim /etc/suricata/suricata.yaml
  - unified2-alert:
      enabled: yes
      filename: unified2.alert

16. Create the database and the user account and password (the database name must be the same suricatadb that barnyard2.conf and the import in the next step use)
# /usr/bin/mysql -u root -p
MariaDB [(none)]> create database suricatadb;
MariaDB [(none)]> grant all privileges on suricatadb.* to barnyard2@localhost identified by '123456';
MariaDB [(none)]> flush privileges;

17. Import the schema
# /usr/bin/mysql suricatadb -ubarnyard2 -p123456 < /usr/local/src/barnyard2/schemas/create_mysql

18. Test the configuration
# /usr/local/bin/barnyard2 -T -c /etc/suricata/barnyard2.conf -d /var/log/suricata -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid

19. If the service cannot be started with the init script, create a systemd unit instead
# vim /etc/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Dedicated Unified2 Spooler
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -w /var/log/suricata/barnyard2.waldo -l /var/log/suricata -a /var/log/suricata -f unified2.alert -X /var/lock/subsys/barnyard2.pid

[Install]
WantedBy=multi-user.target

20. Create the log directory and change its owner and group
# mkdir /var/log/barnyard2
# chown -R suricata:suricata /var/log/barnyard2

21. Enable the service at boot
# systemctl enable barnyard2.service
Created symlink from /etc/systemd/system/multi-user.target.wants/barnyard2.service to /etc/systemd/system/barnyard2.service.

22. Start and check
# systemctl start barnyard2
# systemctl status barnyard2.service
● barnyard2.service - Barnyard2 Dedicated Unified2 Spooler
   Loaded: loaded (/etc/systemd/system/barnyard2.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-03-01 19:06:47 CST; 1min 18s ago
 Main PID: 630 (barnyard2)
   CGroup: /system.slice/barnyard2.service
           └─630 /usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata/ -f unified2.alert

Mar 01 19:07:24 ids barnyard2[630]: database:  data encoding = hex
Mar 01 19:07:24 ids barnyard2[630]: database:   detail level = full
Mar 01 19:07:24 ids barnyard2[630]: database:     ignore_bpf = no
Mar 01 19:07:24 ids barnyard2[630]: database: using the "log" facility
Mar 01 19:07:24 ids barnyard2[630]: --== Initialization Complete ==--
Mar 01 19:07:24 ids barnyard2[630]: ______   -*> Barnyard2 <*-
Mar 01 19:07:24 ids barnyard2[630]: / ,,_    Version 2.1.14 (Build 337)
Mar 01 19:07:24 ids barnyard2[630]: |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
Mar 01 19:07:24 ids barnyard2[630]: + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
Mar 01 19:07:24 ids barnyard2[630]: Waiting for new spool file

23. Install BASE + ADOdb (web UI)
# cd /usr/local/src
# wget http://nchc.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz
# wget http://nchc.dl.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz
# tar zxvf base-1.4.5.tar.gz -C /var/www/html
# mv /var/www/html/base-1.4.5 /var/www/html/base
# chmod a+w /var/www/html/base
# tar zxvf adodb518a.tgz -C /var/www/html
# chmod a+w /var/www/html/adodb5
Edit /etc/php.ini
# vim /etc/php.ini
date.timezone = "Asia/Taipei"
error_reporting = E_ALL & ~E_NOTICE
Find
; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
and add the following line below it
include_path = ".:/usr/share/pear:/usr/share/php"

24. Restart the web server
# systemctl restart httpd

25. Change the directory permissions back (remove write access)
# chmod a-w /var/www/html/base
# chmod a-w /var/www/html/adodb5

Installing the Suricata intrusion detection system on CentOS 7.x

Suricata, like Snort, is an intrusion detection system; for the differences between the two, see:
Snort vs Suricata – Aanval Wiki

Suricata official website: https://oisf.net/suricata/
References:
浮雲雅築: [Research] Suricata 3.0 intrusion detection system installation (CentOS 7.2 x64)
How to install the Suricata intrusion detection system on Linux – 每日頭條
Building an IDS on CentOS using Suricata
CentOS Installation – Suricata – Open Information Security Foundation
IT Security through Open Source : Suricata – wildcard rule loading

1. Install Suricata from the EPEL repository
# yum install suricata --enablerepo=epel

2. Download the rules and extract them
# wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
# tar xvzf emerging.rules.tar.gz -C /etc/suricata

3. Test the configuration file /etc/suricata/suricata.yaml
# /sbin/suricata -T -c /etc/suricata/suricata.yaml -i eth0
1/3/2017 -- 14:50:53 - <Info> - Running suricata under test mode
1/3/2017 -- 14:50:53 - <Notice> - This is Suricata version 3.2.1 RELEASE
1/3/2017 -- 14:50:56 - <Notice> - Configuration provided was successfully loaded. Exiting.

If step 2 was skipped, there will be some warnings
# /sbin/suricata -T -c /etc/suricata/suricata.yaml -i eth0
1/3/2017 -- 14:16:50 - <Info> - Running suricata under test mode
1/3/2017 -- 14:16:50 - <Notice> - This is Suricata version 3.2.1 RELEASE
1/3/2017 -- 14:16:50 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/botcc.rules
1/3/2017 -- 14:19:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/ciarmy.rules
1/3/2017 -- 14:19:32 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/compromised.rules
1/3/2017 -- 14:20:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/drop.rules

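Added example (not from the original post): a small Python parser for `suricata -T` output like the lines above. It reports whether the configuration loaded and which rule files the `SC_ERR_NO_RULES` warnings name, so a deployment script can refuse to start the IDS without its rules instead of running blind. The sample output is constructed from the lines shown above.

```python
import re

# Constructed sample of `suricata -T` output, modelled on the lines above.
SAMPLE_OUTPUT = """\
1/3/2017 -- 14:16:50 - <Info> - Running suricata under test mode
1/3/2017 -- 14:16:50 - <Notice> - This is Suricata version 3.2.1 RELEASE
1/3/2017 -- 14:16:50 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/botcc.rules
1/3/2017 -- 14:19:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/ciarmy.rules
1/3/2017 -- 14:20:18 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/drop.rules
1/3/2017 -- 14:20:21 - <Notice> - Configuration provided was successfully loaded. Exiting.
"""

# "<date> -- <time> - <Level> - <message>" as printed by Suricata 3.x
LINE_RE = re.compile(r"^\S+ -- \S+ - <(?P<level>\w+)> - (?P<msg>.*)$")
# "[ERRCODE: NAME(number)] - text" prefix that Suricata puts on warnings and errors
ERRCODE_RE = re.compile(r"^\[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<text>.*)$")
NO_RULES_RE = re.compile(r"^No rule files match the pattern (?P<path>\S+)$")


def parse_test_output(text):
    """Return (loaded_ok, missing_rule_files, other_problems).

    loaded_ok          True if the 'successfully loaded' notice was seen.
    missing_rule_files paths named in SC_ERR_NO_RULES warnings, in order.
    other_problems     (level, errcode, message) for every other Warning/Error.
    """
    loaded_ok = False
    missing = []
    other = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Suricata log line; ignore
        level, msg = m.group("level"), m.group("msg")
        if level == "Notice" and "successfully loaded" in msg:
            loaded_ok = True
        elif level in ("Warning", "Error"):
            em = ERRCODE_RE.match(msg)
            code = em.group("code") if em else None
            text_part = em.group("text") if em else msg
            nm = NO_RULES_RE.match(text_part)
            if code == "SC_ERR_NO_RULES" and nm:
                missing.append(nm.group("path"))
            else:
                other.append((level, code, text_part))
    return loaded_ok, missing, other


def missing_rule_names(text):
    """Basenames of the rule files Suricata could not find, e.g. ['botcc.rules']."""
    return [path.rsplit("/", 1)[-1] for path in parse_test_output(text)[1]]


def ready_to_start(text):
    """True only if the config loaded, every rule file was found and no Error was logged."""
    loaded_ok, missing, other = parse_test_output(text)
    return loaded_ok and not missing and not any(lvl == "Error" for lvl, _, _ in other)


if __name__ == "__main__":
    loaded_ok, missing, other = parse_test_output(SAMPLE_OUTPUT)
    print("configuration loaded:", loaded_ok)
    for path in missing:
        print("missing rule file:", path)
    print("ready to start:", ready_to_start(SAMPLE_OUTPUT))
```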

4. Since the service could never be started properly with systemctl, move the packaged unit file aside
# mv /usr/lib/systemd/system/suricata.service /root

5. and instead create an init script /etc/init.d/suricatad by hand
# vim /etc/init.d/suricatad
#!/bin/sh
# $Id$
#
# suricatad         Start/Stop the suricata IDS daemon.
#
# chkconfig: 2345 40 60
# description:  Suricata is a lightweight network intrusion detection tool that
#                currently detects more than 1100 host and network
#                vulnerabilities, portscans, backdoors, and more.
#

# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Suricata: "
        daemon PCAP_FRAMES=max /sbin/suricata -D -c /etc/suricata/suricata.yaml -i eth0
        echo
        ;;
  stop)
        echo -n "Stopping Suricata: "
        killproc suricata
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status suricata
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0

6. Set the file permissions
# chmod +x /etc/init.d/suricatad

7. Enable at boot, then start and check
# chkconfig --add suricatad
# /etc/init.d/suricatad start
# /etc/init.d/suricatad status
● suricatad.service - SYSV: Suricata is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more.
   Loaded: loaded (/etc/rc.d/init.d/suricatad; bad; vendor preset: disabled)
   Active: active (running) since Wed 2017-03-01 15:10:45 CST; 3min 58s ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/suricatad.service
           └─311 /sbin/suricata -D -c /etc/suricata/suricata.yaml -i eth0

Mar 01 15:10:45 ids systemd[1]: Starting SYSV: Suricata is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, back…s, and more….
Mar 01 15:10:45 ids suricatad[308]: Starting Suricata: 1/3/2017 -- 07:10:45 - <Notice> - This is Suricata version 3.2.1 RELEASE
Mar 01 15:10:45 ids suricatad[308]: [  OK  ]
Mar 01 15:10:45 ids systemd[1]: Started SYSV: Suricata is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more..
Hint: Some lines were ellipsized, use -l to show in full.

Listing which services are set to start at boot on CentOS / Debian / Ubuntu

On RedHat / CentOS Linux, chkconfig (6.x) or systemctl (7.x) shows which services are configured to start at boot
CentOS 6.x
# /sbin/chkconfig --list
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
fail2ban        0:off   1:off   2:off   3:off   4:on    5:on    6:off
htcacheclean    0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
ipset           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:off   3:on    4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpdate         0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
restorecond     0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
snmptrapd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:off   3:off   4:off   5:off   6:off
# /sbin/chkconfig --list snmpd
snmpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off

# /sbin/chkconfig --list | grep 3:on
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
ipset           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:off   3:on    4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

CentOS 7.x
# /usr/bin/systemctl list-unit-files | grep enabled
autovt@.service                        enabled
barnyard2.service                      enabled
crond.service                          enabled
getty@.service                         enabled
httpd.service                          enabled
iptables.service                       enabled
mariadb.service                        enabled
rsyslog.service                        enabled
snmpd.service                          enabled
sshd.service                           enabled
systemd-readahead-collect.service      enabled
systemd-readahead-drop.service         enabled
systemd-readahead-replay.service       enabled
default.target                         enabled
graphical.target                       enabled
remote-fs.target                       enabled
runlevel5.target                       enabled

On Debian / Ubuntu
# apt-get install sysv-rc-conf

# /usr/sbin/sysv-rc-conf --list
atd          0:off      1:off   2:on    3:on    4:on    5:on    6:off
bootlogs     1:on       2:on    3:on    4:on    5:on
cron         2:on       3:on    4:on    5:on
dbus         2:on       3:on    4:on    5:on
halt         0:off
killprocs    1:on
kmod         S:on
motd         1:on       2:on    3:on    4:on    5:on
networking   0:off      6:off   S:on
postfix      0:off      1:off   2:on    3:on    4:on    5:on    6:off
procps       S:on
rc.local     2:on       3:on    4:on    5:on
reboot       6:off
rmnologin    2:on       3:on    4:on    5:on
rpcbind      0:off      1:off   6:off   S:on
rsync        2:on       3:on    4:on    5:on
rsyslog      0:off      1:off   2:on    3:on    4:on    5:on    6:off
sendsigs     0:off      6:off
single       1:on
snmpd        0:off      1:off   2:on    3:on    4:on    5:on    6:off
ssh          2:on       3:on    4:on    5:on
umountfs     0:off      6:off
umountroot   0:off      6:off
urandom      0:off      6:off   S:on
x11-common   S:on

# /usr/sbin/sysv-rc-conf --list snmpd
snmpd        0:off      1:off   2:on    3:on    4:on    5:on    6:off

# /usr/sbin/update-rc.d snmpd remove
# /usr/sbin/sysv-rc-conf --list snmpd
snmpd

# /usr/sbin/update-rc.d snmpd defaults
# /usr/sbin/sysv-rc-conf --list snmpd
snmpd        0:off      1:off   2:on    3:on    4:on    5:on    6:off
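Added example (not part of the original post): a Python parser for the `chkconfig --list` and `sysv-rc-conf --list` formats shown above, so the boot-time service inventory of a CentOS 6 or Debian host can be checked against an allow-list in a script rather than by eye. The two listings are constructed excerpts of the output above.

```python
import re

# One "<runlevel>:<on|off>" column; Debian also lists the single-user 'S' level.
TOKEN_RE = re.compile(r"^(?P<level>[0-6S]):(?P<state>on|off)$")

# Constructed excerpt in chkconfig --list format (CentOS 6.x), taken from the listing above.
CHKCONFIG_SAMPLE = """\
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
snmpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
udev-post       0:off   1:on    2:off   3:off   4:off   5:off   6:off
"""

# Constructed excerpt in sysv-rc-conf --list format (Debian / Ubuntu); the bare
# 'snmpd' line is what the listing shows after 'update-rc.d snmpd remove'.
SYSV_RC_CONF_SAMPLE = """\
cron         2:on       3:on    4:on    5:on
kmod         S:on
networking   0:off      6:off   S:on
snmpd
ssh          2:on       3:on    4:on    5:on
"""


def parse_listing(text):
    """Map service name -> {runlevel: True/False} for either listing format.

    Runlevels not mentioned on a line are simply absent from the dict, which is
    how sysv-rc-conf prints services that have links only in some runlevels.
    """
    services = {}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():
            continue  # blank line, or an indented xinetd sub-entry from chkconfig
        name, *tokens = line.split()
        if name.endswith(":"):
            continue  # section header such as 'xinetd based services:'
        levels = {}
        for tok in tokens:
            m = TOKEN_RE.match(tok)
            if not m:
                raise ValueError("unexpected column %r on line %r" % (tok, line))
            levels[m.group("level")] = m.group("state") == "on"
        services[name] = levels
    return services


def services_on_at(text, runlevel):
    """Sorted names of services that start in the given runlevel ('0'..'6' or 'S')."""
    return sorted(name for name, levels in parse_listing(text).items()
                  if levels.get(runlevel, False))


def services_without_links(text):
    """Services listed with no runlevel links at all (e.g. after update-rc.d remove)."""
    return sorted(name for name, levels in parse_listing(text).items() if not levels)


def unexpected_services(text, runlevel, allowed):
    """Services enabled at `runlevel` that are not on the allow-list `allowed`."""
    allowed = set(allowed)
    return [name for name in services_on_at(text, runlevel) if name not in allowed]


if __name__ == "__main__":
    print("CentOS runlevel 3:", services_on_at(CHKCONFIG_SAMPLE, "3"))
    print("Debian runlevel 2:", services_on_at(SYSV_RC_CONF_SAMPLE, "2"))
    print("no links anywhere:", services_without_links(SYSV_RC_CONF_SAMPLE))
    print("unexpected at runlevel 3:",
          unexpected_services(CHKCONFIG_SAMPLE, "3", ["crond", "httpd"]))
```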

Proxmox – Debian 8 LXC initial environment setup

1. Point the update servers at the NCHC (National Center for High-performance Computing) mirror
$ sudo cp /etc/apt/sources.list /etc/apt/sources.list.$(date +%F)
$ sudo sed -i 's/ftp.debian.org/free.nchc.org.tw/g' /etc/apt/sources.list

Clear all cached packages
$ sudo apt-get clean all
Update the package lists
$ sudo apt-get update

2. Upgrade the installed packages
$ sudo apt-get upgrade

3. Install the missing packages
$ sudo apt-get install vim zip unzip mailutils ntpdate rsync sysv-rc-conf

4. Allow the terminal to input and display Chinese
$ sudo dpkg-reconfigure locales

$ cat /etc/default/locale
LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8

$ /usr/bin/locale
LANG=en_US.UTF-8
LANGUAGE=
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

5. Time zone and default editor settings
$ sudo tail -2 /etc/profile
export TZ="Asia/Taipei"
export EDITOR="/usr/bin/vim"

# /usr/bin/tzselect
Please identify a location so that time zone rules can be set correctly.
Please select a continent, ocean, "coord", or "TZ".
 1) Africa
 2) Americas
 3) Antarctica
 4) Arctic Ocean
 5) Asia
 6) Atlantic Ocean
 7) Australia
 8) Europe
 9) Indian Ocean
10) Pacific Ocean
11) coord – I want to use geographical coordinates.
12) TZ – I want to specify the time zone using the Posix TZ format.
#? 5
Please select a country whose clocks agree with yours.
 1) Afghanistan           18) Israel                35) Palestine
 2) Armenia               19) Japan                 36) Philippines
 3) Azerbaijan            20) Jordan                37) Qatar
 4) Bahrain               21) Kazakhstan            38) Russia
 5) Bangladesh            22) Korea (North)         39) Saudi Arabia
 6) Bhutan                23) Korea (South)         40) Singapore
 7) Brunei                24) Kuwait                41) Sri Lanka
 8) Cambodia              25) Kyrgyzstan            42) Syria
 9) China                 26) Laos                  43) Taiwan
10) Cyprus                27) Lebanon               44) Tajikistan
11) East Timor            28) Macau                 45) Thailand
12) Georgia               29) Malaysia              46) Turkmenistan
13) Hong Kong             30) Mongolia              47) United Arab Emirates
14) India                 31) Myanmar (Burma)       48) Uzbekistan
15) Indonesia             32) Nepal                 49) Vietnam
16) Iran                  33) Oman                  50) Yemen
17) Iraq                  34) Pakistan
#? 43

The following information has been given:

        Taiwan

Therefore TZ='Asia/Taipei' will be used.
Local time is now:      Tue Feb 28 22:47:26 CST 2017.
Universal Time is now:  Tue Feb 28 14:47:26 UTC 2017.
Is the above information OK?
1) Yes
2) No
#? 1

You can make this change permanent for yourself by appending the line
        TZ='Asia/Taipei'; export TZ
to the file '.profile' in your home directory; then log out and log in again.

Here is that TZ value again, this time on standard output so that you
can use the /usr/bin/tzselect command in shell scripts:
Asia/Taipei

6. Install snmpd
$ sudo apt-get install snmpd snmp
$ sudo mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.$(date +%F)

The shell performs the `>` redirection as the unprivileged user, so write the file through sudo tee instead of `sudo echo ... >`:
$ echo 'rocommunity public' | sudo tee /etc/snmp/snmpd.conf
$ sudo chmod 600 /etc/snmp/snmpd.conf
$ sudo update-rc.d snmpd defaults
$ sudo /etc/init.d/snmpd restart

Ubuntu Linux 17.04 family

Ubuntu 17.04

Download:
http://releases.ubuntu.com/17.04/

Ubuntu MATE

Download:
https://ubuntu-mate.org/download/#zesty

Ubuntu GNOME

Download:
http://cdimage.ubuntu.com/ubuntu-gnome/releases/17.04/release/

Lubuntu

Download:
http://cdimage.ubuntu.com/lubuntu/releases/17.04/release/

Xubuntu

Download:
http://cdimage.ubuntu.com/xubuntu/releases/17.04/release/

Kubuntu

Download:
http://cdimage.ubuntu.com/kubuntu/releases/17.04/release/

Ubuntu Studio

Download:
http://cdimage.ubuntu.com/ubuntustudio/releases/zesty/release/

Ubuntu Kylin 优麒麟 & 銀河麒麟

Download:
http://www.ubuntukylin.com/downloads/

Ubuntu Server

Download:
http://releases.ubuntu.com/17.04/

More editions:
https://zh.wikipedia.org/wiki/Ubuntu#.E5.88.86.E6.94.AF.E7.89.88.E6.9C.AC

Ubuntu Linux 17.04

Ubuntu Linux 17.04, code name Zesty Zapus (the zesty jumping mouse), is available for anyone interested to download and try; support is planned until 2018-01.
(Screenshot: installation disc boot screen)

(Screenshot: desktop after login)

Desktop x86
http://releases.ubuntu.com/17.04/ubuntu-17.04-desktop-i386.iso

Desktop x64
http://releases.ubuntu.com/17.04/ubuntu-17.04-desktop-amd64.iso

Server x86
http://releases.ubuntu.com/17.04/ubuntu-17.04-server-i386.iso

Server x64
http://releases.ubuntu.com/17.04/ubuntu-17.04-server-amd64.iso

Installing OSSEC – a host-based intrusion detection system (HIDS) – on CentOS 6.x x64

References:
OSSEC host-based intrusion detection system (HIDS) installation and configuration « Jamyy's Weblog
Building an OSSEC host-based intrusion detection system: network threats are serious, so prepare thoroughly – 技術專欄 – 網管人NetAdmin
浮雲雅築: [Research] OSSEC – HIDS 2.7.1 host-based intrusion detection system – server/agent installation (CentOS 6.5 x64)
How to Install OSSEC on Red Hat or CentOS 6 – scottlinux.com | Linux Blog

OSSEC official website: http://ossec.github.io

1. Add the atomic repository
Download the version you need from http://ossec.github.io/downloads.html
# wget http://updates.atomicorp.com/channels/ossec/centos/6/x86_64/RPMS/atomic-release-1.0-21.el6.art.noarch.rpm
# rpm -ivh atomic-release-1.0-21.el6.art.noarch.rpm

# wget -q -O - https://www.atomicorp.com/installers/atomic | sh

2. Disable the atomic repository
# sed -i 's/enabled = 1/enabled = 0/' /etc/yum.repos.d/atomic.repo

3. Update with the atomic repository temporarily enabled
# yum update --enablerepo=atomic

4. Search for ossec-related packages
# yum search ossec --enablerepo=atomic
ossec-hids-agent.x86_64 : The OSSEC HIDS Client
ossec-hids-client.x86_64 : The OSSEC HIDS Client
ossec-hids-debuginfo.x86_64 : Debug information for package ossec-hids
ossec-hids-hybrid.x86_64 : The OSSEC HIDS hybrid client
ossec-hids-mysql.x86_64 : The OSSEC HIDS Server
ossec-hids-postgres.x86_64 : The OSSEC HIDS Server postgres connector
ossec-hids-server.x86_64 : The OSSEC HIDS Server
ossec-wui.noarch : OSSEC Web Interface
ossec-hids.x86_64 : An Open Source Host-based Intrusion Detection System

ossec-hids-hybrid includes both server and agent

5. Install the ossec-related packages
# yum install ossec-hids-mysql ossec-wui ossec-hids ossec-hids-server --enablerepo=atomic

6. Disable e-mail notification
# sed -i 's/<email_notification>yes/<email_notification>no/' /var/ossec/etc/ossec.conf

7. Create the ossec-wui admin account and password
# /usr/bin/htpasswd /usr/share/ossec-wui/.htpasswd ossec
New password:
Re-type new password:
Updating password for user ossec

8. Restrict the address range that may connect
# vim /etc/httpd/conf.d/ossec.conf
Alias /ossec    /usr/share/ossec-wui/
<Directory /usr/share/ossec-wui/>
 AllowOverride AuthConfig Limit
 Order deny,allow
 Deny from all
 Allow from 192.168.1.0/24

 <Files *.sh>
 deny from all
 </Files>
 <Files ossec_conf.php>
 deny from all
 </Files>
 <Files .*>
 deny from all
 </Files>
</Directory>

9. Restart the Apache web server
# /etc/init.d/httpd restart

10. Start ossec-hids
# /etc/init.d/ossec-hids start

Looking up the vendor of a network card

First, ping the host
# ping -c 4 192.168.1.230
PING 192.168.1.230 (192.168.1.230) 56(84) bytes of data.
64 bytes from 192.168.1.230: icmp_seq=1 ttl=254 time=2.96 ms
64 bytes from 192.168.1.230: icmp_seq=2 ttl=254 time=1.19 ms
64 bytes from 192.168.1.230: icmp_seq=3 ttl=254 time=1.23 ms
64 bytes from 192.168.1.230: icmp_seq=4 ttl=254 time=1.18 ms

Look up the MAC address
# arp -a | grep 192.168.1.230
pc230.test.ilc.edu.tw (192.168.1.230) at 00:17:16:0c:e3:a5 [ether] on eth0

The original IEEE lookup page is no longer available!
http://standards.ieee.org/regauth/oui/index.shtml

After searching online, I found a website in mainland China that can also do the lookup
NIC MAC code analysis – MAC address lookup – NIC MAC address analysis – MAC vendor lookup – NIC vendor lookup – NIC MAC location lookup

The lookup shows that the network card above was made by a company called Qno.

If for some reason you would rather not use the website above, you can download the complete NIC vendor list oui.txt and query it locally

1. Download the IEEE oui.txt
# wget http://standards-oui.ieee.org/oui.txt -P /usr/local/bin

2. Create the lookup script
# cat /usr/local/bin/checkmacaddress.sh
#!/bin/bash
if [ $# -ne 1 ]; then
    echo "Usage: $0 first3mac"
    exit 1
fi
mac=$1
mac=${mac//:/-}

grep -i "$mac" /usr/local/bin/oui.txt

3. Change the permissions
# chmod 700 /usr/local/bin/checkmacaddress.sh

4. Test by entering the first three octets of the MAC address; case does not matter, and either - or : can be used as the separator
# /usr/local/bin/checkmacaddress.sh 00:0c:29
# /usr/local/bin/checkmacaddress.sh 00:0C:29
# /usr/local/bin/checkmacaddress.sh 00-0c-29
# /usr/local/bin/checkmacaddress.sh 00-0C-29
00-0C-29   (hex)                VMware, Inc.

# /usr/local/bin/checkmacaddress.sh 00-17-16
00-17-16   (hex)                Qno Technology Inc.
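Added example (not from the original post): a Python version of the lookup above that parses the `(hex)` lines of oui.txt into a table, accepts a prefix or a full MAC with `:`, `-` or `.` separators in either case, and flags locally administered addresses (randomized or VM-generated MACs that no vendor registers, so a miss there is expected rather than suspicious). The oui.txt excerpt is constructed: only the two prefix/vendor pairs shown above are real, and the address lines are placeholders.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt downloaded above. The two
# prefix/organisation pairs are the ones shown on the page; the indented address
# lines are placeholders, not the real registered addresses.
OUI_SAMPLE = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-0C-29   (hex)\t\tVMware, Inc.
000C29     (base 16)\t\tVMware, Inc.
\t\t\t\t<address line placeholder>
\t\t\t\tUS

00-17-16   (hex)\t\tQno Technology Inc.
001716     (base 16)\t\tQno Technology Inc.
\t\t\t\t<address line placeholder>
\t\t\t\tTW
"""

# "00-0C-29   (hex)        VMware, Inc." -- the line the shell script above greps for
HEX_LINE_RE = re.compile(
    r"^(?P<prefix>[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\s+\(hex\)\s+(?P<org>.+?)\s*$")


def load_oui(text):
    """Parse oui.txt content into {'000C29': 'VMware, Inc.', ...}."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE_RE.match(line)
        if m:
            table[m.group("prefix").replace("-", "")] = m.group("org")
    return table


def normalize_prefix(mac):
    """Reduce '00:0c:29', '00-0C-29', '0017.160c.e3a5' or a full MAC to 'XXXXXX'."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{6}|[0-9A-F]{12}", digits):
        raise ValueError("not an OUI prefix or MAC address: %r" % mac)
    return digits[:6]


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set: the address was
    assigned locally (e.g. randomized Wi-Fi MACs), so no OUI entry is expected."""
    first_octet = int(normalize_prefix(mac)[:2], 16)
    return bool(first_octet & 0x02)


def lookup_vendor(table, mac):
    """Return the registered organisation for the MAC/prefix, or None if unknown."""
    return table.get(normalize_prefix(mac))


def describe(table, mac):
    """Human-readable verdict distinguishing 'unknown' from 'not registrable'."""
    vendor = lookup_vendor(table, mac)
    if vendor:
        return vendor
    if is_locally_administered(mac):
        return "locally administered address (no vendor registration expected)"
    return "unknown OUI (not in the loaded oui.txt)"


if __name__ == "__main__":
    table = load_oui(OUI_SAMPLE)
    # The first two are from the page; the last two are constructed test values.
    for mac in ("00:0c:29", "00:17:16:0c:e3:a5", "02:00:00:11:22:33", "00:11:22:33:44:55"):
        print(mac, "->", describe(table, mac))
```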