Posted by: jasonk2600 | January 19, 2010

Quickie HowTo: Basic Denial of Service Protection Using PF

Synopsis

This quickie howto describes the steps necessary to configure a system acting as a firewall/router using OpenBSD’s Packet Filter (PF) software to provide proactive defense against simple Denial of Service (DoS) attacks and brute force attacks.  This post assumes that the firewall/router has already been configured and is running PF with two NICs: one facing the Internet and one facing the local area network (LAN).

Sample NAT Ruleset

Below is an example of a very basic PF ruleset used on a system providing firewall and Network Address Translation (NAT).  The ruleset defines the external NIC (ext_if), the internal NIC (int_if), the local network (localnet), and a list of TCP services that are allowed to connect to the system from the outside (tcp_services).

ext_if = "ath0"
int_if = "dc0"
localnet = $int_if:network

tcp_services = "{ ssh, http }"

nat on $ext_if from $localnet to any -> ($ext_if)

block all
scrub in all
antispoof for $ext_if
antispoof for $int_if

pass from { lo0, $localnet } to any keep state

pass in inet proto tcp from any to $ext_if port $tcp_services


Adding Simple Proactive Protection

The new ruleset will need a persistent table to store IP addresses that have attempted to DoS or brute force the TCP services that have been allowed in. Create a table called bruteforce and add a block statement early in the ruleset to block the hosts in the bruteforce table. The sample ruleset would now look like the following:

ext_if = "ath0"
int_if = "dc0"
localnet = $int_if:network

tcp_services = "{ ssh, http }"

table <bruteforce> persist

nat on $ext_if from $localnet to any -> ($ext_if)

block all
block quick from <bruteforce>
scrub in all
antispoof for $ext_if
antispoof for $int_if

pass from { lo0, $localnet } to any keep state

pass in inet proto tcp from any to $ext_if port $tcp_services


Now modify the last rule that allows traffic on the specified TCP services in. The max-src-conn option limits how many concurrent connections a single source address may hold open, and the max-src-conn-rate option limits how many new connections it may open per time interval (5 connections every 5 seconds in the example below). A source that exceeds either limit is added to the bruteforce table by the overload option, and flush global tears down every state that source already holds. The finished sample ruleset would now look like the following:

ext_if = "ath0"
int_if = "dc0"
localnet = $int_if:network

tcp_services = "{ ssh, http }"

table <bruteforce> persist

nat on $ext_if from $localnet to any -> ($ext_if)

block all
block quick from <bruteforce>
scrub in all
antispoof for $ext_if
antispoof for $int_if

pass from { lo0, $localnet } to any keep state

pass in inet proto tcp from any to $ext_if port $tcp_services \
     keep state (max-src-conn 10, max-src-conn-rate 5/5, \
     overload <bruteforce> flush global)
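As an added illustration that is not part of the original post, the Python model below shows how the three state-tracking options in the final rule interact: max-src-conn caps concurrent connections per source, max-src-conn-rate caps new connections per interval, and overload puts an offending source into the bruteforce table while flush global drops its existing states. PF itself approximates the rate with a decaying counter; this model uses an exact sliding window instead, and the addresses and timings in the sample are constructed.

```python
from collections import defaultdict, deque

class OverloadTracker:
    def __init__(self, max_conn=10, rate=(5, 5)):
        self.max_conn = max_conn                 # max-src-conn 10
        self.rate_count, self.rate_secs = rate   # max-src-conn-rate 5/5
        self.open = defaultdict(int)      # src -> live states created by the rule
        self.recent = defaultdict(deque)  # src -> timestamps of recent new states
        self.bruteforce = set()           # contents of the <bruteforce> table

    def new_connection(self, t, src):
        """Handle a new TCP connection at time t; True if PF would create state."""
        if src in self.bruteforce:            # 'block quick from <bruteforce>'
            return False
        if self.open[src] >= self.max_conn:   # max-src-conn exceeded
            self._overload(src)
            return False
        window = self.recent[src]
        while window and t - window[0] >= self.rate_secs:
            window.popleft()                  # forget attempts older than the interval
        window.append(t)
        if len(window) > self.rate_count:     # max-src-conn-rate exceeded
            self._overload(src)
            return False
        self.open[src] += 1
        return True

    def close_connection(self, src):
        self.open[src] = max(0, self.open[src] - 1)

    def _overload(self, src):
        # overload <bruteforce> adds src to the table; flush global kills all its states
        self.bruteforce.add(src)
        self.open[src] = 0
        self.recent[src].clear()

def simulate(events, tracker=None):
    """events: (time, src, 'syn'|'fin') tuples -> (accepted count, blocked sources)."""
    tr = tracker or OverloadTracker()
    accepted = 0
    for t, src, kind in sorted(events):
        if kind == "syn" and tr.new_connection(t, src):
            accepted += 1
        elif kind == "fin":
            tr.close_connection(src)
    return accepted, sorted(tr.bruteforce)

# Constructed sample (not captured traffic): 6 SSH connects in under 2 s, then 3 over a minute
SAMPLE = [(0.3 * i, "198.51.100.7", "syn") for i in range(6)] + \
         [(t, "203.0.113.9", "syn") for t in (1.0, 20.0, 50.0)]
```

On the real firewall the table can be inspected with `pfctl -t bruteforce -T show`, and stale entries pruned periodically with `pfctl -t bruteforce -T expire <seconds>` so that a dynamically assigned address is not blocked forever.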


Restart the system for the new PF ruleset to take effect.

  [EoF]
Posted by: jasonk2600 | January 19, 2010

Debian GNU/Linux Snort IDS Monitoring Console

Synopsis

This post describes the steps necessary to configure a system running Debian GNU/Linux as a monitoring console for the Snort IDS using BASE.  This post only covers the process of configuring the monitoring console; for information on setting up Snort IDS sensors and/or setting up PostgreSQL as a database backend for the Snort IDS, refer to the following posts:

Installation

Install the Apache web server and PHP 5 using the aptitude software package management utility.

# aptitude install apache2 libapache2-mod-php5 \
  php5-gd php5-pgsql libphp-adodb


Next, install the BASE IDS monitoring web application using the aptitude software package management utility.  When prompted select pgsql as the database type to be used by acidbase.

# aptitude install acidbase


Configuration

Configure BASE by modifying the /etc/acidbase/database.php configuration file to connect to the system running the PostgreSQL database backend.  NOTE: Replace 10.0.1.1 with the IP address of your PostgreSQL database backend.

$alert_user='snortuser';
$alert_password='YourPassword';
$basepath='/acidbase';
$alert_dbname='snort';
$alert_host='10.0.1.1';
$alert_port='5432';
$DBtype='pgsql';


Create a symbolic link to the BASE IDS monitoring web application in the /var/www/ directory.

# cd /var/www
# ln -s /usr/share/acidbase


Open your favorite web browser and log in to BASE for the first time at http://localhost/acidbase/.  Click on the ‘Setup Page’ link and then click on the ‘Create BASE AG’ button to initialize the database.  The BASE IDS monitoring web application has now been configured and is ready for use.


  [EoF]
Posted by: jasonk2600 | January 18, 2010

Debian GNU/Linux Snort IDS Sensor

Synopsis

This post describes the steps necessary to configure a system running Debian GNU/Linux as a Snort Intrusion Detection System (IDS) sensor.  This post only covers the process of configuring a Snort IDS sensor that connects to a PostgreSQL database backend; for information on setting up a PostgreSQL backend for the Snort IDS and/or setting up a Snort IDS monitoring console, refer to the following posts:

Installation

Install the PostgreSQL DBMS and Snort IDS using the aptitude software package management utility. When prompted for the address range for the local network, replace 10.0.1.0/24 with your LAN’s IP address range.

# aptitude install postgresql-client snort snort-pgsql snort-rules

Address range for the local network:
10.0.1.0/24


Configuration

Configure Snort to use your existing PostgreSQL database backend for reporting by adding the following to the /etc/snort/snort.conf configuration file.  NOTE:  Replace 10.0.1.1 with the IP address of your PostgreSQL DBMS server and replace Password with the password you chose for the snortuser.

output database: log, postgresql, user=snortuser
   password=Password dbname=snort host=10.0.1.1
   sensor_name=Debian


Remove the /etc/snort/db-pending-config file and start the Snort IDS sensor for the first time. Be sure to check /var/log/daemons.log for any error messages.

# rm /etc/snort/db-pending-config
# /etc/init.d/snort start

Starting Network Intrusion Detection System: snort


  [EoF]
Posted by: jasonk2600 | January 18, 2010

Debian GNU/Linux PostgreSQL Backend for Snort IDS

Synopsis

This post describes the steps necessary to configure a system running Debian GNU/Linux as a database backend using PostgreSQL for the Snort Intrusion Detection System (IDS).  This post only covers the process of creating the PostgreSQL backend; for information on setting up Snort IDS sensors and/or setting up a Snort IDS monitoring console, refer to the following posts:

Installation

Install the PostgreSQL DBMS and Snort IDS using the aptitude software package management utility. When prompted for the address range for the local network, replace 10.0.1.0/24 with your LAN’s IP address range.

# aptitude install postgresql snort snort-pgsql

Address range for the local network:
10.0.1.0/24


Configuration

Create a PostgreSQL database and database user for the Snort IDS to use.  After creating the database and user, initialize the Snort database with the script provided by the Snort IDS software package.

# su postgres
$ createuser -P snortuser

Enter password for new role: *****
Enter it again: *****
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

$ createdb -O snortuser snort
$ cd /usr/share/doc/snort-pgsql
$ zcat create_postgresql.gz | psql snort snortuser
$ exit


Configure PostgreSQL to listen for database connections on all IP addresses by modifying /etc/postgresql/8.3/main/postgresql.conf to reflect the following setting.

listen_addresses = '*'


Configure PostgreSQL to use MD5 hashing for password authentication on any connections originating from the local network by modifying /etc/postgresql/8.3/main/pg_hba.conf to reflect the following setting. NOTE: Replace 10.0.1.0/24 with the IP address range of your LAN.

host  all  all  10.0.1.0/24  md5


Restart the PostgreSQL DBMS for the new settings to take effect.  The Debian GNU/Linux system has now successfully been configured as a PostgreSQL database backend for the Snort IDS.  Snort IDS sensors can now be configured to use this system.

# /etc/init.d/postgresql-8.3 restart

Restarting PostgreSQL 8.3 database server: main.


  [EoF]
Posted by: jasonk2600 | January 18, 2010

FreeBSD PostgreSQL Backend for Snort IDS

Synopsis

This howto describes how to set up a system running FreeBSD and the PostgreSQL DBMS to act as a backend database for the Snort Intrusion Detection System (IDS).  It is assumed that PostgreSQL has already been installed on the FreeBSD system.  For more information on installing the PostgreSQL DBMS on FreeBSD, refer to the following post:

Installation

Install the Snort IDS from the FreeBSD ports collection.  When configuring the port, be sure to enable the FLEXRESP2 and POSTGRESQL options.

# cd /usr/ports/security/snort
# make config
# make install clean
# rehash


Configuration

Set up a database and user for Snort in the PostgreSQL DBMS.  The following will create a new database named snort owned by a new user named snortuser with a password of your choice.

# su pgsql
$ createuser -P snortuser
Enter password for new role: ******
Enter it again: ******
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

$ createdb -O snortuser snort
$ cd /usr/local/share/examples/snort
$ cat create_postgresql | psql snort snortuser

$ exit


Next, configure Snort to report to the new PostgreSQL database.  Modify the /usr/local/etc/snort/snort.conf configuration file to reflect the following settings. Replace YourPassword with the password you chose for the snortuser and replace YourHost with the host name of your system.  Be sure to comment out the line containing include $RULE_PATH/local.rules.

output database: log, postgresql, user=snortuser
   password=YourPassword dbname=snort host=localhost sensor_name=YourHost

#include $RULE_PATH/local.rules


Download a current copy of the Snort IDS signatures from www.snort.org and extract them to /usr/local/etc/snort/rules/.

Enable the Snort IDS to automatically start at system boot and start Snort for the first time.

# echo 'snort_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/snort start


Testing

If the Snort IDS fails to start check /var/log/messages for any error messages.  To verify that the Snort IDS is analyzing network traffic, ping the system running Snort from another system.  Check the event table in the snort database for information that Snort is reporting.

# su pgsql
$ psql snort

psql (8.4.2)
Type "help" for help.

snort=# SELECT * FROM event;

sid | cid | signature | timestamp
----+-----+-----------+-----------

snort=# \q
$ exit


  [EoF]