9.5. Turning off Nonessential Services
One step beyond using your firewall to restrict access to services is to turn off services
To configure the services that start automatically when the server is
For example, if you're not using NFS to make files available over the network (if you're not sure what this means, then you're probably not using NFS!), you can safely disable the NFS services portmap , rpcgssd , rpcidmapd , and rpcsvcgssd . NFS is used to share files between Linux and other UNIX-like machines. Similarly, if you're not using Samba to share files (usually with Windows machines), you should disable Samba's smb service.
If you prefer, you can also disable and enable services from the command line using the chkconfig command . For instance, to disable the smb service, enter:
[root@swinetrek kermit]# /sbin/chkconfig smb off [root@swinetrek kermit]#
To enable the service, use:
[root@swinetrek kermit]# /sbin/chkconfig smb on [root@swinetrek kermit]#
The chkconfig --list command displays a list of all the services on the machine, showing whether each is enabled or disabled.
Snort is an Intrusion Detection System, or IDS. An IDS
9.6.1. Installing Snort
Snort isn't part of the Fedora archive, but it's available from the Snort project's Website. Follow the Download link, and look for the pre-compiled binary packages. At the time of writing, Snort is only available as an RPM package for Fedora Core 3, but this package
While you're at the Snort Website, you should also download a set of Snort rules; there's a big orange link on the right-hand side of the download page. Snort rules are configuration files that tell Snort what to look for when it searches for evidence of intrusions. Three official rule sets are provided by Sourcefire , the company that maintains Snort: the subscription release, which contains the very latest rules, but requires a paid subscription; the registered user release, which contains the latest rules five working days after they appear in the subscription release, and only requires a free registration; and the unregistered
Note: Snort rules are being constantly updated by Sourcefire; you should check for new rules at least once a week.
9.6.2. Setting Up Snort
The Snort RPM installs Snort with a good initial configuration: you shouldn't need to change too much to have the program running usefully. It's possible to configure Snort in many different and complicated ways; the Snort manual and FAQ, available from the Snort project's Website, will help here. For the moment, we'll work with the default configuration, except for a couple of things. First, Snort needs to know where your local network is, so that it doesn't alert you to "suspicious" traffic originating from the local network. Also, we should set up Snort so that it uses its full logging mode to provide you with the most useful information it can.
This section of snort.conf defines your server's home network. Comment out the var HOME_NET any line, uncomment the var HOME_NET 10.1.1.0/24 line, and enter your local network's subnet, or the machine's IP address if it's not part of a local network. (A network administrator should be able to help here if you're not sure.) For example, if your subnet was 192.168.1.0/24, snort.conf should be edited as shown below.
Next, open the file /etc/sysconfig/snort and locate the following section:
After making a backup of the file, change ALERTMODE=fast to ALERTMODE=full . This will set up Snort to produce more output, which will adversely affect its performance. If you find that your server is running slowly, consider changing this setting back to ALERTMODE=fast .
Finally, you'll need to extract the rules you've downloaded using the tar command:
[root@swinetrek kermit]# tar -x -z -f \ > /home/kermit/Desktop/snortrules-snapshot-CURRENT.tar.gz \ > -C /etc/snort [root@swinetrek kermit]#
Once you've configured Snort correctly, you can start the snortd daemon.
9.6.3. Using Snort
Snort stores its logs in the
directory. Snort's default setup will log alerts in the file
. Whenever Snort detects suspicious traffic, it writes a description of the traffic into the
file. To perform a simple test of this, try to access http://
This is all rather overwhelming, so let's take a closer look, line by line.
The first line is the key: it
The second line of the alert explains what
The third line tells you when the attack happened, and where it came from. In this case, the attack
The fourth and fifth lines contain detailed network information, which may be useful to a network administrator. If you already understand that line, you'll know whether the information in it is useful in diagnosing the attack; if you don't understand this information, you may want to call in some network technicians in the event of an attack. These details are not usually all that useful, so it's not something that
Line 5 provides links to references to help you find out the details of the attack. Each URL that's listed explains the WWWBoard passwd.txt vulnerability, as you can see in Figure 9-11.
Figure 9-11. The WWWBoard passwd.txt vulnerability explained.
These descriptions should allow you to understand the nature of the vulnerability, and identify whether you are vulnerable to compromise. They'll also explain workarounds or solutions to prevent your continuing vulnerability. For example, the description of the WWWBoard vulnerability explains how it can be fixed: edit the wwwadmin.pl script to change the location of the passwd.txt file.
Now that you understand what Snort stores in its alert file, you need to remember to check that alert file. The best Intrusion Detection System in the world is completely useless if, even though it detects intrusions, no-one notices that it's doing so. The primary way to check is simply to do what we did above: manually look in the file on a regular basis, and examine each alert to see if it represents a potential vulnerability. However, having to remember regularly to look at the file is boring, and boring
22.214.171.124. Setting up a Nightly Email
One way to ensure that you're reminded is to have the system email you each night with details of any alerts that were logged in the previous day. While it would be nice to be alerted to a potential compromise the instant it happens, in practice, most system administrators are too busy to respond to an alert instantly. A daily email gives you the chance to review the alerts at a reasonable pace, and to take action to close off any security holes, without demanding your availability twenty-four hours a day.
The Snort Website links to various data analysis tools. These take your raw Snort logs and uses them to create nice
[root@swinetrek kermit]# tar -x -p -f \ > /home/kermit/Desktop/snortalog_v2.3.0.tgz -C /usr/local [root@swinetrek kermit]#
Running snortalog isn't difficult, but it does require that you change the working directory to /usr/local/snortalog_v2.3/ .
[root@swinetrek kermit]# cd /usr/local/snortalog_v2.3/ [root@swinetrek snortalog_v2.3]# ./snortalog.pl < \ > /var/log/snort/alert subject: IDS Statistics generated on Wed Oct 26 23:13:53 2005 The log begins at : Wed 26 09:58:27 The log ends at : Wed 26 22:58:42 Total of Lines in log file : 2330 Total of Logs Dropped : 0 ( 0.00%) Total events in table : 372 Source IP recorded : 5 Destination IP recorded : 21 Host logger recorded : 1 with 1 interface(s) Signatures recorded : 21 Classification recorded : 5 Severity recorded : 3 Portscan detected : 0 Version: 2.3.0 Jeremy CHARTIER, <email@example.com> Date: 2004/12/02 11:31:03 [root@swinetrek snortalog_v2.3]#
This brief summary shows that 21 different types of suspicious traffic were identified by Snort between October 26th at 9.58 a.m. and October 26th at 10.58 p.m. The summary can then prompt you to dig further into the alert file itself, to identify what those different types of suspicious traffic were, and whether you need to do anything about them.
To set the system up so that the report is mailed to you nightly, simply add an entry to /etc/crontab , as shown below.
That line simply schedules the command abovewhich generated the summaryto run daily, and to email the results to the root user, whose mail is readable by you. Now you have a daily nudge to check the Snort logs if there seems to be a problem.
126.96.36.199. Further Reporting
Some Snort data analysis tools provide much (much!) more comprehensive and detailed reports, and you may want to investigate these tools if you need to get further into this area. One of the best is SnortSnarf, which produces a detailed HTML report that considers the alerts in your Snort alert file from a variety of different angles, and makes it very easy to pore through your files and understand what the alerts
[root@swinetrek kermit]# tar -x -z -f > /home/kermit/Desktop/SnortSnarf-050314.1.tar.gz -C /usr/local [root@swinetrek kermit]#
Before you can generate a report, you need to install the Time::ParseDate Perl module . A Perl module is nothing more than a piece of code that can be used by many different Perl scripts. The most popular modules are hosted at the Comprehensive Perl Archive Network (CPAN) . Mercifully, the CPAN Perl module makes installing the Time::ParseDate module easy.
[root@swinetrek kermit]# perl -MCPAN -e 'install Time::ParseDate' /usr/lib/perl5/5.8.6/CPAN/Config.pm initialized. CPAN is the world-wide archive of perl resources. It consists of about 100 sites that all replicate the same contents all around the globe. Many countries have at least one CPAN site already. The resources found on CPAN are easily accessible with the CPAN.pm module. If you want to use CPAN.pm, you have to configure it properly. If you do not want to enter a dialog now, you can answer 'no' to this question and I'll try to autoconfigure. (Note: you can revisit this dialog anytime later by typing 'o conf init' at the cpan prompt.) Are you ready for manual configuration? [yes]
The first time you run CPAN, you'll be asked if you want to configure CPAN manually, or if you'd rather let it configure itself. Most of the time, CPAN's automatic configuration will work fine, so enter no :
Are you ready for manual configuration? [yes] no The following questions are intended to help you with the configuration. The CPAN module needs a directory of its own to cache … Installing /usr/share/man/man3/Time::Timezone.3pm Installing /usr/share/man/man3/Time::DaysInMonth.3pm Writing /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /auto/Time-modules/.packlist Appending installation info to /usr/lib/perl5/5.8.6 /i386-linux-thread-multi/perllocal.pod /usr/bin/make install -- OK [root@swinetrek kermit]#
If you need to configure CPAN to use HTTP or FTP proxies, you can enter yes and go through the configuration process step by step.
Generating a report is very similar to running snortalog . The Perl script will return some warnings, but these can safely be ignored:
[root@swinetrek kermit]# cd /usr/local/SnortSnarf-050314.1 [root@swinetrek SnortSnarf-050314.1]# ./snortsnarf.pl \ > /var/log/snort/alert Using an array as a reference is deprecated at include/SnortSnarf/HTMLMemStorage.pm line 290. Using an array as a reference is deprecated at include/SnortSnarf/HTMLAnomMemStorage.pm line 266. [root@swinetrek SnortSnarf-050314.1]#
Load /usr/local/SnortSnarf-050314.1/snfout.alert/index.html in your Web browser to see the full report, as shown in Figure 9-12.
Figure 9-12. A SnortSnarf report.