Defense in Depth using OSSEC and other free tools
2010-02-25 10:30
Russ McRee wrote an excellent article about OSSEC for the October 2009 issue of ISSA Journal. (Disclaimer: I contributed to the article.) He then went into some further detail on his blog.
In a recent SANS 401 Mentor session, I used OSSEC in my demo of building a secure webserver using defense-in-depth principles. My rough notes can be found below. All software is freely available and the whole process can be done in under an hour. Once completed, OSSEC will be monitoring all system logs (SSH, Apache, mod_security, iptables, Wordpress) and optionally providing Active Response, blocking attackers' source IP addresses.
# Base install of CentOS 5.4
# Reboot
# Allow SSH and HTTP in firewall
yum -y update && reboot
# Add EPEL repo
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
vi /etc/yum.repos.d/epel.repo
# add this line under [epel] so only these packages are pulled from EPEL:
includepkgs=mod_security* lua* alpine* wordpress*
# Install CMS, web server, and database
yum -y install wordpress mysql-server
# Set services to start on boot and start them now
for i in httpd mysqld
do
chkconfig $i on
service $i start
done
# Secure the database
/usr/bin/mysql_secure_installation
mysql -p
create database wordpress;
grant all privileges on wordpress.* to wordpress@localhost identified by 'MyStrongPassphrase';
flush privileges;
exit
vi /etc/wordpress/wp-config.php
# Configure for wordpress database just created
# Test Wordpress
# Look at logs in /var/log/
# Wordpress --> Syslog
cd /usr/share/wordpress/wp-content/plugins
wget http://www.ossec.net/files/other/wpsyslog2.tar.gz
tar zxvf wpsyslog2.tar.gz
# Wordpress admin interface --> activate WPsyslog2 plugin
# Test logging into Wordpress, creating/deleting posts, verify logging
# Firewall logging
iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP "
service iptables save
# Test firewall logging (nmap)
# WAF (Web Application Firewall)
yum -y install mod_security
service httpd restart
# Test WAF by accessing site by IP address instead of hostname
# Test WAF by trying to do an /etc/passwd attack
# Look at rules in /etc/httpd/modsecurity.d/
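The firewall LOG rule and mod_security both write to files under /var/log/ that OSSEC will read once it is installed. The script below is an added example, not part of the original notes: it pulls the "DROP " lines and the ModSecurity denials out of constructed sample log lines, counts hits (and distinct destination ports) per client address, and flags any source whose combined hits across both layers reach a threshold, which is roughly the per-source correlation OSSEC performs on these files. The log lines, the threshold of 4 and the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original notes): triage of the two log sources
# set up above, iptables LOG lines with the "DROP " prefix and mod_security
# denials in the Apache error_log. Counting hits per client and combining the
# layers is, roughly, the correlation OSSEC performs once it reads these files.
# The log lines below are constructed for this example.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Feb 25 10:30:01 web kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TTL=48 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 SYN
Feb 25 10:30:01 web kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TTL=48 ID=2 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 SYN
Feb 25 10:30:02 web kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TTL=48 ID=3 PROTO=TCP SPT=40002 DPT=3306 WINDOW=1024 SYN
Feb 25 10:30:05 web kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TTL=52 ID=4 PROTO=TCP SPT=51000 DPT=445 WINDOW=1024 SYN
[Thu Feb 25 10:31:00 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/etc/passwd" at ARGS:page. [msg "Remote File Access Attempt"] [hostname "198.51.100.5"] [uri "/wp-login.php"]
[Thu Feb 25 10:31:02 2010] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/etc/passwd" at ARGS:page. [msg "Remote File Access Attempt"] [hostname "198.51.100.5"] [uri "/index.php"]
Feb 25 10:31:10 web sshd[2201]: Accepted publickey for admin from 198.51.100.20 port 50022 ssh2
EOF

# usage: fw_drops_by_src LOGFILE -> "SRC drops distinct_ports" per dropped client.
# Many drops on one port and a few drops spread over many ports are different
# signals (brute force vs. scan), so the distinct DPT count is kept separately.
fw_drops_by_src() {
    awk '/kernel: DROP / {
             src = ""; dpt = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^SRC=/) src = substr($i, 5)
                 if ($i ~ /^DPT=/) dpt = substr($i, 5)
             }
             n[src]++
             if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
         }
         END { for (s in n) print s, n[s], ports[s] }' "$1" | sort
}

# usage: waf_denials_by_src LOGFILE -> "client denials" per client mod_security blocked.
waf_denials_by_src() {
    awk '/ModSecurity: Access denied/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "[client") { ip = $(i + 1); sub(/\]$/, "", ip); n[ip]++ }
         }
         END { for (s in n) print s, n[s] }' "$1" | sort
}

# usage: flag_sources LOGFILE THRESHOLD -> "client total" for every client whose
# firewall drops plus WAF denials reach THRESHOLD (column 2 of both reports).
flag_sources() {
    { fw_drops_by_src "$1"; waf_denials_by_src "$1"; } |
        awk -v t="$2" '{ n[$1] += $2 } END { for (s in n) if (n[s] >= t) print s, n[s] }' | sort
}

echo "firewall drops per source (src drops ports):"; fw_drops_by_src "$SAMPLE_LOG"
echo "mod_security denials per source:";           waf_denials_by_src "$SAMPLE_LOG"
echo "sources with 4 or more hits across both layers:"; flag_sources "$SAMPLE_LOG" 4
```

Run it as-is to see the three reports on the constructed input; point the functions at /var/log/messages and the Apache error_log on the real host to get the same summary for the live box. The sshd line is included only to show that unrelated entries are ignored.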
# NIDS (Network Intrusion Detection System)
yum -y install alpine perl-libwww-perl libpcap-devel pcre-devel gcc
# Download Snort:
cd /usr/local/src/
mkdir snort && cd snort
wget http://dl.snort.org/snort-current/snort-2.8.5.2.tar.gz
tar zxvf snort-2.8.5.2.tar.gz
cd snort-2.8.5.2
./configure && make && make install
mkdir -p /etc/snort/rules
cd etc
cp * /etc/snort/
mkdir /var/log/snort
adduser snort
passwd -l snort
chown snort:snort /var/log/snort
# Download PulledPork:
cd /usr/local/src/
mkdir pulledpork && cd pulledpork
wget http://pulledpork.googlecode.com/files/pulledpork-0.3.4.tar.gz
tar zxvf pulledpork-0.3.4.tar.gz
cd pulledpork-0.3.4
vi pulledpork.conf
oinkcode=InsertYourOinkcodeHere
tar_path=/bin/tar
rule_path=/etc/snort/rules/
sid_msg=/etc/snort/sid-msg.map
sid_changelog=/var/log/snort/sid_changes.log
#sorule_path=/usr/local/lib/snort_dynamicrules/
config_path=/etc/snort/snort.conf
distro=CentOS-5.0
chmod +x pulledpork.pl
./pulledpork.pl -c pulledpork.conf
vi /etc/snort/snort.conf
var RULE_PATH /etc/snort/rules
#include local.rules
# Test run
/usr/local/bin/snort -i eth1 -c /etc/snort/snort.conf -u snort -g snort
# Daemon mode
/usr/local/bin/snort -i eth1 -c /etc/snort/snort.conf -u snort -g snort -D
# Start at boot
echo "/usr/local/bin/snort -i eth1 -c /etc/snort/snort.conf -u snort -g snort -D" >> /etc/rc.local
# Test Snort with idswakeup and verify logs in /var/log/snort/
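Snort exits at startup when any include in snort.conf points at a file that is not there, so a wrong RULE_PATH or a rules file PulledPork never wrote would leave the rc.local line above starting nothing after the next reboot. The script below is an added example, not from the original notes: it expands the var definitions in snort.conf, checks that every include resolves to a readable file, and runs here against a constructed snort.conf in a temporary directory. Taking a relative include relative to the directory holding snort.conf is this check's own convention (an assumption, not a statement about Snort's parser), and the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original notes): verify that every "include" in
# snort.conf resolves to a readable file before the snort command goes into
# rc.local. Snort refuses to start when an included rules file is missing, so a
# wrong RULE_PATH or a rules file PulledPork never wrote would leave the NIDS
# layer absent after the next reboot. The snort.conf used below is constructed
# in a temporary directory for this example.

# usage: snort_includes CONF -> one resolved include path per line.
# "var NAME value" lines are expanded into later "include $NAME/..." lines;
# a relative include is taken relative to CONF's directory (this check's own
# assumption about layout, not a statement about Snort's parser).
snort_includes() {
    awk -v dir="$(dirname "$1")" '
        /^[[:space:]]*#/ { next }
        $1 == "var" && NF >= 3 { vars[$2] = $3; next }
        $1 == "include" && NF >= 2 {
            p = $2
            for (v in vars) gsub("\\$" v, vars[v], p)
            if (p !~ /^\//) p = dir "/" p
            print p
        }' "$1"
}

# usage: check_snort_includes CONF -> prints "missing: PATH" for each bad include;
# returns 0 when every include resolves and 1 otherwise.
check_snort_includes() {
    local conf=$1 missing=0 path
    for path in $(snort_includes "$conf"); do   # snort.conf paths carry no spaces
        if [ ! -r "$path" ]; then
            echo "missing: $path"
            missing=1
        fi
    done
    return $missing
}

# Constructed demo layout: a rules dir holding one local rule, and a snort.conf
# that includes it, a rules file that was never written, and a relative include.
DEMO=$(mktemp -d)
mkdir "$DEMO/rules"
printf 'alert tcp any any -> any 22 (msg:"constructed test rule"; sid:1000001; rev:1;)\n' > "$DEMO/rules/local.rules"
printf 'var RULE_PATH %s/rules\n' "$DEMO" > "$DEMO/snort.conf"
cat >> "$DEMO/snort.conf" <<'EOF'
# include $RULE_PATH/commented-out.rules
include $RULE_PATH/local.rules
include $RULE_PATH/missing.rules
include classification.config
EOF
printf 'config classification: constructed,Constructed classification,3\n' > "$DEMO/classification.config"

if check_snort_includes "$DEMO/snort.conf"; then
    echo "all includes resolve; safe to add snort to rc.local"
else
    echo "fix the includes above before adding snort to rc.local"
fi
```

On the real host, run check_snort_includes /etc/snort/snort.conf after each ./pulledpork.pl run and before the echo into /etc/rc.local; the demo deliberately leaves missing.rules absent so the failure path is visible.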
# HIDS (Host Intrusion Detection System)
cd /usr/local/src/
mkdir ossec
wget http://www.ossec.net/files/ossec-hids-2.3.tar.gz
tar zxvf ossec-hids-2.3.tar.gz
cd ossec-hids-2.3
./install.sh
# Local installation
# Email to root@localhost
# Enable Active Response, whitelist host IP
service ossec start
# Test HIDS alerting
# Test OSSEC Active Response using nmap, idswakeup, SSH brute force, Wordpress brute force
What else could we do for more defense in depth?
Suhosin (PHP Hardening)
GreenSQL (Database firewall)
Daemonlogger (full packet capture for forensics purposes)
Others?