HOWTO : Intrusion Detection System made easy

October 2, 2008

An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating or disabling a computer system, mainly through a network such as the internet. These attempts may take the form of attacks by, for example, crackers, malware or disgruntled employees.

EasyIDS is currently built from CentOS 4.6 and Snort. It is a passive system. EasyIDS is installed on a dedicated personal computer. It is very easy to set up; there is almost nothing to set up. For the installation and setup, please refer to the Documentation section of its website.

EasyIDS requires at least two network interface cards (NICs), 384MB RAM or more and an 8GB or larger hard drive. The system can be configured by means of a web GUI in your browser.

I put my EasyIDS behind my ZeroShell, a firewalled PC-based router, and connected it to the other servers and clients by switches.

Home network with passive IDS

A switch with port mirroring is very expensive and a hub is hard to buy in Hong Kong nowadays. You can make a DIY network TAP according to this link.

I am now working on turning the EasyIDS into an Intrusion Prevention System (IPS).

Security is very important even at home!

Reference links :
IDS/IPS placement on home network
Construction and use of passive Ethernet TAP
Simple SOHO IDS with Snort & a DIY Network TAP
Make a passive Network TAP
Building an Ethernet TAP


HOWTO : Home made NAS server with Ubuntu 8.04.1 – Part VII

October 1, 2008

Some personal NAS units on the market come with an iTunes music server. However, iTunes is not Open Source software.

Sockso is an Open Source personal music server written in Java. It requires Sun’s Java Runtime; IcedTea is not compatible so far.

Sockso is cross-platform software and requires no installation. It can run on a standalone personal computer or on a server. For running it on a personal computer with a GUI, please refer to the official site.

The client computer requires no mp3 player to play the music but may need Flash (optional). The Flex player requires no installation of a music player on the client computer. Other formats, such as WMV, OGG and FLAC, require pre-installed music players that handle those formats.

The advantage of Sockso is that you can listen to your mp3 files at any time and anywhere, provided a fast internet connection is available. The disadvantage is that you need at least an IEEE 802.11g (54M) Wifi connection for smooth operation. GPRS and HSDPA do not work properly in my testing.

I am going to talk about running Sockso on Ubuntu Server 8.04.1 (without GUI).

Step 1 :

Install Sun Java and the runtime on the Ubuntu server (NAS).
sudo apt-get install sun-java6-bin sun-java6-fonts sun-java6-jre sun-java6-plugin

Download Sockso from the official site. Extract it in your home directory on your Ubuntu server. If your server (NAS) has its keyboard and monitor detached, plug them in now.

wget http://sockso.pu-gh.com/downloads/sockso-latest.zip
unzip sockso-latest.zip
cd sockso-1.0.9

Step 2 :

Create a directory under /var for storing the database files.
sudo mkdir /var/sockso
sudo chmod -R 0755 /var/sockso

Step 3 :

Run the server as a user (such as samiux) at the physical server on tty1 (Ctrl+Alt+F1), from /home/samiux/sockso-1.0.9.
sudo sh linux.sh --nogui --datadir /var/sockso

A directory named “covers” and the files “database.lck”, “database.log”, “database.properties” and “database.script” will be created in /var/sockso.

A console will appear telling you your IP address and the port (4444) used for the music server.

Step 4 :

Now, create the paths for the mp3 files located on the music server (your NAS – Ubuntu Server).

For example, if some mp3 files are stored at 3 locations, such as :
/home/samiux/music, /home/john/mp3 and /home/mary/songs.

At the console (on the server), type the following commands :
coladd /home/samiux/music
coladd /home/john/mp3
coladd /home/mary/songs

Type collist to list all the paths that you have just created. You can delete a path with the coldel command.

Step 5 :

You can create a user, e.g. samiux, with the following command or at the web interface.
useradd samiux 9876543210 samiux.com@gmail.com

(where 9876543210 is the password and the other is your email address)

Your Sockso Music Server is ready, but you should not exit the console; otherwise, it will terminate Sockso. Leave it alone and press Ctrl+Alt+F2. You can return to the console by pressing Ctrl+Alt+F1. Type “help” for assistance at the console.

Step 6 :

Go to your personal computer (client), open a browser, e.g. Firefox, and type the following in the address bar.
http://192.168.0.15:4444

(where 192.168.0.15 is your NAS address behind a router and 4444 is the port that Sockso uses)

Warning

If you want to share your music files with others over the internet, you should beware of copyright law in the music industry or you may be in serious trouble – a lawsuit. You have been warned.

Enjoy your favourite music anywhere and anytime!!!


My home network

September 28, 2008

I gathered all the HOWTOs for building up my home network here.

My Network

(1) Router
(2) NAS - Part I (Introduction)
(3) NAS - Part II (Samba)
(4) NAS - Part III (vsFTPd)
(5) NAS - Part IV (BitTorrent)
(6) NAS - Part IV(a) (BitTorrent)
(7) NAS - Part V (System Tuning)
(8) NAS - Part VI (ClamAV)
(9) NAS - Part VII (Music Server) (added on October 1, 2008)
(10) IP-PBX (VoIP server)
(11) Intrusion Detection System (IDS) (added on October 2, 2008)

This summary is built for easy reading and searching. Enjoy!!!


HOWTO : Ubuntu eee on ASUS Eee PC 701

September 18, 2008

Ubuntu eee comes with the Netbook Remix and it is very user-friendly. I installed Ubuntu eee on my ASUS Eee PC 701 and all the function keys work. The speaker, mic, webcam and wireless work flawlessly.

Now, I want to do some tweaking on my Ubuntu eee box.

Step 0 :
Install Ubuntu eee on your Eee PC accordingly. The installation is quite straightforward.

Step 1 :
sudo nano /boot/grub/menu.lst

add “elevator=noop” at the end of the kernel line.

Step 2 :
sudo nano /etc/fstab

add “noatime” to the following line (the content may differ from mine) :
UUID=b151a69-....1d865 / ext3 noatime,relatime,errors=remount-ro 0 1

Step 3 :
add the following lines at the end of /etc/fstab.

tmpfs /var/log/apt tmpfs defaults 0 0
tmpfs /var/log tmpfs defaults 0 0
tmpfs /tmp tmpfs defaults 0 0
tmpfs /var/tmp tmpfs defaults 0 0

Step 4 :
Make it like this.

Just 5 steps to make your Eee PC work flawlessly and smoothly.

Enjoy!


Ubuntu 8.04.1 LTS on Eee PC 701 & 900

September 10, 2008

Install Ubuntu 8.04.1 on the ASUS Eee PC as is. The installation is smooth and simple.

Whether you have an Eee PC 701 or 900, the tweaks are similar or the same.

Since the wireless driver from Ubuntu 8.04.1 does not work on the Eee PC, you should disable the two entries at “System” - “Hardware Drivers” before going ahead.

Install the following packages in the terminal, and make sure you are connected to the internet via an ethernet cable :
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential
sudo apt-get install linux-headers-`uname -r`

For Eee PC 701 :
wget http://samiux.volospin.com/eeepc/ubuntu-8.04.1-eeetweak-eeepc701-1.0.sh.tar.gz
tar -xvzf ubuntu-8.04.1-eeetweak-eeepc701-1.0.sh.tar.gz
sudo chmod +x ubuntu-8.04.1-eeetweak-eeepc701-1.0.sh
sudo ./ubuntu-8.04.1-eeetweak-eeepc701-1.0.sh

For Eee PC 900 :
wget http://samiux.volospin.com/eeepc/ubuntu-8.04.1-eeetweak-eeepc900-1.0.sh.tar.gz
tar -xvzf ubuntu-8.04.1-eeetweak-eeepc900-1.0.sh.tar.gz
sudo chmod +x ubuntu-8.04.1-eeetweak-eeepc900-1.0.sh
sudo ./ubuntu-8.04.1-eeetweak-eeepc900-1.0.sh

Make sure you run the script only ONCE. If you make a mistake, you should re-install your copy of Ubuntu 8.04.1 before running the script again.

To tweak the boot-up speed, you just need to edit /boot/grub/menu.lst and add the following to the end of the “kernel” line :
clocksource=hpet

By the way, the script does nothing for the webcam and microphone.

Easy to Learn, Easy to Work, Easy to Play with Ubuntu 8.04.1!!!


HOWTO : Painless to Elastix with X100P

September 7, 2008

Elastix is a Linux distro based on CentOS (at the time of this writing, Elastix 1.2 is based on CentOS 5). Elastix is a total solution built on Asterisk – a telephony software package. Elastix allows you to set up a VoIP (Voice over Internet Protocol) server at home or in the office. The entry cost is not expensive and it is very easy to set up. There is another very famous distro, namely Trixbox. I have tried it and it is not suitable for me, as the update speed is slow and it has none of the other features that Elastix comes with.

Software

You will need an iso of Elastix, which you can download here. It is a CD image. Burn it and you are ready to install. The installation is in text mode but it is straightforward and simple.

Hardware

The minimum requirement for Elastix is a 500MHz CPU with 258M RAM. You also need the other heart of the system, an X100P card. You can buy it here. It is inexpensive, about $300-HK, and I bought it in Hong Kong (exchange rate: $1-US equals $8-HK). More than one X100P card can co-exist.

You may have heard someone on the net complaining about this card or its clones. This is also a clone of the Digium card, which was discontinued a very long time ago. The card is simple to set up. Yes, it is very easy to set up once you make it work.

I spent a whole day making this card work and later found out that it is very easy to overcome. The main problem is that the card is very easily left uninitialized. The manual (you should find it yourself over the net, as it does not come with the package) states that you can change slot or not insert the card too firmly into the slot, leaving 1 to 2mm above. I also found out that it is not an interrupt problem at all.

Once the card can be initialized under Elastix, you SHOULD NOT unplug the power cord from the wall (because if the power cord is connected to the power supply, there will be some electricity to the supply); otherwise, you may find that the card cannot be initialized again when the system boots up. If you encounter this, simply re-insert the card into the slot with the power cord connected (crazy!). Or simply leave it powered on 24/7/365 – that is your aim anyway for a telephony server.

Updated on 2008-SEP-10 :
The captioned problem only happened on my old Pentium III and Athlon XP computers. I installed the X100P on a brand new VIA C7-D PC-2500E motherboard with no such problem.

Configuration

The first thing is to get “Elastix without tears” in hand here. Read it carefully to get some information and concepts. Once you have read it all, you can configure the system.

Install Elastix as is. Once you have logged in, the system will show you the IP address of the server. Use a browser to open it. The username is “admin” and the password is “palosanto” (you can change it later once you have set the system up). My tutorial is aimed at just making it work.

Run zttool to see if the card is initialized or not. You may not see “OK Wildcard X100P Board 1” in the result. You can type the following to make it so (if you still cannot see “Wildcard X100P”, your card did not initialize correctly; re-insert your card) :
genzaptelconf -c us

where “us” stands for United States. It is okay in Hong Kong.

Then edit the file /etc/asterisk/zapata.conf with vi. Or you can install nano with the following command :
yum install nano

Comment out the following line to make it look like this :
;echotraining=800

Uncomment the following lines :
busydetect=yes
busycount=3

These changes solve the echo and hangup problems of the X100P. Elastix is equipped with echo cancellation software to overcome the echo, and Asterisk solves the hangup problem. Perfect match!

Follow “Elastix without tears” to set up at least one extension. It is very straightforward and easy. The only problem is getting the X100P initialized when the system boots up.

For the softphone (X-Lite or Zoiper), you may consider muting the mic on the screen, as it may produce a “buzzy” noise that interferes with your conversation.

If you will access the Elastix box remotely by softphone, I recommend you use Zoiper on the laptop and create an IAX2 extension for that purpose. Remember to open port 4569 if you have a firewall. The following lines should be added to /etc/asterisk/iax.conf just under [general] :
bindport = 4569
externhost = your Elastix box domain name
localnet = 192.168.0.0/255.255.255.0
bindaddr = 0.0.0.0
delayreject = yes
disallow=all
allow=g729
allow=ilbc
allow=gsm
allow=g723
allow=alaw
allow=ulaw
jitterbuffer = yes
mailboxdetail = yes

(**these settings are copied from “Elastix without tears”)

Enjoy the wonderful Telephony with Linux!!!!

(Next time I will show you how to set up a Linksys SPA3102 on Elastix)


Byzanz and PDFEdit on Ubuntu 8.04.1

August 28, 2008

Byzanz can record your desktop session to a GIF image file. It is ideal for creating a Linux visual tutorial on the Gnome window manager. The GIF image can be viewed in Firefox.

To use it, right-click on the top bar, select “Add to Panel” and choose “Desktop Recorder”. It can record the desktop, an area or a window. It can also capture the mouse cursor.

To install it on Ubuntu 8.04.1 :
sudo apt-get update
sudo apt-get install byzanz

PDFEdit can edit a PDF file and can also combine 2 or more PDF files with a simple click. You can install it on Ubuntu 8.04.1 with a single command.
sudo apt-get install pdfedit

Make your tutorials with the powerful tools!


HOWTO : Home made wired and wireless router with ZeroShell

August 17, 2008

My wired and wireless routers were connected together and served me for years. However, they produce a lot of heat in the devices and the power adapters. That is not ideal for running 24/7/365 in an environment with no air-conditioning alongside my newly built home NAS server.

I searched the internet for days and later found ZeroShell. ZeroShell is very powerful and easy to install. It only supports Atheros chipset wireless PCI cards. So, I can build an all-in-one (wired and wireless) router in one machine.

The minimum requirement of ZeroShell is a Pentium 233MHz CPU, 96MB RAM and an ATA CD-ROM or Compact Flash card. The current version is 1.0 beta 10 at this writing. It is a Linux-based router system. I am now going to build a simple, just-works but powerful home wired and wireless router. Enterprise features are not needed in this HOWTO.

Hardware

Motherboard – VIA PC-1 PC2500E with VIA C7-D 1.5GHz CPU
RAM – 2 X 1GB DDR2 667MHz (maximum)
Hard drive – SATA SSD Enclosure with 8GB Compact Flash card (Transcend)
Wireless PCI card – TP-Link TL-WN551G (detachable antenna) 54M IEEE 802.11b/g
PCI Ethernet card – Planet Gigabit Ethernet PCI card
Switch – 100M or Gigabit switch (optional)

The onboard 100M ethernet card is for connecting to the internet (the interface name in ZeroShell is ETH01), the PCI ethernet card is for connecting to the wired intranet (the interface name in ZeroShell is ETH00) and the TP-Link wireless card serves the wireless computers (the interface name in ZeroShell is ETH02).

Install ZeroShell on hard drive

Download ZeroShell-1.0.beta10-CompactFlash-IDE-USB-SATA=1GB.img.gz and copy it to a USB stick. Download the CD iso (ZeroShell-1.0.beta10.iso) and burn it to a CD-R. Follow the instructions in this PDF: http://digilander.libero.it/smasherdevourer/schede/linux/Zeroshell%20su%20HD-EN.pdf

Configure the Wired ZeroShell

Set the IP address of your Ubuntu Desktop to a static IP (192.168.0.2), with netmask 255.255.255.0 and gateway 192.168.0.75. Connect to the ZeroShell with a browser. The default username is admin and the password is zeroshell. You can change the password later during the configuration.

Follow the instructions at http://digilander.libero.it/smasherdevourer/schede/linux/zeroshellEN.pdf up to “Surfing Internet”. The default gateway at “Storing our configuration” is 192.168.0.75.

Use the default profile and change the administrator password. If the default gateway is not set for you at “Router” - “Network”, just key in “192.168.0.75”. Make sure to set an IP range at the DHCP server for ETH00, such as 192.168.0.1 to 192.168.0.70 or something like that.

After that, reconfigure your Ubuntu Desktop IP to roaming mode. Now, you can surf the internet via the wired intranet.

Configure the Wireless ZeroShell

Since this beta 10 version does not support setting up the wireless interface via the web browser, you should go to the console or use ssh to set up the wireless interface.

At the console, press “w” - Wifi Manager. Then press “n” to set the SSID. Press “c” to set the channel and WPA-PSK. Finally, press “r” to restart the device.

Make sure to add an IP range at the DHCP server. ETH01 should be set to Dynamic IP enabled.

In the browser, go to “Setup” - “Network”. Add an IP (192.168.10.75) and netmask (255.255.255.0) to the interface ETH02, i.e. the wireless interface. Then go to “Router” - “Manage” to add two static routes connecting the wired and wireless interfaces.

Route 1 :
Destination – 192.168.10.0
Netmask – 255.255.255.0
Type – net
Metric – 1
Gateway – 192.168.0.75
Interface – N/A

Route 2 :
Destination – 192.168.10.0
Netmask – 255.255.255.0
Type – net
Metric – 2
Gateway – N/A
Interface – eth00

Now, you can surf the internet by wireless, and you can also log in to the ZeroShell web interface by wireless too.

Let’s build your home all-in-one router now!!!


HOWTO : Home made NAS server with Ubuntu 8.04.1 – Part IV (a)

August 14, 2008

Since someone complained that Torrentflux with BitTornado eats a lot of CPU resources, I switched to Torrentflux-b4rt with BitTornado. Torrentflux-b4rt is a fork of Torrentflux, but it was completely rewritten by the developers for the current version. The current version is still beta 2 at this writing.

I have tested a torrent download at 1134.80 KB/s (one torrent) and it eats not more than 25% of CPU resources (according to top). The overall CPU usage of the system is not more than 35% at that download speed. Quite good indeed. It is better than Torrentflux.

Torrentflux-b4rt supports wget, torrent and nzb metafile download methods. The downloaded video clips can be streamed via VLC. B4rt also supports Transmission, Azureus, BitTorrent Mainline and BitTornado. However, I tested the latest version of Transmission (1.32) unsuccessfully – it is too slow to start the download and unable to stop the transfer. I think these are bugs. Azureus requires Java to run and I will not test it at all. BitTorrent Mainline is also not tested. Therefore, I selected BitTornado.

Torrentflux-b4rt

Install the required libraries and software :
sudo apt-get install php5-cli unrar unzip vlc uudeview build-essential bittornado

Download and compile cksfv, which is required by b4rt :
wget http://zakalwe.fi/~shd/foss/cksfv/files/cksfv-1.3.12.tar.bz2
tar -xjvf cksfv-1.3.12.tar.bz2

cd cksfv-1.3.12
./configure
make
sudo make install

Get and install Torrentflux-b4rt (the current version at this writing) from the official site :
wget http://download.berlios.de/tf-b4rt/torrentflux-b4rt_1.0-beta2.tar.bz2
tar -xjvf torrentflux-b4rt_1.0-beta2.tar.bz2

cd torrentflux-b4rt_1.0-beta2
sudo cp -R html /var/www/torrentflux

sudo chmod -R 0777 /var/www/torrentflux/inc/config

Create a directory for the downloads :
sudo mkdir /home/torrent
sudo chmod -R 0777 /home/torrent

Install Torrentflux-b4rt with the browser. Type in “http://your_server_ip/torrentflux/setup.php”

Follow the instructions on the screen. The MySQL username and password are the administrator’s username and password of MySQL (i.e. “root” and the password you set when you installed MySQL). Make sure to delete “setup.php” from /var/www/torrentflux after the installation.

Torrentflux-b4rt is now installed. You can log in with the browser at “http://your_server_ip/torrentflux”. Beware, the username and password that you key in become the administrator username and password. The program will create the account for you once you have keyed them in.

I nearly forgot to tell you to open or forward the (default) ports 49160 to 49300 at the router or firewall. You can change them as desired.

Samba configuration

If you want to share the downloaded files with the intranet, just add the following lines at the end of /etc/samba/smb.conf :
[torrent]
comment = Share to all
path = /home/torrent
browseable = yes
read only = no
create mask = 0664
directory mask = 0664
valid users = samiux,john,mary
admin users = samiux

Access the torrent directory from a Windows system :
\\your_server_ip\torrent

Bonus

Transmission installation procedure :
sudo apt-get install libcurl4-openssl-dev gettext libc6-dev libssl-dev pkg-config

Download and install Transmission :
wget http://download.m0k.org/transmission/files/transmission-1.32.tar.bz2
tar -xjvf transmission-1.32.tar.bz2

cd transmission-1.32
./configure --without-gtk
make
sudo make install


HOWTO : Home made NAS server with Ubuntu 8.04.1 – Part VI

August 12, 2008

This part is also optional. Since the Samba share is used by Windows desktops, files stored on it may be infected by viruses. To prevent this, you should install ClamAV, the open source anti-virus program for Linux that kills Windows viruses.

ClamAV

Edit /etc/apt/sources.list and append the following lines at the end of the file :
sudo nano /etc/apt/sources.list

# ClamAV PPA
deb http://ppa.launchpad.net/ubuntu-clamav/ubuntu hardy main
deb-src http://ppa.launchpad.net/ubuntu-clamav/ubuntu hardy main

sudo apt-get update
sudo apt-get install clamav clamav-daemon arj unzoo lha unrar

Make sure clamav-daemon is running :
ps ax | grep clamd

If not :
sudo /etc/init.d/clamav-daemon start
sudo /etc/init.d/clamav-freshclam start

Scan and kill viruses if found at 03:00am every day :
sudo crontab -e

0 3 * * * clamscan -r -i --remove /home > /home/samiux/scan.txt

Remember to reconfigure ClamAV’s 15 threads to 3 or less in order to reduce the consumption of CPU resources; the con is that it takes longer to complete the virus scan of the whole system :
sudo dpkg-reconfigure clamav-base
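The cron line above overwrites scan.txt every night and nobody sees it unless they remember to look. As an added example (not from the original post), here is a small POSIX sh helper that reads a clamscan report, prints the flagged files and returns a non-zero status when the summary reports infections, so the nightly job can act on it; the report below is a constructed sample in clamscan's output format.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: turn the scan.txt written by
# the nightly "clamscan -r -i" job into something a cron wrapper can act on.
#
# SAMPLE_SCAN is a constructed excerpt in clamscan's report format: one
# "<path>: <signature> FOUND" line per hit (that is what -i leaves in the
# output) followed by the summary block. Eicar-Test-Signature is the name
# ClamAV gives the standard harmless test file.
SAMPLE_SCAN='/home/torrent/setup.exe: Eicar-Test-Signature FOUND
/home/john/mp3/track01.mp3.scr: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 403592
Engine version: 0.93.3
Scanned directories: 42
Scanned files: 1337
Infected files: 2
Data scanned: 512.00 MB
Time: 120.503 sec (2 m 0 s)'

# Print only the FOUND lines (path and signature) of a report read on stdin.
# grep exits 1 when nothing matches; a clean report is not an error here.
found_lines() {
    grep ' FOUND$' || true
}

# Print the "Infected files" figure from the summary block, or 0 if the
# report has no summary (e.g. clamscan was killed before it finished).
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p')
    printf '%s\n' "${n:-0}"
}

# Read a whole report on stdin. Return 0 for a clean report; print the
# flagged files and return 1 when the summary reports infections, so a
# cron wrapper can do "report_status < /home/samiux/scan.txt || <alert>".
report_status() {
    report=$(cat)
    count=$(printf '%s\n' "$report" | infected_count)
    if [ "$count" -gt 0 ]; then
        printf '%s\n' "$report" | found_lines
        return 1
    fi
    return 0
}

# Stand-alone demonstration against the constructed sample report.
if printf '%s\n' "$SAMPLE_SCAN" | report_status; then
    echo "scan report clean"
else
    echo "scan report lists infected files; exit status 1 for the cron wrapper"
fi
```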

Remarks : The current version of ClamAV at the time of this writing cannot scan RAR files. It is a bug and it will be fixed later.

Updated on 2008-AUG-19 :
I don’t know why Clamscan occupied a lot of CPU resources. Therefore, I killed all the threads and then stopped ClamAV, as well as uninstalling it.