HOWTO : Intrusion Prevention System (IPS) with ZeroShell, EasyIDS and Guardian

Part A : Router – ZeroShell
To set up a Gigabit router, please follow the link below :
https://samiux.wordpress.com/2008/08/17/howto-home-made-wired-and-wireless-router-with-zeroshell/

Part B : IDS – EasyIDS
To set up an Intrusion Detection System (IDS), please follow the link below :
https://samiux.wordpress.com/2008/10/02/howto-intrusion-detection-system-made-easy/

Part C : IPS – Guardian

Step 0 :
ssh to EasyIDS.
ssh 192.168.0.200 -l root

Step 1 :
Go to http://www.chaotic.org/guardian/ to download Guardian. The current version as of this writing is 1.7.
wget http://www.chaotic.org/guardian/guardian-1.7.tar.gz

Step 2 :
Untar the package.
tar -xzvf guardian-1.7.tar.gz

Step 3 :
cd guardian-1.7
cp guardian.pl /usr/local/bin/
cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
cp guardian.conf /etc/snort/
touch /etc/snort/guardian.ignore
touch /etc/snort/guardian.target
touch /var/log/snort/guardian.log

Step 4 :
vi /etc/snort/guardian.conf

Make the file look like this (your HostIpAddr, the router's public address, will differ from mine).
HostIpAddr 218.190.113.253
Interface ETH01
HostGatewayByte 75
Logfile /var/log/snort/guardian.log
AlertFile /var/log/messages
IgnoreFile /etc/snort/guardian.ignore
TargetFile /etc/snort/guardian.target
TimeLimit 86400

Step 5 :
vi /usr/local/bin/guardian_block.sh

#———— CUT HERE ——————#
#!/bin/sh

# Block script for guardian (adapted from scripts/iptables_block.sh; the
# original comment still said "ipchains", but the script uses iptables).
# Guardian calls it as:
#   guardian_block.sh <source ip> <interface>
# and the script tells the ZeroShell firewall to drop all traffic from that
# source address. The logic of whether or not it is safe to block that address
# (guardian.ignore, the host's own address, the gateway) is done inside guardian.
source=$1
interface=$2
firewall_ip="192.168.0.75"   # ZeroShell's LAN address, reached with the passphrase-less key from Part D

ssh root@"$firewall_ip" "iptables -I INPUT -s $source -i $interface -j DROP"
ssh root@"$firewall_ip" "iptables -I FORWARD -s $source -i $interface -j DROP"
# change the recipient to your own address
echo "$source is blocked!" | mail -s "Snort alert is blocked" snort.alert.samiux@gmail.com

#————-CUT HERE —————–#

Step 6 :
vi /usr/local/bin/guardian_unblock.sh

#————-CUT HERE —————–#
#!/bin/sh

# Unblock script for guardian (adapted from scripts/iptables_unblock.sh).
# Guardian calls it once TimeLimit seconds have passed, as:
#   guardian_unblock.sh <source ip> <interface>
# and the script removes the rules that guardian_block.sh added for that address.
source=$1
interface=$2
firewall_ip="192.168.0.75"   # ZeroShell's LAN address

ssh root@"$firewall_ip" "iptables -D INPUT -s $source -i $interface -j DROP"
ssh root@"$firewall_ip" "iptables -D FORWARD -s $source -i $interface -j DROP"
# change the recipient to your own address
echo "$source was blocked for 24 hours and is now released!" | mail -s "Snort alert is released" snort.alert.samiux@gmail.com

#————-CUT HERE ——————#

Step 7 :

vi guardian.sh
#————— CUT HERE —————–#
#!/bin/bash

# Minimal start/stop/status wrapper for guardian.pl.
# The pattern 'guardian.pl *-c' matches the daemon's command line but not the
# grep process itself (its own argv contains the literal "*", so the regex
# fails), so no "grep -v grep" is needed.
PATTERN='guardian.pl *-c'

start()
{
    export PATH=$PATH:/usr/local/bin
    /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
}

stop()
{
    if ps aux | grep "$PATTERN" > /dev/null 2>&1; then
        kill $(ps aux | grep "$PATTERN" | awk '{print $2}')
    else
        echo "Guardian is not running ....."
    fi
}

status()
{
    if ps aux | grep "$PATTERN" > /dev/null 2>&1; then
        echo "Guardian is Running ....."
    else
        echo "Guardian is not Running ...."
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        ;;
esac

#————— CUT HERE —————–#

chmod +x guardian.sh
cp guardian.sh /usr/local/bin/guardian.sh

Usage : guardian.sh [start|stop|restart|status]

Step 8 :
vi /etc/rc.d/rc.local

Append the following line.
/usr/local/bin/guardian.sh start

Part D : Making them work together

Step a :
SSH to your ZeroShell, log in as “admin”, and drop to a shell by selecting “s”.

In the /Database directory (ZeroShell's persistent storage), create a directory named “startup”.

Copy /etc/ssh/sshd_config to /Database/startup/sshd_config.

Edit /Database/startup/sshd_config: comment out “AllowUsers admin” (so that root may log in) and uncomment “#AuthorizedKeysFile .ssh/authorized_keys”.

Looks like this :
#AllowUsers admin
AuthorizedKeysFile .ssh/authorized_keys

Step b :

SSH to the sensor (EasyIDS). Run “ssh-keygen -t rsa” to generate a public/private key pair in /root/.ssh/.

DO NOT ENTER A PASSPHRASE. Guardian calls the block script unattended, so the key cannot be protected by a passphrase; it therefore gives whoever controls the sensor root on the firewall. Keep /root/.ssh/id_rsa readable by root only, and if you can, restrict the key in authorized_keys with a from="192.168.0.200" option and a command="..." forced command so it can run nothing but the block and unblock commands.

On ZeroShell, create /Database/startup/.ssh (the rc.local in Step c copies it to /root/.ssh at every boot) and paste the content of the sensor's /root/.ssh/id_rsa.pub into /Database/startup/.ssh/authorized_keys with a text editor. For the current session, also make sure /root/.ssh exists on ZeroShell:

mkdir /root/.ssh

Step c :
Create a startup script at /Database/startup/rc.local.

vi /Database/startup/rc.local

#———- CUT HERE —————-#
#!/bin/sh
# Runs at every ZeroShell boot (Step d): restore sshd_config and root's
# authorized_keys from the persistent /Database, then restart sshd.
/bin/cp /Database/startup/sshd_config /etc/ssh/sshd_config
/bin/cp -Rp /Database/startup/.ssh /root/.ssh
# replace YOUR_ROOT_PASSWORD with the root password you want set at every boot
echo "root:YOUR_ROOT_PASSWORD" | /usr/sbin/chpasswd
/sbin/service sshd restart

#———– CUT HERE —————#

chmod 755 /Database/startup/rc.local
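Step c hands the sensor's passphrase-less key an unrestricted root shell on ZeroShell, although Steps 5 and 6 only ever need it to run two iptables commands. The wrapper below is an added example, not part of Guardian, ZeroShell or the original post. It assumes a hypothetical path /Database/startup/guardian-cmd.sh on ZeroShell, and that guardian_block.sh and guardian_unblock.sh on EasyIDS are changed to run `ssh root@192.168.0.75 block "$1" "$2"` and `ssh root@192.168.0.75 unblock "$1" "$2"` instead of sending raw iptables command lines. The wrapper is installed by prefixing the key in /Database/startup/.ssh/authorized_keys with `command="/Database/startup/guardian-cmd.sh",from="192.168.0.200",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`; sshd then runs it for every login with the sensor's request in SSH_ORIGINAL_COMMAND, and only those two verbs, with a validated address and interface, ever reach iptables.

```shell
#!/bin/sh
# /Database/startup/guardian-cmd.sh (hypothetical path; added example, not Guardian or ZeroShell code)
# Forced command for the EasyIDS key on ZeroShell. Only "block IP IFACE" and
# "unblock IP IFACE" are honoured; everything else is refused with status 2.
#
# authorized_keys entry (one line):
#   command="/Database/startup/guardian-cmd.sh",from="192.168.0.200",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... root@easyids
# sensor side, in guardian_block.sh:
#   ssh root@192.168.0.75 block "$1" "$2"

set -f                                    # no globbing while we word-split untrusted input
IPTABLES=${IPTABLES:-/usr/sbin/iptables}  # point at an echo-like function to dry-run

# is_ipv4 A.B.C.D -> success only for four dotted decimal octets in 0..255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(printf '%s\n' "$1" | tr . ' ')
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_iface NAME -> success for a plain interface name such as ETH01 or eth0
is_iface() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_.-]{0,14}$'
}

# guardian_apply VERB IP IFACE -> insert (block) or delete (unblock) the two DROP rules
guardian_apply() {
    verb=$1
    ip=$2
    iface=$3
    is_ipv4 "$ip"     || { echo "refused: bad address '$ip'" >&2; return 2; }
    is_iface "$iface" || { echo "refused: bad interface '$iface'" >&2; return 2; }
    case "$verb" in
        block)   op=-I ;;
        unblock) op=-D ;;
        *) echo "refused: unknown verb '$verb'" >&2; return 2 ;;
    esac
    "$IPTABLES" "$op" INPUT   -s "$ip" -i "$iface" -j DROP &&
    "$IPTABLES" "$op" FORWARD -s "$ip" -i "$iface" -j DROP
}

# guardian_dispatch "VERB IP IFACE" -> split the request on whitespace and apply it;
# anything with more or fewer than three words ("block 1.2.3.4 ETH01; sh") is refused
guardian_dispatch() {
    set -- $1
    [ $# -eq 3 ] || { echo "refused: expected 'block|unblock IP IFACE'" >&2; return 2; }
    guardian_apply "$1" "$2" "$3"
}

# When sshd runs this as a forced command, the sensor's request is in SSH_ORIGINAL_COMMAND.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    guardian_dispatch "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

Before installing it, source the file in a shell, set IPTABLES to a function that just echoes its arguments and call guardian_dispatch with a few good and bad requests; once the forced command is in place, a stolen key can still block and unblock addresses (a denial-of-service lever, which is why the from= option matters) but cannot run anything else on the firewall.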

Step d :
Login to your ZeroShell and go to “Setup” and then “Startup“.
Enable the startup configuration and add “/Database/startup/rc.local” to the startup script and save it. Reboot the Zeroshell.

Make sure ZeroShell's SSH service accepts connections from 192.168.0.200 (EasyIDS) on ETH00; otherwise the block script's ssh calls will be refused.

Step e :
Go to EasyIDS by ssh. Edit /etc/snort/guardian.target so that Guardian only acts on alerts whose destination is that IP (the router's public address from guardian.conf).
vi /etc/snort/guardian.target
Add :
218.190.113.253

vi /etc/snort/guardian.ignore
Add :
127.0.0.1
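Step e is what makes Guardian selective: it only reacts to alerts whose destination is listed in guardian.target, and it never blocks a source listed in guardian.ignore. The shell function below is an added example, not Guardian's own parser, that applies the same two tests to Snort syslog lines so you can see which sources would be blocked before switching the blocking on. It assumes the `{PROTO} src[:port] -> dst[:port]` tail that Snort's alert_syslog output (Step f) writes to /var/log/messages; the five log lines in demo() are constructed for this example, not captured from a real sensor.

```shell
#!/bin/sh
# Added example: replay Guardian's target/ignore decision over Snort syslog alerts.
# Not Guardian's own code; the "{PROTO} src[:port] -> dst[:port]" line ending is
# assumed from Snort's alert_syslog output.

# guardian_candidates TARGETFILE IGNOREFILE  < snort-syslog-lines
# Prints each source IP at most once when the alert's destination is in TARGETFILE
# and the source is not in IGNOREFILE (the same two files named in guardian.conf).
guardian_candidates() {
    awk -v targets="$1" -v ignores="$2" '
    BEGIN {
        # one IP per line in both files; blank and comment lines are skipped
        while ((getline l < targets) > 0) if (l ~ /^[0-9]/) target[l] = 1
        while ((getline l < ignores) > 0) if (l ~ /^[0-9]/) ignore[l] = 1
    }
    # only lines ending in "{PROTO} src[:port] -> dst[:port]" are Snort alerts
    match($0, /[{][A-Z]+[}] [0-9.]+(:[0-9]+)? -> [0-9.]+(:[0-9]+)?$/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        src = f[2]; dst = f[4]
        sub(/:[0-9]+$/, "", src)        # strip ports; Guardian blocks by address
        sub(/:[0-9]+$/, "", dst)
        if ((dst in target) && !(src in ignore) && !(src in seen)) {
            seen[src] = 1
            print src
        }
    }'
}

# demo: constructed sample data (not real logs) mirroring the files from Step e
demo() {
    d=$(mktemp -d)
    printf '%s\n' 218.190.113.253 > "$d/guardian.target"
    printf '%s\n' 127.0.0.1 192.168.0.200 > "$d/guardian.ignore"
    cat > "$d/messages" <<'EOF'
Oct  5 10:11:12 easyids snort[2345]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 203.0.113.9 -> 218.190.113.253
Oct  5 10:11:13 easyids snort[2345]: [1:1418:11] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 203.0.113.9:40111 -> 218.190.113.253:161
Oct  5 10:11:14 easyids snort[2345]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 198.51.100.7:1434 -> 192.168.0.22:1434
Oct  5 10:11:15 easyids snort[2345]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: {ICMP} 192.168.0.200 -> 218.190.113.253
Oct  5 10:11:16 easyids sshd[2400]: Accepted publickey for root from 192.168.0.200 port 51022 ssh2
EOF
    # prints 203.0.113.9 only: 198.51.100.7 hit a host that is not a target,
    # 192.168.0.200 is on the ignore list, and the sshd line is not an alert
    guardian_candidates "$d/guardian.target" "$d/guardian.ignore" < "$d/messages"
    rm -rf "$d"
}

demo
```

Running `guardian_candidates /etc/snort/guardian.target /etc/snort/guardian.ignore < /var/log/messages` on the sensor lists the addresses Guardian would have handed to guardian_block.sh; if your own workstation shows up, add it to guardian.ignore before Step g.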

Step f :
vi /etc/snort/snort.conf
uncomment “output alert_syslog: LOG_AUTH LOG_ALERT”

service snort restart

Step g :
Finally, when everything is setup and okay, you should stop and start the guardian.sh to activate the blocking feature.
guardian.sh stop
guardian.sh start

At this point you should be able to SSH from EasyIDS to ZeroShell as root without being asked for a password. If you are still prompted, the block script's ssh calls will fail and nothing will be blocked.

Step h :
You can also tune EasyIDS the way Ubuntu is tuned in this blog's “Performance tuning” post.

Remarks : After observation and experiment, EasyIDS requires some time before it works. It may need to capture some traffic before it detects the alert.

Part E : Testing
Step I :
Install idswakeup and nmap on a test machine to exercise the IPS.
sudo apt-get update
sudo apt-get install idswakeup
sudo apt-get install nmap

For example (111.222.333.444 is a placeholder for the source address idswakeup should spoof, not a valid IP; 218.190.113.253 is the router's public address):
sudo idswakeup 111.222.333.444 218.190.113.253 1 10
sudo nmap -v -sS 218.190.113.253

Note that the nmap scan is not spoofed, so the test machine's own address is what gets blocked, for TimeLimit seconds (24 hours with the guardian.conf above) unless it is listed in guardian.ignore. Run it from a host you can afford to lock out, or unblock it on ZeroShell afterwards.

Step II :
Log in to ZeroShell and check the firewall (the INPUT and FORWARD chains) for a DROP rule whose source is 111.222.333.444, or whichever source you used. If it is there, your IPS is set up successfully.

Remarks :
If you restart Snort, restart Guardian immediately as well. Otherwise Guardian cannot block the suspicious IPs.


One Response

  1. Stumbled on instructions on how to install Zeroshell while researching on it: http://computing-tips.net/Solution_Howto_install_Zeroshell_Hard_drive_WinXP/
