Prakash Sawarkar: Kernel 3.8 Released, how to Compile in Redhat, CentOS and Fedora.

Sunday, 28 July 2013

Suricata 1.4.5 released! A Network Intrusion Detection and Prevention engine

Suricata is a high-performance Network IDS, IPS and Network Security Monitoring engine. It is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata Features
IDS / IPS
Suricata is a rule-based Intrusion Detection and Prevention engine that makes use of externally developed rule sets to monitor network traffic. It can handle multi-gigabit traffic and sends email alerts to the system/network administrators.
Multi-threading
Multi-threading gives Suricata speed and scalability when inspecting network traffic. The engine is designed to take advantage of the increased processing power offered by modern multi-core hardware.
Automatic Protocol Detection
The engine not only provides keywords for TCP, UDP, ICMP and IP, but also has built-in support for HTTP, FTP, TLS and SMB. A system administrator can create their own rules to detect a match within an HTTP stream, which makes a real difference for malware detection and control.
Fast IP Matching
The engine takes rules that are pure IP matches, such as those based on the RBN and compromised-IP lists at Emerging Threats, and places them in a dedicated fast-matching preprocessor.

Step 1: Installing Suricata in RHEL, CentOS

You must use Fedora's EPEL repository to install some needed packages for i386 and x86_64 systems.
EPEL (Extra Packages for Enterprise Linux) is an open source, free, community-based repository project from the Fedora team which provides 100% high-quality add-on software packages for Linux distributions including RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux. The EPEL project is not part of RHEL/CentOS but is designed for major Linux distributions, providing lots of open source packages for networking, system administration, programming, monitoring and so on. Most of the EPEL packages are maintained in the Fedora repository.

Enable EPEL Repository in RHEL/CentOS 6/5

First, you need to download the file using wget and then install it using RPM on your system to enable the EPEL repository. Use the links below based on your Linux OS version. (Make sure you are the root user.)

For RHEL/CentOS 6 32-64 Bit

## RHEL/CentOS 6 32-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

## RHEL/CentOS 6 64-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

For RHEL/CentOS 5 32-64 Bit

## RHEL/CentOS 5 32-Bit ##
# wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
# rpm -ivh epel-release-5-4.noarch.rpm

## RHEL/CentOS 5 64-Bit ##
# wget http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
# rpm -ivh epel-release-5-4.noarch.rpm

Verify EPEL Repo

# yum  repolist
# yum -v repolist | less
# yum -v repolist

Before you can compile and build Suricata for your system, install the following dependency packages that are required for further installation. The process may take a while to complete, depending on the internet speed.
# yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
   pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
   libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel magic magic-devel file file-devel

IPS Support
Next, build Suricata with IPS support. For this we need the “libnfnetlink” and “libnetfilter_queue” packages, but pre-built packages are not available in the EPEL or CentOS Base repositories. So we need to download and install the RPMs from the Emerging Threats CentOS repository.

For 32-Bit

# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-devel-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-0.0.30-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-devel-0.0.30-1.i386.rpm

For 64-Bit

# rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-0.0.30-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-0.0.30-1.x86_64.rpm

Download the latest Suricata source files and build them using the following commands.
# cd /tmp
# wget http://www.openinfosecfoundation.org/download/suricata-1.4.5.tar.gz
# tar -xvzf suricata-1.4.5.tar.gz
# cd suricata-1.4.5

Now we use Suricata's auto-setup feature to automatically create all the necessary directories, configuration files and the latest rulesets.

# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full

Step 2: Suricata Basic Setup

After downloading and installing Suricata, it is time to proceed to the basic setup. Create the following directories.

# mkdir /var/log/suricata
# mkdir /etc/suricata

The next part is to copy configuration files such as “classification.config“, “reference.config” and “suricata.yaml” from the base build installation directory.

# cd /tmp/suricata-1.4.5
# cp classification.config /etc/suricata
# cp reference.config /etc/suricata
# cp suricata.yaml /etc/suricata

Finally, start the “Suricata Engine” for the first time and specify the interface device name of your preference. Instead of eth0, you can specify the network card of your choice.

# suricata -c /etc/suricata/suricata.yaml -i eth0
19/8/2013 -- 21:02:17 - <Info> - This is Suricata version 1.4.5 RELEASE
19/8/2013 -- 21:02:17 - <Info> - CPUs/cores online: 2
19/8/2013 -- 21:02:17 - <Info> - Found an MTU of 1500 for 'eth0'
19/8/2013 -- 21:02:17 - <Info> - allocated 3670016 bytes of memory for the defrag hash... 65536 buckets of size 56
19/8/2013 -- 21:02:17 - <Info> - preallocated 65535 defrag trackers of size 144
19/8/2013 -- 21:02:17 - <Info> - defrag memory usage: 13107056 bytes, maximum: 33554432
19/8/2013 -- 21:02:55 - <Info> - all 4 packet processing threads, 3 management threads initialized, engine started.

After several minutes, check that the engine is working correctly and is receiving and inspecting traffic.
# cd /usr/local/var/log/suricata/
# ls -l
-rw-r--r--. 1 root root 289910 Aug 19 21:05 fast.log
drwxr-xr-x. 2 root root   4096 Aug 19 20:16 files
-rw-r--r--. 1 root root      0 Aug 19 20:23 http.log
-rw-r--r--. 1 root root 286167 Aug 19 21:05 stats.log
-rw-r--r--. 1 root root 262586 Aug 19 20:30 unified2.alert.1376923989
-rw-r--r--. 1 root root  66517 Aug 19 21:05 unified2.alert.1376926375

Watch the “stats.log” file and make sure the displayed information is updated in real time.

# tail -f stats.log
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
detect.alert              | Detect                    | 310
flow_mgr.closed_pruned    | FlowManagerThread         | 0
flow_mgr.new_pruned       | FlowManagerThread         | 1226
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 6489568
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0
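To go with the check above, here is an added example (not part of the original post) that parses stats.log lines in the format shown and compares two snapshots taken a few seconds apart, flagging the conditions that mean traffic is not actually being inspected. The counter names from the post are used as shown; capture.kernel_packets, capture.kernel_drops, decoder.pkts and the thread name RxPcapeth01 are assumed from Suricata 1.4's stats output, and the two snapshots are constructed sample data.

```python
import re

# Each stats.log line reads "counter | thread | value", as in the tail -f output above.
STATS_LINE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\w+)\s*\|\s*(\d+)\s*$")

# Constructed sample: two dumps of the same counters taken a few seconds apart.
# Thread names and the capture.*/decoder.* counters are assumed from Suricata 1.4;
# the remaining counter names are the ones shown in the post above.
SNAPSHOT_1 = """\
capture.kernel_packets    | RxPcapeth01               | 12000
capture.kernel_drops      | RxPcapeth01               | 0
decoder.pkts              | RxPcapeth01               | 12000
tcp.reassembly_gap        | Detect                    | 0
detect.alert              | Detect                    | 310
flow_mgr.new_pruned       | FlowManagerThread         | 1226
flow.memuse               | FlowManagerThread         | 6489568
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
"""
SNAPSHOT_2 = """\
capture.kernel_packets    | RxPcapeth01               | 12000
capture.kernel_drops      | RxPcapeth01               | 250
decoder.pkts              | RxPcapeth01               | 12000
tcp.reassembly_gap        | Detect                    | 3
detect.alert              | Detect                    | 310
flow_mgr.new_pruned       | FlowManagerThread         | 1300
flow.memuse               | FlowManagerThread         | 6489568
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 1
"""

def parse_stats(text):
    """Return {counter: value}. The same counter is reported once per thread
    (e.g. one decoder.pkts line per capture thread), so values are summed."""
    counters = {}
    for line in text.splitlines():
        m = STATS_LINE.match(line)
        if m:
            counters[m.group(1)] = counters.get(m.group(1), 0) + int(m.group(3))
    return counters

def health_check(before, after):
    """Compare two snapshots; returns a list of findings (empty means healthy)."""
    findings = []
    # These counters must keep advancing while traffic flows through the engine.
    for name in ("capture.kernel_packets", "decoder.pkts", "flow_mgr.new_pruned"):
        if name in before and name in after and after[name] <= before[name]:
            findings.append(f"{name} did not advance ({before[name]} -> {after[name]})")
    # Rising values here mean packets or stream data were never fully inspected.
    for name, meaning in (("capture.kernel_drops", "packets dropped before inspection"),
                          ("tcp.reassembly_gap", "TCP streams inspected with missing segments")):
        if after.get(name, 0) > before.get(name, 0):
            findings.append(f"{name} rose to {after[name]}: {meaning}")
    # Emergency mode means the flow table hit its memcap and is pruning aggressively.
    if after.get("flow.emerg_mode_entered", 0) > 0:
        findings.append("flow engine entered emergency mode; raise flow.memcap in suricata.yaml")
    return findings

if __name__ == "__main__":
    for finding in health_check(parse_stats(SNAPSHOT_1), parse_stats(SNAPSHOT_2)):
        print("WARN:", finding)
```

On a live sensor, feed it two copies of the stats.log block captured about ten seconds apart; an empty result means packets are flowing and being inspected.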

Friday, 31 May 2013

Monit

Monit is a free, open source utility for managing and monitoring processes, programs, files, directories and filesystems on a UNIX system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.

Monday, 11 March 2013

How to Install Linux (LAMP) Apache, MySQL 5.5.30 & PHP 5.4.12 on RHEL/CentOS

Installing LAMP using yum is very easy and takes only minutes. This is a good option for beginners who don't feel comfortable installing from source.

Installing  Apache, MySQL 5.5.30 & PHP 5.4.12 on RHEL 6.3/6.2/6.1/6.0/5.9/5.8/5.6, CentOS 6.3/6.2/6.1/6.0/5.9/5.8/5.6 (LAMP)

Step 1: Stop iptables

# service iptables stop
# chkconfig iptables off

Step 2: Installing Repository

Install Remi & EPEL Repository on RHEL/CentOS 6.3-6.0 - 32-Bit
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

Install Remi & EPEL Repository on RHEL/CentOS 6.3-6.0 - 64-Bit
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

Install Remi & EPEL Repository on RHEL/CentOS 5.9-5.0 - 32-Bit
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
# rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm

Install Remi & EPEL Repository on RHEL/CentOS 5.9-5.0 - 64-Bit
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
# rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-5.rpm

Step 3: Installing Apache, MySQL 5.5.30 & PHP 5.4.12 Modules

# yum --enablerepo=remi,remi-test install httpd mysql mysql-server mysql-devel php php-common php-mysql php-pgsql php-mbstring php-mcrypt

Step 4: Starting/Stopping Apache & MySQL 5.5.30

Enable Apache and MySQL on Run-Levels

# /etc/init.d/httpd start
# /etc/init.d/mysqld start

# chkconfig --levels 235 httpd on
# chkconfig --levels 235 mysqld on

Step 5: Secure Installation of MySQL

# mysql_secure_installation

During the installation, MySQL asks for your permission twice; after you say Yes to both, MySQL installs. Once it is installed, you can set a root MySQL password with this script.
The script first asks for your current root password. Since you just installed MySQL, you most likely won't have one, so leave it blank by pressing Enter.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Then it asks whether you want to set a root password. Choose Y and follow the instructions.
CentOS automates the rest of the MySQL setup by asking a series of yes or no questions. It is easiest to say Yes to all of them. At the end, MySQL reloads the privilege tables and the changes take effect.

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y                                            
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!
Test MySQL
To run a quick test, use the command line program mysql and log in to the MySQL root account. When prompted, enter the root password you set above.
# mysql -u root -p
Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.5.30 MySQL Community Server (GPL) by Remi
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
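As an added example (not part of the original post), here is a check that the hardening mysql_secure_installation performs has actually taken effect. It is fed with constructed rows in the shape of `SELECT User, Host, Password FROM mysql.user;` and `SHOW DATABASES;` on MySQL 5.5; the remediation statements are the same ones the script itself runs, and the host name kernelp is a placeholder.

```python
# Hosts from which root may legitimately connect after mysql_secure_installation.
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

def audit_mysql(user_rows, databases):
    """Return a list of (finding, remediation_sql) pairs for everything
    mysql_secure_installation would have changed; empty means already hardened."""
    findings = []
    remote_root_seen = False
    for user, host, password in user_rows:
        if user == "":
            findings.append((f"anonymous account for host '{host}'",
                             f"DROP USER ''@'{host}';"))
        elif user == "root" and host not in LOCAL_HOSTS:
            if not remote_root_seen:   # one DELETE covers every remote root row
                findings.append((f"root may log in remotely (e.g. from '{host}')",
                                 "DELETE FROM mysql.user WHERE User='root' "
                                 "AND Host NOT IN ('localhost','127.0.0.1','::1');"))
            remote_root_seen = True
        elif user == "root" and password == "":
            findings.append((f"root@'{host}' has an empty password",
                             f"SET PASSWORD FOR 'root'@'{host}' = PASSWORD('<new-password>');"))
    if "test" in databases:
        findings.append(("'test' database is still present",
                         "DROP DATABASE test; DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';"))
    if findings:
        findings.append(("reload privilege tables", "FLUSH PRIVILEGES;"))
    return findings

# Constructed sample: the account table of a fresh MySQL 5.5 install before
# mysql_secure_installation has run ("kernelp" is a placeholder host name).
SAMPLE_USERS = [
    ("root", "localhost", ""),
    ("root", "kernelp", ""),
    ("root", "127.0.0.1", ""),
    ("", "localhost", ""),
    ("", "kernelp", ""),
]
SAMPLE_DATABASES = ["information_schema", "mysql", "test"]

if __name__ == "__main__":
    for finding, sql in audit_mysql(SAMPLE_USERS, SAMPLE_DATABASES):
        print(f"-- {finding}\n{sql}")
```

Run the two SELECT statements as root after the script finishes and paste the rows into the lists; anything the function still reports was not applied.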

Step 6: Verifying Apache, MySQL 5.5.30 & PHP 5.4.12

1. Create a page called phpinfo.php under your Apache root directory and add the following lines to it. For example (/var/www/html/phpinfo.php).

<?php
    phpinfo();
?>

2. Now access the page via a web browser, e.g. http://localhost/phpinfo.php. You will see the PHP information page.

Wednesday, 6 March 2013

Kernel 3.8 Released, how to Compile in Redhat, CentOS and Fedora.

Before starting to compile the kernel, make sure the system has all the necessary packages installed.

Kernel 3.8 Dependencies


rpmdevtools
yum-utils
qt3-devel
libXi-devel
gcc
ncurses
ncurses-devel

yum-utils is a default package. To install the other packages, use the following commands.

# yum install rpmdevtools yum-utils
# yum install qt3-devel libXi-devel
# yum install gcc ncurses ncurses-devel

After that

# yum update

Step 1: Downloading Kernel 3.8

Download the latest Kernel 3.8 using the wget command.

# cd /tmp
# wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.8.2.tar.bz2

Step 2: Extracting Kernel 3.8

# tar -xvf linux-3.8.2.tar.bz2 -C /usr/src/

# cd /usr/src/linux-3.8.2/

Step 3: Configuring Kernel 3.8

Run the following command:

# make menuconfig

You will get a screen similar to the one below, where you see a number of menus to select the configuration for your latest kernel.

You have to select different options as per your need. Each configuration option has a HELP button associated with it; select it to get help.

If you would like to configure your latest kernel with your old configuration, simply type the command below.

# make oldconfig

Step 4: Compiling Kernel 3.8

# make

The compilation will take at least 30-50 minutes, depending on your system configuration.

Step 5: Installing Kernel 3.8

# make modules_install install

After installing, make sure the new kernel has an entry in your grub.conf file.

Step 6: Verifying Kernel 3.8

To verify newly installed Kernel after reboot just type the following command on the terminal.

# uname -r


Sunday, 30 December 2012

How to Install SVN (Subversion) 1.7.8 Server Using uberSVN 13.2 on RedHat/CentOS

SVN (Subversion) is a free, open source version control system. It is used to manage files and directories and the modifications made to them over a period of time. In short, if your server fails, Subversion allows you to recover older or updated versions of your data by examining the history of how it has changed over time. Sounds great, doesn't it? But that's not all: it also keeps track of the exact modifications made to files in the past. In fact, you can even compare the older version and the newer version directly. Subversion also has some key features.

SVN Features
* Versioning can be done on individual files and directories.
* Provision for copying, adding, deleting and renaming of files and directories.
* Keeps track of file and directory properties over time, thereby providing a detailed history.
* Easy to implement new network functions.
* Subversion works with other software and programming languages.

What is uberSVN?
uberSVN is a free, open source application that provides a complete, intuitive and configurable web interface for Subversion, with an integrated social coding environment built on the Apache Subversion versioning and revision control system. This makes life much easier for both users and programmers. Additional features of uberSVN are as follows.

uberSVN Features
* Provides a real-time coding interface that allows developers to collaborate on the code they commit to the repository.
* A web interface for managing server settings, user permissions and creating new repositories.
* Support for LDAP server integration for user authentication.
* Provides an automated, up-to-date updater for installing updates quickly.
* A web-based interface for accessing repositories and managing user permissions.
* A tab manager to include and configure other pages served by other web applications.

Requirements:-
TCP/IP networking must be configured and working.
uberSVN requires Java Runtime Environment.

Step 1: Downloading uberSVN Installer
Download the latest uberSVN 13.2 installer using the wget command (or go to the http://www.ubersvn.com/download page to download the latest version).

## 32-Bit ##
# cd /opt
# wget http://download.jp.as.ubersvn.com/uberSVN-32-1204.sh

## 64-Bit ##
# cd /opt
# wget http://download.jp.as.ubersvn.com/uberSVN-64-1302.sh

Step 2: Setting Executable Permission
Set the executable permission on the installer using the chmod command.
# chmod +x uberSVN-xxxx.sh
Step 3: Running Installer
1. Run the installer to download files to your current directory, using the command.
# ./uberSVN-xxxx.sh
Silent Install Option
On Linux you can use a 'silent install' option with the arguments "-- -s", like this:
# ./uberSVN-32-1209.sh -- -s
This will install to the default /opt/ubersvn location.
2. The installer will start by extracting a number of files. Seeing a huge number of dots is normal.
3. You'll be warned that the installer is for new deployments of uberSVN and should not be used for updating existing installations. Enter “Y“.
IMPORTANT: This installer is for new deployments of uberSVN and should not be used for updating existing installations!
Do you wish to continue with the installation? [Y/n] y
4. Next, you’re asked where uberSVN should be installed. Press Enter.
Where should uberSVN be installed? Note that installing to /root or a home directory (eg /home/name) may cause permission issues and is not recommended.
Enter installation location (/opt/ubersvn):
5. You are asked to confirm your install location. Enter "Y".
Are you sure you want to install to: /opt/ubersvn/ubersvn? [Y/n] y
6. You will be asked to confirm whether you want uberSVN to run on a port below 1024.
Apache Subversion may be installed with the ability to run on a privileged port number below 1024. See http://www.ubersvn.com/below1024 for security considerations.
Allow Apache Subversion to run on a port below 1024? [y/N] y
7. Next you will be asked if you want to start uberSVN on boot. Enter “Y“.
Linux distribution was detected as Redhat
Do you want uberSVN to start on boot? (y/n) (y)
8. The installation will now prompt you to the URL of web interface screen, go to your browser and enter the below provided URL.
Your uberSVN installation is nearly ready. Visit the following URL to complete configuration:
http://yourip:9890/ubersvn
Step 4: Configuring uberSVN Interface
1. This is the first uberSVN setup screen. It shows you the Installation Directory, Repository Storage Location and uberSVN key. If you don't have a key, follow the link on this screen to get a free key. Click the Next button to continue.
2. Create the Admin User's account. Enter the full name, email address and user name, and provide a password. To continue, click the Next button.
3. Next, set up Portal and Apache. These settings control your and your users' access to uberSVN and the repositories you set up. Enter the BASE URL with your machine's actual IP address, the uberSVN Port and the Apache Subversion Port. These settings ensure that your Subversion repositories will be available on the network. Click the Next button to continue.
4. Next, set up Email Settings to send out emails to your users. Enter your mail server details, or select “No“ if you don't want to use this email feature or want to come back to these settings later.
5. uberSVN will take some time to apply your settings. Once setup is complete you will be able to click the Start using uberSVN button.
Step 5: Logging into uberSVN Interface
You will get a login prompt. Enter the admin username and password that you entered in Step 4, point #2.
Step 6: Creating Repositories and Adding Users
You’re now at Subversion panel, where you can easily create new repositories and set access for users.

Step 7: Starting/Stopping Subversion
1. Open a terminal and log in to the system. Go to uberSVN's binary directory.
# cd /opt/ubersvn/bin
2. Now run the start/stop script from here.
[root@kernelp bin]# ./ubersvncontrol start
Starting Tomcat
Using CATALINA_BASE:   /opt/ubersvn/tomcat
Using CATALINA_HOME:   /opt/ubersvn/tomcat
Using CATALINA_TMPDIR: /opt/ubersvn/tomcat/temp
Using JRE_HOME:        /home/user/jre
Using CLASSPATH:       /opt/ubersvn/tomcat/bin/bootstrap.jar
Please allow 30 seconds or so for the uberSVN portal to start

That's it! For more details on setting up new repositories, adding users, adding teams etc., visit docs.ubersvn.com/v1.0/admin.html