Posted by: kezhong | October 30, 2012

Install brutessh on CentOS 5.8

For security reasons, our NOC team needs to limit SSH access from outside for our customers so as to prevent SSH brute force attacks. After tuning the firewall on the routers, we need to test whether the firewall actually works, so we installed brutessh to simulate SSH brute force attacks against our own test server. Beware: don't use brutessh against other people's IPs.

Install the Python crypto and paramiko modules
# wget
# rpm -ivh python-crypto-2.0.1-1.el5.rf.x86_64.rpm
# wget
# rpm -ivh python-paramiko-1.7.6-1.el5.rf.noarch.rpm

Install brutessh
# wget
# tar xvf brutessh-06.tar
# cd brutessh
# chmod 744 *.py

Make up a password list file named passlist.txt, or download the dictionary from John the Ripper as described in my previous post

Simulate SSH brute force attacks
# python -h -u root -d passlist.txt
*SSH Bruteforcer Ver. 0.6           *
*Coded by Christian Martorella      *
*Edge-Security Research             *
*      *

Username: root
Password file: passlist.txt
Trying password…
2/3 password

Times — > Init: 0.02 End: 0.28

On the attacked test server, we can watch the attempts arrive in the log.
# tail -f /var/log/secure
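Watching tail -f only shows that something is happening. To confirm the test reached the server and to see how many attempts came from which source, the following script (an added example, not part of the original post) summarises "Failed password" lines in the /var/log/secure format per source address. The log lines embedded in it are constructed samples; point the functions at the real /var/log/secure on the test server instead.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH logins per
# source address in an OpenSSH auth log such as CentOS 5's /var/log/secure,
# so a brute-force test run can be verified from the target server's side.

# Constructed sample log lines in /var/log/secure format (not real traffic).
SAMPLE_LOG='Oct 30 10:15:01 test sshd[2101]: Failed password for root from 10.0.0.5 port 40122 ssh2
Oct 30 10:15:01 test sshd[2103]: Failed password for root from 10.0.0.5 port 40123 ssh2
Oct 30 10:15:02 test sshd[2105]: Accepted password for root from 10.0.0.5 port 40124 ssh2
Oct 30 10:15:03 test sshd[2107]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2
Oct 30 10:15:04 test sshd[2109]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9'

# failed_by_ip FILE
#   Prints "COUNT IP" for every source address with failed password attempts,
#   most attempts first. Both the "for USER from IP" and the
#   "for invalid user USER from IP" forms are handled by taking the word
#   that follows "from".
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip[$(i+1)]++; break }
         }
         END { for (a in ip) printf "%d %s\n", ip[a], a }' "$1" | sort -rn
}

# top_offender FILE
#   Prints only the address with the most failures (handy for a threshold check).
top_offender() {
    failed_by_ip "$1" | head -n 1 | cut -d' ' -f2
}

# accepted_logins FILE
#   Number of successful logins in the same window. A brute-force test that
#   ends with an "Accepted" line is the event worth alerting on.
accepted_logins() {
    grep -c 'sshd\[[0-9]*\]: Accepted ' "$1"
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "Failed password attempts by source:"
    failed_by_ip "$tmp"
    echo "Top offender: $(top_offender "$tmp")"
    echo "Accepted logins: $(accepted_logins "$tmp")"
    rm -f "$tmp"
}

main
```

On the real server run `failed_by_ip /var/log/secure` after the brutessh run; if the firewall rule works, the only address in the output should be the test machine you launched it from, and any address that is not yours means the filter did not hold.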

Posted by: kezhong | October 15, 2012

Fedora 17 enable rc.local

My co-worker asked me where the rc.local file was on his Fedora 17 server because he wanted to add something to it. It took me a while to help him, so I think it is worth posting the way here so that we can deal with this issue quickly next time.

Enable rc-local service
# systemctl enable rc-local.service

Create the rc.local file in the /etc/rc.d directory, and make sure the first line is #!/bin/sh
# cat /etc/rc.d/rc.local
route add -net netmask gw dev eth1.11

Make the rc.local file executable
# chmod 700 /etc/rc.d/rc.local

Reboot the server to check if the rc.local executes.

Posted by: kezhong | April 7, 2012

Install Snort on CentOS 5.8 (X86_64)

Snort is a free, lightweight network intrusion detection system (NIDS). The following are the steps I used to install Snort on my CentOS 5.8 server.

Install CentOS 5.8 (X86_64)
When I installed the operating system, I selected MySQL, HTTP, Development Tools and Development Libraries, and then updated it to the latest packages.

Install the necessary packages
# yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++

Download snort and its dependent packages
# mkdir /root/snortinstall
# cd /root/snortinstall
# wget
# wget
# wget
# wget
# wget
# wget

Install snort and its dependent packages
# tar xvzf daq-0.6.2.tar.gz
# tar xvzf libdnet-1.12.tgz
# tar xvzf libpcap-1.2.1.tar.gz
# tar xvzf pcre-8.30.tar.gz
# tar xvzf snort-
# tar xvzf tcpdump-4.2.1.tar.gz

# cd libpcap-1.2.1
# ./configure
# make
# make install
# cd /usr/lib64/
# rm
# rm
# ln -s /usr/local/lib/ /usr/lib64/
# ln -s /usr/lib64/ /usr/lib64/
# ln -s /usr/lib64/ /usr/lib64/

# cd /root/snortinstall/
# cd daq-0.6.2
# ./configure
# make
# make install

# cd ../pcre-8.30
# ./configure
# make
# make install

# cd ../libdnet-1.12
# ./configure
# make
# make install

# cd ../snort-
# ./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin --enable-zlib --enable-ipv6 --enable-sourcefire
# make
# make install

# groupadd snort
# useradd -g snort snort -s /sbin/nologin
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/so_rules
# mkdir /etc/snort/preproc_rules
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# cd etc/
# cp * /etc/snort/

Register on the Snort official web site and download the rules
# cd /root/snortinstall/
# tar xvzf snortrules-snapshot-2921.tar.gz
# cd rules/
# cp * /etc/snort/rules
# cp ../so_rules/precompiled/Centos-5-4/x86-64/* /etc/snort/so_rules
# cp ../preproc_rules/* /etc/snort/preproc_rules

Edit /etc/snort/snort.conf file
1. Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules", "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules", and "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"
2. Comment out the whole "Reputation preprocessor" section, because we don't have a whitelist file yet
3. Find the "Configure output plugins" section and add the line "output unified2: filename snort.log, limit 128"
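The three snort.conf edits above are easy to get wrong by hand and have to be redone on every fresh copy of the file, so here they are scripted and checked. This is an added example, not part of the original post or of the Snort project; the snort.conf excerpt embedded in it is a constructed sample that follows the 2.9.x layout (one "preprocessor reputation: \" directive continued with trailing backslashes, and a '#' banner around the "Configure output plugins" heading), which is the layout the script assumes.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project): apply the
# three snort.conf edits from the text with awk, then verify they are present.
# Assumes the stock snort 2.9.x layout described in the lead-in.

# Constructed excerpt of a stock snort.conf, used as sample input.
write_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT
EOF
}

# patch_snort_conf FILE
#   1. point RULE_PATH, SO_RULE_PATH and PREPROC_RULE_PATH at /etc/snort/...
#   2. comment out the reputation preprocessor directive and every
#      backslash-continued line that belongs to it
#   3. add the unified2 output line right after the output-plugins banner
#   Safe to run twice: the output line is only added if it is not there yet.
patch_snort_conf() {
    have_u2=0
    grep -q '^output unified2: filename snort.log' "$1" && have_u2=1
    awk -v have_u2="$have_u2" '
        /^var RULE_PATH /         { $0 = "var RULE_PATH /etc/snort/rules" }
        /^var SO_RULE_PATH /      { $0 = "var SO_RULE_PATH /etc/snort/so_rules" }
        /^var PREPROC_RULE_PATH / { $0 = "var PREPROC_RULE_PATH /etc/snort/preproc_rules" }
        /^preprocessor reputation:/ { inrep = 1 }
        inrep { cont = ($0 ~ /\\$/); $0 = "# " $0; if (!cont) inrep = 0 }
        { print }
        /Configure output plugins/ { want = 1; next }
        want && !have_u2 && /^#+$/ {
            print "output unified2: filename snort.log, limit 128"; want = 0
        }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# verify_snort_conf FILE
#   Succeeds only when all three edits are in place and no active (uncommented)
#   reputation or whitelist line is left, which is what makes snort refuse to
#   start without the whitelist file.
verify_snort_conf() {
    grep -q '^var RULE_PATH /etc/snort/rules$' "$1" &&
    grep -q '^var SO_RULE_PATH /etc/snort/so_rules$' "$1" &&
    grep -q '^var PREPROC_RULE_PATH /etc/snort/preproc_rules$' "$1" &&
    ! grep -q '^[[:space:]]*preprocessor reputation:' "$1" &&
    ! grep -q '^[[:space:]]*whitelist \$WHITE_LIST_PATH' "$1" &&
    grep -q '^output unified2: filename snort.log, limit 128$' "$1"
}

main() {
    conf=$(mktemp)
    write_sample_conf "$conf"
    patch_snort_conf "$conf"
    if verify_snort_conf "$conf"; then
        echo "snort.conf edits applied:"
    else
        echo "some edits are missing" >&2
    fi
    cat "$conf"
    rm -f "$conf"
}

main
```

To use it on the real file, run `patch_snort_conf /etc/snort/snort.conf` and then `verify_snort_conf /etc/snort/snort.conf && echo ok`; keep a copy of the original first, since the script rewrites the file in place.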

Setup MySQL Database
# echo "SET PASSWORD FOR root@localhost=PASSWORD('yourpassword');"|mysql -u root -p
# echo "create database snort;"|mysql -u root -p
# cd /root/snortinstall/
# cd snort-
# mysql -u root -p -D snort < schemas/create_mysql
# echo "grant create, insert on root.* to snort@localhost"|mysql -u root -p
# echo "SET PASSWORD FOR snort@localhost=PASSWORD('yourpassword');"|mysql -u root -p
# echo "grant create,insert,select,delete,update on snort.* to snort@localhost"|mysql -u root -p

Download and install ADODB and BASE
# yum -y install php-pear
# pear upgrade --force
# pear install Numbers_Roman
# pear install channel://
# pear install Image_Color
# pear install channel://
# pear install channel://
# cd /root/snortinstall/
# wget
# wget
# cd /var/www
# tar xvzf /root/snortinstall/adodb511.tgz
# mv adodb5/ adodb/
# cd html/
# tar xvzf /root/snortinstall/base-1.4.5.tar.gz
# mv base-1.4.5/ base/
# cd base/
# cp base_conf.php.dist base_conf.php

Edit the base_conf.php file and change the parameters as below
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/adodb';
$DBtype = 'mysql';
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'yourpassword';

Create BASE AV
# service httpd restart
Open https://yourip/base in a web browser, click on "Setup Page" and then click "Create BASE AV"

Secure the BASE
# mkdir /var/www/passwords
# /usr/bin/htpasswd -c /var/www/passwords/passwords base

Edit the file /etc/httpd/conf/httpd.conf and add the following lines (the closing tag is required, or httpd will refuse to start)
<Directory "/var/www/html/base">
    AuthType Basic
    AuthName "SnortIDS"
    AuthUserFile /var/www/passwords/passwords
    Require user base
</Directory>

# touch /var/www/html/index.html
# service httpd restart

Install Barnyard2
# cd /root/snortinstall/
# wget
# tar xvzf barnyard2-1.8.tar.gz
# cd barnyard2-1.8
# ./configure --with-mysql-libraries=/usr/lib64/mysql/
# make
# make install
# cp etc/barnyard2.conf /etc/snort/
# mkdir /var/log/barnyard2
# chmod 666 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo

Edit the file /etc/snort/barnyard2.conf:
change "config hostname:  thor" to "config hostname: localhost"
change "config interface: eth0" to "config interface: eth2"
add the line "output database: log, mysql, user=snort password=yourpassword dbname=snort host=localhost" at the end of the file
Note: my eth0 is used to serve the BASE web page; my eth2 (with no IP address set) is a Myricom 10GbE card used only for Snort.

# /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth2
If it prints "Initialization Complete", Snort is working.

Make Snort and Barnyard2 start automatically at boot
Edit the file /etc/rc.local and add the lines below
/sbin/ifconfig eth2 up
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth2
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

Reboot and enjoy my pig snorting
# reboot


Posted by: kezhong | April 1, 2012

Setup Multiple Routes on Fedora 16

One of our servers had two network interface cards (NICs), each on a different subnet. We wanted to use one NIC for our VIP customers and the other NIC for normal customers, but when we configured the network we could not make it work.

I searched for a solution, found Configuring Multiple Default Routes in Linux, followed its steps, and it worked.

For security reasons, I don't use the public IPs here. I assume that
eth0 netmask
eth1 netmask
eth0’s gateway:
eth1’s gateway:

Before setting up multiple routes, when I set as the default gateway, I could only ping from outside and could not ping . When I set as the default gateway, I could only ping from outside and could not ping .

Step 1:  Create new policy routing table entries
# echo "1 s192" >> /etc/iproute2/rt_tables
# echo "2 s172" >> /etc/iproute2/rt_tables

Step 2: Create the rc.local script and enable it
# vi /etc/rc.d/rc.local
/sbin/ip route add dev eth0 src table s192
/sbin/ip route add default via dev eth0 table s192
/sbin/ip rule add from table s192
/sbin/ip rule add to table s192
/sbin/ip route add dev eth1 src table s172
/sbin/ip route add default via dev eth1 table s172
/sbin/ip rule add from table s172
/sbin/ip rule add to table s172

# chmod u+x /etc/rc.d/rc.local
# systemctl enable rc-local.service
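The two echo lines in Step 1 append blindly: run them a second time (for example from a provisioning script that is re-applied) and rt_tables gets duplicate entries, and nothing stops you from picking an ID that is already bound to another table such as 254 (main). The helper below, an added example that is not part of the original post, does the same job but checks the file first. The rt_tables content embedded in it is a constructed copy of the stock iproute2 file used as sample input; the default path /etc/iproute2/rt_tables is the one the post edits.

```shell
#!/bin/sh
# Added example (not from the original post): an idempotent replacement for
# 'echo "ID NAME" >> /etc/iproute2/rt_tables'. It refuses IDs and names that
# are already bound (the reserved tables local/main/default are caught because
# they are listed in the file) and does nothing if the exact entry exists.

# Constructed copy of a stock rt_tables file, used as sample input.
write_sample_rt_tables() {
    {
        printf '#\n# reserved values\n#\n'
        printf '255\tlocal\n254\tmain\n253\tdefault\n0\tunspec\n'
        printf '#\n# local\n#\n#1\tinr.ruhep\n'
    } > "$1"
}

# rt_tables_lookup FILE ID NAME
#   Prints "exact" (ID NAME already present), "id" (ID bound to another name),
#   "name" (NAME bound to another ID) or "free". Comments and blank lines are
#   ignored, so the commented-out "#1 inr.ruhep" does not count as taken.
rt_tables_lookup() {
    awk -v id="$2" -v name="$3" '
        $1 ~ /^#/ || NF < 2    { next }
        $1 == id && $2 == name { r = "exact"; exit }
        $1 == id               { r = "id";    exit }
        $2 == name             { r = "name";  exit }
        END { print (r == "" ? "free" : r) }' "$1"
}

# add_rt_table ID NAME [FILE]
#   Appends "ID<TAB>NAME" to FILE (default /etc/iproute2/rt_tables) unless it
#   is already there. Returns 0 when the entry exists or was added, 1 when the
#   ID or the name is already used by a different entry.
add_rt_table() {
    id=$1; name=$2; file=${3:-/etc/iproute2/rt_tables}
    case $(rt_tables_lookup "$file" "$id" "$name") in
        exact) return 0 ;;
        id)    echo "add_rt_table: id $id is already used in $file" >&2; return 1 ;;
        name)  echo "add_rt_table: name $name is already used in $file" >&2; return 1 ;;
        free)  printf '%s\t%s\n' "$id" "$name" >> "$file" ;;
    esac
}

main() {
    f=$(mktemp)
    write_sample_rt_tables "$f"
    add_rt_table 1 s192 "$f"
    add_rt_table 2 s172 "$f"
    add_rt_table 1 s192 "$f"           # second run: no duplicate line
    add_rt_table 254 s10 "$f" || true  # 254 is "main": refused
    cat "$f"
    rm -f "$f"
}

main
```

In rc.local or a setup script, call `add_rt_table 1 s192` and `add_rt_table 2 s172` (no third argument) in place of the echo lines; the `ip route`/`ip rule` commands in Step 2 stay as they are.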

Step 3:  Reboot and verify
# ip rule show
0: from all lookup local
32762: from all to lookup s172
32763: from lookup s172
32764: from all to lookup s192
32765: from lookup s192
32766: from all lookup main
32767: from all lookup default

After setup, I could ping both and from outside.

We had a server with 4 hard drives in RAID10 on an LSI hardware RAID card, for a total drive size of 4TB. I wanted to install Fedora 16 on it in graphical mode. I chose "Create Custom Layout" to assign the partitions. After I had assigned the BIOS Boot, /boot and swap partitions and wanted to assign the remaining space to the / partition, it prompted "Could not allocate requested partitions: requested size exceeds maximum allowed".
I went back, pressed Ctrl+Alt+F2 to switch to a text terminal,
# parted /dev/sda
(parted) mklabel gpt
(parted) quit
pressed Ctrl+Alt+F6 to switch back to the graphical terminal, chose "Create Custom Layout" and assigned the partitions again. Everything was OK.
