Posted by: kezhong | October 30, 2012

Install brutessh on CentOS 5.8

For security reasons, our NOC team should limit outside SSH access to our customers so as to prevent SSH brute force attacks. After tuning the firewall on the routers, we need to test whether the firewall works. So we installed brutessh to simulate SSH brute force attacks against our test server. Beware, don't use brutessh to try others' IPs.

Install the crypto and paramiko packages for Python
# wget http://pkgs.repoforge.org/python-crypto/python-crypto-2.0.1-1.el5.rf.x86_64.rpm
# rpm -ivh python-crypto-2.0.1-1.el5.rf.x86_64.rpm
# wget http://pkgs.repoforge.org/python-paramiko/python-paramiko-1.7.6-1.el5.rf.noarch.rpm
# rpm -ivh python-paramiko-1.7.6-1.el5.rf.noarch.rpm

Install brutessh
# wget http://getwapi.com/archive/download/file/lhgm5_vN/brutessh-06.tar
# tar xvf brutessh-06.tar
# cd brutessh
# chmod 744 *.py

Make up a password list file named passlist.txt, or download the dictionary from John the Ripper as in my past post https://kezhong.wordpress.com/2011/09/26/installing-thc-hydra-on-fedora-15/

Simulate SSH brute force attacks
# python brutessh.py -h xxx.xxx.xxx.xxx -u root -d passlist.txt
*************************************
*SSH Bruteforcer Ver. 0.6           *
*Coded by Christian Martorella      *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
*************************************

HOST: xxx.xxx.xxx.xxx
Username: root
Password file: passlist.txt
=========================================================
Trying password…
2/3 password

Times -- > Init: 0.02 End: 0.28

On the server under attack, we can watch the authentication log to see what the attempts look like.
# tail -f /var/log/secure
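The lines that appear in /var/log/secure during such a test are the same ones a defender should be alerting on. The following script is an added example (not part of the original post or of brutessh) that parses CentOS-style sshd log lines, counts "Failed password" attempts per source IP, flags sources over a threshold, and reports any source whose failures were followed by a successful login. The log lines embedded in it are constructed sample data with documentation-range IPs, not output from a real host.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (CentOS 5 syslog format). These
# are placeholders, not real log data; replace with open("/var/log/secure").read().
SAMPLE_SECURE_LOG = """\
Oct 30 10:15:01 testsrv sshd[2011]: Failed password for root from 192.0.2.10 port 40211 ssh2
Oct 30 10:15:01 testsrv sshd[2012]: Failed password for root from 192.0.2.10 port 40212 ssh2
Oct 30 10:15:02 testsrv sshd[2013]: Accepted password for root from 192.0.2.10 port 40213 ssh2
Oct 30 10:15:05 testsrv sshd[2020]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Oct 30 10:15:06 testsrv sshd[2021]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Oct 30 10:15:07 testsrv sshd[2022]: Failed password for invalid user oracle from 198.51.100.7 port 51002 ssh2
Oct 30 10:16:00 testsrv sshd[2030]: Accepted publickey for kezhong from 10.0.0.5 port 34000 ssh2
"""

# "invalid user" is inserted by sshd when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failed_logins(log_text):
    """Return {source_ip: number of 'Failed password' lines}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def suspicious_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failed password attempts."""
    return sorted(ip for ip, n in count_failed_logins(log_text).items() if n >= threshold)


def accepted_after_failures(log_text):
    """(ip, user) pairs where an 'Accepted' line follows at least one
    'Failed password' line from the same source IP: the signature of a
    guessing run that eventually succeeded and deserves immediate attention."""
    failed_ips = set()
    hits = []
    for line in log_text.splitlines():
        f = FAILED_RE.search(line)
        if f:
            failed_ips.add(f.group("ip"))
            continue
        a = ACCEPTED_RE.search(line)
        if a and a.group("ip") in failed_ips:
            hits.append((a.group("ip"), a.group("user")))
    return hits


if __name__ == "__main__":
    for ip, n in sorted(count_failed_logins(SAMPLE_SECURE_LOG).items()):
        print(f"{ip}: {n} failed password attempts")
    print("over threshold:", suspicious_sources(SAMPLE_SECURE_LOG))
    print("accepted after failures:", accepted_after_failures(SAMPLE_SECURE_LOG))
```

Run it against the real file after the brutessh test: the test source should show up under "over threshold", and if the dictionary contained the real root password it also appears under "accepted after failures", which is exactly the case the firewall rule is meant to prevent.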

Posted by: kezhong | October 15, 2012

Fedora 17 enable rc.local

My co-worker asked me where the rc.local file was on his Fedora 17 server because he wanted to add something to it. I helped him for a while, so I think it is necessary to post the method here so that we can deal with this issue quickly next time.

Enable rc-local service
# systemctl enable rc-local.service

Create the rc.local file in the /etc/rc.d directory, and make sure the first line is #!/bin/sh
# cat /etc/rc.d/rc.local
#!/bin/sh
route add -net 10.3.111.0 netmask 255.255.255.0 gw 172.16.100.2 dev eth1.11

Make the rc.local file executable
# chmod 700 /etc/rc.d/rc.local

Verify
Reboot the server to check if the rc.local executes.

Posted by: kezhong | April 7, 2012

Install Snort 2.9.2.2 on CentOS 5.8 (X86_64)

Snort is a free, lightweight network intrusion detection system (NIDS). The following steps are how I installed Snort 2.9.2.2 on my CentOS 5.8 server.

Install CentOS 5.8 (X86_64)
When I installed the operating system, I selected MySQL, HTTP, Development Tools and Development Libraries, and then updated it to the latest packages.

Install the necessary packages
# yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++

Download snort and its dependent packages
# mkdir /root/snortinstall
# cd /root/snortinstall
# wget http://www.snort.org/downloads/1538
# wget http://www.snort.org/downloads/1525
# wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz
# wget http://www.tcpdump.org/release/tcpdump-4.2.1.tar.gz
# wget http://sourceforge.net/projects/pcre/files/pcre/8.30/pcre-8.30.tar.gz/download
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz

Install snort and its dependent packages
# tar xvzf daq-0.6.2.tar.gz
# tar xvzf libdnet-1.12.tgz
# tar xvzf libpcap-1.2.1.tar.gz
# tar xvzf pcre-8.30.tar.gz
# tar xvzf snort-2.9.2.2.tar.gz
# tar xvzf tcpdump-4.2.1.tar.gz

# cd libpcap-1.2.1
# ./configure
# make
# make install
# cd /usr/lib64/
# rm libpcap.so.0
# rm libpcap.so.0.9
# ln -s /usr/local/lib/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1.2.1
# ln -s /usr/lib64/libpcap.so.1.2.1 /usr/lib64/libpcap.so.1
# ln -s /usr/lib64/libpcap.so.1 /usr/lib64/libpcap.so

# cd /root/snortinstall/
# cd daq-0.6.2
# ./configure
# make
# make install

# cd ../pcre-8.30
# ./configure
# make
# make install

# cd ../libdnet-1.12
# ./configure
# make
# make install

# cd ../snort-2.9.2.2
# ./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin --enable-zlib --enable-ipv6 --enable-sourcefire
# make
# make install

# groupadd snort
# useradd -g snort snort -s /sbin/nologin
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/so_rules
# mkdir /etc/snort/preproc_rules
# mkdir /var/log/snort
# chown snort:snort /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# cd etc/
# cp * /etc/snort/

Register on the Snort official web site and download the rules
# cd /root/snortinstall/
# tar xvzf snortrules-snapshot-2921.tar.gz
# cd rules/
# cp * /etc/snort/rules
# cp ../so_rules/precompiled/Centos-5-4/x86-64/2.9.2.1/* /etc/snort/so_rules
# cp ../preproc_rules/* /etc/snort/preproc_rules

Edit /etc/snort/snort.conf file
1. Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules", "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules", and "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules".
2. Comment out the whole "Reputation preprocessor" section, because we don't have a whitelist file.
3. Find the "Configure output plugins" section and add the line "output unified2: filename snort.log, limit 128".
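Hand-editing snort.conf is where most first-run failures come from (a path still relative, a continuation line of the reputation block left uncommented). As an added example, not from the post or the Snort project, the script below applies the three edits above to the configuration text and is safe to run twice. The embedded snort.conf excerpt is a constructed placeholder containing only the pieces the edits touch; on a real host read /etc/snort/snort.conf, review the result, and write it back.

```python
import re

# Constructed excerpt in the shape of a snort.conf 2.9.x (placeholder, not the
# file shipped with Snort): only the parts the three edits touch.
SAMPLE_SNORT_CONF = """\
# Path to your rules files (this can be a relative path)
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules

###################################################
# Step #6: Configure output plugins
###################################################
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
"""

PATH_VARS = {
    "RULE_PATH": "/etc/snort/rules",
    "SO_RULE_PATH": "/etc/snort/so_rules",
    "PREPROC_RULE_PATH": "/etc/snort/preproc_rules",
}

OUTPUT_LINE = "output unified2: filename snort.log, limit 128"


def set_path_vars(conf, paths=PATH_VARS):
    """Edit 1: point the rule path variables at absolute directories."""
    out = []
    for line in conf.splitlines():
        m = re.match(r"^var (\w+) \S+\s*$", line)
        if m and m.group(1) in paths:
            line = f"var {m.group(1)} {paths[m.group(1)]}"
        out.append(line)
    return "\n".join(out) + "\n"


def comment_out_reputation(conf):
    """Edit 2: comment out 'preprocessor reputation:' together with every
    backslash-continued line that belongs to it."""
    out = []
    in_block = False
    for line in conf.splitlines():
        if line.startswith("preprocessor reputation:"):
            in_block = True
        if in_block:
            out.append("#" + line)
            in_block = line.rstrip().endswith("\\")  # block ends at the first line without '\'
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def add_unified2_output(conf, output_line=OUTPUT_LINE):
    """Edit 3: add the unified2 output line right after the 'Configure output
    plugins' header (skipping the ##### line that closes the header box)."""
    lines = conf.splitlines()
    if output_line in lines:
        return conf  # already present: keep the edit idempotent
    for i, line in enumerate(lines):
        if "Configure output plugins" in line:
            j = i + 1
            while j < len(lines) and lines[j].startswith("#####"):
                j += 1
            lines.insert(j, output_line)
            break
    else:
        lines.append(output_line)  # header not found: append at the end of file
    return "\n".join(lines) + "\n"


def patch_snort_conf(conf):
    """All three edits in order; applying it to its own output changes nothing."""
    return add_unified2_output(comment_out_reputation(set_path_vars(conf)))


if __name__ == "__main__":
    print(patch_snort_conf(SAMPLE_SNORT_CONF))
```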

Setup MySQL Database
# echo "SET PASSWORD FOR root@localhost=PASSWORD('yourpassword');"|mysql -u root -p
# echo "create database snort;"|mysql -u root -p
# cd /root/snortinstall/
# cd snort-2.9.2.2
# mysql -u root -p -D snort < schemas/create_mysql
# echo "grant create, insert on root.* to snort@localhost"|mysql -u root -p
# echo "SET PASSWORD FOR snort@localhost=PASSWORD('yourpassword');"|mysql -u root -p
# echo "grant create,insert,select,delete,update on snort.* to snort@localhost"|mysql -u root -p

Download and install ADODB and BASE
# yum -y install php-pear
# pear upgrade --force http://download.pear.php.net/package/PEAR-1.9.1.tgz
# pear install Numbers_Roman
# pear install channel://pear.php.net/Numbers_Words-0.16.2
# pear install Image_Color
# pear install channel://pear.php.net/Image_Canvas-0.3.2
# pear install channel://pear.php.net/Image_Graph-0.7.2
# cd /root/snortinstall/
# wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.tgz/download
# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
# cd /var/www
# tar xvzf /root/snortinstall/adodb511.tgz
# mv adodb5/ adodb/
# cd html/
# tar xvzf /root/snortinstall/base-1.4.5.tar.gz
# mv base-1.4.5/ base/
# cd base/
# cp base_conf.php.dist base_conf.php

Edit the base_conf.php file and change the parameters as below
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/adodb';
$DBtype = 'mysql';
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'yourpassword';

Create BASE AV
# service httpd restart
Launch the web browser, open https://yourip/base, click on "Setup Page" and then click "Create BASE AV"

Secure the BASE
# mkdir /var/www/passwords
# /usr/bin/htpasswd -c /var/www/passwords/passwords base

Edit the file /etc/httpd/conf/httpd.conf, and add the following lines
<Directory "/var/www/html/base">
    AuthType Basic
    AuthName "SnortIDS"
    AuthUserFile /var/www/passwords/passwords
    Require user base
</Directory>

# touch /var/www/html/index.html
# service httpd restart

Install Barnyard2
# cd /root/snortinstall/
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz
# tar xvzf barnyard2-1.8.tar.gz
# cd barnyard2-1.8
# ./configure --with-mysql-libraries=/usr/lib64/mysql/
# make
# make install
# cp etc/barnyard2.conf /etc/snort/
# mkdir /var/log/barnyard2
# chmod 666 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo

Edit the file /etc/snort/barnyard2.conf:
change "config hostname: thor" to "config hostname: localhost"
change "config interface: eth0" to "config interface: eth2"
add this line at the end of the file: "output database: log, mysql, user=snort password=yourpassword dbname=snort host=localhost"
Note: my eth0 is used to serve the BASE web page; my eth2 (no IP set) is a Myricom 10GE card and is used for snort.

Test
# /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth2
If it prints "Initialization Complete", the configuration works.

Make Snort and Barnyard2 boot up automatically
Edit the file /etc/rc.local, add the below lines
/sbin/ifconfig eth2 up
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth2
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

Reboot and enjoy my pig snorting
# reboot

Reference
Install Snort 2.8.6 on CentOS 5.5
http://itmanager.blogs.com/notes/2011/04/how-to-install-snort-on-centos-56.html
http://ignoranceisfutile.com/node/18

Posted by: kezhong | April 1, 2012

Setup Multiple Routes on Fedora 16

One of our servers had two network interface cards (NICs), and they used two different subnets. We wanted to use one NIC for our VIP customers and the other NIC for normal customers. But when we configured the network, we could not make it work.

I searched for a solution, found "Configuring Multiple Default Routes in Linux", followed the steps, and it worked.

For security reasons, I don't use public IPs here. I assume that:
eth0 192.168.1.5 netmask 255.255.255.0
eth1 172.16.2.5 netmask 255.255.255.0
eth0’s gateway: 192.168.1.1
eth1’s gateway: 172.16.2.1

Before setting up multiple routes, when I set 192.168.1.1 as the default gateway, I could only ping 192.168.1.5 from outside and could not ping 172.16.2.5. When I set 172.16.2.1 as the default gateway, I could only ping 172.16.2.5 from outside and could not ping 192.168.1.5.

Step 1:  Create new policy routing table entries
# echo "1 s192" >> /etc/iproute2/rt_tables
# echo "2 s172" >> /etc/iproute2/rt_tables

Step 2: Create rc.local script and enable it
# vi /etc/rc.d/rc.local
#!/bin/bash
/sbin/ip route add 192.168.1.0/24 dev eth0 src 192.168.1.5 table s192
/sbin/ip route add default via 192.168.1.1 dev eth0 table s192
/sbin/ip rule add from 192.168.1.0/24 table s192
/sbin/ip rule add to 192.168.1.0/24 table s192
/sbin/ip route add 172.16.2.0/24 dev eth1 src 172.16.2.5 table s172
/sbin/ip route add default via 172.16.2.1 dev eth1 table s172
/sbin/ip rule add from 172.16.2.0/24 table s172
/sbin/ip rule add to 172.16.2.0/24 table s172

# chmod u+x /etc/rc.d/rc.local
# systemctl enable rc-local.service

Step 3:  Reboot and verify
# ip rule show
0: from all lookup local
32762: from all to 172.16.2.0/24 lookup s172
32763: from 172.16.2.0/24 lookup s172
32764: from all to 192.168.1.0/24 lookup s192
32765: from 192.168.1.0/24 lookup s192
32766: from all lookup main
32767: from all lookup default

After the setup, I could ping both 192.168.1.5 and 172.16.2.5 from outside.
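Why the single default gateway broke one interface and the policy rules fix it is easier to see by replaying the lookup. The script below is an added example (not from the post or from iproute2) that models the kernel's policy routing: it walks the rules from "ip rule show" in priority order, performs a longest-prefix match in the selected table, and reports the next hop a reply packet takes. It uses the two subnets and gateways from the post and a constructed outside address; the "before" state is modelled as the main table with a default route via 192.168.1.1, as described above.

```python
import ipaddress

# Host addressing from the post (private ranges stand in for the public IPs).
ETH0_ADDR, ETH0_GW = "192.168.1.5", "192.168.1.1"
ETH1_ADDR, ETH1_GW = "172.16.2.5", "172.16.2.1"


def route_lookup(table, dst):
    """Longest-prefix match over one routing table of (prefix, via, dev) entries.
    Returns (via, dev), with via=None for a directly connected network."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else (best[1], best[2])


def select_route(rules, tables, src, dst):
    """Walk rules (priority, from, to, table) in priority order, as the kernel
    does; the first rule that matches and whose table has a route decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, frm, to, table in sorted(rules):
        if frm is not None and s not in ipaddress.ip_network(frm):
            continue
        if to is not None and d not in ipaddress.ip_network(to):
            continue
        hit = route_lookup(tables[table], dst)
        if hit is not None:
            return hit
    return None


# "Before": only the main table, with one default gateway on eth0.
MAIN_ONLY_RULES = [(32766, None, None, "main")]
MAIN_ONLY_TABLES = {
    "main": [
        ("192.168.1.0/24", None, "eth0"),
        ("172.16.2.0/24", None, "eth1"),
        ("0.0.0.0/0", ETH0_GW, "eth0"),
    ],
}

# "After": the s192/s172 tables and the rules created by the rc.local script
# above, with the priorities shown by "ip rule show".
POLICY_RULES = [
    (32762, None, "172.16.2.0/24", "s172"),
    (32763, "172.16.2.0/24", None, "s172"),
    (32764, None, "192.168.1.0/24", "s192"),
    (32765, "192.168.1.0/24", None, "s192"),
    (32766, None, None, "main"),
]
POLICY_TABLES = dict(MAIN_ONLY_TABLES, **{
    "s192": [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", ETH0_GW, "eth0")],
    "s172": [("172.16.2.0/24", None, "eth1"), ("0.0.0.0/0", ETH1_GW, "eth1")],
})


def reply_next_hop(src, dst, policy=True):
    """Next hop for a reply packet sourced from one of the host's own addresses."""
    if policy:
        return select_route(POLICY_RULES, POLICY_TABLES, src, dst)
    return select_route(MAIN_ONLY_RULES, MAIN_ONLY_TABLES, src, dst)


if __name__ == "__main__":
    outside = "203.0.113.9"  # constructed address of the remote host pinging us
    for policy in (False, True):
        print("policy routing" if policy else "single default route")
        for src in (ETH0_ADDR, ETH1_ADDR):
            print(f"  reply from {src} -> {outside}: {reply_next_hop(src, outside, policy)}")
```

With the single default route, the reply sourced from 172.16.2.5 leaves through eth0 and 192.168.1.1, where the upstream router drops or misroutes it, so the ping never returns. With the rules in place, the "from 172.16.2.0/24" rule sends that reply to table s172 and out via 172.16.2.1 on eth1.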

We had a server with 4 hard drives in a RAID10 on an LSI hardware RAID card. The total size of the array was 4TB. I wanted to install Fedora 16 on it in graphical mode. I chose "Create Custom Layout" to assign partitions. After I assigned the BIOS Boot, /boot and swap partitions and wanted to assign the rest of the space to the / partition, it prompted "Could not allocate requested partitions: requested size exceeds maximum allowed".
I went back and pressed Ctrl+Alt+F2 to switch to a text terminal,
# parted /dev/sda
(parted) mklabel gpt
(parted) quit
then pressed Ctrl+Alt+F6 to switch back to the graphical terminal and chose "Create Custom Layout" to assign the partitions again. Everything was OK.
