Intrusion Detection Systems: snort and fail2ban

Snort is a free and widely used Intrusion Detection and Prevention System (IDS/IPS) that can be configured to alert on, react to and prevent network intrusions. It can be used to secure a complete network or a single computer. Snort gains direct access to the network interfaces and monitors all activity. Snort is aimed mainly at larger networks where the devices have more processing power and memory. See the Snort homepage for further information.

A lighter alternative, fail2ban, is also a free security tool (written in Python) for intrusion detection, but it does not monitor any traffic in real time. Instead, it can be configured to monitor various log files for potential intrusion attempts (e.g., failed login attempts, scans of a web server) and to react in various ways (e.g., send an email, add a rule directly to iptables, run a specific program).

For example, fail2ban is more suitable for consumer-grade routers running an open source firmware such as Tomato, since its memory consumption is fairly low. With Snort on such a device the ruleset would have to be ridiculously small, which would not be very useful.

Installing & configuring

Snort

Try this on the Server Ubuntu virtual machine located at

/opt/VMWARE/Server Ubuntu

Launch it with

vmplayer

Installing

On Debian variants install with:

sudo apt-get install snort

If Snort is already installed on that virtual machine, you can remove it together with all its configuration with

sudo apt-get purge snort

The package configuration process will ask you for the interface and the network address. Therefore, before installing, check which interfaces you have on your computer with

ifconfig

and select the interface that you want to monitor, usually the default route interface, which you can check with

route

To define the address range at the install phase, use the information the route command offers, e.g. 172.16.246.0/24

Configuring

Main configuration :

/etc/snort/snort.conf

The syntax, format and use of the different variables are defined in Chapter 2 of the Snort manual. In the main configuration file you should set at least some ipvars, e.g.:

# set your home network here
ipvar HOME_NET 172.16.246.0/24
# and, for example, the addresses of the HTTP servers in the network (the stock default is $HOME_NET)
ipvar HTTP_SERVERS $HOME_NET

If you install Snort as a system package, note that on Debian type systems there is another configuration file located at

/etc/snort/snort.debian.conf

where the Debian specific overrides are defined. You can change these without touching the config file by

sudo dpkg-reconfigure snort

The snort.conf also contains portvars:

# Port(s) used by the SSH server
portvar SSH_PORTS 22
# To list multiple ports, define them between [] and separate them with commas, e.g.:
portvar HTTP_PORTS [80,8080]
# Or a range of ports
portvar FTP_PORTS [21,38000:40000]

Further information about the decoder, detection engine, preprocessors, etc. can be found in the Snort manual or in the README files provided by the snort-doc package; install it with:

sudo apt-get install snort-doc

After installation they can be found in

/usr/share/doc/snort-doc/

To fully configure Snort you can follow all 9 steps defined in the default configuration file. For reference you can check the manual (HTML or PDF version) and the aforementioned README files.

For preprocessor rules you have to create the appropriate directory with

sudo mkdir -p /etc/snort/preproc_rules

or set the variable PREPROC_RULE_PATH in snort.conf to point to a directory of your choosing. In the files preprocessor.rules and decoder.rules in that directory (create these) you can define the different actions; see section 3.2.1 Rule Actions of the manual.

Rules

The more specific Snort rules are defined in:

/etc/snort/rules/

There are many example rules there that only raise an alert about an incident. In the file

/etc/snort/rules/local.rules

you can define your own local rules. Test the Snort configuration by adding

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)

Restart Snort on the server

sudo service snort restart

Then start the other virtual Ubuntu (Wireshark Ubuntu) and ping the Server Ubuntu IP address. The alerts should appear in

/var/log/snort/alert

Or, if you wish to monitor manually, start Snort by hand: first stop the Snort service

sudo service snort stop

and run Snort in the console

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i <interface here>

Alerts are then shown in the console.

Different rule files can be enabled/disabled in step 7 of the configuration file, e.g.

include $RULE_PATH/backdoor.rules
# Disable the following include by adding # to the front of the line
include $RULE_PATH/bad-traffic.rules
# Enable the following include by removing the first #
#include $RULE_PATH/blacklist.rules
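As an added example (not from the original page or the Snort project), the variable, path and include settings above combined into one consistent snort.conf fragment for the lab network 172.16.246.0/24, plus a local.rules that extends the ICMP test rule with two alert-only rules; the web server address 172.16.246.10 is an assumed placeholder.

```snort
# --- /etc/snort/snort.conf, step 1: network and port variables ---
ipvar HOME_NET 172.16.246.0/24
# assumed placeholder address for the Server Ubuntu web server
ipvar HTTP_SERVERS [172.16.246.10]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
portvar SSH_PORTS 22
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# --- /etc/snort/snort.conf, step 7: rule includes ---
include $RULE_PATH/local.rules

# --- /etc/snort/rules/local.rules ---
# The ICMP test rule from above
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
# Alert once when a single external host opens 5 or more SSH connections within 60 s
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"Repeated SSH connection attempts"; flow:to_server; flags:S; detection_filter: track by_src, count 5, seconds 60; classtype:attempted-recon; sid:10000002; rev:1;)
# Alert on HTTP requests for the password protected area of the lab web server
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Request for /private"; flow:to_server,established; content:"GET /private"; nocase; sid:10000003; rev:1;)
```

Local rules keep sid values at 1000000 or above so they never collide with the distributed rule sets; check the file with sudo snort -T -c /etc/snort/snort.conf before restarting the service.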

TASK:

How can you prevent pinging of the server computer with Snort?

Fail2ban

Installing

On Debian style distributions install with

sudo apt-get install fail2ban

Configuration:

/etc/fail2ban/jail.conf

Do not edit this file; use /etc/fail2ban/jail.local for your custom configuration. Actions for the different situations:

/etc/fail2ban/action.d/

Filters for the various log files:

/etc/fail2ban/filter.d/

Running

Start Fail2ban with:

sudo fail2ban-client start

After editing the configuration files you can tell fail2ban to reload them with:

sudo fail2ban-client reload

For more information about the parameters:

man fail2ban-client

The log of all incidents will be in

/var/log/fail2ban.log

Configuring

In the default configuration the different pre-made jails can be enabled by changing

enabled = false

to enabled = true in the jail's section (do this in jail.local).

The defaults for fail2ban (comments are placed on their own lines because a trailing # is not treated as a comment in these files):

# Do not change this section name
[DEFAULT]
# IP addresses never to ban: single IPs or networks, separated by spaces
ignoreip = 127.0.0.1 192.168.0.0/24
# How many seconds the host will be banned
bantime = 600
# How many failed attempts are needed for the host to be banned
maxretry = 3
# Do not change this
backend = polling
# The email address to be notified
destemail = root@localhost
# The default ban action, used unless overridden in a jail
banaction = iptables-multiport
# The program fail2ban uses for sending mail
mta = sendmail
# Default protocol
protocol = tcp

A basic jail consists of the following (see the fail2ban manual):

# Set a name for your jail
[jail-name]
enabled = true
# The name of your own custom filter or an existing one in /etc/fail2ban/filter.d
filter = jail-filter-name
# Different types of actions can be set here; to add more than one, put each on its own line
banaction = iptables-allports
# Or define the action with parameters (overrides the default action)
action = iptables-multiport[name=filter-name, port="80", blocktype=REJECT]
# Ports, either by well-known names or by numbers, e.g., http,https (multiple ports separated by commas)
port = 80
# Path to your log file
logpath = /path/to/file.log
# The time window (seconds) within which the failures are counted
findtime = 300
# How many failures within findtime trigger the action
maxretry = 3

A basic filter (/etc/fail2ban/filter.d/filtername.conf):

# Do not change the section name
[Definition]
# Change this to a regular expression that matches a failure line in your log file;
# fail2ban replaces <HOST> with a pattern that captures the host name or IP address.
# This example just matches a host at the end of each line.
failregex = <HOST>$
# What to ignore in the log, again as a regular expression (empty here)
ignoreregex =
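To make the interplay of failregex, <HOST>, ignoreip, findtime, maxretry and bantime concrete, here is an added simulation (my code, not fail2ban's own) of the jail decision logic using the [DEFAULT] values above; the log format and the failregex are constructed for the example, and <HOST> is expanded to a simplified named group rather than fail2ban's exact host pattern.

```python
import re
import ipaddress
from collections import defaultdict, deque
FINDTIME = 300   # from [DEFAULT] above: window (seconds) in which failures are counted
MAXRETRY = 3     # failures within FINDTIME that trigger a ban
BANTIME = 600    # seconds a banned host stays banned
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.0.0/24")]
# failregex for the constructed log below; fail2ban swaps <HOST> for a named group (simplified to \S+)
FAILREGEX = r"login failed for user \S+ from <HOST>$"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))

def is_ignored(host):
    """True if host (an IP address here) lies inside one of the ignoreip networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in IGNOREIP)

def run_jail(entries):
    """Feed (timestamp, line) pairs through the jail; return [(host, ban_time)]."""
    failures = defaultdict(deque)  # host -> timestamps of recent failures
    banned_until = {}
    bans = []
    for ts, line in entries:
        m = FAIL_RE.search(line)
        if m is None:
            continue
        host = m.group("host")
        if is_ignored(host) or banned_until.get(host, -1) > ts:
            continue
        window = failures[host]
        window.append(ts)
        while window[0] <= ts - FINDTIME:  # expire failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            banned_until[host] = ts + BANTIME
            bans.append((host, ts))
            window.clear()
    return bans

# Constructed sample log: (seconds since start, line).
SAMPLE = [
    (0,   "login failed for user bob from 203.0.113.7"),
    (10,  "login failed for user bob from 203.0.113.7"),
    (30,  "login failed for user bob from 203.0.113.7"),    # 3rd in window: ban
    (40,  "login failed for user root from 192.168.0.9"),   # ignoreip, never banned
    (50,  "login failed for user root from 192.168.0.9"),
    (60,  "login failed for user root from 192.168.0.9"),
    (100, "login failed for user eve from 198.51.100.4"),
    (500, "login failed for user eve from 198.51.100.4"),   # first one has expired
    (520, "login failed for user eve from 198.51.100.4"),   # only 2 in window
]
```

Running run_jail(SAMPLE) bans only 203.0.113.7 at second 30: the 192.168.0.9 failures are ignored and the spread-out failures of 198.51.100.4 never reach maxretry inside one findtime window.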

TASK:

Add a custom rule on the Server Ubuntu that blocks each client that has entered a wrong password twice within one minute and bans the host for another minute. Apache saves its logs in /var/log/apache2/. You can monitor the fail2ban log file or check iptables with

sudo iptables -L

Use the Wireshark Ubuntu to access the web server on the Server Ubuntu, more precisely the password protected area at

http://server.ubuntu.ip.address/private

Stuff to read

Last modified: 2014/01/20 14:01