Jan 10 11:22:33 mai1 pure-ftpd: (?@xx.xx.xx.xx) [WARNING] Sorry, cleartext sessions are not accepted on this server. Please
reconnect using SSL/TLS security mechanisms.

Ftp can accept three values:

# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don’t use SSL/TLS security mechanisms.

If the “TLS” directive below these options is set to 2, you will receive the face the above stated problem. In order to overcome the issue, change the value of “TLS” from 2 to 1 and restart pure-ftpd service:

/scripts/restartsrv pure-ftpd

This will now allow you to access Ftp without using a SSL/TLS security mechanisms.

Incoming search terms:

• pure-ftpd conf centos plesk (1)

I do not issue any guarantee that this will work for you!

Python 2.6 Installation

As you already know, CentOS only comes with Python 2.4, so you need to install Python 2.6 by using the tutorial from the following link:

http://www.geekymedia.com/tech-articles/rhel5-centos5-rpms-for-python-2-5-and-2-6/.

Important Notes!:

1) Just install the RPMs for the version that you want. You will need at least the base python version package and the libs package.
2) To start Python 2.6, type python26 at your command line rather than python. (Your original Python 2.4 is still installed.)
3) If you are installing packages with setuptools, make sure to use the correct python version. (i.e. python26 setup.py install)

Twisted, Zope Interface And Pycrypto Installation

Twisted is an event-driven networking engine written in Python and licensed under the MIT license. Twisted projects variously support TCP, UDP, SSL/TLS, multicast, Unix sockets, a large number of protocols (including HTTP, NNTP, IMAP, SSH, IRC, FTP, and others), and much more.

cd /tmp
wget http://twistedmatrix.com/Releases/Twisted/10.2/Twisted-10.2.0.tar.bz2
tar -xvf Twisted-10.2.0.tar.bz2
cd Twisted-10.2.0
python26 setup.py build
python26 setup.py install

Zope is an open source web application server primarily written in the Python programming language.

cd /tmp
wget http://www.zope.org/Products/ZopeInterface/3.3.0/zope.interface-3.3.0.tar.gz
tar -xvf zope.interface-3.3.0.tar.gz
cd zope.interface-3.3.0
python26 setup.py build
python26 setup.py install

Pycrypto is a collection of cryptographic algorithms and protocols, implemented for use from Python.

cd /tmp
wget wget http://www.amk.ca/files/python/crypto/pycrypto-2.0.1.tar.gz
tar -xvf pycrypto-2.0.1.tar.gz
cd pycrypto-2.0.1
python26 setup.py build
python26 setup.py install

ASN.1 types and codecs (BER, CER, DER) implementation in Python programming language.

cd /tmp
wget http://sourceforge.net/projects/pyasn1/files/pyasn1-devel/0.0.12a/pyasn1-0.0.12a.tar.gz/download
tar -xvf pyasn1-0.0.12a.tar.gz
cd pyasn1-0.0.12a
python26 setup.py build
python26 setup.py install

Create Regular User

Kippo doesnt run under root user! So we must create a regular user.

useradd kippouser

Download Kippo Source Package

You need to download latest version of Kippo source package from http://kippo.googlecode.com.

su – kippouser
wget http://kippo.googlecode.com/files/kippo-0.5.tar.gz
tar -xvf kippo-0.5.tar.gz
cd kippo-0.5

Configure Kippo

vi kippo.cfg

#
# Kippo configuration file (kippo.cfg)
#
[honeypot]
# IP addresses to listen for incoming SSH connections.
#
# (default: 0.0.0.0) = any address
#ssh_addr = 0.0.0.0
# Port to listen for incoming SSH connections.
#
# (default: 2222)
ssh_port = 2222
# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment.
#
# (default: sales)
hostname = sales
# Directory where to save log files in.
#
# (default: log)
log_path = log
# Directory where to save downloaded (malware) files in.
#
# (default: dl)
download_path = dl
# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs
# File in the python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the whole filesystem,
# but not the file contents. This is created by the createfs.py utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem_file = fs.pickle
# Directory for miscellaneous data files, such as the password database.
#
# (default: data_path)
data_path = data
# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
#   txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual
# filesystem {filesystem_file}
#
# (default: txtcmds)
txtcmds_path = txtcmds
# Public and private SSH key files. If these don't exist, they are created
# automatically.
#
# (defaults: public.key and private.key)
public_key = public.key
private_key = private.key
# Initial root password. Future passwords will be stored in
# {data_path}/pass.db
#
# (default: 123456)
password = 123456
# IP address to bind to when opening outgoing connections. Used exclusively by
# the wget command.
#
# (default: not specified)
#out_addr = 0.0.0.0
# Sensor name use to identify this honeypot instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# connection as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname
# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254
# MySQL logging module
#
# Database structure for this module is supplied in doc/sql/mysql.sql
#
# To enable this module, remove the comments below, including the
# [database_mysql] line.
#[database_mysql]
#host = localhost
#database = kippo
#username = kippo
#password = secret

Start Kippo

./start.sh

Log File

By default kippo output will be redirected to the file log/kippo.log. To see the Kippo logging data use the following command:

tail -f log/kippo.log

Note: How To Make Kippo Accessible To The World!

By default,Kippo is running on port 2222. If its running on Windows, port 22 is usually free and it’s ok to run kippo on that port. On linux, port 22 is restricted for root only, except if you do this (quote from #twisted):

iptables -t nat -A PREROUTING -i IN_IFACE -p tcp –dport 22 -j REDIRECT –to-port 2222

Replace IN_IFACE with your real interface name such as eth0!

Testing

Connect to the Kippo server on port 2222 by using root as username and 123456 as password.

ssh 127.0.0.1 -p 2222 -l root

You must see the following banner after successful login:

sales:~#

Links

The Honeynet Project: http://www.honeynet.org/
Honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing)
Kippo Project: http://kippo.googlecode.com/
Iran Honeynet Project: http://www.honeynet.ir/
CentOS: http://www.centos.org/

Incoming search terms:

• The gioi set (1)

IMPORTANT NOTE: These suggestions may vary from server to server and modify the values as per your server configurations. It is up to you to determine if any of the changes suggested here are not compatible with your requirements.

1. Hide the Apache Version number, and other sensitive information.

By default many Apache installations provides information about version of Apache, operating system/version you’re running, and Apache Modules are installed on the server. Attackers/Hackers can use this information to their advantage when performing an attack.

Open /etc/httpd/conf/httpd.conf file and add OR edit following

ServerSignature Off
ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:

Server: Apache

2. Make sure apache is running under its own user account and group

By default apache installations have it run as the user nobody. So suppose both Apache and your mail server were running as nobody and attack through Apache may allow the mail server to also be compromised, and vise versa.

User apache
Group apache

In case of CPanel, it set the username as the ftp username of the domain which user set at the time of creating domain.

3. Ensure that files outside the web root are not served

Apache shouldn’t able to access any files out side of its web root. So all your web sites should be placed under one directory (public_html for cPanel and httpdocs incase of Plesk as control panel), you would set it up as follows:

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /public_html>
Order Allow,Deny
Allow from all
</Directory>

Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override using .htaccess .

4. Turn off directory browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or –Indexes to disable Directory listing for the domain

Options -Indexes

5. Turn off server side includes

SSI (Server Side Includes) is directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.

This can done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Options -Includes

6. Turn off CGI execution

The CGI (Common Gateway Interface) defines a way for a web server to interact with external content-generating programs, which are often referred to as CGI programs or CGI scripts. It is the simplest, and most common, way to put dynamic content on your web site

If you’re not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI

Options -ExecCGI

7. Don’t allow apache to follow Symbolic Links

Symbolic Link (also symlink or soft link) is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.

Symbolic Links can be disabled using the Options directive inside a Directory tag. Set Options to either None or –FollowSymLinks

Options -FollowSymLinks

8.  Turn off support for .htaccess files

.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis.

This is done in a Directory tag but with the AllowOverride directive. Set it to None.

AllowOverride None

9) Run mod_security

ModSecurity is an open source web application firewall. it’s a super handy Apache module written by Ivan Ristic, the author of Apache Security from O’Reilly press.

You can do the following with mod_security:

* Simple filtering
* Regular Expression based filtering
* URL Encoding Validation
* Unicode Encoding Validation
* Auditing
* Null byte attack prevention
* Upload memory limits* Server identity masking
* Built in Chroot support
* And more

10) Restricting Access by IP

If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 92.48 network:

Order Deny,Allow
Deny from all
Allow from 92.48.0.0/16

Or by IP:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Incoming search terms:

• plesk IPCCommTimeout (2)
• centos basic programming (1)
• directadmin rewriteengine (1)
• mysql remote access 10 0 0 0/8 (1)
• secure apache web server (1)
• working with apache basic steps (1)

II. BACKGROUND

WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both free and priceless at the same time. More simply, WordPress is what you use when you want to work with your blogging software, not fight it.
III. DESCRIPTION

The way WordPress handle a password reset looks like this: You submit your email adress or username via this form /wp-login.php?action=lostpassword ;
Wordpress send you a reset confirmation like that via email:

”
Someone has asked to reset the password for the following site and username. http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag ”

You click on the link, and then WordPress reset your admin password, and sends you over another email with your new credentials.

Let’s see how it works:

wp-login.php:
…[snip]….
line 186:
function reset_password($key) {

global $wpdb;

$key = preg_replace(’/[^a-z0-9]/i’, ”, $key);

if ( empty( $key ) )

return new WP_Error(’invalid_key’, __(’Invalid key’));

$user = $wpdb->get_row($wpdb->prepare(”SELECT * FROM $wpdb->users WHERE user_activation_key = %s”, $key));

if ( empty( $user ) )

return new WP_Error(’invalid_key’, __(’Invalid key’)); …[snip]….
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : ‘login’; $errors = new WP_Error();

if ( isset($_GET['key']) )

$action = ‘resetpass’;

// validate action so as to default to the login screen if ( !in_array($action, array(’logout’, ‘lostpassword’, ‘retrievepassword’, ‘resetpass’, ‘rp’, ‘register’, ‘login’)) && false === has_filter(’login_form_’ . $action) )

$action = ‘login’;
…[snip]….

line 370:

break;

case ‘resetpass’ :
case ‘rp’ :

$errors = reset_password($_GET['key']);

if ( ! is_wp_error($errors) ) {
wp_redirect(’wp-login.php?checkemail=newpass’);
exit();

}

wp_redirect(’wp-login.php?action=lostpassword&error=invalidkey’); exit();

break;
…[snip ]…

You can abuse the password reset function, and bypass the first step and then reset the admin password by submiting an array to the $key variable.

Source:

IV. PROOF OF CONCEPT

A web browser is sufficiant to reproduce this Proof of concept: http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]= The password will be reset without any confirmation.

V. BUSINESS IMPACT

An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED

All

VII. SOLUTION

No patch aviable for the moment.

VIII. REFERENCES

http://seclists.org/fulldisclosure/2009/Aug/0113.html

Incoming search terms:

• tar -xzf csf tgz CPANEL (1)
• wp-login php?action=resetpass login=admin key= (1)
• wp_login action wordpress (1)

extract:
# tar zxf rkhunter-<version>.tar.gz

installation:
# cd rkhunter
# ./installer.sh

(Source: http://www.evolution-security.com/)
(Source: http://www.rootkit.nl/articles/rootkit_hunter_faq.html)

Incoming search terms:

• centos xen windows windows\system32\config\system (3)
• qmhandle centos install wget (2)
• rootkit hunter windows 2012 (1)
• rootkit hunter windows (1)
• plesk install rootkit (1)
• linux system files libz2 (1)
• install rootkit plesk (1)
• directadmin rootkit (1)
• directadmin rookit install (1)
• tarzxg (1)

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

2. Increase the backlog queue to 2048 by the command:

# sysctl -w net.ipv4.tcp_max_syn_backlog=”2048″

Incoming search terms:

• linux mail queue maildrop permission denied (1)

OCS Inventory is a great software to make inventories. The NG Server is formed by: communication server, deployment server, and administration console. Click here to know how it works.

The computers that will be inventoried must run an agent (installed on each computer), to connect to the OCS NG Server. We are using the CentOS 5.5 (64bits) distribution, but it will probably work on Fedora (and Red Hat, for sure).

1 Some Prerequisites

Installing MySQL Server

We need to install it (if it’s not already installed):

yum install mysql-server php-mysql php-pecl-zip php-gd

Starting MySQL:

/etc/init.d/mysqld start
chkconfig --level 35 mysqld on

Setting a root password on mysql:

/usr/bin/mysqladmin -u root password 'secret'

Starting Apache:

We need to start Apache (OCS uses it):

/etc/init.d/httpd start
chkconfig --level 35 httpd on

Installing Packages

Next, we need to install EPEL repository:

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

Afterwards, let’s install the packages:

yum install -y perl-XML-Simple perl-Compress-Zlib perl-DBI perl-DBD-MySQL perl-Net-IP perl-XML-Entities perl-Apache-DBI perl-Apache2-SOAP perl-SOAP-Lite mod_perl

Configure PHP

Edit the /etc/php.ini file, and change the following lines:

vi /etc/php.ini

post_max_size = 200M
upload_max_filesize = 200M

Restart Apache:

/etc/init.d/httpd restart

2 Installing OCS Inventory NG Server 2

First, we need to download the tarball from OCS Inventory website. Click here.

mkdir /download
cd /download
wget http://launchpad.net/ocsinventory-server/stable-2.0/2.0rc1/+download/OCSNG_UNIX_SERVER-2.0rc1.tar.gz

Initiate the installer:

tar -zxvf OCSNG_UNIX_SERVER-2.0rc1.tar.gz
cd /download/OCSNG_UNIX_SERVER-2.0rc1
sh setup.sh

The install script is very simple, it’s a wizard. Almost all the options, we’ll select the default option.
These are the questions:

If you leave the question in blank, it will select the default option.

Do you wish to continue ([y]/n)?y

Your MySQL client seems to be part of MySQL version 5.0.
Your computer seems to be running MySQL 4.1 or higher, good
Which host is running database server [localhost] ?localhost

On which port is running database server [3306] ? 3306

Where is Apache daemon binary [/usr/sbin/httpd] ?

Where is Apache main configuration file [/etc/httpd/conf/httpd.conf] ?

Which user account is running Apache web server [apache] ?

Which user group is running Apache web server [apache] ?

Where is Apache Include configuration directory [/etc/httpd/conf.d/] ?

Where is PERL Intrepreter binary [/usr/bin/perl] ?

Do you wish to setup Communication server on this computer ([y]/n)?y

Where to put Communication server log directory [/var/log/ocsinventory-server] ?

OCS setup.sh can install perl module from packages for you
The script will use the native package from your operating system like apt or rpm
Do you wish to continue (y/[n])? y

To ensure Apache loads mod_perl before OCS Inventory NG Communication Server,

Setup can name Communication Server Apache configuration file
‘z-ocsinventory-server.conf’ instead of ‘ocsinventory-server.conf’.
Do you allow Setup renaming Communication Server Apache configuration file
to ‘z-ocsinventory-server.conf’ ([y]/n) ?y

Do you wish to setup Administration Server (Web Administration Console)
on this computer ([y]/n)?y

CAUTION: Setup now install files in accordance with Filesystem Hierarchy
Standard. So, no file is installed under Apache root document directory
(Refer to Apache configuration files to locate it).
If you’re upgrading from OCS Inventory NG Server 1.01 and previous, YOU
MUST REMOVE (or move) directories ‘ocsreports’ and ‘download’ from Apache
root document directory.
If you choose to move directory, YOU MUST MOVE ‘download’ directory to
Administration Server writable/cache directory (by default
/var/lib/ocsinventory-reports), especialy if you use deployement feature.
Do you wish to continue ([y]/n)?y

Where to copy Administration Server static files for PHP Web Console
[/usr/share/ocsinventory-reports] ?

Where to create writable/cache directories for deployement packages,
IPDiscover and SNMP [/var/lib/ocsinventory-reports] ?

3 Configuring OCS Inventory NG Server 2

Creating a MySQL database:

First, we need to open mysql shell:

mysql -u root -p”secret”

Then create the database named ocsweb, and grant permissions to user ocs, with password ocs:

CREATE DATABASE ocsweb;
GRANT ALL ON ocsweb.* to ‘ocs’@'localhost’ identified by ‘ocs’;

If you want, you can change these parameters (database name, username or password). This is the default of ocs.

Now, point your browser to ocsreports interface, to manage the server with the administration tool:

http://server-ip/ocsreports/

The default user is “admin” and password is “admin”.

Finally, we must delete the install script:

rm -f /usr/share/ocsinventory-reports/ocsreports/install.php

Now, all you have to do is configure the server with the machine options. Install the agents on the network computers pointing the server ip on them.
For more information, take a look at the wiki of OCS clicking here.

References

OCS Inventory: http://wiki.ocsinventory-ng.org/index.php/Documentation:Main

Incoming search terms:

• centos apache mysql sysnetpro (2)
• ocs inventory (2)
• howto ocs inventory debian (1)
• instalasi ocs inventory (1)
• ocs inventory ng freebsd client (1)
• ocsinventory centos iptables (1)

I am going with the Icinga basic installation and this is similar to Nagios and this document can also be referred for Nagios installation, too. Lots of documents are available on the Internet and they will be installing with nagios user but for my setup I made use of the default user which is already present in the system (daemon) and also I will not be installing it on the default path instead I will be referring to /opt since I find it very convenient. The UI of Icinga is much better than Nagios.

In this tutorial I will using three servers:

192.168.1.20 – Icinga monitoring server (centos5)
192.168.1.30 – win 2008 to be monitored
192.168.1.40 – Ubuntu 10.10 server to be monitored

Requirements

Note: Make sure development tools and development libraries have been installed during installation:

• GCC compiler
• C/C++ development libraries
• GD development libraries

Packages Needed

1. Xampp for Linux:

[root@sunil~]# mkdir /software
[root@sunil~]# cd /software
[root@sunil software]# wget http://sourceforge.net/projects/xampp/files/XAMPP%20Linux/1.7.3/xampp-linux-1.7.3.tar.gz/download

2. Icinga core:

[root@sunil software]# wget http://sourceforge.net/projects/icinga/files/icinga/1.2.1/icinga-1.2.1.tar.gz/download

Installation of Icinga

1. Untar the xampp package:

[root@sunil software]# tar -zxvf xampp-linux-1.7.3.tar.gz
[root@sunil software]# mv lampp/ /opt/

Xampp package is very neatly compilied package and extracting the same is more than enough for more details can refer to xampp page:

http://www.apachefriends.org/en/xampp.html

2. Untar the Icinga package:

[root@sunil software]# tar -zxvf icinga-1.2.1.tar.gz
[root@sunil software]# cd icinga-1.2.1
[root@sunil icinga-1.2.1]# ./configure –prefix=/opt/icinga –with-icinga-user=daemon –with-icinga-group=daemon –with-httpd-conf=/opt/lampp/etc

Note: please make sure you do not get any error while compiling. If you are getting errors make sure the required packages are installed.

[root@sunil icinga-1.2.1]# make all
[root@sunil icinga-1.2.1]# make install
[root@sunil icinga-1.2.1]# make install-config
[root@sunil icinga-1.2.1]# make install-commandmode
[root@sunil icinga-1.2.1]# make install-webconf

3. Now need to configure Apache with Icinga:

[root@sunil icinga-1.2.1]# cd /opt/lampp/etc/
[root@suniletc]# vim httpd.conf

4. Add the following line:

Include etc/icinga.conf

5. Set password for login:

[root@sunil /]# cd /opt/lampp/bin/
[root@sunil bin]# ./htpasswd –c /opt/icinga/etc/htpasswd.users icingaadmin

New password:
Re-type new password:
Adding password for user icingaadmin

6. Start Apache:

[root@sunillampp]# cd /opt/lampp/
[root@sunillampp]# ./lamp startapache

XAMPP: Starting Apache with SSL (and PHP5)…
XAMPP: Error 1! Couldn’t start Apache!
XAMPP: Starting diagnose…
XAMPP: Make the httpd.conf fit your system.
XAMPP: Next try…
XAMPP: Starting Apache with SSL (and PHP5)…

7. Check whether Apache is working:

http://192.168.1.20

8. Now we need to start Icinga but before that we need to check whether Icinga has been compiled properly and all the configuration are set:

[root@sunillampp]# cd /opt/icinga/

9. Before configuring Icinga we will start and see whether we get the page:

[root@sunilicinga]# /opt/icinga/bin/icinga –v /opt/icinga/etc/icinga.cfg

Total Warnings: 0
Total Errors: 0

Things look okay – No serious problems were detected during the pre-flight check.

10. Now start Icinga since we do not get any errors:

[root@sunilicinga]# /opt/icinga/bin/icinga -d /opt/icinga/etc/icinga.cfg
[root@sunilicinga]# ps -ef|grep icinga

daemon 6961 1 0 19:03 ? 00:00:00 /opt/icinga/bin/icinga -d /opt/icinga/etc/icinga.cfg
root 6998 2929 0 19:05 pts/1 00:00:00 grep icinga

[root@sunilrw]# chmod 777 /opt/
[root@sunilrw]# chmod 777 /opt/icinga/
[root@sunilrw]# chmod 777 /opt/icinga/var/
[root@sunilrw]# chmod 777 /opt/icinga/var/rw/
[root@sunilrw]# chmod 777 /opt/icinga/var/rw/icinga.cmd

11. Login to check whether Icinga website opens:

Installation of Nagios plugins for monitoring

1. Download the Nagios plugin and compile the same:

[root@sunil software]# wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.15.tar.gz
[root@sunil software]# tar -zxvf nagios-plugins-1.4.15.tar.gz
[root@sunil software]# cd nagios-plugins-1.4.15
[root@sunil nagios-plugins-1.4.15]# ./configure –prefix=/opt/icinga/ –with-nagios-user=daemon –with-nagios-group=daemon
[root@sunil nagios-plugins-1.4.15]# make && make install

Cutomization of Icinga

Mail alert configuration:

[root@sunil /]# cd /opt/icinga/etc/
[root@suniletc]# vi objects/contacts.cfg

define contact{
contact_nameicingaadmin             ; Short name of user
use     generic-contact         ; Inherit default values from generic-contact template (defined above)
alias Icinga Admin            ; Full name of user
emaildaemon@localhost        ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
        }

Change the email address from daemon@localhost to your email address test@sunil.cc.

Make sure you had configured smarthost in the CentOS server.

To configure smart host in CentOS

[root@suniletc]# rpm -qa|grepsendmail

sendmail-8.13.8-2.el5

[root@suniletc]# vim /etc/mail/sendmail.mc

Disable the following line:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl#DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Enable the following line:

dnl define(`SMART_HOST', `smtp.your.provider')dnl

Give your smtp address here – in this case sunil.cc:

define(`SMART_HOST', `smtp.sunil.cc')dnl

[root@sunil /]#m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
[root@sunil /]#/etc/init.d/sendmail restart

Installing Nagios Plugin and nrpe in Ubuntu 192.168.1.40

1. For Ubuntu to be monitored by the Icinga server we need to install Nagios plugin and nrpe:

root@ubuntu10:~# apt-get install gcc*

root@ubuntu10:~#wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.15.tar.gz

root@ubuntu10:~# tar -zxvf nagios-plugins-1.4.15.tar.gz

2. Compiling Nagios plugin:

root@ubuntu10:~# cd nagios-plugins-1.4.15/
root@ubuntu10:~/nagios-plugins-1.4.15# ./configure –with-nagios-user=daemon –with-nagios-group=daemon
root@ubuntu10:~/nagios-plugins-1.4.15# make && make install
root@ubuntu10:~/nagios-plugins-1.4.15# chown -R daemon:daemon /usr/local/nagios/

Installation of NRPE (Nagios Remote Plugin Executor)

1. Download and compile NRPE:

root@ubuntu10:~# wget http://prdownloads.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz

root@ubuntu10:~# tar -zxvf nrpe-2.12.tar.gz
root@ubuntu10:~# cd nrpe-2.12/
root@ubuntu10:~/nrpe-2.12# apt-get install openssllibssl-dev
root@ubuntu10:~# make all
root@ubuntu10:~# make install-plugin
root@ubuntu10:~# make install-daemon
root@ubuntu10:~# make install-daemon-config
root@ubuntu10:~/nrpe-2.12# apt-get installxinetd
root@ubuntu10:~# make install-xinetd

2. We need to configure the nrpe as a xinetd service:

root@ubuntu10:~/nrpe-2.12# vim /etc/xinetd.d/nrpe

servicenrpe
{
flags           = REUSE
socket_type     = stream
port            = 5666
wait            = no
user            = daemon
group           = daemon
server          = /usr/local/nagios/bin/nrpe
server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure  += USERID
disable         = no
only_from       = 127.0.0.1
}

3. Edit by adding the Icinga server IP in only_from:

servicenrpe
{
flags           = REUSE
socket_type     = stream
port            = 5666
wait            = no
user            = daemon
group           = daemon
server          = /usr/local/nagios/bin/nrpe
server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure  += USERID
disable         = no
only_from       = 127.0.0.1 192.168.1.20
}

4. Now we need to run it as a service by adding the following line:

root@ubuntu10:~# vim /etc/services

nrpe 5666/tcp

5. Restart the xinetd service:

root@ubuntu10:~# /etc/init.d/xinetd restart

6. Check whether nrpe has started:

root@ubuntu10:~# netstat -a |grep nrpe

To check whether Ubuntu is able to communicate with the Icinga server:

root@ubuntu10:~# /usr/local/nagios/libexec/check_nrpe -H localhost

NRPE v2.12

You should be able to get this output.

Client Side Configuration Windows 2008 (192.168.1.30)

1. Download from http://nsclient.org/nscp/downloads.

2. Just follow the screenshots:

3. Verify that nsclient++ is running as a service:

Configuration of Ubuntu and Win 2008 on the server side

1.

[root@sunil /]# cd /opt/icinga/etc/objects/

2. First we configure the Ubuntu client.

3. Create a cfg file for the same with the following content you can also refer to localhost.cfg present in the same directory:

[root@sunil ~]# vim /opt/icinga/etc/objects/ubuntu10.cfg

define host{
uselinux-server
host_name ubuntu10
alias ubuntu10
address 192.168.1.40
}
define service{
use local-service
host_name ubuntu10
service_description PING
check_command check_ping!100.0,20%!500.0,60%
}
define service{
use local-service
host_name ubuntu10
service_description Root
check_command check_local_disk!20%!10%!/
}
define service{
use local-service
host_name ubuntu10
service_description Current Users
check_command check_local_users!20!50
}
define service{
use local-service
host_name ubuntu10
service_description Total Processes
check_command check_local_procs!250!400!RSZDT
}
define service{
use local-service
host_name ubuntu10
service_description Current Load
check_command check_local_load!5.0,4.0,3.0!10.0,6.0,4.0
}
define service{
use local-service
host_name ubuntu10
service_description Swap Usage
check_command check_local_swap!20!10
}
define service{
use local-service
host_name ubuntu10
service_description SSH
check_commandcheck_ssh
notifications_enabled 0
}

For grouping of servers you can append this line to ubuntu10.cfg:

definehostgroup{
hostgroup_namelinux-servers ; The name of the hostgroup
alias           Linux Servers ; Long name of the group
memberslocalhost, ubuntu10     ; Comma separated list of hosts that belong to this group
        }

4. For Windows 2008 we will referring to windows.cfg:

define host{
use             windows-server  ; Inherit default values from a template
host_namewin2008 ; The name we're giving to this host
alias           My Windows Server       ; A longer name associated with the host
address         192.168.1.30    ; IP address of the host
        }

define service{
use                     generic-service
host_name               win2008
service_descriptionNSClient++ Version
check_commandcheck_nt!CLIENTVERSION
        }
define service{
use                     generic-service
host_name               win2008
service_description     Uptime
check_commandcheck_nt!UPTIME
        }
define service{
use                     generic-service
host_name               win2008
service_description     CPU Load
check_commandcheck_nt!CPULOAD!-l 5,80,90
        }
define service{
use                     generic-service
host_name               win2008
service_description     Memory Usage
check_commandcheck_nt!MEMUSE!-w 80 -c 90
        }
define service{
use                     generic-service
host_name               win2008
service_description     C:\ Drive Space
check_commandcheck_nt!USEDDISKSPACE!-l c -w 80 -c 90
        }

5. We need to set the password to log into the Windows server:

[root@sunil etc]# vim objects/commands.cfg

# 'check_nt' command definition
define command{
command_namecheck_nt
command_line    $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -v $ARG1$ $ARG2$
        }

6. Add your password:

define command{
command_namecheck_nt
command_line    $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 –s password@123 -v $ARG1$ $ARG2$
        }

[root@sunil objects]# chown -R daemon:daemon /opt/icinga/

[root@suniletc]# vimicinga.cfg

cfg_file=/opt/icinga/etc/objects/ubuntu10.cfg
cfg_file=/opt/icinga/etc/objects/win2008.cfg

Add the two lines.

Stop and start Icinga.

Incoming search terms:

• icinga directadmin (6)
• icinga and plesk (3)
• nsclient nagios screenshot (2)
• installing icinga cpanel (2)
• icinga cpanel (2)
• icinga lconf install on centos (1)
• icinga localhost cfg configuration (1)
• icinga nrpe tar file download (1)
• icinga object location centos (1)
• icinga plesk (1)

I highly recommend you read the entire guide before you start, it will most certainly help.

There is a lot of swapping between client and server as I try my best to confuse you, so stay sharp!

Prerequisites

You will need all the required build tools installed as we are going to compile Samhain. Here is a quick refresher:

Red Hat

yum groupinstall “Development Tools”

Debian

apt-get install build-essential

NOTE: Please keep in mind that development tools on production servers is perhaps not the best of ideas. These packages may further assist the wannebe hacker, fill up precious megabyte or eat your cat. It is recommended to build the required packages on your build server, test them, create rpm / deb package and then deploy said packages on your production environment.

Here is a short check list to follow:

1. You will need MySQL and Apache running on your server. This guide will assume a vanilla MySQL and Apache configuration. I leave it up to the reader to figure out how to install and configure these services on your favourite distribution.
2. You will need the MySQL development package (generaly mysql-devel) installed for the server side of things.
3. MySQL must have a root password set. If the MySQL root password is not set, go and do that first. While your at MySQL, you may want to look at this : /usr/bin/mysql_secure_installation
4. The server and client(s) host name must be fully qualified.
5. The server and client(s) /etc/host file must be correct (really correct, not Red Hat default correct), and DNS must be working for both forward and reverse lookups.
6. Port 50888 TCP should be open, or whatever port you set when building.
7. ImageMagick is required on the client.

Download And Install

http://www.la-samhna.de/samhain/s_download.html

The above page has a full description of where to download the latest version of Samhain, and how to verify the integrity of the package. It is critical that the integrity of the package is checked. If you do not have a good foundation to build on, your house will surely crumble

Server Setup

Yule is the server side component of Samhain.

After you have extracted and checked the package, make sure you are the root user, in the top level directory of the unpacked source files.

We start by creating a user for the service, and generating a gpg key as that user:

adduser yule
su - yule
gpg --gen-key

You will be asked the following questions:

gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: directory `/home/mytest/.gnupg’ created
gpg: new configuration file `/home/yule/.gnupg/gpg.conf’ created
gpg: WARNING: options in `/home/yule/.gnupg/gpg.conf’ are not yet active during this run
gpg: keyring `/home/yule/.gnupg/secring.gpg’ created
gpg: keyring `/home/yule/.gnupg/pubring.gpg’ created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? <– The default is fine, just press ENTER
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096 <– 4096 For the paranoid
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y <– Some may feel 2 years is to long, it’s up to you …
Key expires at Sat 15 Dec 2012 22:24:38 GMT
Is this correct? (y/N) y <– If you are happy and you know it clap your hands
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
“Heinrich Heine (Der Dichter)<heinrichh@duesseldorf.de>”

Real name: yules <– Whatever name you want to use
Email address: yules@you.com <– Some e-mail address
Comment: 20 questions is a fun game
You selected this USER-ID:
“yules (20 questions) <yules@you.com>”

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O <– If you are happy, OK it
You need a Passphrase to protect your secret key.

Enter passphrase: This is a long passphrase ! <– Enter a strong passphrase
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++++++++++++++++++++++.++++++++++.++++++++++.++++++++++..+++++.+++++++++++++++.++++++++++.++++++++++++++++++++++++++++++
++++++++++………………………………………………………………………..+++++

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 284 more bytes)

gpg: /home/yule/.gnupg/trustdb.gpg: trustdb created
gpg: key B7043C9A marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2012-12-15
pub 1024D/B7043C9A 2010-12-16 [expires: 2012-12-15]
Key fingerprint = 421E CFE8 533E 017F 95C8 170A DB54 28E7 B704 3C9A
uid yules (20 questions) <yules@you.com>
sub 4096g/EB230E29 2010-12-16 [expires: 2012-12-15]

Quit this shell, so that we are back to the root user.

exit

So now we have a gpg key, lets get on with building the packages.

The default gpg binary does not support the TIGER192 checksum. As such, we first build a vanilla Samhain binary so that we can get that capability from the Samhain binary.

./configure
make

Right, now we build the real thing …

./configure --with-gpg=/usr/bin/gpg --enable-network=server --with-database=mysql --enable-xml-log --with-port=50888 --enable-identity=yule
make
make install

At this point, the following should come up:

You need to sign the configuration file now
/usr/bin/gpg -a –clearsign yulerc
using –homedir /home/yule/.gnupg
gpg: WARNING: unsafe ownership on homedir `/home/yule/.gnupg’
You need a passphrase to unlock the secret key for
user: “yules (20 questions) <yules@you.com>”
1024-bit DSA key, ID BAFB6B91, created 2010-12-21
Enter passphrase: This is a long passphrase ! <– This is the passphrase we set earlier.

Side note: I am unsure why gpg is complaining about the ownership, as the permissions is just fine.

Now install the initialization script, set up MySQL user / permission and fix some file permissions.

make install-boot
mysql -p < sql_init/samhain.mysql.init
echo "grant select, insert on samhain.log to samhain@localhost IDENTIFIED BY 'samhain';" | mysql -p <-- This will ask for your root MySQL password.
echo "FLUSH PRIVILEGES;" | mysql -p <-- This will ask for your root MySQL password.
chown yule:yule /var/log/yule
chown yule:yule /etc/yulerc
chown yule:yule /var/lib/yule

Set yule to start at boot.

Red Hat

chkconfig --add yule
chkconfig yule on

Debian

update-rc.d yule defaults

Start yule with:

/etc/init.d/yule start

Yule may complain with something like :

<log sev=”WARN” tstamp=”2010-12-21T11:46:42+0000″ msg=”Invalid line 102 in configuration file: incorrect format, unrecognized option, or missing section header” />
<log sev=”WARN” tstamp=”2010-12-21T11:46:42+0000″ msg=”Invalid line 106 in configuration file: incorrect format, unrecognized option, or missing section header” />

However, the service should start fine. These two warnings are due to the [Database] header being commented out. Either uncomment it, or comment said two lines out. They are true by default.

For a list of configuration options with full explanations, see http://la-samhna.de/samhain/manual/compilation-options.html

Apache Configuration

Add the following in:

Red Hat

/etc/httpd/conf.d/samhain.conf

Debian

/etc/apache2/conf.d/samhain.conf

<Directory "/var/log/yule/">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
</Directory>
Alias /yule.html "/var/log/yule/yule.html"

Then reload Apache with:

Red Hat

service httpd restart

Debian

/etc/init.d/apache2 restart

Now visit http://yourserver/yule.hml

Client Setup

Log in on the server you wish to install the Samhain client on and make sure you are the root user. Also make sure you have all the essential build packages installed, refer to the overview for installation of these essential build packages.

First, we need a gpg key for root.

See previous example for detailed steps.

gpg –gen-key

Now we need to pull out the fingerprint for this key, so that we can use it when building the Samhain binary.

MY_FP=`gpg –fingerprint root | grep fingerpr | sed ‘s/ //g’ | awk ‘BEGIN { FS = “=” } ; {print $2}’`

As before, we need TIGER192 checksum capability first.

./configure
make

Now, since we are having a bit of fun, we are going to change the name of the binary and process. Classical security by obscurity. I’m picking the name john, a general purpose password cracker. Pick a name that will not stand out in a process listing and shout out “THIS IS A HIDS PROCESS !!!!11″. Then again, know how much/little a name change actually hides what this binary does before you rely on it to hide you’re HIDS from a l33t haxor.

We further specify that the configuration and data files should be pulled from the server. If you want to take this one step further, look into the following compile options : –enable-khide,–enable-suidcheck and –with-kcheck=/path/to/System.map

Make sure to change IP_OF_YOUR_SERVER to the actual IP address of your Yule server.

./configure –with-gpg=/usr/bin/gpg –enable-network=client –with-config-file=REQ_FROM_SERVER –with-data-file=REQ_FROM_SERVER/var/lib/john/john \
–enable-stealth=129 –enable-install-name=john –enable-srp –with-fp=$MY_FP –with-port=50888 \
–with-logserver=IP_OF_YOUR_SERVER –with-sender=john
make

Make the required directories, copy the binary over (with the correct name) and put the initialization script in place.

mkdir /var/lib/john/
cp init/samhain.startLinux /etc/init.d/john
chmod 744 /etc/init.d/john
cp samhain /usr/local/sbin/john
cp samhain_setpwd /usr/local/sbin/john_setpwd
cp samhain_stealth /usr/local/sbin/john_stealth
cd /usr/local/sbin

Set the password and overwrite the binary.

/usr/local/sbin/john_setpwd john jingle 161718abcd212324
mv john.jingle john

“jingle” Does not matter, it’s just the append and the number is what you want in 16 bit 0-9, A-F (A.K.A HEX). You can use yule -G on the server to generate a random number for you.

The output should look something like:

INFO old password found
INFO replaced: f7c312aaaa12c3f7 by: 161718abcd212324
INFO finished

Change the description in the initialization script.

sed -i ‘s/File Integrity Checking/Password Cracking/’ /etc/init.d/john

Make sure the daemon starts at boot.

Red Hat

chkconfig --add john
chkconfig john on

Debian

update-rc.d john defaults

A Little Work On The Server

The HEX key we just embedded in the client binary, we need it now to tell the server about that client.

/usr/local/sbin/yule -P 161718abcd212324 | sed ‘s/HOSTNAME/CliENT_HOSTNAME_HERE/’ >> /etc/yulerc <– Make sure to put the client host name (FQDN) in.

Edit /etc/yulerc and move the key above the GPG signature.

For example, the last couple of lines of /etc/yulerc mihgt look like this:

# Client=HOSTNAME@00000000@C39F0EEFBC64E4A8BBF72349637CC07577F714B420B62882
# Client=HOSTNAME@8F81BA58956F8F42@8932D08C49CA76BD843C51EDD1D6640510FA032A7A2403E572BBDA2E5C6B753991CF7E091141D20A2499C5CD3E14C1639D17482E14E1548E5246ACF4E7193D524CDDAC9C9D6A9A36C596B4ECC68BEB0C5BB7082224946FC98E3ADE214EA1343E2DA8DF4229D4D8572AD8679228928A787B6E5390D3A713102FFCC9D0B2188C92
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFNEI7oerU1Wrr7a5ERAkWqAJ9sZEuRLp8rPOjXdUokT03bEfjGuwCfa+Tr
pDK7/KmGj3Hx8vRMufxNx7A=
=zI4S
-----END PGP SIGNATURE-----
Client=rhc2.sys.local@F1DF72033799940C@37FC42534A812B2351007A24820537466495F97ED352EFC1D9DCAEACBBF5CB98AEF183057CE6D101151F112693C2DAE361435CED1C95E822272FE287A56B4D38EE91B00830A56AE2F26E4738DF099CAEF3372342BE0ACDB78C12FD176EED1FBA376A0399537F848B6FA9AD4E61E6C771A5566F43D62C1F9836AB976CB1111545

We need to change that to look like this:

# Client=HOSTNAME@00000000@C39F0EEFBC64E4A8BBF72349637CC07577F714B420B62882
# Client=HOSTNAME@8F81BA58956F8F42@8932D08C49CA76BD843C51EDD1D6640510FA032A7A2403E572BBDA2E5C6B753991CF7E091141D20A2499C5CD3E14C1639D17482E14E1548E5246ACF4E7193D524CDDAC9C9D6A9A36C596B4ECC68BEB0C5BB7082224946FC98E3ADE214EA1343E2DA8DF4229D4D8572AD8679228928A787B6E5390D3A713102FFCC9D0B2188C92
Client=rhc2.sys.local@F1DF72033799940C@37FC42534A812B2351007A24820537466495F97ED352EFC1D9DCAEACBBF5CB98AEF183057CE6D101151F112693C2DAE361435CED1C95E822272FE287A56B4D38EE91B00830A56AE2F26E4738DF099CAEF3372342BE0ACDB78C12FD176EED1FBA376A0399537F848B6FA9AD4E61E6C771A5566F43D62C1F9836AB976CB1111545
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFNEI7oerU1Wrr7a5ERAkWqAJ9sZEuRLp8rPOjXdUokT03bEfjGuwCfa+Tr
pDK7/KmGj3Hx8vRMufxNx7A=
=zI4S
-----END PGP SIGNATURE-----

The following steps are always required when you’ve made changes to the configuration files.

Edit /etc/yulerc and remove the first 3 and last 7 lines, this is the GPG/PGP signature.

Example:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
There will be another line here later on.
#####################################################################
#
# Configuration file template for yule.
#
#####################################################################

Lots of Yule configuration removed ...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFNEI7oerU1Wrr7a5ERAkWqAJ9sZEuRLp8rPOjXdUokT03bEfjGuwCfa+Tr
pDK7/KmGj3Hx8vRMufxNx7A=
=zI4S
-----END PGP SIGNATURE-----

Then sign the configuration file again with the user yule and copy the file in place as the root user:

su – yule
gpg -o yulerc.asc -a –clearsign –not-dash-escaped /etc/yulerc <– Type in the passphrase we set earlier.
exit
/bin/mv /home/yule/yulerc.asc /etc/yulerc
service yule reload

A Little More Work On The Client

We will need to create the configuration file and embed it into a postscript file. Make sure you have Imagemagick installed, as you will need convert.

Go and download a good looking picture like http://apod.nasa.gov/apod/image/0903/tycho_chandra_big.jpg. You will want at least a 200K size image, if not larger, to hide the configuration file in it. Also, it is handy to have an original configuration file as backup.

NOTE: The following steps has to be done each time you wish to modify the configuration file of the client.

cd TOPLEVEL_OF_SOURCE_DIR
wget http://apod.nasa.gov/apod/image/0903/tycho_chandra_big.jpg
convert tycho_chandra_big.jpg tycho_chandra_big.ps <– Convert the JPG to a postscript file.
cp samhainrc.linux rc.`hostname` <– Get a default configuration.
gpg -a –clearsign –not-dash-escaped rc.`hostname` <– Clear sign the configuration.
mv rc.`hostname`.asc rc.`hostname` <– Move the signed file to the normal file name for the configuration file.
/usr/local/sbin/john_stealth -s tycho_chandra_big.ps rc.`hostname`<– Steganographically hide the configuration file inside the postscript file.
rm rc.`hostname` tycho_chandra_big.* <– Remove the “clean” files.

Make sure that the resulting postscript file is not very large, or Samhain will fail to download it. I do not have exact numbers, but from experience 66Mb is too large

Now copy the file over to your server:

scp tycho_chandra_big.ps YULE_SERVER:~/rc.`hostname` <– Assuming scp with root. In real life, please do not open ssh for root.

Back to the server:

cp ~/rc.CliENT_FQDN /var/lib/yule/ <– Make sure to fill in the clients FQDN.
chown yule:yule /var/lib/yule/rc.CliENT_FQDN <– Make sure to fill in the clients FQDN.

Back to the client:

/usr/local/sbin/john -t init -p info

This will now build the database in /var/lib/john. Don’t worry about all the output at this stage, we are just getting things up and running now.

After we have a database, we have to sign it and copy it over to the server.

gpg -a –clearsign –not-dash-escaped /var/lib/john/john
scp /var/lib/john/john.asc YULE_SERVER:~/file.`hostname` <– Assuming scp with root. In real life, please do not open ssh for root.
rm /var/lib/john/john*

Back to the server, we move this file to the correct place:

mv ~/file.CliENT_FQDN /var/lib/yule
chown yule:yule /var/lib/yule/*

It is important that all configuration files start with rc and all database files start with file.

Troubleshooting

Trouble, what trouble?

1. Start with tailing the log file on the server : tail -f /var/log/yule/yule_log
2. Change the log level in /etc/yulerc to info or above (always remember to re-sign the configuration file as described).
3. Recompile without some of the options to test.
4. Have a look at this link : http://www.la-samhna.de/samhain/s_documentation.html

Clean Up

Now we don’t want to be leaving breadcrumbs behind us, some clean up is required.

1. Delete all the source files and any tarballs that was downloaded if you built directly on a production server.
2. Delete all entries from your shell history.
3. Remove all the development packages that was installed if you built directly on a production server.
4. Remove /usr/local/sbin/john_stealth and /usr/local/sbin/john_setpwd.

Basically, get rid of any evidence of what you just did.

Tuning

Arguably, this is where the guide should start. Samhain does not understand what is right and what is wrong for this particular server. As such, you need to tune it. The simplest way is to build Samhain without any options what so ever like:

./configure
make
mkdir /var/lib/samhain/

Put the configuration file in /etc/samhainrc, and run

samhain -t init -p info > my_output 2>&1

You can then examine the output file and make the appropriate changes to the Samhain configuration file. The database will be created in /var/lib/samhain. Do not run samhain -t init more than once without deleting the database.

Once you are happy with the configuration, build Samhain in server / client mode.

NOTE: It is however rather important that you profile your server and tune Samhain before it is connected to the Internet.

Honey Pot!

Now for a bit of fun. We really do want intruders to let us know they are on our system. So, we create 2 (or more) files with catchy names and tell Samhain to monitor those files for any changes (that includes access times).

cp /etc/passwd /home/cracked_passwords
cp /etc/hosts /home/customers/credit_cards_2008.xls

Now, in Samhain’s configuration file, there is a section called [IgnoreNone], add these files in that section. You can test this by simply catting those files and then run the check. The output should be something like:

CRIT : [2009-04-27T21:33:11+0100] msg=<POliCY [User1] ——–T->, path=</home/cracked_passwords>, atime_old=<[2009-04-27T20:25:39]>,
atime_new=[2009-04-27T20:32:37]>,

Nagios Integration

I have not tested this yet, this is just on top of my head, so it may well be very wrong.

So now we have alerts for when things go wrong. By default, the standard Nagios plugin pack ships with check_log. Our Nagios check command will look something like:

check_log -F /var/log/yule_log -O /var/log/yule/yule_nagios_diff_log -q "ERROR|CRIT|ALERT"

You will need to modify how to alert on this particular service. By default Nagios will check 3 times before alerting, but with check_log you will never get an alert. The reason is as follows:

1. check 1: The check returns an error, as it spotted your query (lets say CRIT) in the difference from the old stored log file and the current running log file. The check command now updates the old stored log file.
2. check 2: There is no longer a difference between the old stored log file and the current running one, thus the check passes OK.

Either modify Nagios to alert after a single failure, or write a wrapper specifically for this check to create a lock file somewhere. You then check for this lock file and alert if it exists. Both approaches have some down sides. If we alert on a single check, be prepared for false alerts due to packet loss or a shift in the force. If we create a lock file, you will have to manually remove it.

Now that we are monitoring the log file for changes detected, we also need to monitor that the client process is still up and running. Of course, you will also want to monitor that the server process is running all the time.

I am sure someone will come up with a better way of Nagios integration, like I said, this is just thinking out loud.

What It All Means

At the end of the day, the clear text configuration of each machine being monitored, is neither kept on the client nor on the server. The clear text configuration files should be kept on a different machine inside an encrypted partition.

Nagios makes sure we are alerted of anything (via e-mail or SMS) and hopefully, an intruder will bite on the honey so that we can see him, potentially, even quicker.

Further more, you can not access any help files (such as ./samhain –help or man pages) to indicate that there is a HIDS running on the client.

Of course, if you get access to the server, you can see all the clients who logs in. There are further compiler options so that the logs are also encrypted.

Layers

In the voice of Shrek: “Security is like an onion, it has many layers.” Remember that host based intrusion detection is just one more layer in this onion. You also need a good firewall, network intrusion detection, monitoring, centralised logging, log analysis, TCP wrappers, SELinux (or some other mandatory access control mechanism), brute force blockers like fail2ban and much more.

As an example of this, the entire host based intrusion detection is rendered moot if the hacker just kills the process and you are not using monitoring to make sure that the service is running.

Please do not hesitate to contact me with any corrections or improvements or even some constructive criticism.

Incoming search terms:

• /samhain-install sh: error: cannot find signed file yulerc asc (1)
• step by step configuration of samhain in linux (1)
• set up samhianrc to use port 50888 (1)
• samhain windows client (1)
• samhain trusted userid (1)
• samhain logs to yule server (1)
• samhain cpanel (1)
• samhain configuration (1)
• samhain and mysql setup (1)
• red hat samhain (1)

Traditionally, information security has been primarily defensive. Firewalls, Intrusion Detection Systems, encryption; all of these mechanisms are used defensively to protect one’s resources. The strategy is to defend one’s organization as best as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is it [is] purely defensive, the enemy has the initiative. In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attacker.

This tutorial shows how you can compile and install honeyd 1.5c on CentOS 5.5 server. I do not issue any guarantee that this will work for you!

Preliminary Note

In this tutorial I will use the following hosts:

* Host Server : 192.168.245.128
* Virtual Honeypot 1 : 192.168.245.200
* Virtual Honeypot 2 : 192.168.245.201

Here’s a little diagram that shows our setup:

Host IP=192.168.245.128

192.168.245.200 192.168.245.201
——-+————+——–
|                 |
+–+–+         +–+–+
| hp1  |         | hp2   |
+—–+          +—–+
Virtual            Virtual
Honeypot1     Honeypot2

Preparation

You need to remove libdnet and libevent packages otherwise you wont be able to compile honeyd.(See note)

yum remove libevent libevent-devel libdnet libdnet-devel
yum install autoconf gcc python-devel

Note: Don’t use latest version of libevent and libdnet because of some inconsistency in honeyd

Download required packages

You need to download few packages before installing honeyd.

cd /tmp
wget http://monkey.org/~provos/libevent-1.3a.tar.gz
wget http://space.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
wget http://www.citi.umich.edu/u/provos/honeyd/arpd-0.2.tar.gz

Important Note: Don’t download latest version of libevent and libdnet because of some inconsistency in honeyd.

Install required packages

cd /tmp
tar -xvf libevent-1.3a.tar.gz
cd libevent-1.3a
./configure
make
make install

cd /tmp
tar -xvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure
make
make install

Download Arpd updated packages

For arpd-0.2 to compile under gcc 4.0.0 the file arpd.c must be modified. Replace it with the one from the Iran Honeynet Project web site , then compile and install.

cd /tmp
tar -xvf arpd-0.2.tar.gz
cd arpd
wget http://www.honeynet.ir/software/honeyd/arpd.c
./configure
make
make install

Run arpd

Arpd is a daemon that listens to ARP requests and answers for IP addresses that are unallocated. Using Arpd in conjunction with Honeyd, it is possible to populate the unallocated address space in a production network with virtual honeypots.

/usr/local/sbin/arpd ’192.168.245.200-192.168.245.201′

Install Honeyd 1.5c

cd /tmp
wget http://www.honeyd.org/uploads/honeyd-1.5c.tar.gz
tar -xvf honeyd-1.5c.tar.gz
cd honeyd-1.5c
./configure
make
make install

Configure Honeyd

cd /usr/local/share/honeyd
cp -v config.ethernet honeyd.conf
vi honeyd.conf

Some configurations that outline features available in Honeyd.org Web Site.

This is sample configuration:

create default
set default default tcp  action block
set default default udp  action block
set default default icmp action block
create honeypot-template
set honeypot-template  ethernet "00:22:FA:cc:dd:ee"
set honeypot-template  personality "Microsoft Windows XP SP2"
set honeypot-template  uptime 1234567
set honeypot-template  default tcp  action reset
set honeypot-template  default udp  action reset
set honeypot-template  default icmp action open
add honeypot-template  tcp port 135  open
add honeypot-template  tcp port 139  open
add honeypot-template  tcp port 445  open
add honeypot-template  tcp port 3389 block
add honeypot-template  tcp port 53 proxy 8.8.8.8:53
bind 192.168.245.200 honeypot-template
bind 192.168.245.201 honeypot-template

Important Note: The IP Addresses should be in the same network segment with the hosting machine, or you should modify the routing table of your router to allow the packets destined to those IP Addresses to reach your honeyd hosting computer.

Configure Linux firewall

Modify the rules of your firewall to accept packets for the IP Addresses defined in the honeyd’s configuration file. You should have something like this:

$IPTABLES -A INPUT -d 192.168.245.200 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.245.201 -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Run Honeyd

/usr/local/bin/honeyd -d -f /usr/local/share/honeyd/honeyd.conf -p /usr/local/share/honeyd/nmap.prints -x /usr/local/share/honeyd/xprobe2.conf -a /usr/local/share/honeyd/nmap.assoc --disable-webserver '192.168.245.200-192.168.245.201'

Test Honeyd

Run this test only from an IP Addresses outside host machine.

nmap -T4 -A -v 192.168.245.200

Links

Iran Honeynet Project: http://www.honeynet.ir/
The Honeynet Project: http://www.honeynet.org
Honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing)
Honeyd Virtual Honeypot: http://honeyd.org/
CentOS: http://www.centos.org/

Incoming search terms:

• add a honeypot to cpanel server (1)
• arp d download (1)
• http ; THE GIOI 4x wen n (1)