基于主机的入侵检测 - Samhain
概述
本文将详细介绍如何安装基于主机的入侵检测系统Samhain。 有关Samhain的更多信息,请参阅http://www.la-samhna.de/samhain/
关于什么是基于主机的入侵检测,或者为什么要使用它,我不会赘述,因为有大量已经涵盖这些主题的文章。 这篇文章只是为了告诉你如何让Samhain在一个客户端/服务器配置中运行,并配有几个钟声和哨声。
我强烈建议您在开始之前阅读整本指南,最有帮助。
客户端和服务器之间有很多交换,因为我尽力混淆你,所以保持尖锐!
先决条件
您将需要安装所需的所有构建工具,因为我们将要编译Samhain。 这是一个快速的复习:
红帽
yum groupinstall "Development Tools"
Debian
apt-get install build-essential
注意:请记住,生产服务器上的开发工具可能不是最好的想法。 这些包可能会进一步协助wannebe黑客,填满宝贵的兆字节或吃你的猫。 建议在构建服务器上构建所需的包,测试它们,创建rpm / deb包,然后在生产环境中部署所述包。
以下是一个简短的检查清单:
- 您需要在服务器上运行MySQL和Apache。 本指南将采用香草MySQL和Apache配置。 我留给读者找出如何安装和配置这些服务在你最喜欢的分发。 (提示: http : //www.youcl.com/howtos/web-server/apache和https://www.youcl.com/howtos/mysql )
- 您将需要为服务器端安装的MySQL开发包(generaly
mysql-devel)。 - MySQL必须设置root密码。 如果MySQL根密码未设置,请先执行此操作。 当你在MySQL时,你可能想看看这个:
/ usr / bin / mysql_secure_installation - 服务器和客户端的主机名必须是完全限定的。
- 服务器和客户端
/ etc / host文件必须正确(真正正确,不是Red Hat默认正确),而DNS必须正向和反向查找。 - 端口50888 TCP应该打开,或建立时设置的任何端口。
- ImageMagick是客户端所必需的。
下载并安装
http://www.la-samhna.de/samhain/s_download.html以上页面有关于何处下载最新版本的Samhain以及如何验证软件包完整性的完整说明。 检查包装的完整性至关重要 。 如果你没有一个很好的基础,你的房子肯定会崩溃:-)
服务器设置
Yule是Samhain的服务器端组件。
解压缩并检查软件包后,请确保您是root用户,位于未打包的源文件的顶级目录中。
我们首先为该服务创建一个用户,并为该用户生成一个gpg键:
adduser yule
su - yule
gpg --gen-key
您将被问到以下问题:
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: directory `/home/mytest/.gnupg' created
gpg: new configuration file `/home/yule/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/yule/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/yule/.gnupg/secring.gpg' created
gpg: keyring `/home/yule/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? <-- The default is fine, just press ENTER
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096 <-- 4096 For the paranoid
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y <-- Some may feel 2 years is to long, it's up to you ...
Key expires at Sat 15 Dec 2012 22:24:38 GMT
Is this correct? (y/N) y <-- If you are happy and you know it clap your hands
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter)<heinrichh@duesseldorf.de>"
Real name: yules <-- Whatever name you want to use
Email address: yules@you.com <-- Some e-mail address
Comment: 20 questions is a fun game
You selected this USER-ID:
"yules (20 questions) <yules@you.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O <-- If you are happy, OK it
You need a Passphrase to protect your secret key.
Enter passphrase: This is a long passphrase ! <-- Enter a strong passphrase
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++++++++++++++++++++++.++++++++++.++++++++++.++++++++++..+++++.+++++++++++++++.++++++++++.++++++++++++++++++++++++++++++
++++++++++...................................................................................+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 284 more bytes)
Fed up waiting for this ? Click here :https://www.youcl.com/info/5573
gpg: /home/yule/.gnupg/trustdb.gpg: trustdb created
gpg: key B7043C9A marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2012-12-15
pub 1024D/B7043C9A 2010-12-16 [expires: 2012-12-15]
Key fingerprint = 421E CFE8 533E 017F 95C8 170A DB54 28E7 B704 3C9A
uid yules (20 questions) <yules@you.com>
sub 4096g/EB230E29 2010-12-16 [expires: 2012-12-15]
退出这个shell,让我们回到root用户。
exit
所以现在我们有一个gpg的关键,让我们来构建软件包。
默认的gpg二进制文件不支持TIGER192校验和。 因此,我们首先构建一个香草Samhain二进制文件,以便我们可以从Samhain二进制文件获得该功能。
./configure
make
对,现在我们建立真正的东西...
./configure --with-gpg=/usr/bin/gpg --enable-network=server --with-database=mysql --enable-xml-log --with-port=50888 --enable-identity=yule
make
make install
在这一点上,应该提出以下几点:
You need to sign the configuration file now
/usr/bin/gpg -a --clearsign yulerc
using --homedir /home/yule/.gnupg
gpg: WARNING: unsafe ownership on homedir `/home/yule/.gnupg'
You need a passphrase to unlock the secret key for
user: "yules (20 questions) <yules@you.com>"
1024-bit DSA key, ID BAFB6B91, created 2010-12-21
Enter passphrase: This is a long passphrase ! <-- This is the passphrase we set earlier.
旁注:我不知道为什么gpg抱怨所有权,因为权限是正确的。
现在安装初始化脚本,设置MySQL用户/权限并修复一些文件权限。
make install-boot
mysql -p < sql_init/samhain.mysql.init
echo "grant select, insert on samhain.log to samhain@localhost IDENTIFIED BY 'samhain';" | mysql -p <-- This will ask for your root MySQL password.
echo "FLUSH PRIVILEGES;" | mysql -p <-- This will ask for your root MySQL password.
chown yule:yule /var/log/yule
chown yule:yule /etc/yulerc
chown yule:yule /var/lib/yule
设置yule开始启动。
红帽
chkconfig --add yule
chkconfig yule on
Debian
update-rc.d yule defaults
启动yule与:
/etc/init.d/yule start
尤尔可能会抱怨:
<log sev="WARN" tstamp="2010-12-21T11:46:42+0000" msg="Invalid line 102 in configuration file: incorrect format, unrecognized option, or missing section header" />
<log sev="WARN" tstamp="2010-12-21T11:46:42+0000" msg="Invalid line 106 in configuration file: incorrect format, unrecognized option, or missing section header" />
但是,服务应该开始罚款。 这两个警告是由于[Database]标题被注释掉。 要么取消注释,要么评论说两行。 默认情况下它们是真的。
有关完整说明的配置选项列表,请参阅http://la-samhna.de/samhain/manual/compilation-options.html
Apache配置
添加以下内容:
红帽
/etc/httpd/conf.d/samhain.conf
Debian
/etc/apache2/conf.d/samhain.conf
<Directory "/var/log/yule/"> Options ExecCGI AllowOverride None Order allow,deny Allow from all </Directory> Alias /yule.html "/var/log/yule/yule.html"
然后重新加载Apache:
红帽
service httpd restart
Debian
/etc/init.d/apache2 restart
现在访问http://yourserver/yule.hml
