Intrusion detection with OpenBSD 3.2

Problem
I want an intrusion detection system for free.

Solution
This is assuming you're starting from a fresh install of OpenBSD and that it is configured to connect and communicate on the internet.

Install Ports

    Ports from CVS

    Ports are specially packaged software editions for OpenBSD. They are maintained especially for OpenBSD and available from most OpenBSD regional mirrors.

       #:/> cd /usr
       #:/> setenv CVSROOT anoncvs@anoncvs.usa.openbsd.org:/cvs
       #:/> cvs -d $CVSROOT -q get -rOPENBSD_3_2 -P ports

    If this is your first time to connect to anoncvs.usa.openbsd.org, it will ask if you want to save a key.
    Say yes. Then go get something to drink because it will take a while to download everything.

    Ports from CD

    Alternatively, you can use ports.tar.gz from the OpenBSD CD (if you have it).

       #:/> mount /dev/cd0a /mnt
       #:/> cd /mnt/3.2
       #:/> cp ports.tar.gz /usr
       #:/> cd /usr
       #:/> tar -xzf ports.tar.gz

    The location of ports.tar.gz on the CD will depend on whether you made the CD yourself or you purchased one from openbsd.org as you should have.

    Ports from FTP

       #:/> cd /usr
       #:/> lynx ftp://ftp.openbsd.org/pub/OpenBSD/3.2/ports.tar.gz
       #:/> tar -xzf ports.tar.gz

    lynx will ask you some questions. The sequence of answers is 'D' for download, '[enter]' to save to disk, '[enter]' again to accept the default filename, 'q' to quit, and 'y' to say you really want to quit.

Compile and Install Snort 1.8.6

By now, ports should be done downloading or untarring. Next you need to compile and install Snort, which will involve both downloading and compiling, so figure out what you're going to do for a little while longer.

   #:/> cd /usr/ports/net/snort
   #:/> env FLAVOR="mysql flexresp" make install

The mysql flavor also downloads and installs MySQL if it isn't installed already, and builds in support for Snort to record alerts to MySQL. Do not run make clean on the snort port, because that would delete the database schema file you will need to import into MySQL later so that Snort can log to MySQL for ACID.

Install PHP

If you want to use ACID to view alerts from Snort, you'll need to install PHP. Ports has PHP too. It will take longer to download, compile, and install than Snort. If you are experienced with using the FLAVOR environment variable, you can alter the PHP install to cut install time.

   #:/> cd /usr/ports/www/php4
   #:/> make
   #:/> cd core
   #:/> make install
   #:/> cd ../extensions
   #:/> make install
   #:/> cd ../pear
   #:/> make install
   #:/> cd ..
   #:/> make clean

You will probably get an error, but don't worry; we will work around it if you did.

   #:/> /usr/local/sbin/phpxs -s
   #:/> cp /usr/local/share/doc/php4/php.ini-recommended /var/www/conf/php.ini

You will probably need some PHP extensions too:

   #:/> cd /usr/ports/packages/i386/www
   #:/> pkg_add php4-mysql*
   #:/> /usr/local/sbin/phpxs -a mysql
   #:/> pkg_add php4-gd*
   #:/> /usr/local/sbin/phpxs -a gd

You can install and activate other extensions while you're in there if you want.

Install a text editor: Nano

If you are familiar with an editor installed by default in OpenBSD, such as vi, you can skip this step. This is merely to install an editor that will be easier to use for someone unfamiliar with vi.

vi is a commonly used editor in OpenBSD. If you want to learn how to use it quickly, there are plenty of hits on google if you search for "vi tutorial". Otherwise, nano is a simple editor found in ports with a much lower learning curve. You will need an editor of some kind, because you must edit the Apache configuration file to get PHP to work, and later the Snort configuration files.

   #:/> cd /usr/ports/editors/nano
   #:/> make install clean

Now you can restart if you want so you can use nano without typing the full pathname to the binary. Otherwise the rest of this tutorial will use the full pathname to refer to the nano binary.

Configure PHP

There are a few remaining things to do to get PHP to work in Apache.

   #:/> /usr/local/bin/nano /var/www/conf/httpd.conf

Use the CTRL+W function to find "index.html". Add index.php and index.php3 to the DirectoryIndex line to make it look like:

#
# DirectoryIndex: Name of the file or files to use as a pre-written HTML
# directory index. Separate multiple entries with spaces.
#
DirectoryIndex index.php index.html index.php3

Then use the CTRL+W function to find "x-httpd-php3". You'll need to uncomment the two lines it finds and alter them. They should look like:

# For example, the PHP3 module (not part of the Apache distribution)
# will typically use:
#
AddType application/x-httpd-php .php .php3 .phtml
AddType application/x-httpd-php-source .phps

If you can't find those lines in your httpd.conf file, that means you have a newer version of Apache for some reason. Just add the lines as you see them above. If there are other file extensions you want to be parsed by the PHP engine, you can add them to the first AddType line too. Some people add .html to obscure the engine running their website. This can be inefficient if you also have many regular HTML files that do not contain PHP, since PHP will have to examine every one of them anyway.

Save your httpd.conf with CTRL+X and follow the prompts.

Now it might be nice to test your PHP installation. I delete all the default Apache documents in the web root directory. You can skip that if you want.

   #:/> cd /var/www/htdocs
   #:/> rm -fr *
   #:/> /usr/local/bin/nano phpversion.php

You're creating a file named phpversion.php. In it, you want to put:

<?php
echo phpversion();
?>

Save it and test it:

   #:/> apachectl start
   #:/> lynx localhost/phpversion.php

If you see a page that has "4.2.3", all went well. If you see phpversion(); then you messed up somewhere. Go back and make sure you did everything. This won't prevent you from installing Snort, but it will definitely keep ACID from working.

Start Apache on boot

   #:/> cd /etc
   #:/> /usr/local/bin/nano rc.conf

Change httpd_flags from NO to YES. Be careful about the comment at the end of the line spilling over to the next line. That is bad. If it does, either get it all on one line again or delete something.

Finishing MySQL Install

For php/mysql applications, php will fail to find the mysql socket in /var/run/mysql. This is because starting in OpenBSD 3.2, Apache is installed in a chroot, which means it can only see files in /var/www. The workaround is to create /var/www/var/run/mysql (owned by mysql) and start the mysql server using a socket located in /var/www/var/run/mysql/mysql.sock instead of the default location at /var/run/mysql/mysql.sock.

   #:/> mkdir /var/www/var
   #:/> mkdir /var/www/var/run
   #:/> mkdir /var/www/var/run/mysql
   #:/> chown mysql /var/www/var/run/mysql

Check /etc/rc.conf to make sure that the following line is at the bottom:

local_rcconf="/etc/rc.conf.local"

   #:/> /usr/local/bin/nano /etc/rc.conf

The line should be there, but if for some reason it isn't, add it.

/etc/rc.conf.local probably does not exist yet. Whether it does or not, exit nano and do the following:

   #:/> echo "mysql=YES" >> /etc/rc.conf.local

Using echo is just shorthand so you don't have to use an editor to edit a file. If the file doesn't exist, it will be created. If it does exist, mysql=YES will be appended to it. You can use cat to verify the contents of /etc/rc.conf.local. cat is a tool that can be used to output a file right to the screen.

   #:/> cat /etc/rc.conf.local

MySQL isn't done installing. Go back to ports.

   #:/> cd /usr/ports/databases/p5-DBD-Msql-Mysql
   #:/> make install
   #:/> cd /usr/ports/packages/i386/databases
   #:/> pkg_add mysql-server*

Now might be a good time to change the default root password to your MySQL server:

   #:/> /usr/local/bin/mysqladmin -u root -p password 'new-password'
   #:/> /usr/local/bin/mysqladmin -u root -h hostname -p password 'new-password'

That is an exact copy from what pkg_add should tell you. If it's a single user machine and you properly deny outside connections to MySQL, you might be fine leaving the root password blank. Later in this tutorial, we will remove the IP address from your network device(s), so it shouldn't be possible to make a connection from anywhere other than localhost.

Next you need to move the configuration file for MySQL to /etc. In /usr/local/share/mysql look at the files my-small.cnf, my-medium.cnf, my-large.cnf, and my-huge.cnf. my-medium.cnf is good for most server configurations.

   #:/> cd /usr/local/share/mysql
   #:/> cp my-medium.cnf /etc/my.cnf
   #:/> /usr/local/bin/nano /etc/my.cnf

In /etc/my.cnf, change the socket variable to equal what we said earlier. You will have to change it in two places:

socket = /var/www/var/run/mysql/mysql.sock

Save /etc/my.cnf. We're almost done with MySQL.

Edit /etc/rc.conf and change the line shlib_dirs=   # extra directories for ldconfig at the bottom of the file to read like this:

shlib_dirs="/usr/local/lib/mysql"

Or, if you have multiple directories, separate them with spaces (rc.conf is a shell variable assignment, so brace expansion does not apply here):

shlib_dirs="/usr/local/lib/mysql /usr/local/lib/libmcrypt"

The following lines create the socket directory and add execute permissions to the script that starts MySQL.

   #:/> mkdir /var/run/mysql
   #:/> chmod 755 /usr/local/share/mysql/mysql.server

If /var/run/mysql exists already, that's good. If it doesn't exist it'll be created. Either way, it should be there. Add this to the bottom of /etc/rc.local:

if [ X"${mysql}" = X"YES" -a -x /usr/local/bin/safe_mysqld ]; then
    echo -n " mysqld"; /usr/local/share/mysql/mysql.server start
    # give mysqld a moment to create its socket inside the Apache chroot
    /bin/sleep 2
    # expose that socket at the default path for clients outside the chroot
    /bin/ln -s /var/www/var/run/mysql/mysql.sock /var/run/mysql/mysql.sock
fi

This will start MySQL when you boot your server. The symlink is what lets clients that run outside the Apache chroot, such as the mysql command line and Snort itself, still find the socket at the default /var/run/mysql/mysql.sock path. Now might be a good time to reboot if you're curious to see if everything will crash and burn. If you don't want to reboot, you can do this:

   #:/> /usr/local/share/mysql/mysql.server start
   #:/> /usr/local/bin/mysql -u root -p

The second line will try to connect to MySQL. You can either connect or you can't. A connection is good. The password is blank if you did not set it before. Type exit to get out of mysql. When you reboot, you should see mysqld in the local daemons list just before logon.

Configuring Snort

There are a lot of rules files in /usr/local/share/examples/snort. We should put them in a different directory.

   #:/> cd /usr/local/share/examples/snort
   #:/> mkdir /etc/snort
   #:/> cp * /etc/snort

Then go to /etc/snort and edit snort.conf. To log to MySQL for ACID, you will need to find the database section, uncomment the line for MySQL, and change the connection details. I'm not going to step you through this, just to make sure you read the whole configuration file.

If you want to add a MySQL user and database for Snort, do this:

   #:/> mysqladmin create snort
   #:/> mysql -u root -p

At the mysql prompt, type

   mysql> grant all on snort.* to snort@localhost identified by 'snort';
   mysql> exit

The string in quotes ('snort') will be the password. snort.* means all tables in the snort database. snort@localhost means the snort user can only connect from localhost.

Now add a system group and user for snort, plus a log directory that the snort user owns:

   #:/> groupadd snort
   #:/> adduser -batch snort snort -shell /bin/nologin -home /home
   #:/> mkdir /var/log/snort
   #:/> chown snort /var/log/snort

We will start Snort a lot like we started MySQL:

   #:/> echo "snort=YES" >> /etc/rc.conf.local
   #:/> /usr/local/bin/nano /etc/rc.local

Add this to the bottom of your rc.local:

if [ X"${snort}" = X"YES" -a -x /usr/local/bin/snort ]; then
    # -D daemonize, -d dump application layer, -u/-g drop to the snort user and group
    echo -n " snort"; /usr/local/bin/snort -D -d -c /etc/snort/snort.conf -u snort -g snort
fi

Then we can import the Snort database information into MySQL:

   #:/> mysql -u snort -p snort < /usr/ports/net/snort/w-snort-1.8.6/snort-1.8.6/contrib/create_mysql

Install ADODB database abstraction

   #:/> mkdir /var/www/htdocs/acid
   #:/> cd /var/www/htdocs/acid
   #:/> lynx http://php.weblogs.com/ADODB
   [ download file here and exit lynx ]
   #:/> tar -xzf adodb*.tgz

Install PHPlot graphing scripts

   #:/> cd /var/www/htdocs/acid
   #:/> lynx http://www.phplot.com
   [ download file here and exit lynx ]
   #:/> tar -xzf phplot-*.tar.gz
   #:/> lynx http://www.aditus.nu/jpgraph/jpdownload.php
   [ download file here and exit lynx ]
   #:/> tar -xzf jpgraph-*.tar.gz

Install ACID

   #:/> mkdir /var/www/htdocs/acid
   #:/> cd /var/www/htdocs/acid
   #:/> lynx http://www.cert.org/kb/acid/
   [ download file here and exit lynx ]
   #:/> tar -xzf acid*.tgz
   #:/> cd acid

Configuring the packet filter

This section is completely optional. It is here for people who are running Snort on a machine that has an IP assigned to the network device. For improved security, you should not have an IP assigned to your intrusion detection system in case a remote vulnerability is found for OpenBSD.

It would not be good to have MySQL available to the world. You should use Packet Filter (PF) in OpenBSD to firewall port 3306 and drop all outside connections to MySQL.
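As an added example (not part of the original tutorial), here is an /etc/pf.conf fragment that does exactly that; the interface name fxp0 is an assumption, so change it to the interface that carries your IP address:

```pf
# /etc/pf.conf fragment (added example, not from the original tutorial)
# Assumption: fxp0 is the only interface with an IP address assigned.
ext_if = "fxp0"
mysql_port = "3306"

# Loopback traffic is always allowed; PHP (via the chroot socket) and
# Snort (via the /var/run/mysql symlink) never need TCP to reach MySQL.
pass in quick on lo0 all
pass out quick on lo0 all

# Drop, and log, every outside attempt to reach the MySQL port.
block in log quick on $ext_if proto tcp from any to any port $mysql_port
```

Enable PF by setting pf=YES in /etc/rc.conf and load the rules with pfctl -e -f /etc/pf.conf; blocked attempts then show up on the pflog0 interface. Since both PHP and Snort talk to MySQL over the Unix socket, you can also uncomment skip-networking in /etc/my.cnf so mysqld never listens on TCP at all.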

Additional Notes

  • Starting in OpenBSD 3.2, Apache is in a strict chroot, which means it can't see the rest of the OpenBSD filesystem, just what's in the /var/www directory. When you're installing OpenBSD, you might consider giving more filesystem space to /var than you would normally have given in the past.
  • Move the mysql database to /snort/mysql: chown and chgrp it to mysql, and modify datadir in /usr/local/share/mysql/mysql.server to point to /snort/mysql. You also have to copy /var/mysql to /snort/mysql.
