Posted on 2006-09-06 00:04
笨蛋啊帆 阅读(327)
评论(0) 编辑 收藏
2006-03-23
by linghood
一、运行环境
1.平台:
Fedora Core 4 (IP Address: 192.168.1.101)
2.所需软件:
报警+数据库:
snort-2.4.0.tar.gz
snortrules-pr-2.4.tar.gz (snortrules for v2.4 unregistered user release)
mysql-standard-4.1.13-pc-linux-gnu-i686.tar.gz
create_mysql(script)
客户端显示:
apache_1.3.29.tar.gz
mod_ssl-2.8.16-1.3.29.tar.gz
php-4.4.0.tar.gz
acid-0.9.6b23.tar.gz
adodb465.tgz
jpgraph-1.19.tar.gz
辅助管理工具:
webmin-1.220-1.noarch.rpm
Net_SSLeay.pm-1.21.tar.gz
snort-1.0.wbm(snort's webmin plugin)
3.软件下载地址
snort-2.4.0.tar.gz(http://www.snort.org)
snortrules-pr-2.4.tar.gz(http://www.snort.org)
mysql-standard-4.1.13-pc-linux-gnu-i686.tar.gz(http://www.mysql.com)
create_mysql script(http://cvs.sourceforge.net/viewcvs.py/snort/snort/contrib/)
apache_1.3.29.tar.gz(http://www.apache.org)
mod_ssl-2.8.16-1.3.29.tar.gz(http://www.modssl.org)
php-4.4.0.tar.gz(http://www.php.net)
acid-0.9.6b23.tar.gz(http://acidlab.sourceforge.net)
adodb465.tgz(http://adodb.sourceforge.net/)
jpgraph-1.19.tar.gz(http://www.aditus.nu/jpgraph/index.php)
webmin-1.220-1.noarch.rpm(http://www.webmin.com/)
Net_SSLeay.pm-1.21.tar.gz(http://symlabs.com/Net_SSLeay/)
snort-1.0.wbm (http://www.snort.org/dl/contrib/front_ends/webmin_plugin/)
二、安装
1.准备
ssh root登录FC4,将上述所需文件拷贝至/home
2.安装mysql
# groupadd mysql
# useradd -g mysql mysql
# cd /home
# tar -vxzf mysql-standard-4.1.14-pc-linux-gnu-i686.tar.gz
# mv mysql-standard-4.1.14-pc-linux-gnu-i686 /usr/local/mysql
# cd /usr/local/mysql
# chown -R root .
# chown -R mysql data
# chgrp -R mysql .
# scripts/mysql_install_db --user=mysql
# /usr/local/mysql/support-files/mysql.server start
3.创建snort数据库
# /usr/local/mysql/bin/mysql
mysql>;
mysql>;set password for 'root'@'localhost'=password('linghood');
mysql>;create database snort;
# /usr/local/mysql/bin/mysql -u root -p
mysql>;connect snort;
mysql>;source /home/create_mysql; //指定create_mysql脚本的路径
mysql>;grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
mysql>;grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql>;connect mysql;
mysql>;set password for 'snort'@'localhost'=password('linghoodids');
mysql>;set password for 'snort'@'%'=password('linghoodids');
mysql>;flush privileges;
4.安装并启动snort
# cd/home
# tar -vxzf snort-2.4.0.tar.gz
# mv snort-2.4.0 /usr/local/snort
# cd /usr/local/snort
# ./configure --with-mysql=/usr/local/mysql
# make
# make install
# mkdir /var/snort
# mkdir /var/log/snort
# mkdir /etc/snort(存放rules)
# cd /home
# tar -vxzf snortrules-pr-2.4.tar.gz
# mv rules /etc/snort
# mv doc /etc/snort
修改/etc/snort/rules/snort.conf:
(1)将var RULE_PATH ../rules一行注释掉
(2)增加output database: log, mysql, user=snort password=linghoodids dbname=snort host=localhost
(3)修改include部分
include $RULE_PATH/bad-traffic.rules ->; include bad-traffic.rules
(and so on...)
启动snort(example):
# snort -d -D -c /etc/snort/rules/snort.conf
5.安装apache+mod_ssl
# cd /home
# tar -vxzf apache_1.3.29.tar.gz
# tar -vxzf mod_ssl-2.8.16-1.3.29.tar.gz
# cd mod_ssl-2.8.16-1.3.29
# ./configure --with-apache=../apache_1.3.29
# cd ../apache_1.3.29
# SSL_BASE=SYSTEM \
./configure \
--prefix=/usr/local/apache \
--enable-module=ssl \
--enable-module=so \
--enable-module=rewrite
# make
# make certificate
# make install
6.安装PHP
# cd /home
# tar -vxzf php-4.4.0.tar.gz
# cd php-4.4.0
# CFLAGS="-DEAPI -fPIC" \
./configure \
--prefix=/usr/local/php \
--with-mysql=/usr/local/mysql \
--with-apxs=/usr/local/apache/bin/apxs \
--with-gd
--with-zlib
--enable-sockets
# make
# make install
注:mod_ssl uses Apache's EAPI, so you need compile PHP with -DEAPI.
7.安装acid+adodb+jpgraph
解压acid-0.9.6b23.tar.gz,adodb465.tgz,gd-2.0.33.tar.gz,jpgraph-1.19.tar.gz
并拷贝到/var/www/html(去掉目录名中的版本号)
# vi /var/www/html/acid/acid_conf.php
修改以下内容:
$DBlib_path="../adodb";
$alert_dbname="snort";
$alert_user="snort";
$alert_password="linghoodids";
$Chartlib_path="../jpgraph/src";
8.修改selinux配置及apache配置
# vi /etc/selinux/config
SELINUX=disabled
(否则会导致libphp4.so segment fault)
# vi /usr/local/apache/conf/httpd.conf
ServerName 192.168.1.101
DocumentRoot "/var/www/html"
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
##
## SSL Virtual Host Context
##
# General setup for the virtual host
DocumentRoot "/var/www/html"
ServerName 192.168.1.101
注:不要忘记配置firewall允许https.
9.配置自启动并重启计算机
# vi /etc/rc.d/rc.local
#start mysqld
/usr/local/mysql/support-files/mysql.server start
#start httpd
/usr/local/apache/bin/apachectl startssl
#start snort
/usr/local/bin/snort -d -D -c /etc/snort/rules/snort.conf
# reboot
10.测试连接acid和初始化
https://192.168.1.101/acid or http://192.168.1.101/acid
Click "Setup page" to "Create ACID AG"
到现在为止,Snort+mysql+Apache(with mod_ssl)+php+ACID已经可以正常工作了。
11.辅助管理工具(图形界面管理snort):
(1) 安装Net_SSL(Redhat9 is broken)
# cd /home
# tar -vxzf Net_SSLeay.pm-1.21.tar.gz
# cd Net_SSLeay.pm-1.21
# ./Makefile.PL
# make install
(2)安装webmin
# cd /home
# rpm -ivh webmin-1.220-1.noarch.rpm
(3)测试连接,并安装snort module
https://127.0.0.1:10000,使用root+密码登录
Webmin Configuration ->; SSL Encryption ->; 生成新的SSL key
Webmin Configuration ->; Webmin Modules ->; 安装snort-1.0.wbm
Servers ->; Snort IDS Admin ->; 进行配置:
Full path to snort executable ->;
/usr/local/bin/snort -d -D -c /etc/snort/rules/snort.conf
Full path to snort configuration file ->;
/etc/snort/rules/snort.conf
Full path to snort rule files directory ->;
/etc/snort/rules
Full path to snort PID file ->;
/var/run/snort_eth0.pid
(4)save之后就可以打开snort的配置界面。
12.限定apache只允许https连接
修改/usr/local/apache/conf/httpd.conf如下
;
#Listen 80
Listen 443
;
13.给Apache加简单的访问控制
(1)创建一个授权用户并设置密码
# /usr/local/apache/bin/htpasswd -c /usr/local/apache/conf/auth.users linghood
New password: ******
Re-type new password: ******
Adding password for user linghood
(2)修改/usr/local/apache/conf/httpd.conf文件如下
;
# Options FollowSymLinks
# AllowOverride None
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user
;
;
# Options Indexes FollowSymLinks MultiViews
# AllowOverride None
# Order allow,deny
# Allow from all
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user
;