SECURETEK Manual
Setting up of SecureTek project
David Sutherland, Jason Mah, Chau Pham
4/8/2011

Table of Contents
Client Set up
  To download ActiveWebcam
  To install ActiveWebcam
  To run ActiveWebcam
  Setting Default Options
    Setting General Options
    Setting up Camera defaults
    Setting up Cameras
    Viewing Cameras on a web browser
    Setting up Motion Detection
Camera Positions
Server Setup
  Network setup
Sendmail Setup
  Webmin installation
  Easy Configuration
  Sending mail
Manual Honeyd
  Download and Install honeyd
  Download and install binaries
  Turn off ip forwarding
  Allow honeyd to run
Edit the honeyd configuration file
Setup routes
  Testing honeyd
  Optional

Client Set up
We used the program ActiveWebcam and tested it on Windows XP. Other Windows operating systems may work, but we cannot verify their compatibility with the program. Windows XP needs very little user input for the first part of the install. As this guide is aimed at the security setup, it does not go into how to install XP.
*Note: All steps below assume that XP has been installed and is running.

To download ActiveWebcam
1. Open your Internet browser.
2. Navigate to http://www.pysoft.com
3. In the top navigation bar there is a "Downloads" link; click it.
4. Active WebCam is the first download link. To download it, click the "click to download" link.
*Note: By default the program will be saved to your Desktop.

To install ActiveWebcam
1. Double-click on the ActiveWebcam icon; it will be named "AWC-PYS.exe".
2. The installation window will pop up and ask where you want to install. The default is "C:\Program Files\Active WebCam".
3. When you are satisfied with the location, select Install to finish.

To run ActiveWebcam
1. Once installed, you can run the program from Start -> All Programs -> Active WebCam.

Setting Default Options
1. Once the program is open, it will ask you to search for or add cameras. You can safely cancel this for now.
2. Go to Settings -> Program Settings.

Setting General Options
1. If you want the program to start automatically when Windows boots, check "Start on Windows Start up".

Setting up Camera defaults
1. Move to the "Defaults" tab.
2. Set the default frame rates and other camera settings. Once they are to your liking, select "Apply Default Settings to All cameras" and then "OK".

Setting up Cameras
1. Now that the default camera settings are how you like them, search for cameras.
   A. If your cameras are connected directly to the machine, it is easiest to use the "Search Cameras" option.
   B. If your cameras are connected over the network and you would like to add them manually, select "New camera from wizard".
2. Once your cameras are added, you can see a preview of each camera that has been added to the program.

Viewing Cameras on a web browser
1. To set up the HTTP site for viewing cameras, go to Tools -> Create Website. Read each step and click "Next" to continue.
2. The wizard will ask where you want to run the website from:
   A. Your computer
   B. An FTP site
   C. Frames from a picture folder
3. How you want to view the cameras:
   A. Using a media player (streaming)
   B. ActiveX
   C. Java applet
   D. Page refreshes
4. Where to save the website template.
5. It then shows a summary screen of what has been set up.
6. Finally it asks whether to test the website; click "Finish" to complete the setup.
*Note: The camera site shows live views of the server room, so keep it reachable only from the internal network.

Setting up Motion Detection
1. Right-click on the camera you want to set up further, then select "Camera Options".
2. The main thing we are concerned with is under the "Motion" tab.
3. To turn on motion detection, click "Motion is active all the time".
4. Constant Sensitivity applies one sensitivity to any motion at any time.
5. Hourly Sensitivity lets the sensitivity be adjusted per time period so that false alarms are reduced.
6. "Define Motion Area" selects only certain spots in the image that will trigger motion.
7. Under Actions is what the program does when motion is detected.
8. If you do not have an FTP server set up, you do not need to check "Start FTP uploading when Motion detected".
9. Check "Send Email".
   A. The "Email Settings" button will now appear; select it.
   B. Enter the Sender; this can be any email address.
   C. Enter the Recipients, i.e. those who should be informed when motion is detected.
   D. To use your own SMTP server, enter its FQDN or IP address.
      *Note: If you use an FQDN and the client cannot resolve the server, add the server's name and IP to the hosts file at C:\windows\System32\Drivers\etc\hosts.
   E. If the server requires authentication, check that box.
   F. Enter the username and password.
   G. Select "Send a Test Email" to verify everything is up and running.
   H. Select OK to finish.
10. Select "Apply" then "OK" to implement and save the settings.

Camera Positions
All cameras together should provide a full 360 degrees of viewing angle. If you only have a limited number of cameras, we suggest they view at least the server and the entryway, positioned to minimize blind spots.

Server Setup
1. Go to www.ubuntu.com and download the latest Ubuntu Server ISO, then burn it to a disk. (Make sure you have the published hash of the Ubuntu Server ISO before you install and compare it with the hash of your download; this verifies that the image is intact and has not been tampered with. Ubuntu publishes SHA256SUMS files alongside the MD5 sums; prefer the SHA-256 value, since MD5 collisions are practical.)
2. Insert the disk and follow the procedures on the screen.
3. Enable disk encryption for security purposes. Note: choose an encryption passphrase you can remember; without it the disk cannot be unlocked.
4. Set up the computer name.
5. Set up your username and password. Record them in a safe place, located away from the server and locked up.

Network setup
Log in and set up the network on the server. Go into the /etc/network directory and run sudo vi interfaces.
1. Enter the following into the file:

auto eth0
iface eth0 inet static
    address <your static IP address>
    netmask <e.g. 255.255.255.0>
    network <IP of network, e.g. 192.168.1.0>
    broadcast <IP with 255 at the end, e.g. 192.168.1.255>
    gateway <IP of router>

2. Restart networking with sudo service networking restart or sudo /etc/init.d/networking restart.
3. Double-check you have a connection by pinging your own IP, then something else on your local network, using ping <IP address>.
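As an added example (not from the original manual), the following shell function performs the checksum comparison described in Server Setup step 1 against a downloaded checksum list such as Ubuntu's SHA256SUMS or MD5SUMS. The layout it parses is the standard sha256sum/md5sum one; the default tool (sha256sum) and the filenames in the comments are assumptions.

```shell
#!/bin/bash
# Added example: verify a downloaded ISO against the published checksum list
# before installing from it. Assumes the list uses the sha256sum/md5sum text
# layout, one entry per line:
#   <hex digest>  <filename>      (or "*<filename>" for binary mode)
# and that the matching tool (sha256sum by default) is installed.

# verify_iso <iso file> <checksum list> [sha256sum|md5sum]
# Returns 0 on a match, 1 on a mismatch, 2 if the list has no entry for the file.
verify_iso() {
    local iso="$1" sums="$2" tool="${3:-sha256sum}" name expected actual
    name=$(basename -- "$iso")
    # pick the digest whose filename field equals our file (strip a leading "*")
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$("$tool" -- "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published digest"
        return 0
    fi
    echo "MISMATCH: $name: expected $expected, got $actual" >&2
    return 1
}
# Usage: verify_iso ubuntu-10.04-server-i386.iso SHA256SUMS
#        verify_iso ubuntu-10.04-server-i386.iso MD5SUMS md5sum
```

Fetch the checksum list from the Ubuntu release page over HTTPS, not from the same mirror that served the ISO, so that a tampered mirror cannot supply a matching digest for a tampered image.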
Sendmail Setup
The first step is to install sendmail, so the commands are sudo apt-get install sendmail and sudo apt-get install sendmail-cf.

Webmin installation
To make it easier to manage the sendmail configuration, fetch Webmin from http://prdownloads.sourceforge.net/webmin/webmin-1.530.tar.gz:
1. Enter the command sudo wget http://prdownloads.sourceforge.net/webmin/webmin-1.530.tar.gz (make sure you are in the user's home folder before entering the command).
2. Unpack it with tar: sudo tar -xzf webmin-1.530.tar.gz
3. Once unpacked, change into the webmin-1.530 directory and run sudo ./setup.sh (this installs the program for you). When it asks where to install the package, specify /etc/webmin. It will also ask you to set a username and password for login; remember these (do not reuse your Ubuntu username or password). Webmin is a full administrative interface listening on port 10000, so make sure it is reachable only from your management network.

Easy Configuration
1. Access Webmin at http://<IP address>:10000. (If you cannot connect, refer back to the Network setup section.)
2. In Webmin, select the Servers category on the left-hand side and open the Sendmail module.
3. Click the icon that says "Relay Domains".
4. Enter the email domain(s) on your network that this server should relay for, then click the OK button at the bottom of the page. (If you take the relay approach, make sure there is a DNS server on your network that sendmail can query to find the proper host for the domain. Only list domains you control: relaying for arbitrary domains turns the server into an open relay that spammers will find.)
5. Go to User Mailboxes and click Module Config at the top right. Scroll down to the SMTP port options, which ask whether this is the main SMTP server or whether to point to the IP address of an SMTP server you already have.

Sending mail
Once the configuration is complete, restart sendmail.
1. Run sudo apt-get install sendemail for an easy-to-use command-line mailer that hands mail to sendmail.
2. Test that mail sends locally first:

sendEmail -t <user@localhost> -f <user@localhost> -s "This is a test mail" -m "Hi this is a test mail"

Use -a to send attachments along with the email. If the command worked, continue to step 3; if not, troubleshoot by referring to the sendmail setup above or http://www.webmin.com.
3. Sending externally: use the same command but give an external address in the -t option:

sendEmail -t <user@external.com> -f <user@localhost> -s "This is a test mail" -m "Hi this is a test mail"

If this works, your sendmail is set up.
Tip: Make the From address the same as the To address to double-check that the problem is not a local one.

Snort
To get Snort working, start by entering sudo apt-get install snort. If Snort does not install, double-check that your network is working.

Configuration file
The configuration file, snort.conf, lives under /etc/snort.
1. Locate the file snort.conf; this is the preconfigured file for Snort. Create a copy of it so that you have a backup if the configuration does not work after your changes: sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.bak
2. Open the file with sudo vi /etc/snort/snort.conf. There are a few things to change to make it work on your network:
   Change var HOME_NET from the default to your network (e.g. 192.168.1.0/24).
   Change var EXTERNAL_NET to !$HOME_NET.

Change the Rules
1. Near the bottom is a list of rule files that can be disabled or enabled (an include line with a leading # is disabled). Rules to keep turned on:
   the scanning rules (scan.rules)
   smtp.rules
   exploit.rules
   a custom rules file (to be created later)
   Other rules you can turn on if you wish. Check the exact filenames under /etc/snort/rules.
Note: Too many rule sets can exhaust the RAM, because Snort needs a lot of memory. We recommend at most 7 or 8 rule files per box.

Testing configuration
Test the configuration with sudo snort -T -c /etc/snort/snort.conf, which parses the configuration, reports any errors and exits. If there are no errors, continue; otherwise keep running it after each edit until it reports none.
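The edits above can be scripted so that they are applied to a copy of snort.conf and checked before the copy replaces /etc/snort/snort.conf. This is an added example rather than anything shipped with Snort or written by the manual's authors; the rule file names it enables (scan.rules, smtp.rules, exploit.rules, local.rules) and disables (web-iis.rules) are assumed stand-ins for the sets listed above, so substitute the names found in /etc/snort/rules on your box.

```shell
#!/bin/bash
# Added example: apply the snort.conf edits from this section to a copy of the
# file, so the change can be checked before it replaces /etc/snort/snort.conf.
# Assumes the stock snort.conf syntax: "var NAME value" lines and
# "include $RULE_PATH/<file>.rules" lines near the bottom (commented out with
# a leading "#" to disable them). The rule file names in tune_snort are
# assumptions; list /etc/snort/rules on your box for the real ones.

# set_var <conf> <NAME> <value>: rewrite the "var NAME ..." line in place.
set_var() {
    local conf="$1" name="$2" value="$3" tmp
    tmp=$(mktemp) || return 1
    awk -v n="$name" -v v="$value" '
        $1 == "var" && $2 == n { print "var " n " " v; next }
        { print }' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# set_include <conf> <file.rules> <on|off>: comment or uncomment the include.
set_include() {
    local conf="$1" rule="$2" state="$3" tmp
    tmp=$(mktemp) || return 1
    awk -v r="$rule" -v s="$state" '
        # match the include line whether or not it is currently commented out
        $0 ~ ("^#? *include \\$RULE_PATH/" r "$") {
            print (s == "on" ? "" : "# ") "include $RULE_PATH/" r; next
        }
        { print }' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# get_var <conf> <NAME>: print the current value of a var line.
get_var() { awk -v n="$2" '$1 == "var" && $2 == n { print $3 }' "$1"; }

# include_on <conf> <file.rules>: succeed if the rule file is enabled.
include_on() { grep -q -F -x "include \$RULE_PATH/$2" "$1"; }

# tune_snort <conf> <home_net>: back up, set the networks, pick the rule sets.
tune_snort() {
    local conf="$1" home="$2" rule
    cp -- "$conf" "$conf.bak" || return 1
    set_var "$conf" HOME_NET "$home"
    set_var "$conf" EXTERNAL_NET '!$HOME_NET'
    # keep the rule sets this guide recommends, turn an unneeded one off
    for rule in scan.rules smtp.rules exploit.rules local.rules; do
        set_include "$conf" "$rule" on
    done
    set_include "$conf" web-iis.rules off
}
# Usage: tune_snort /etc/snort/snort.conf 192.168.1.0/24
#        sudo snort -T -c /etc/snort/snort.conf   # let Snort validate the result
```

The functions rewrite the file through a temporary copy and cat it back so that the ownership and mode of /etc/snort/snort.conf are preserved; always finish with snort -T, since these edits do not check that the rule files actually exist.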
Starting Snort
Start Snort with sudo /etc/init.d/snort start. If Snort starts fine, it is running and ready to capture alerts.

Creating automated email
1. Create a new script under /etc/cron.daily. Note that run-parts, which executes the scripts in that directory, skips any filename containing a dot, so name the file snortsend rather than snortsend.pl:
sudo touch /etc/cron.daily/snortsend
sudo chmod 755 /etc/cron.daily/snortsend
sudo vi /etc/cron.daily/snortsend
2. Enter the following code into the file to get a working automated email:

#!/usr/bin/perl
use strict;
use warnings;

my $snort_log     = '/var/log/snort.log';        # snort alerts as written by syslog
my $snort_log_old = '/var/log/snort/old/snort';  # prefix for rotated copies
my $notify_log    = '/var/log/snort/notify.log'; # where sent notifications are recorded
my $email         = 'youremail@external.com';    # recipient of the alert mail
my $from          = 'snort@localhost';           # sender address (placeholder; change to suit)

# The script runs from /etc/cron.daily as root, so no sudo is needed here.
open(my $snort_fh, '<', $snort_log) or die "cannot open $snort_log: $!\n";
my $has_alerts = defined(readline($snort_fh));  # true if the file holds at least one line
close($snort_fh);

if (!$has_alerts) {
    print "No alerts in the alert file\n";
    system('service', 'snort', 'restart');
    exit 0;
}

# List form of system() avoids shell quoting problems in the subject line.
system('sendEmail', '-t', $email, '-f', $from,
       '-s', 'This is an alert', '-m', 'Snort alert log attached',
       '-a', $snort_log) == 0
    or warn "sendEmail failed: $?\n";
system('service', 'snort', 'restart');

open(my $notify_fh, '>>', $notify_log) or die "cannot open $notify_log: $!\n";
print $notify_fh scalar(localtime) . " - Alert sent to $email\n";
close($notify_fh);

# Rotate the alert file and tell syslog to reopen its log files
# (rsyslog writes /var/run/rsyslogd.pid; adjust the path if yours differs).
my $time = time();
rename($snort_log, "$snort_log_old.$time") or warn "rotate failed: $!\n";
system('kill -HUP `cat /var/run/syslogd.pid`');
exit 0;

Now that the code has been entered, test that it runs: sudo perl /etc/cron.daily/snortsend. If this works you are on your way; check your external email to confirm the message arrived. If successful, your Snort setup is complete.

Manual Honeyd

Download and Install honeyd
sudo apt-get install honeyd

Download and install binaries
honeyd needs libevent, libdnet and libpcap to run. The apt-get package pulls them in as dependencies; the following is only needed if you build honeyd from source. Fetch the tarballs from the project sites:
libevent: www.monkey.org/~provos/libevent
libdnet: www.libdnet.sourceforge.net
libpcap: www.tcpdump.org/libpcap
Extract each package with tar -xzf package.tar.gz, then in each directory run ./configure, make and sudo make install.

Turn off ip forwarding
Edit /etc/sysctl.conf with vi (sudo vi /etc/sysctl.conf).
Set net.ipv4.ip_forward = 0 (the BSD-style key net.inet.ip.forwarding used in the honeyd documentation does not exist on Linux) and apply it with sudo sysctl -p. This is needed so that the kernel does not forward packets addressed to the virtual honeypots: if IP forwarding were enabled, both honeyd and the kernel would handle them, leading to packet duplication and packet storms.

Allow honeyd to run
By default honeyd is turned off and only starts once you edit its defaults file; this prevents accidental startup of an unconfigured honeyd. Edit /etc/default/honeyd to read:

# File: /etc/default/honeyd
# Defaults for honeyd initscript

# run as a daemon
RUN="yes"

# Network interface where honeyd will listen
INTERFACE="eth0"

# Network under control of honeyd (in our case: just one host)
NETWORK=192.168.1.50

# Options
# -c hostname:port:username:password
OPTIONS="-c localhost:12345:username:password"

The -c option makes honeyd report statistics to the given collector host and port, authenticating with the username and password; replace the placeholders with your own.

Edit the honeyd configuration file
Here you edit the conf file to set up routes, scripts, virtual honeypots, logging and many other things. For a basic configuration you only have to set up the virtual honeypots. Edit /etc/honeypot/honeyd.conf to look something like this:

### Windows NT4 web server
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl"
add windows tcp port 139 open
add windows tcp port 137 open
add windows udp port 137 open
add windows udp port 135 open
set windows default tcp action reset
set windows default udp action reset

bind 10.0.1.51 windows
bind 10.0.1.52 windows
bind 10.1.0.51 windows
bind 10.1.0.52 windows
bind 10.1.1.51 windows
bind 10.1.1.52 windows
bind 10.2.0.51 windows
bind 10.2.0.52 windows
bind 10.2.1.51 windows
bind 10.2.1.52 windows
bind 10.3.2.51 windows
bind 10.3.2.52 windows

#####################################################################
### The routers we have created in the virtual network            ###
### also need to be bound to templates to model their             ###
### behavior. We have created a template called router            ###
### and bound the router IP addresses to that template.           ###
#####################################################################

### Cisco Router
create router
set router personality "Cisco IOS 11.3 - 12.0(11)"
set router default tcp action reset
set router default udp action reset
add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
set router uid 32767 gid 32767
set router uptime 1327650

bind 10.0.0.100 router

How this works: create names a template for the type of host you want to emulate; set ... personality chooses the OS fingerprint the honeypot presents to scanners; each add ... port line opens a port, either plainly or with the script that will engage the intruder; and bind assigns the template to a honeypot IP address. Each bind line is one virtual machine that honeyd emulates. There are many preconfigured scripts in /usr/share/honeyd/scripts; choose the ones you want to use from there. The scripts above are referenced by a relative path (scripts/...), so either start honeyd from the directory that contains them or use absolute paths.

Setup routes
We need to configure the virtual network so that packets destined for the virtual honeypots reach the honeyd host. In the terminal, add a route for the honeypot network pointing at the honeyd host. On Linux the command is:

sudo route add -net <network of the virtual honeypots> gw <IP of the honeyd host>

The prefix length decides how many honeypot addresses the route covers (a /30 covers four); it must include every address you bind, so with the addresses above you need the whole 10.0.0.0/8. The honeyd documentation's BSD form, route -n add -net <network> <honeyd host>, differs only in syntax.

Testing honeyd
Start honeyd in loopback mode: first route the virtual network to the loopback interface, then start honeyd against it:

sudo route add -net <network of the virtual honeypots> gw 127.0.0.1
sudo honeyd -d -i lo -f /etc/honeypot/honeyd.conf <network of the virtual honeypots>

-d keeps honeyd in the foreground with debugging output, -i lo selects the loopback interface and -f names the configuration file. Try accessing one of the scripts; for this example we use the telnet script, so in the terminal enter telnet <IP of a honeypot whose template opens port 23, e.g. the router at 10.0.0.100>. You should receive a banner about authorized use only, followed by a login prompt. Try pinging a virtual honeypot with ping -n -c1 <IP of virtual honeypot>. Lastly, port-scan and fingerprint the honeypot with nmap -sS -O -F <IP of honeypot>; nmap should report the personality configured in honeyd.conf. You may need to install nmap: sudo apt-get install nmap.
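Before starting honeyd it is worth checking that every bind line refers to a template created earlier in the file and to an address inside the network you routed to the honeyd host: a bind to a template that was never created is a configuration error, and an address outside the route never reaches honeyd at all. The shell function below does that check. It is an added example, not part of honeyd or of the original manual, and it understands only the create and bind statements used in the configuration above.

```shell
#!/bin/bash
# Added example: sanity-check a honeyd.conf before starting honeyd.
# Assumed: templates are declared with "create <name>" before they are used,
# and honeypots are assigned with "bind <ip> <name>" (as in the file above).
# The second argument is the network you routed to the honeyd host.

# check_honeyd_conf <honeyd.conf> <network/prefix>
# Prints one line per problem; returns 0 when every bind refers to a template
# created earlier in the file and to an address inside the routed network,
# 1 otherwise.
check_honeyd_conf() {
    awk -v net="$2" '
        function ip2int(s,    o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            split(net, p, "/")
            size = 2 ^ (32 - p[2])                  # addresses covered by the prefix
            base = int(ip2int(p[1]) / size) * size  # normalise to the network address
            bad = 0
        }
        $1 == "create" { tmpl[$2] = 1 }
        $1 == "bind" {
            ip = $2; name = $3
            if (!(name in tmpl)) {
                printf "line %d: bind %s to undefined template %s\n", NR, ip, name
                bad++
            }
            a = ip2int(ip)
            if (a < base || a >= base + size) {
                printf "line %d: %s lies outside routed network %s\n", NR, ip, net
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}
# Usage: check_honeyd_conf /etc/honeypot/honeyd.conf 10.0.0.0/8
```

Run it with the same prefix you gave to route add; a clean result means the addresses honeyd will answer for are exactly the ones the kernel sends its way.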
Optional
You can display a graphical interface to see what is being attacked. You will need to download some files:

wget http://www.alunos.di.uminho.pt/~a43175/code/perl/customPie.pm -O /etc/honeypot/customPie.pm
wget http://www.alunos.di.uminho.pt/~a43175/code/perl/buildPie.pl -O /etc/honeypot/buildPie.pl

Follow the directions that come with them to set it up. Review the downloaded scripts before running them as root; they come from a personal web page, not a package repository. Make a directory to store the images the program will create: mkdir <name of dir>. Then add a cron job at the end of /etc/crontab:

6 * * * * root /etc/honeypot/generate-stats.sh

Securing History
Lock the user history so that it is kept and cannot be truncated. In a terminal enter:

chattr +a .bash_history

The +a (append-only) attribute lets new history lines be added but prevents the file from being truncated or deleted. Do not also set +i (immutable): an immutable file cannot be appended to either, so no further history would be recorded. A user can still sidestep this by changing HISTFILE or HISTSIZE in their own session, so treat the history as a convenience record, not as an audit trail.

Edit the motd banner
To edit the banner, first edit /etc/pam.d/login and /etc/pam.d/sshd and comment out the pam_motd lines (on Ubuntu these generate the dynamic motd that prints the OS and kernel version). Then edit /etc/motd to display whatever you want. We suggest removing the OS, kernel version and IP address, so that someone who gets a shell learns less about the host.

Install rootkit detection
sudo apt-get install chkrootkit. The package installs the program on your PATH, so run it with sudo chkrootkit (the cd /root/chkrootkit && ./chkrootkit form is only needed for a source install). Add a daily cron job; as with the Snort script, the filename must not contain a dot or run-parts will skip it, and it must not be called chkrootkit, because the package already owns /etc/cron.daily/chkrootkit (driven by /etc/chkrootkit.conf; setting RUN_DAILY="true" there is the alternative to writing your own). Create the job with sudo vi /etc/cron.daily/chkrootkit-report and enter:

#!/bin/bash
# Daily chkrootkit report mailed to the administrator.
# The Ubuntu package installs the program as /usr/sbin/chkrootkit;
# for a source install, cd into the directory you built it in instead.
# Change the address to where you want to receive the report.
/usr/sbin/chkrootkit | mail -s "Daily chkrootkit from Server Name" admin@myhost.com

Change the permissions with sudo chmod 755 /etc/cron.daily/chkrootkit-report. Now whenever the job runs you should receive the report by email.

Harden down kernel
Edit /etc/sysctl.conf and set:

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Prevent SYN flood attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# Raise the system-wide open-file limit
fs.file-max = 65000
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344

Apply the settings without rebooting with sudo sysctl -p; they are re-read automatically at boot.
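The settings in /etc/sysctl.conf only matter if the kernel is actually running them. The following shell function, an added example not from the original manual, re-reads the file and compares each key with its live value under /proc/sys, so drift (a typo in a key, a value reset by another script, a forgotten sysctl -p) shows up immediately. The tree root is a parameter purely so the function can be exercised against a constructed directory.

```shell
#!/bin/bash
# Added example: confirm that the settings written to /etc/sysctl.conf are
# what the kernel is actually running, e.g. after "sudo sysctl -p" or a reboot.
# Reads the live values from /proc/sys, where every key "a.b.c" is the file
# a/b/c; the root directory is a parameter so the function can be tested
# against a constructed tree instead of the real kernel.

# sysctl_drift <sysctl.conf> [procsys root, default /proc/sys]
# Prints one line per key whose live value differs from the file (or that the
# kernel does not know). Returns 0 when everything matches, 1 otherwise.
sysctl_drift() {
    local conf="$1" root="${2:-/proc/sys}" line key want path live drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac        # skip blanks and comments
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*$//; s/^[[:space:]]*//')
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "$key: not a kernel parameter on this system"
            drift=1
            continue
        fi
        # /proc/sys values may hold tabs (e.g. three-number tuples); normalise whitespace
        live=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ *$//')
        if [ "$live" != "$want" ]; then
            echo "$key: configured $want, running $live"
            drift=1
        fi
    done < "$conf"
    return "$drift"
}
# Usage: sysctl_drift /etc/sysctl.conf
```

A non-zero exit with no output other than "not a kernel parameter" usually means a misspelled key, which sysctl -p reports once and is then forgotten; running this from cron alongside the chkrootkit report turns it into a standing check.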