Manual

advertisement
SECURETEK
Manual
Setting up of SecureTek project
David Sutherland, Jason Mah, Chau Pham
4/8/2011
Table of Contents
Client Set up .................................................................................................................................................. 3
To download ActiveWebcam .................................................................................................................... 3
To install ActiveWebcam........................................................................................................................... 3
To run ActiveWebcam............................................................................................................................... 3
Setting Default Options............................................................................................................................. 3
Setting General Options ........................................................................................................................ 4
Setting up Camera defaults................................................................................................................... 4
Setting up Cameras ............................................................................................................................... 4
Viewing Cameras on a web browser..................................................................................................... 4
Setting up Motion Detection. ............................................................................................................... 5
Camera Positions. ......................................................................................................................................... 6
Server Setup .................................................................................................................................................. 6
Network setup .......................................................................................................................................... 6
Sendmail Setup ............................................................................................................................................. 7
Webmin installation .................................................................................................................................. 7
Easy Configuration .................................................................................................................................... 7
Sending mail .............................................................................................................................................. 7
Manual Honeyd........................................................................................................................................... 10
Download and Install honeyd ................................................................................................................. 10
Download and install binaries................................................................................................................. 10
Turn off ip forwarding ............................................................................................................................. 10
Allow honeyd to run ............................................................................................................................... 10
Edit the honeyd configuration file .............................................................................................................. 11
Setup routes ................................................................................................................................................ 12
Testing honeyd........................................................................................................................................ 12
Optional .................................................................................................................................................. 12
Client Set up
We used the program ActiveWebcam, and have been tested on Windows XP. Other Windows
Operating Systems may be installed, but we cannot verify their compatibility with the program.
Windows XP will need very little user input for first part of the install. As this Guide is more set up for a
security install, it will not go into depth on how to install XP.
*Note: All steps following on the assumption that XP has been installed and running.
To download ActiveWebcam
1.
2.
3.
4.
Open up your Internet browser
Navigate to to http://www.pysoft.com
In the top navigation bar, there will be a "Downloads" link, click on this link
Active WebCam is the first download link. To download it "Active WebCam," click on the "click
to download" link.
*Note: By default the program will be saved to your Desktop.
To install ActiveWebcam
1. Double-click on the ActiveWebcam icon; it will be name "AWC-PYS.exe"
2. The installation window will pop up and will ask you where you want to install. Default is
"C:\Program Files\Active WebCam"
3. When you are satisfied with the location, select install to finish.
To run ActiveWebcam
1. Once installed, you can run the program from Start -> All Programs -> Active WebCam
Setting Default Options
1. Once the program is open, it will ask you to search or add for cameras. You can safely cancel it
for now.
2. Go to Settings -> Program Settings.
Setting General Options
1. If you want this program to start up automatically on system bootup, check "Start on
Windows Start up"
Setting up Camera defaults
1. Move to "Defaults" tab.
2. You can set default frame rates for camera settings, once settings are to your liking,
selecting “Apply Default Settings to All cameras” then selecting "ok".
Setting up Cameras
1. Now that you have your default camera settings how you like, you can now search for
cameras.
A. If your cameras are connected directly to the Machine, it is easier to use
"Search Cameras” option.
B. If your cameras are connected over a network, and would like to manually add
them, please select "New camera from wizard”
2. Once your cameras are added in you can now see a preview screen of one or more of
your cameras that have been added into the program.
Viewing Cameras on a web browser
1. To set up the http site to view cameras, go to Tools -> Create Website. After Feeling
comfortable with every step, please click "Next" to continue.
2. Following the instructions it will ask you where you want to run the website from:
A. Your computer
B. From an FTP site
C. Frames from a picture folder
3. How you will want to be able to view these cameras
A. Using a Media player (streaming)
B. ActiveX
C. Java Applet
D. Page Refreshes
4. Where you will be saving the website Template
5. It will bring up a screen, greenlighting what has been started.
6. Next it will ask you to test the website or click "Finish" to complete set up.
Setting up Motion Detection.
1.
2.
3.
4.
5.
6.
7.
8.
9.
Right click on the camera you want further set up then select "Camera Options"
The Main thing we are concerned about is under the "Motion" tab.
To turn on motion detection, click "Motion is active all the time"
Constant Sensitivity is set for any motion, any time.
Hourly sensitivity is set so between any time period, sensitivity can be adjusted so false
alarms are reduced.
"Define Motion Area" serves to select only certain spots will trigger motion.
Under Actions is what the program is set to do upon motion.
If you do not have an FTP server set up, then you do not need to check "Start FTP
uploading when Motion detected"
Check "Send Email"
A. The "Email Settings will now show up, select that.
B. Enter Sender, can be any email.
C. Enter Recipient, those who you want to be informed when a motion is
detected.
D. To use own SMTP Server, input FQDN name or or IP.
*Note: If using FQDN and cannot verify Server, please input name and IP of server
into Hosts file located at C:\windows\System32\Drivers\etc\hosts.
E.
F.
G.
H.
If Server requires authentication, then check name box.
Enter username and password
Select "Send a Test Email" to verify everything is up and running
Select ok to finish.
10. Select "Apply" then "Ok" to implement and save settings.
Camera Positions.
All cameras should be set up to provide a 360-degree of viewing angle. If you only have a limited
number of cameras, it is our suggestion you should have them view at least the server, and entryway
and position them in a way to minimize blind spots.
Server Setup
1. Go to the Ubuntu web site and download the latest version of Ubuntu server onto a disk from
www.ubuntu.com (Make sure that you have an Md5 hash value of your Ubuntu sever ISO before
you install. This is to verify that it your )
2. Insert the disk, and follow the procedures on the screen.
3. Set encryption on the disk for security purposes. Note: Make sure the encryption is something
you can remember.
4. Setup the computer name.
5. Setup your user name and password. Make sure to record in a safe place located away from the
server and locked up.
Network setup
Login and setup the network on the server. Go into the /etc/network directory and the use sudo
vi interfaces
1. Enter the following into the file:
auto eth0
iface eth0 inet static
address <your static IP address>
netmask <eg. 255.255.255.0>
network <IP of network eg. 192.168.1.0>
broadcast <IP with 255 at end eg. 192.168.1.255>
gateway <IP or router>
2. Restart the network with
sudo service network restart
or
sudo /etc/init.d/networking restart
3. Double check you have a connection by pinging your own IP then try your local area network
using ping <IP address>.
Sendmail Setup
The first step is to install, so the command is sudo apt-get install sendmail and sudo apt-get
install sendmail-cf
Webmin installation
To make it easier to manage the sendmail configurations go to:
http://prdownloads.sourceforge.net/webmin/webmin-1.530.tar.gz
1. Enter the command sudo
wget http://prdownloads.sourceforge.net/webmin/webmin-1.530.tar.gz (Make sure your
in the users home folder before entering the command.)
2. Unzip using the tar command,
sudo tar webmin-1.530.tar.gz
3. Once the folder is unzipped change the directory to webmin-1.530 and enter the command
sudo ./setup.sh
(This command will install the program for you.)
When it asks where you want to install this package specify it to go to /etc/webmin .
It will also ask to setup a username and password for login, remember your username and
password (Do not use the same login password or username as your Ubuntu).
Easy Configuration
1. Access your webmin through http://<IP address>:10000. (If you cannot connect, refer back to
“Setup Server” instruction 9.)
2. In webmin, select service on the left hand side and open up sendmail.
3. Click on the icon that says “Relay Domains”.
4. Enter in this window what Email domain you would like to point to on your network. (If you
take the relay approach, make sure that there is a DNS on your network that the Smtp can
search through to find the proper domain to sent the email to. Click the OK button at the
bottom of the page.
5. Go to the User Mailboxs and click on configure module at the top right. Scroll down to SMTP
Port options where it asks if it is the main Smtp server or to point to the IP address of a Smtp
server already.
Sending mail
Once the configurations are complete restart the sendmail.
1. use apt-get install sendEmail
For an easy to use mail command to sendmail
2. Test if mail will send locally fist sendEmail -t <user@localhost> -f <user@localhost> -s This is a
test mail -m Hi this is a test mail
use –a to send attachments along with this email
If the command worked continue to step there, if not trouble shoot by referring to above
sendmail set up or http://www.webmin.com
3. Sending out externally
Use the same command but in the –t option use an external email address to send to
sendEmail -t <user@external.com> -f <user@localhost> -s This is a test mail -m Hi this is a test
mail
If this works then you sendmail is set up
Tip: Make the From user the same as the To user address to double check it is not a local
problem
Snort
To get snort working first start by entering
Sudo apt-get install snort
If snort does not install double check your network is working.
Configuration file
Under /etc/snort is where the configuration is located called snort.conf
1. Locate the file called snort.conf, this is the preconfigured file for snort. Create a copy of this file,
purpose is to have a back up if configuration file does work after alterations.
Sudo cp snort.conf snort.conf.bak
2. Open the file using
Sudo vi /etc/snort/snort.conf
Now that you are in the configuration file there are a few thing that you want to change
to make it work on your network.
Change the var HOME_NET from the default to your network
Change the var EXTERNAL_NET to be ! HOME_NET
Change the Rules
1. Down near the bottom is a bunch of rules that can be disabled or enabled.
Rules to keep turned on:
Scanning.rules
Smtp.rules
Exploit.rules
Custom.rules (will be created later)
Other rules you can turn on if you wish.
Note: To many rules can overload the ram because snort requires a lot of ram. The max
amount of rules should be 7 or 8 rules per box.
Testing configuration
1. Test snort
Sudo snort –c /etc/snort/snort.conf for error checking of the snort configurations.
If there are no errors continue. If not keep using command to check errors after editing.
2. Start up snort
Sudo /etc/init.d/snort start
If snort start up fine then your snort is running and ready to capture alerts.
Creating automated email
1. Create an new file called snortsend.pl
Touch /etc/cron.daily/snortsend.pl
Vi /etc/cron.daily/snortsend.pl
2. Now enter the following code into the file to get a working automated email.
#!/usr/bin/perl
use strict;
my $snort_log = '/var/log/snort.log'; # location of snort.log generated by syslog
my $snort_log_old = '/var/log/snort/old/snort'; # path to dir where to store old logs
my $notify_log = '/var/log/snort/notify.log'; # path to log where to log notifications
my $email = 'youremail@external.com';
open(SNORT_LOG, "$snort_log");
if (! <SNORT_LOG>)
{
print “No alerts in the Alert file”;
system(“sudo touch /var/log/snort/alert”);
System(“sudo service snort restart”);
exit();
}
else
{
system("sendEmail –t $email –f<email > -s This is an alert -a $snort_log");
system(“ sudo service snort restart”);
open(NOTIFY, ">>$notify_log");
my $localtime = localtime();
print NOTIFY "$localtime - Alert sent to $email\n";
close NOTIFY;
my $time = time();
system("mv $snort_log $snort_log_old.$time");
system("kill -SIGHUP \`cat /var/run/syslogd.pid\`");
exit();
}
Close(SNORT_LOG);
Now that the code has been entered test the code out to check if it will run.
Sudo perl /etc/daily.cron/snortsend.pl
If this works then you are on your way. Check your external email to figure out if you got an
email. If successful then your snort is complete.
Manual Honeyd
Download and Install honeyd
Apt-get install honeyd
Download and install binaries
Wget www.monkey.org/~provos/libevent
wget www.libdnet.sourceforge.net
Wget www.tcpdump.org/libpcap
These are needed for honeyd to run on the system. Navigate to each folder and extract the packages
with tar –xzf package.tar.gz. then execute the ./configure, make and sudo make install
Turn off ip forwarding
Go into the file /etc/systcl.conf and edit thefile with vi. Edit the net.inet.ip.forwarding=0
This is needed so that the OS kernel doesn’t forward any IP’s that it receives for any virtual honeypots. If
IP forwarding was enabled, then it would lead to packet duplication and packet storms
Allow honeyd to run
By default honeyd is turned off and can only be activated when you edit one of the conf files. I believe
this was done to prevent accidental startup of honeyd without it being configured.
Go to /etc/defaults/honeyd and edit the file to :
# File: /etc/defaults/honeyd
# Defaults for honeyd initscript
# run as a daemon
RUN="yes"
# Network interface where honeyd will listen
INTERFACE="eth0"
# Network under control od honeyd (in my case: just one host)
NETWORK=192.168.1.50
# Options
# -c hostname:port:username:password
OPTIONS="-c localhost:12345:username:password"
the –c will allow collection of stats
Edit the honeyd configuration file
Here you want to edit the conf file so that you can setup routes, scripts, virtual honeypots, logging and
many other things. For basic configuration you just have to setup the virtual honeypots. Go to
/etc/honeypots/honeyd.conf and edit the file to something that looks like this:
### Windows NT4 web server
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl"
add windows tcp port 139 open
add windows tcp port 137 open
add windows udp port 137 open
add windows udp port 135 open
set windows default tcp action reset
set windows default udp action reset
bind
bind
bind
bind
bind
bind
bind
bind
bind
bind
bind
bind
10.0.1.51
10.0.1.52
10.1.0.51
10.1.0.52
10.1.1.51
10.1.1.52
10.2.0.51
10.2.0.52
10.2.1.51
10.2.1.52
10.3.2.51
10.3.2.52
windows
windows
windows
windows
windows
windows
windows
windows
windows
windows
windows
windows
#####################################################################
### The routers we have created in the virtual network
###
### also need to be bound to templates to model their
###
### behavior. We have created a template called router
###
### and bound the router IP addresses to that template.
###
#####################################################################
### Cisco Router
create router
set
set
set
add
set
set
router
router
router
router
router
router
personality "Cisco IOS 11.3 - 12.0(11)"
default tcp action reset
default udp action reset
tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
uid 32767 gid 32767
uptime 1327650
bind 10.0.0.100 router
how this works is type of OS you want to virtually create, then personally you want the honeypot to
display, followed by the open ports combined with the script that will trap the intruder and lastly the
honeypot IP address. You can see the bind command specifies each individual pc that honeyd will
emulate. There are many preconfigured scripts in honeypot directory. You can choose which ones your
want to use by going to the /usr/share/honeyd/scripts
Setup routes
We need to configure the virtual network so that we can send packets to the virtual honeypots. Routes
are needed so that packets can be sent to the honeypots. In the terminal you want to add a route of the
honeypot you are simulating and the honeyd host.
The command is route –n add –net (ip of virtual honeypots you want to simulate /30 <- or whatever # of
honeypots you want) (ip of honeyd host)
Testing honeyd
Start honeyd in loopback mode with the command: honeyd – d –I lo –f (ip of virtual honeypot) gw
(127.0.0.1)
Try accessing one of the scripts, for this example I will use a telnet command for the telnet script. So in
the terminal I would enter telnet (ip of virtual honeypot). I should the receive something that says
something about only authorized use and then login.
Trying pinging the virtual honeypot with ping –n –c1 (ip of virtual honeypots)
Lastly try to nmap the honeypot with nmap –sS –O –F (ip of honeypot). You may need to install nmap:
apt-get install nmap.
Optional
You can display a graphical interface to see what is being attacked. You will need to install some files:
wget http://www.alunos.di.uminho.pt/~a43175/code/perl/customPie.pm -O
/etc/honeypot/customPie.pm
wget http://www.alunos.di.uminho.pt/~a43175/code/perl/buildPie.pl -O
/etc/honeypot/buildPie.pl
follow the directions how to set it up. Make a directory so you can store the images that this program
will create. Mkdir name of dir
add a cron job in the /etc/crontab and add at the end of the file
6 *
* * *
root
/etc/honeypot/generate-stats.sh
Securing History
User history will be locked and saved. In terminal enter:
chattr +a .bash_history (append)
chattr +I .bash_history
Edit the motd banner
To edit the banner first edit /etc/pam.d/login and /etc/pam.d/sshd and comment out the “pam_motd”.
Then edit the /etc/motd to display whatever you want. I suggest removing the OS, kernel verision and
Ip.
Install rootkit detection
Apt-get install chkrootkit. Navigate to the directory where it installed and run it with ./chkrootkit
Add a cron job to the daily with
vi /etc/cron.daily/chkrootkit.sh and type
#!/bin/bash
# Enter the directory where the rootkit is installed
cd /root/chkrootkit/
# Enter your email address where you want to receive the report
./chkrootkit | mail -s "Daily chkrootkit from Server Name" admin@myhost.com
change the permissions to chmod 755 /etc/cron.daily/chkrootkit.sh. now whenever the job is ran you
should receive a message of the report in your email.
Harden down kernel
Edit the /etc/sysctl.conf and edit:
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
#Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# Modify system limits for Ensim WEBppliance
fs.file-max = 65000
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344
Download