Tikejhya: Ashish Nepal

Knowledgebase

Category: Security

Integrating IDS [ossec] with custom log and skype alerting system


Logging is essential for every application, and the more logs you digest, the closer you get to an "error free application" …

Well, the statement above might not be true in every scenario 😀

First, let's define what we are trying to achieve:

1) Configure ossec to monitor the application log.

1.1) configure ossec to monitor a custom log [ossec client configuration, in ossec.conf]

<localfile>
  <log_format>syslog</log_format>
  <location>/my/custom/logs/*/dddd-mm-yy*</location>
</localfile>

1.2) configure ossec to fire a trigger if an exception is caught [i.e. if any error or chosen keyword appears in the log].

<!-- no trailing "|": an empty alternative would match every line -->
<var name="PANIC_WORDS">error|bad</var>

<group name="syslogs,bidsys,">
  <rule id="110000" level="2">
    <!-- must be the name of the decoder defined in 1.3 -->
    <decoded_as>mylog</decoded_as>
    <description>my log alert Alert</description>
  </rule>

  <rule id="110002" level="7">
    <if_sid>110000</if_sid>
    <match>$PANIC_WORDS</match>
    <description>Bad Log.</description>
  </rule>
</group>

Note: you can always nest triggers (a rule that only fires after another rule matched, via <if_sid>).

1.3) create a decoder to complete 1.2 so that your logs are parsed correctly.

<decoder name="mylog">
  <!-- every line starts with a timestamp such as 2015-01-01 00:00:01 -->
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d</prematch>
</decoder>

<decoder name="php-app-alert">
  <parent>mylog</parent>
  <!-- one capture group is needed per field listed in <order>; the layout
       assumed here (timestamp followed by the client IP) is a placeholder,
       change it to match your log format -->
  <regex offset="after_parent">^ (\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

1.4) test with ossec-logtest (paste a sample log line and confirm that it is decoded by the decoder from 1.3 and matches rule 110002).

2) Bind that with Active Response

2.1) create a command for active response.


2.2) create a trigger (active-response block) that runs the command when rule 110002 fires.

<command>
  <name>skypeMe</name>
  <executable>skype.sh</executable>
  <timeout_allowed>yes</timeout_allowed>
  <expect></expect>
</command>

<active-response>
  <command>skypeMe</command>
  <!-- where the command runs; valid values are local, server, defined-agent or all -->
  <location>server</location>
  <rules_id>110002</rules_id>
</active-response>


2.3) write the script that has to be executed (skype.sh, placed in /var/ossec/active-response/bin/).

#!/bin/sh
# OSSEC active-response script; the arguments are passed in by ossec-execd
MAILADDRESS="tikejhya"   # Skype contact that receives the IM
ACTION=$1                # add or delete
USER=$2
IP=$3
ALERTID=$4               # e.g. 1420070401.250 (timestamp.offset as written in alerts.log)
RULEID=$5

LOCAL=$(dirname "$0")
cd "$LOCAL"
cd ../
PWD=$(pwd)

ALERTTIME=$(echo "$ALERTID" | cut -d "." -f 1)
ALERTLAST=$(echo "$ALERTID" | cut -d "." -f 2)
# pull the lines that follow this alert's header out of alerts.log
grep -A 10 "$ALERTTIME" /var/ossec/logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 > /var/ossec/active-response/logs/next_message.log

# send the alert text (the "** Alert ..." header lines stripped) as a Skype IM
/home/skype/sendim.sh "$MAILADDRESS" "$(grep -v '^\*\*' /var/ossec/active-response/logs/next_message.log)"
exit 0

2.4) Skype messaging is now triggered whenever rule 110002 fires. ^^
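The grep/cut dance in skype.sh is fragile: a 10-line window can cut an alert short or pull in the next one. As an added example (not from the original post), this POSIX sh function extracts exactly one alert block from alerts.log using the alert id OSSEC hands the script as $4; it assumes the stock alerts.log layout (a "** Alert <id>:" header, the alert lines, then a blank line) and a constructed sample log.

```shell
#!/bin/sh
# Added example: pull a single alert out of OSSEC's alerts.log by alert id.
# Assumes the standard alerts.log layout: "** Alert <id>: - <groups>" header,
# the alert's lines, terminated by an empty line.

ALERTS_LOG="${ALERTS_LOG:-/var/ossec/logs/alerts/alerts.log}"

# extract_alert ALERTID [LOGFILE]  -> prints the alert body without its header
extract_alert() {
    alert_id="$1"
    logfile="${2:-$ALERTS_LOG}"
    awk -v id="$alert_id" '
        # header line for our id: the id is immediately followed by ":"
        $1 == "**" && $2 == "Alert" && $3 == (id ":") { inblock = 1; next }
        inblock && /^$/ { exit }      # the empty line ends the alert block
        inblock { print }
    ' "$logfile"
}

# Constructed sample alerts.log (two alerts from the rules in 1.2) so the
# function can be exercised without a running OSSEC server.
build_sample_log() {
    cat > "$1" <<'EOF'
** Alert 1420070400.100: - syslogs,bidsys,
2015 Jan 01 00:00:00 server2->/my/custom/logs/app/2015-01-01.log
Rule: 110000 (level 2) -> 'my log alert Alert'
2015-01-01 00:00:00 request served in 12ms

** Alert 1420070401.250: - syslogs,bidsys,
2015 Jan 01 00:00:01 server2->/my/custom/logs/app/2015-01-01.log
Rule: 110002 (level 7) -> 'Bad Log.'
2015-01-01 00:00:01 error: connection to database refused

EOF
}

# Stand-alone demo on the constructed sample: only the level-7 alert is printed.
sample=$(mktemp)
build_sample_log "$sample"
extract_alert 1420070401.250 "$sample"
rm -f "$sample"
```

In skype.sh the message would then be built with `MSG=$(extract_alert "$4")` and passed quoted to sendim.sh, so no temporary file and no unquoted word splitting are needed.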

3) Skype on linux

For this, please visit my old post on integrating Zabbix with Skype: [http://www.ashishnepal.com/installing-skype-on-linux-centos-5-6-and-sending-message-from-zabbix/]


Disable PHP (or script) execution within a directory


// Apache: disable PHP script execution in the upload/attachment directory
// (put this in a .htaccess file in that directory, or in a <Directory> block of the vhost; needs mod_php)

php_flag engine off

// Nginx: deny every request for a .php file below the upload directory
// (the original pattern .*.(php)?$ matched every path because the (php) part was optional)

location /sites/default/files/ {
    location ~ \.php$ {
        deny all;
    }
}

track SSH traffic (bandwidth usage)

I would use the iptables owner module (perhaps together with other quota/reporting modules).

iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner someuser -j ACCEPT

iptables -vL (the -v flag shows the packet and byte counters of each rule, which is what you read the usage from)

Password Policy

vi /etc/login.defs

PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 10
PASS_WARN_AGE 7

vi /etc/default/useradd
INACTIVE=-1
EXPIRE=

/usr/bin/chage -M 90 -W 14 ashish.nepal

vi /etc/pam.d/system-auth
password required pam_cracklib.so retry=3 minlen=10 dcredit=1 ocredit=2

Note: in pam_cracklib a positive dcredit/ocredit is only the maximum credit a digit/other character earns towards minlen, it does not force one to be present; use a negative value (e.g. dcredit=-1) to require at least one digit.

Check hardware issues or status

/var/log/dmesg

If a hardware issue is suspected:
grep "CPU" /var/log/messages | more

Iptable rule to block multiple ports

-A INPUT -p tcp -m multiport --dports port,port,port -j DROP

(iptables-save/restore syntax; prefix the line with iptables to run it directly, and replace port,port,port with a comma-separated list of up to 15 ports)

Sending Logs to Central Log Server

On the log server :

Edit /etc/sysconfig/syslog and change SYSLOGD_OPTIONS:

SYSLOGD_OPTIONS="-m 0 -r -s ashishnepal.com"

-m 0 : disable the periodic "-- MARK --" messages
-r : listen over the network, only necessary for log servers
-s : strip that domain out of the logs (client.ashishnepal.com would become client in the logs)

To have the sender's host name rather than its IP appear in the logs, add it to /etc/hosts on the log server, one entry per line:
ip [space] hostname

# service syslog restart

syslogd now listens on UDP/514 (allow 514/udp in the firewall configuration).

On the "client" (the log sender machine):

Edit /etc/syslog.conf and add the following line:
*.* @ashishnepal.com (or the server's IP)

With this line added, the logs are still stored locally and are sent to the log server as well.

Restart the service :
# service syslog restart

Disadvantage: UDP is an unreliable transport, so messages can be lost silently.
Also there is no authentication: an attacker could send fake log messages to the log server (or spoof the source address of a legitimate client).

Remote File transfer (Remote to Local)

rsync -zarve "ssh -p 21736" root@69.53.222.4:/root/.ssh/* /root/.ssh

structure: rsync [options] -e "ssh -p port" source destination

Chattr (change file attributes)

# chattr +i file.txt

chattr changes file attributes on Linux ext2/ext3 filesystems (it is similar in purpose to chmod, but with different options and a different invocation syntax). +i sets the immutable attribute: the file cannot be modified, deleted, renamed or linked to until the attribute is cleared with chattr -i.

This file attribute can be set or removed only by root.
