Tuesday, August 31, 2010

Intrusion Detection and Prevention Using OSSEC

What is OSSEC?
According to OSSEC "It is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."

Installation on Debian Server
I installed it on Debian .6.24-19-server, which was already running a web service.
Install environment
Make sure you have a compiler (e.g. gcc or cc) and 'make' installed on your system; otherwise the installer prints an error message and aborts.

root@www:/usr/local/src/ossec-hids-2.4.1# apt-get install gcc


Download the latest build from the www.ossec.net website

Extract it into a folder and start the installation
imran@web:~/ossec-hids-2.4.1$ tar -zxvf ossec-hids-2.4.1.tar.gz
imran@web:~/ossec-hids-2.4.1$ cd ossec-hids-2.4.1/

Run the installation script:

root@web:~/ossec-hids-2.4.1# ./install.sh
** Para instalação em português, escolha [br].
** 要使用中文进行安装, 请选择 [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l'installazione in Italiano, scegli [it].
** 日本語でインストールします.選択して下さい.[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Za instalaciju na srpskom, izaberi [sr].
** Türkçe kurulum için seçin [tr].
(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: en

-- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local or help)? local

- Local installation chosen.

2- Setting up the installation environment.

- Choose where to install the OSSEC HIDS [/var/ossec]:
/var/ossec

- Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? imran@pingcom.net

- We found your SMTP server as: ASPMX4.GOOGLEMAIL.COM.
- Do you want to use it? (y/n) [y]: y

--- Using SMTP server: ASPMX4.GOOGLEMAIL.COM.

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:
- xx.xx.xx.xx
- xx.xx.xx.xx

- Do you want to add more IPs to the white list? (y/n)? [n]: y
- IPs (space separated): xx.xx.xx.xx

3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/dpkg.log
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---

Error
Error Making os_xml
make: *** [all] Error 1

Error 0x5.
Building error. Unable to finish the installation.


Solution for the above error: install the C library headers, then run ./install.sh again.
root@web:# apt-get install libc6-dev

- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.

- Configuration finished properly.

--- Press ENTER to finish (maybe more information below). ---


The configuration file is stored at /var/ossec/etc/ossec.conf:
root@web:# nano /var/ossec/etc/ossec.conf
It contains the configuration.

How to Start

root@web:#/var/ossec/bin/ossec-control start

How to Stop

root@web:#/var/ossec/bin/ossec-control stop


References:

http://www.ossec.net/main/manual/manual-installation
http://newyork.ubuntuforums.org/showthread.php?t=905034

Wednesday, August 25, 2010

Intrusion Detection Service in IPCOP

Intrusion Detection had stopped in my IPCop (version 1.4.1) a while ago. I tried to start all three from the GUI but got the message "fail to start".
I logged in to the IPCop console.
I checked the installed version of snort, which was older than the latest.

root@firewall:/etc/snort/rules # snort --version
snort: unrecognized option `--version'

,,_ -*> Snort! <*-
o" )~ Version 2.6.1.5 (Build 59)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.


When I tried to start snort with this command

root@firewall:~ # snort -c /etc/snort/snort.conf -l /var/log/snort/


I got an error saying there was an error on line 38 of the exploit.rules file in the /etc/snort/rules/ folder.
When I commented out that line, it reported an error on line 39.

Solution
Replace the existing rules folder with a working one.
To get one I installed the latest snort on my laptop and checked the version.
imran@imran-laptop~ $ sudo apt-get install snort-mysql
imran@imran-laptop~ $ snort --version


,,_ -*> Snort! <*-
o" )~ Version 2.8.5.2 (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2009 Sourcefire, Inc., et al.
Using PCRE version: 7.8 2008-09-05


and copied the rules over to IPCop
imran@imran-laptop~ $ scp '-P 22' exploit.rules root@10.10.0.1:/root

Then I made a .tar of the existing rules folder on IPCop

root@firewall:/etc/snort/rules # tar -cvf rules.tar .

and replaced it with the one copied from my laptop and changed the ownership to nobody:nobody

root@firewall:/etc/snort/rules # chown -R nobody:nobody rules


IPCop now has the new rules list, although these rules are from the newer Snort version 2.8.6.
When I restarted snort from the console with the above command, this time there was no error and it started straight away.
After that I could start and stop it from the GUI successfully.
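A safer way to do the rules swap described above, as an added example that is not part of the original post: the function archives the current rules directory, copies the new files in, runs a validation command, and restores the archive if that command fails. The directory paths and the validation command are parameters; the commented snort -T invocation assumes the IPCop paths used in this post, and the rule lines used when trying it are constructed samples.

```sh
#!/bin/sh
# Added example, not from the original post: replace a Snort rules directory
# only if the new rules pass a validation command, and put the old rules back
# otherwise.

# swap_rules NEWDIR RULESDIR VALIDATE_CMD [ARGS...]
#   1. archive the current RULESDIR to RULESDIR.bak.tar (what the post does by hand)
#   2. replace its contents with the files from NEWDIR
#   3. run VALIDATE_CMD; if it fails, restore the archive and return 1
swap_rules() {
    new="${1%/}"
    rules="${2%/}"
    shift 2
    backup="$rules.bak.tar"

    tar -cf "$backup" -C "$rules" . || return 2
    rm -rf "$rules"/* && cp -R "$new"/. "$rules"/ || return 2

    if "$@"; then
        return 0
    fi

    # validation failed: discard the new files and restore the archived rules
    rm -rf "$rules"/* && tar -xf "$backup" -C "$rules"
    return 1
}

# Real use on IPCop (assumed paths): snort -T only parses the configuration and
# the rules it references and then exits, so a broken exploit.rules is caught
# before the daemon is started.
#   swap_rules /root/newrules /etc/snort/rules snort -T -c /etc/snort/snort.conf
```

The archive is written next to the rules directory (here /etc/snort/rules.bak.tar), so it survives a failed swap and can be inspected afterwards.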

Wednesday, May 19, 2010

MyCRM Connector Tool for Google Calendar Error

After installing the "MyCRM Connector Tool" I followed the procedure described in the manual.
The test machine showed a successful result when the Google calendar was configured under My Account,
but the production CRM gave the following error.

"Fatal error: Call to undefined function curl_init() in /home/path/googlecal/MyCurl.php on line 32"

The solution is to install the php5-curl library.
root@server:~# sudo apt-get install curl libcurl3
root@server:~# sudo apt-get install php5-curl
root@server:~# apt-get install php5

I also restarted the MySQL server and apache2 as a precaution; it is not necessary.


After re-checking the settings and entering my Google e-mail address it worked.
I got this message:

****** Get events from meetings
Synced successfully.
****** Get events from calls
Synced successfully.
****** Get events from tasks
Synced successfully.

Friday, February 12, 2010

Daily Backup Using RSYNC

With these steps your system is backed up automatically using rsync.

Step 1: Generate a public key using ssh-keygen on the host machine.


root@home:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
19:44:5f:1c:92:27:26:25:9b:13:df:dc:89:71:f0:c1 root@home


Step 2: Insert the key into authorized_keys on the host machine
root@home:~# cd /root/.ssh/
root@home:/root/.ssh# ls
id_rsa id_rsa.pub known_hosts
root@home:/root/.ssh# cp id_rsa.pub authorized_keys
root@home:/root/.ssh# ls
authorized_keys id_rsa id_rsa.pub known_hosts
root@home:/root/.ssh#


Step 3: Copy the ~/.ssh/authorized_keys file to the remote (backup) machine
As the backup machine stores backups of several machines, an authorized_keys file already exists there; just copy the whole key line from ~/.ssh/authorized_keys on the host machine and append it to the file on the backup machine.

Step 4: Change the permissions of ~/.ssh/authorized_keys, if needed.

# chmod 644 ~/.ssh/authorized_keys


Step 5: Create a script, e.g. backup, place it in /etc/cron.daily/ and make it executable.

This will back up the whole machine; you can list specific paths instead of /.

#!/bin/sh
#
# backup
#
DEST=root@backup.yourdomain.com
RSYNC="rsync -aqP --delete -e ssh"
# /proc, /sys, /dev and /tmp hold no real files and must not be copied
EXCLUDES="--exclude=/proc --exclude=/sys --exclude=/dev --exclude=/tmp"

# save the list of installed packages so the machine can be rebuilt
dpkg -l | awk '/^ii/ {print $2}' > /etc/deblist

# each machine gets its own directory on the backup host; with --delete a
# shared target directory would wipe the other machines' backups
$RSYNC $EXCLUDES / $DEST:/var/backups/$(hostname)/


(Optional) Step 6: Change the time of cron.daily in the /etc/crontab file
so that your machines start syncing at different times.

/etc/crontab
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
30 4 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
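An added example for steps 3 and 4, not from the original post: the key line appended to the backup machine's authorized_keys can carry OpenSSH options that limit what the key may do, and the file must not be group- or world-writable or sshd (with the default StrictModes) ignores it. The key string and the 203.0.113.10 source address are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: produce a least-privilege
# authorized_keys line for the backup key and check the file permissions sshd
# insists on. The key below is a constructed placeholder, not real key material.

# restrict_key PUBKEY_LINE SOURCE_IP
# Prefixes the key with OpenSSH authorized_keys options: the key is accepted
# only from SOURCE_IP and cannot open a pty or forward ports, agents or X11.
# A command="..." option (e.g. the rrsync helper shipped in rsync's support/
# directory) would pin it to rsync alone; that depends on the rsync layout.
restrict_key() {
    printf 'from="%s",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# key_file_ok FILE
# Returns 0 when FILE is neither group- nor world-writable (the 6th and 9th
# characters of the ls -l mode string are the group and other write bits).
key_file_ok() {
    mode=$(ls -ld "$1" | cut -c1-10) || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Constructed sample key, in the format id_rsa.pub uses.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample root@home'

# On the backup machine (203.0.113.10 is the assumed address of the machine
# being backed up):
#   restrict_key "$(cat id_rsa.pub)" 203.0.113.10 >> ~/.ssh/authorized_keys
restrict_key "$SAMPLE_KEY" 203.0.113.10
```

Because the backup runs as root over this key, the from= restriction is what keeps a copied id_rsa from being usable from anywhere else, so it is worth adding even if no forced command is configured.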


Readings
http://www.scrounge.org/linux/rsync.html

Monday, January 11, 2010

Cloning SugarCRM


Step 1: Clone the SugarCRM directory

There is a script, "CopySugarFile.sh" (listed at the bottom).
When running the script, remember that you have to provide the paths of both the source directory and the clone directory.


root@imran:~# ./sugarclone
Missing First Argument:
Syntax: copySugarFiles.sh /var/www/html/FROM_SUGAR_DIR /var/www/html/TO_SUGAR_DIR
exited with status -1

root@imran:~# ./sugarclone /var/www/sugar /var/www/clone
Compressing /var/www/sugar Sugar and saving to /home/imran/sugarFilesFromBackup201001111322.tgz
Compressing /var/www/clone Sugar and saving to /home/imran/sugarFilesToBackup201001111322.tgz
tar: Cowardly refusing to create an empty archive
Try `tar --help' or `tar --usage' for more information.
Extracting the /var/www/sugar Sugar tgz to /var/www/clone Sugar directory
Script complete.

Step 2: Clone the database

First:
Create a new database for the clone, e.g. clone.
Export the sugarcrm database using the phpMyAdmin tool, e.g. to sugarcrm.sql.
Import the sugarcrm.sql data into the clone database.

root@imran:/srv/mysql# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15595
Server version: 5.1.37-1ubuntu5 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database clone
-> ;
Query OK, 1 row affected (0.18 sec)
mysql> GRANT ALL ON clone.* TO clone@localhost IDENTIFIED BY "clone";
Query OK, 0 rows affected (1.24 sec)
mysql>

Script
#!/bin/bash
# copySugarFiles.sh

exitcode=0
# insert the path to your production directory here to ensure nobody copies to it by mistake
blockdirprefix="/path/to/production/directory"

if [ -z "$1" ]
then
echo -e "\nMissing First Argument:"
exitcode=-1;
elif [ "$1" = "--help" ] || [ "$1" = "-h" ]
then
exitcode=1;
elif [ -z "$2" ]
then
echo -e "\nMissing Second Argument:"
exitcode=-2;
elif [ "$#" != "2" ] && [ "$#" != "3" ]
then
echo -e "\nInvalid number of arguments:"
exitcode=-3;
elif [ ! -d "$1" ]
then
echo -e "\nThe directory $1 doesn't exist."
exitcode=-7;
elif [ ! -d "$2" ]
then
echo -e "\nThe directory $2 doesn't exist:"
exitcode=-8;
elif [ "$1" = "$2" ]
then
echo -e "\nThe 'from' directory must be different than the 'to' directory:"
exitcode=-4;
# this checks that the blockdirprefix above is not being copied to
elif [ "${2:0:${#blockdirprefix}}" = "${blockdirprefix:0:${#blockdirprefix}}" ] && [ "$3" != "iamsure" ]
then
echo -e "\nCan't copy to production ($blockdirprefix) without third parameter of \"iamsure\""
exitcode=-10;
fi

if [ "$exitcode" -lt "0" ]
then
echo -e "Syntax: copySugarFiles.sh /var/www/html/FROM_SUGAR_DIR /var/www/html/TO_SUGAR_DIR\nexited with status $exitcode\n"
exit $exitcode;
elif [ "$exitcode" -gt "0" ]
then
echo -e "The first parameter should be the sugar directory you are copying from."
echo -e "The second parameter should be the sugar directory you are copying to."
echo -e "\nThis script will skip the following directories and files:"
echo -e "./cache\n./custom\n./config.php\n./config_override.php\n./*.log*"
exit $exitcode;
fi

date=$(date +%Y%m%d%H%M);

# Backing up the from sugar directory and saving to the user's home directory
echo -e "\nCompressing $1 Sugar and saving to $HOME/sugarFilesFromBackup$date.tgz\n"
cd "$1"
filelist=$(find . -maxdepth 1 ! -name "." ! -name "cache" ! -name "custom" ! -name "config.php" ! -name "config_override.php" ! -name "*.log*" -exec echo "{}" \;)
tarcommand="tar cfz $HOME/sugarFilesFromBackup$date.tgz $filelist"
$tarcommand;

# Backing up the to sugar directory and saving to the user's home directory
echo -e "\nCompressing $2 Sugar and saving to $HOME/sugarFilesToBackup$date.tgz\n"
cd "$2"
filelist=$(find . -maxdepth 1 ! -name "." ! -name "cache" ! -name "custom" ! -name "config.php" ! -name "config_override.php" ! -name "*.log*" -exec echo "{}" \;)
tarcommand="tar cfz $HOME/sugarFilesToBackup$date.tgz $filelist"
# an empty 'to' directory (a fresh clone) has nothing to back up; skip tar
# rather than let it complain about an empty archive
if [ -n "$filelist" ]; then $tarcommand; fi

cd "$HOME"
# Extracting the from sugar directory to the to sugar directory
echo -e "\nExtracting the $1 Sugar tgz to $2 Sugar directory\n"
cp $HOME/sugarFilesFromBackup$date.tgz "$2"
cd "$2"
tarcommand="tar xf ./sugarFilesFromBackup$date.tgz"
$tarcommand;
rm "./sugarFilesFromBackup$date.tgz"

echo -e "\nScript complete."

exit 0

Readings
Cloning SugarCRM document
Exporting data using PHPMyAdmin

Friday, January 8, 2010

SugarCRM: Changing the Max File Upload Limit

In SugarCRM, when uploading a file as an attachment (e.g. Marketing->Accounts->youraccount->Create Note or Attachment),
I tried to upload a 20M file; it was not attached and no error message was shown either. Here is how to fix this. After making the following changes the site's performance also improved.

Step 1: Change in SugarCRM
Go to Admin->System Settings->Advanced
and change Maximum upload size, e.g. to 41943040 (40M); the default was 3000000 (3M).

Step 2: Change the php.ini file
Log in to the server hosting the site,
open /etc/php5/apache2/php.ini and change the following to a 40M limit:

post_max_size = 40M
upload_max_filesize = 40M

max_execution_time = 1000
max_input_time = 60
memory_limit = 128M

imran@venus:/var/www/sugar$ sudo nano /etc/php5/apache2/php.ini

;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

max_execution_time = 100 ; Maximum execution time of each script, in seconds, 30s default
max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
;max_input_nesting_level = 64 ; Maximum input variable nesting level
memory_limit = 128M ; Maximum amount of memory a script may consume (16MB), change to 50M, 50M defau$

;;;;;;;;;;;;;;;;;
; Data Handling ;
;;;;;;;;;;;;;;;;;
;

; Maximum size of POST data that PHP will accept, 8M default
post_max_size = 40M


;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;

; Maximum allowed size for uploaded files. change size 2M to 10M, 10M default
upload_max_filesize = 40M


Save the file and exit.

Step 3: Restart the apache2 web server
imran@venus:/var/www/sugar$ sudo /etc/init.d/apache2 restart

Step 4: Test the upload limit
Go to Marketing->Accounts->youraccount->Create Note or Attachment
and attach a file of e.g. 20M; it should be attached now.
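An added check for the php.ini values set in step 2, not from the original post: PHP discards an upload that does not fit in post_max_size, and the whole request has to fit in memory_limit, so the three limits have to be ordered. The functions below expand PHP's K/M/G shorthand, compare the three values, and read the active (uncommented) value of a directive from a php.ini; the commented usage line assumes the /etc/php5/apache2/php.ini path used in this post.

```sh
#!/bin/sh
# Added example, not from the original post: verify that upload_max_filesize,
# post_max_size and memory_limit are consistent with each other.

# to_bytes SIZE: expand PHP shorthand (K/M/G, case-insensitive, 1024-based)
# to a plain byte count; a bare number is returned unchanged.
to_bytes() {
    size="$1"
    num=${size%[KkMmGg]}
    case "$size" in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# limits_consistent UPLOAD POST MEMORY
# Returns 0 when upload_max_filesize <= post_max_size <= memory_limit.
# memory_limit may be -1 (unlimited); then only the first relation is checked.
limits_consistent() {
    u=$(to_bytes "$1")
    p=$(to_bytes "$2")
    [ "$u" -le "$p" ] || return 1
    [ "$3" = "-1" ] && return 0
    m=$(to_bytes "$3")
    [ "$p" -le "$m" ]
}

# ini_value FILE KEY: the last active "KEY = value" line in FILE, with
# surrounding whitespace and a trailing ';' comment stripped. Lines starting
# with ';' are comments and are skipped, as php.ini itself treats them.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Usage against the live file (path from this post):
#   ini=/etc/php5/apache2/php.ini
#   limits_consistent "$(ini_value $ini upload_max_filesize)" \
#                     "$(ini_value $ini post_max_size)" \
#                     "$(ini_value $ini memory_limit)" && echo "limits ok"
```

The PHP manual recommends post_max_size larger than upload_max_filesize, because the multipart encoding adds a little to the size of the file on the wire; with both set to 40M, a file that is itself just under 40M can still be refused, so leaving a few megabytes of headroom in post_max_size avoids that edge case.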