Network Monitoring Using FreeBSD

by xenophon — last modified 2005-09-15 18:48
Contributors: Matthew X. Economou, Jason A. Powell

Maintaining one's operational security involves more than just patching computers, setting up a firewall or IDS, and running anti-virus software. One must also be able to monitor the activity of the systems and countermeasures one has deployed. Remote log storage reduces the risk that an attacker, or some other catastrophic failure, will make it impossible to trace the attacker's activity or the error leading up to the compromise or failure. Consolidating countermeasure activity reports makes it easier for human analysts to assess and correlate the variety of indicators into useful and reasonable warnings. Even simple statistical indicators can provide a useful warning; for example, a sharp increase in both network and disk utilization may indicate that someone is using a hacked server as an FTP warez site. This document describes a centralized logging and monitoring platform based on FreeBSD. While the described model is deliberately simple, the savvy administrator can add fault tolerance and increased capacity in a number of key components, such as MySQL, CARP, and the web-based user interfaces.

This document describes the creation of a centralized location to store server logs, statistical information, network IDS events, or forensic data, as well as the creation of network IDS sensors and the configuration of logging and monitoring clients. This document does not describe sensor placement or network monitoring operations. For a detailed discussion of network security monitoring, see The Tao of Network Security Monitoring: Beyond Intrusion Detection by Richard Bejtlich.

FreeBSD is well suited to service as a logging/monitoring server or a network IDS sensor. The default installation has few services running and requires little additional hardening. Its security team is well organized and prompt. FreeBSD supports a variety of network management, logging, and data acquisition tools, many of which can be installed from pre-built binary packages. This document assumes FreeBSD is installed on the logging/monitoring server and on the IDS sensors and that these computers are members of an Active Directory domain. Bear in mind the following storage requirements when allocating disk space during FreeBSD's installation:

Figure 1: Significant storage locations on the logging/monitoring server
Directory        Description    Minimum Size
/var/db/mysql    ...            ... GB

Figure 2: Significant storage locations on an IDS sensor
Directory        Description    Minimum Size
/var/log/snort   ...            ... GB

Execute the commands listed in these instructions while logged into the relevant device with administrative privileges.

The Logging/Monitoring Server

Prerequisite Packages

Several key software packages support the centralized logging and network monitoring functions.

MySQL

Many of these programs store event logs and sensor data in an indexed database. While PostgreSQL is also a good choice, the authors of this paper are more familiar with MySQL.

  1. Install MySQL together with a collection of maintenance scripts useful for database administration with the following commands:
    ed /etc/make.conf
    a
    # databases/mysql41-server
    WITH_XCHARSET=all
    WITH_OPENSSL=yes
    WITH_NDB=yes
    .
    wq
    portinstall -m BATCH=yes databases/mysql41-server \
                             databases/mysql41-scripts
    rehash
    
  2. Enable MySQL and start it with the following commands:
    ed /etc/rc.conf
    a
    mysql_enable="YES"
    .
    wq
    /usr/local/etc/rc.d/mysql-server.sh start
    
  3. Lock down the default installation by running the script /usr/local/bin/mysql_secure_installation. The following procedure sets the administrator's password, removes remote administrative access, and deletes the default test database:
    /usr/local/bin/mysql_secure_installation
    <there is no password by default; just press enter>
    Y
    <enter a suitable administrative password>
    <re-enter the password to confirm>
    Y
    Y
    Y
    Y
    

Apache HTTPD

Many of these programs provide a web interface; some, such as ACID, rely on the web server to authenticate their users or to encrypt network traffic. When the Apache 2.0 web server and the mod_auth_pam authentication module are used together with Samba's winbind PAM module, users can be authenticated against an Active Directory domain, with logons restricted by domain group membership.

  1. Install Apache and mod_auth_pam with the following commands:
    ed /etc/make.conf
    a
    # www/apache2
    WITH_SSL_MODULES=yes
    .
    wq
    portinstall -m BATCH=yes www/mod_auth_pam2
    rehash
    
  2. By default, Apache sets the web server document root directory to /usr/local/www/data....
  3. SSL certificate...
  4. Enable Apache and start it with the following commands:
    ed /etc/rc.conf
    a
    apache2_enable="YES"
    apache2ssl_enable="YES"
    .
    wq
    /usr/local/etc/rc.d/apache2.sh start
    

PHP

Many of these programs' web interfaces are written in a server-side scripting language called PHP. Several PHP extension modules are needed in addition to the base language runtime, such as LDAP support for Active Directory authentication.

Log Storage and Access

syslog-ng is used to permanently store system logs from computers or routers in a MySQL database. System administrators access the database using php-syslog-ng and a web browser. Because event logs are stored remotely, an attacker who compromises a host cannot alter valuable audit information, and hardware faults cannot destroy diagnostic data. syslog-ng can also be configured to store message time stamps properly, whereas BSD syslog generates inconsistent time stamps when the time zone offset changes for Daylight Saving Time.

Figure 3: Log Storage and Access System Design (diagram)

..something about features syslog-ng has that the built-in syslogd lacks, plus a configuration that fully replicates the built-in logging configuration, or runs side-by-side with it... Michael Earls' notes re: storing logs in MySQL...

  1. Create the log database with the following commands:
    mysql -u root -p
    <enter the database administrative password as set above>
    CREATE DATABASE log;
    CREATE TABLE log.entry (date     DATETIME NOT NULL,
                            host     TEXT NOT NULL,
                            facility TEXT NOT NULL,
                            priority TEXT NOT NULL,
                            program  TEXT NOT NULL,
                            message  TEXT NOT NULL);
    COMMIT;
    QUIT;
    
  2. It is important to restrict database access in the event that the log-related network-facing services are compromised. Restrict syslog-ng to only inserting records into the database, restrict the web interface to only viewing records, and only allow a third account to delete records with the following commands (replacing password with unique, strong passwords for each service account):
    mysql -u root -p
    <enter the database administrative password as set above>
    GRANT INSERT ON log.entry TO logger@localhost IDENTIFIED BY 'password';
    GRANT DELETE ON log.entry TO purger@localhost IDENTIFIED BY 'password';
    GRANT SELECT ON log.entry TO viewer@'%'       IDENTIFIED BY 'password';
    FLUSH PRIVILEGES;
    
  3. Install sysutils/syslog-ng with the following commands:
    portinstall -m BATCH=yes sysutils/syslog-ng
    rehash
    
  4. Configure syslog-ng to listen for log messages only on UDP port 514 and to store those logs in the database (while sending log messages related to its own operation to FreeBSD's syslog) with the following commands:
    ed
    a
    options {
        use_dns(yes);
        use_fqdn(yes);
    };
    
    source myself {internal();};
    destination syslogd {unix-dgram("/var/run/log");};
    log {source(myself); destination(syslogd);};
    
    source network {udp();};
    destination mysql {
        unix-stream("/var/run/dbexec-syslogng.pipe"
          template("INSERT INTO log.entry VALUES ('$ISODATE', '$HOST',
                    '$FACILITY', '$PRIORITY', '$PROGRAM', '$MSGONLY');\n")
          template_escape(yes));
    };
    log {source(network); destination(mysql);};
    .
    w /usr/local/etc/syslog-ng/syslog-ng.conf
    q
    
  5. Enable syslog-ng and start it with the following commands:
    ed
    a
    #!/bin/sh
    #
    # rc.d script for syslog-ng; rcvar is derived from $name (syslogng_enable).

    # PROVIDE: syslogng
    # REQUIRE: NETWORKING
    # BEFORE:  DAEMON

    . /etc/rc.subr

    name="syslogng"
    rcvar=`set_rcvar`
    pidfile="/var/run/syslog-ng.pid"
    command="/usr/local/sbin/syslog-ng"
    command_args="-p ${pidfile}"

    load_rc_config $name
    run_rc_command "$1"
    .
    w /usr/local/etc/rc.d/syslogng.sh
    q
    chmod 555 /usr/local/etc/rc.d/syslogng.sh
    ed /etc/rc.conf
    a
    syslogng_enable="YES"
    .
    wq
    /usr/local/etc/rc.d/syslogng.sh start
    
  6. Test syslog-ng with the following commands:

  7. Install php-syslog-ng with the following commands:

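The MySQL destination in step 4 builds an SQL statement from untrusted log text, and template_escape(yes) is what keeps a quote character inside a message from breaking (or altering) that statement. The following Python script is an added illustration, not syslog-ng's own code: it expands the same INSERT template by hand, applies the documented template_escape behaviour (backslash-escaping ', " and \), and checks whether the result is a single well-formed statement. The sample record and its field values are constructed.

```python
# Added illustration (not syslog-ng code): expand the step-4 INSERT template
# by hand to see why template_escape(yes) matters for the MySQL destination.
TEMPLATE = ("INSERT INTO log.entry VALUES ('{ISODATE}', '{HOST}', "
            "'{FACILITY}', '{PRIORITY}', '{PROGRAM}', '{MSGONLY}');")

def template_escape(value):
    """Backslash-escape ', " and \\ the way syslog-ng's template_escape(yes) does."""
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in value)

def render(record, escape):
    """Expand the template for one record; `escape` mirrors template_escape(yes/no)."""
    fields = {k: (template_escape(v) if escape else v) for k, v in record.items()}
    return TEMPLATE.format(**fields)

def count_statements(sql):
    """Return (number of ';' outside quoted strings, ended-outside-quotes flag).
    A well-formed rendering has exactly one statement and ends with no open quote."""
    count, quote, i = 0, None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == "\\":
                i += 1              # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            count += 1
        i += 1
    return count, quote is None

# Constructed sample record, shaped like the macros the template uses. The
# message carries apostrophes, which ordinary programs emit all the time.
RECORD = {
    "ISODATE": "2005-09-15T18:48:00-04:00", "HOST": "fw1.example.test",
    "FACILITY": "auth", "PRIORITY": "err", "PROGRAM": "sshd",
    "MSGONLY": "can't open 'authorized_keys' for user bob",
}

def check(record):
    """(statements, well_formed) for the unescaped and the escaped rendering."""
    return count_statements(render(record, False)), count_statements(render(record, True))

if __name__ == "__main__":
    print(render(RECORD, True))
    print(check(RECORD))    # unescaped: quoting left open; escaped: one clean statement
```

Without escaping, an apostrophe in any message leaves the INSERT malformed and the entry is silently lost, which is a logging failure before it is anything else; with template_escape(yes) the message is carried intact inside the quoted string.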

Device Monitoring Tools

...net-snmp...cacti...argus...flow-tools...

Intrusion Detection

...sguil...

...acid, barnyard...

Event Correlation

Prelude will correlate log and sensor data from a variety of sources....

Routers, Switches, Etc.

Cisco IOS

Nortel Passport

Workstations and Servers

FreeBSD

Windows XP/2003

Solaris

Network Sensors

  1. Some tools require the assignment of an IP address to a monitoring interface...
  2. Device polling can improve sensor performance when using supported devices as capture interfaces. Build a version of the kernel with device polling support using the following commands:
    touch /usr/src/sys/`uname -m`/conf/POLLING
    ed /usr/src/sys/`uname -m`/conf/POLLING
    a
    include GENERIC
    options DEVICE_POLLING
    .
    wq
    cd /usr/src
    make kernel KERNCONF=POLLING INSTKERNNAME=kernel.polling
    ed /boot/loader.conf
    a
    kernel="kernel.polling"
    .
    wq
    ed /etc/sysctl.conf
    a
    # Enable device polling (see polling(4) for more information).
    kern.polling.enable=1
    .
    wq
    reboot
    
    Note that device polling is incompatible with SMP support. Note also that one must rebuild kernels with device polling support manually when security updates are applied.

Monitoring Clients

...argus client on FreeBSD...

...sguil client on FreeBSD...

...sguil client on Windows...
