
Thread: snort and other services

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    snort and other services

    Hi all. It's that time of year again. I pick up a dozen projects and run with it.

    For this project I'm going to be setting up a server that will function as three things:

    HTTP(S)(Apache)/SSHD/SMTP (SquirrelMail)

    I figured it'd be a good chance to mess around with snort while I'm doing it.

    I have a checklist that I'm putting together to make sure that I do it right and want some advice/comments about the setup.

    Here is the setup I'd like...

    This is going to be for a small home network and mostly for learning. My buddy runs his websites from a box now that is having more and more problems everyday and we're to the point where we have a script restarting httpd every hour. Rather than fix that box... we are just going to build a new one.

    Hardware:

    PII 400MHz 384MB RAM
    6GB HDD
    1 10/100 NIC
    cheapo video card
    OS = Fedora Core 2

    This server will function as a web/smtp/and ssh server. I will have a firewall on it using iptables (policy built with fwbuilder). I plan on hardening it further with bastille linux and TCP wrappers, tripwire (if I can still get it), port sentry/log sentry, BitDefender AV and TIGER (which also has rootkit detection and host based IDS and security checks... nice little set of scripts... though don't hear much about it except from me). For the NIDS I was going to use SNORT, but unsure if it's ok to run the other services on the same box. This box will be in the DMZ.

    DMZ (setup listed above) --> Router/Firewall --> LAN

    The SNORT install guide I'm using is one I found on snort.org and is for installing Snort, Apache, PHP, MySQL and ACID on RH9 (but I'm going to use Fedora Core 2). I also have the user guide... which I'll be tearing through this weekend and fine tuning SNORT until I get what I like.

    1.) Is it stupid to run snort and a firewall that is also running the services listed above?

    2.) Is it ok to use the HTTPD for both SNORT and for serving webpages?

    3.) How does this setup sound to you?

    4.) What would you do to make it better?

    5.) Any advice you can give me while working on this project?

    6.) Is it ok to use bastille even though I'll also be using Core 2 which has the 2.6 kernel and SELinux?

    7.) If the firewall is blocking attacks... will SNORT still log them?

    8.) If snort will not log them due to the FW... I can just put in a second NIC and unbind everything from that and have that interface go to a hub before the router?

    I'm planning on doing this next Wednesday and have the weekend to do further research.

    I got some really good answers/feedback on my Win2k3 project (which by the way went very well). So, I figured that I'd try to get some more feedback/suggestions/advice from AO.

    Apparently they have already released Core2... I thought that only Core2 (test 3) had been released... so, it'll be Core 2 that I'll be using.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    my goodness phish,

    Here is me interested in what you are doing, well leeching what info I can from the thread..

    My project (not a weekend project).. is more a Gateway/Firewall/SMTP .. love to help with advice.. but you're a few floors above me..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Phish: I would say that putting your "eyes and ears" on the same box as the potential target isn't very safe. If someone gets on the box then the logs are job one and you will be providing them right there. I would suggest at least pulling the logs somewhere else, (possibly inside the trusted zone).
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Tiger Shark:

    I can make a syslog server and deny access to everything on that box except from the machines to be logged. Block all but UDP 514 from server...

    That should take care of the potential log problem.

    I have limited hardware resources. 1 P1 200MHz and the PII...

    So, should I just make the P1 the snort box?
    Keep snort separate from the server?

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Phish: Can you do this....

    1. Cheap hub outside firewall.
    2. Second NIC on internal, (LAN), box.
    3. No protocols bound to second NIC.
    4. Connect second NIC to hub outside firewall
    5. Run Snort on second NIC.
    6. Have syslog running on snort box
    7. have snort syslog to localhost
    8. Have firewall Syslog to Internal box.

    I don't know how much traffic you might expect but you may be able to run Ethereal on the second NIC too and capture all packets going to the host if you are really paranoid.

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Tiger: Thanks for the advice. That was an option I had considered but wanted to only use one PC. This is the first time I'm setting up an IDS (besides smoothwall/ipcop/eaglex).

    I'll propose that to my buddy and see if he is ok with it. If not, then we'll exclude SNORT for the time being. But, I have some spare hardware in the blackhole that I call my closet... I'll probably just end up doing that on my own LAN instead of his.

    Thanks again!

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Phish: A NIC, properly dis-associated from all protocols is pretty difficult to locate. Firstly you have to be in the same collision zone because the only way you might get a response is through a broadcast that shouldn't, (technically), be passed through routers, especially cable/dsl modem types... So an attacker needs to gain a foothold in the collision domain of the sniffer..... That would be the cable/dsl modem itself or your firewall. If he's on your firewall then you have a bigger issue than worrying about him finding the logger...

    It's pretty safe.... I have run it at work for 18 months or more..... Its interface shows 1 packet transmitted at each restart... that's all.... I restart every 2-3 weeks on average and check the packets sent/received every couple of days.... It works fine from here...... Sure as hell, your average skiddie isn't going to find it and the really talented chaps aren't really interested enough to try to come in.

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Tiger: OK, so that brings me to my next question... how do you properly dis-associate all protocols from your NIC in linux? I know how to do it in m$...

    I have yet to do any research on this...

    Feel free to point me to google... That's where I'm headed after I "submit reply" anyway.
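The thread never answers post #8's question, so here is an added example (written for this edit, not by any of the posters) of what post #5's "no protocols bound to the second NIC" looks like on Linux, together with the Snort-to-local-syslog and firewall-to-log-host steps from the same list and the restricted syslog box from post #4. Everything concrete in it is an assumption: the sniffing NIC is eth1, the log host is 192.168.1.10, the sensor 192.168.1.20 and the firewall 192.168.1.1 are constructed addresses, and the Snort flags are the Snort 2.x ones (-i interface, -c config, -l log dir, -s alerts to syslog, -D daemon). Applying the interface settings needs root; the functions that print rules and config lines run anywhere.

```sh
#!/bin/sh
# Added example, not from the thread. Constructed values: sniffing NIC eth1,
# log host 192.168.1.10, sensor 192.168.1.20, firewall 192.168.1.1.
# Applying the NIC settings needs root; the *_rules/*_line/*_cmd functions only print.

SNIFF_IF="${SNIFF_IF:-eth1}"

# On Linux a NIC with "no protocols bound" is simply up, promiscuous and addressless:
# with no IPv4/IPv6 address it never answers ARP or ICMP, so there is nothing on
# the hub segment to probe, which is the property post #7 relies on.
bring_up_sniffer() {
    ip addr flush dev "$SNIFF_IF"                           # drop any address
    sysctl -w "net.ipv6.conf.$SNIFF_IF.disable_ipv6=1"      # no link-local v6 either
    ip link set dev "$SNIFF_IF" promisc on
    ip link set dev "$SNIFF_IF" up
}

# Check an `ip addr show dev <nic>` dump: pass only if the link is UP and PROMISC
# and carries no inet/inet6 line. Takes the dump as $1 so it can be checked offline
# (e.g. from a cron job that alerts if someone ever gives the sniffer an address).
sniffer_is_silent() {
    dump="$1"
    printf '%s\n' "$dump" | grep -Eq '^[[:space:]]*inet6? ' && return 1
    printf '%s\n' "$dump" | grep -Eq '<([^>]*,)?PROMISC[,>]' || return 1
    printf '%s\n' "$dump" | grep -Eq '<([^>]*,)?UP[,>]' || return 1
    return 0
}

# Snort 2.x on the sniffing NIC, daemonised, alerts to local syslog (-s): steps 5-7.
snort_cmd() {
    printf 'snort -D -i %s -c /etc/snort/snort.conf -l /var/log/snort -s\n' "$SNIFF_IF"
}

# syslog.conf line for the firewall (or any sender) forwarding everything to the
# log host: step 8 of post #5.
forward_line() {
    printf '*.*\t@%s\n' "$1"
}

# iptables policy for the log host (post #4): accept UDP 514 only from the listed
# senders, nothing else inbound. UDP syslog carries no authentication, so this
# source filter is what keeps forged entries out of the log store.
loghost_rules() {
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for src in "$@"; do
        echo "iptables -A INPUT -p udp -s $src --dport 514 -j ACCEPT"
    done
    echo 'iptables -P INPUT DROP'
}

case "${1:-}" in
    apply) bring_up_sniffer && snort_cmd ;;             # sh sniffer.sh apply  (as root)
    *)     snort_cmd; forward_line 192.168.1.10; loghost_rules 192.168.1.20 192.168.1.1 ;;
esac
```

Run it with no argument to see the commands and config lines it would use; `apply` (as root) brings up the addressless interface and prints the Snort command line to start on it. The `sniffer_is_silent` check is the defender's half of post #7's argument: an interface that has picked up an address, or that has dropped out of promiscuous mode, is both findable and blind, so it is worth verifying after every reboot.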

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    ROFL.... You haven't seen my thread in the OS forum.....

    /me putting on californian surfer accent

    Duuude, linux sux maaaan.... They make it, like, haaaard to even do **** maaaan....

    /me growing up....

    I have no clue..... Use what you know... If that's Windows use that.... If you try to use something you don't know and expect security you may be unpleasantly surprised.....

    I'm just, and I mean just... count days.... starting to play with Fedora myself..... I'm not keen.... But I understand that I expect my OS to do certain things... Fedora doesn't do it - or, probably more accurately, doesn't do it automatically or intuitively....

    Sorry.... You reached past me..... and found.... not much......

  10. #10
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Tiger: I know linux fairly well. I've just never had to do that.

    If I only use stuff that I "know"... how do I expect to learn anything other than what I already know?

    Thanks for the advice. I'm sticking with linux...

    I'll figure it out. It was just a random thought that I posted without searching.
