Archive for the ‘Security’ Category

Installing Snort on a flash based FreeBSD system

June 14th, 2009 Comments off

For some years I have run Snort on my main server, along with Apache, bind etc and this solution has the obvious limit to only check traffic accessing the server. In a perfect world, it should be placed either before or behind the router/firewall so all traffic to the internal network is examined. This can be accomplished by various techniques, such as getting a passive network tap or using a hub. Since I already had an ITX system, Alix 2D3, which is a small flash based mobo with 3 NICs, 256 MB, 600 MHz, I decided to give it a try and use it. In theory it seems straight forward, bridge two NICs together, connect the cablemodem to one NIC and the router to the second and let Snort sniff the bridged interface. In practice, it was not much more difficult.



Being the FreeBSD guy I am, I decided to install it on the 4 GB flash card. A few things to keep in mind.. Since compact flash cards has a finit number of writes, it is important to try and minimize the write operations, which can be solved by mounting the filesystems with noatime which stops the system from writing when the files were last accessed, and by mounting /tmp and /var/log to RAM by using tmpfs. One caveat with the Alix mobo is that it has no VGA output and to install the operating system, I did an install using PXE and a serial cable. It’s pretty simple, a good guide can be found here and another one here. To be able to remotely manage the box without connecting a console cable to it, I used the first interface (vr0) as management and applied a local address to it.

When installation was complete, I SSH’d into the box and upgraded ports. Then installed some must have apps like vim, screen and bash before installing Snort and Oinkmaster (to keep the rules updated).  Since I am running BASE (a web GUI for querying and analyzing alerts) on my main server and it’s using Mysql as the backend, I compiled Snort with support for logging to mysql. Before starting Snort, I had to bridge two physical interfaces (vr1 & vr2) to create one logical interface (bridge0)  that Snort could listen on.  After a few modications to snort.conf (specifying logging, etc) I started it with snort -i bridge0 and lo and behold! It worked!

Alix2C2 as a firewall with M0n0wall

May 26th, 2009 Comments off

For some time I have been pondering the option of getting a stand-alone router/firewall, since the combined modem/router provided by my ISP has some drawbacks (very rudimentary logging, max 10 ports forwarded etc). A few years back, I used my main multi-homed server (running FreeBSD 4.5 at that time) as a gateway/firewall. What I did like about it was the configurability and the logging options, but when I retired that box and moved FreeBSD over to a virtual machine, I simply got myself a modem/router combo.

One of my criterias now when I had moved into a new apartment, was that the firewall should be small, quiet and energy efficient. PC Engines has become one of the better



known manufacturers of ITX boards, starting with the WRAP which has know been succeeded by its Alix series. These are fanless, compact, and sports a compact flash socket. I settled for an Alix2C2, which has 2 NICs, 256 MB DDR DRAM, USB and a 500 Mhz AMD Geode LX800. LinITX also sold suitable enclosements for the Alix boards, and I bought a black one.
The next option was to choose the software, which there are plenty to choose from, M0n0wall, PFSense, IPcop , Smoothwall, etc. They can all be run from a CF card and doesn’t require a hard disk. Since using a CF card, the write cycles  are limited and everything is kept in RAM to reduce number of writes on the card and increase overall speed. I chose to go with M0n0wall, since its known to run well on Alix2C2, but I guess is’s a matter of taste, personal preferences and what features you are interested in.

Alix2c2 enclosement

Alix2c2 enclosement

When all had been settled it was time to get the hands dirty. Several guides has been written about this, and I followed the one on M0n0walls site. After downloading the embedded image from their site, I had to transfer it to the CF, which I did by writing the image with the help of a card reader. Since I was sitting at my Windows machine when doing the install, I downloaded physwriteimage and wrote the embedded image. Tried to use the GUI but since my CF card was larger than 2 GB (a waste, I know) it wouldn’t work. But using the command prompt and adding the ‘u’ flag to the arguments, it wrote the image fine. Inserted the CF card in the slot on the Alix board, slid it into its enclosement, added the power adapter and it was booting. But since the default configuration has the management IP as and I wanted it to have I had to connect a null-modem cable to its serial port (it doesn’t have a VGA connector) and connect to it through HyperTerminal. After the settings were committed, the box was ready for some action. Connected it to a local switch and the rest of the configuration was easy done through the web interface.