Wednesday, 25 June 2014

some security features

I have a tiny vserver running a "RedHat-like OS". Mostly I use it for my ownCloud stuff: storing some files and reading my RSS feeds. So it is a nice playground for new features, especially security-related ones.

Today I installed two tools:

  1. Suricata
    (http://suricata-ids.org/) is an IDS/IPS engine developed by the Open Information Security Foundation (OISF), whose initial funding came from the US Department of Homeland Security. It is free and open source; its main advantage over Snort is that it is multi-threaded and can make use of multiple CPU cores.
  2. mod_security
    (http://www.modsecurity.org/) is an Apache module that acts as a web application firewall. Together with the OWASP Core Rule Set (CRS) it detects and blocks common attacks such as XSS and SQL injection.
Suricata needs to be built by hand, as no packages are available in the repos. But it isn't that hard if you follow the instructions and the documentation.
Once you have built it, there are some additional steps:
  1. create /etc/suricata/ and /etc/suricata/rules
  2. copy suricata.yaml and the *.config files (classification.config, reference.config, threshold.config) to /etc/suricata; you will find them in the Suricata source package
  3. change into /etc/suricata/rules and fetch the Emerging Threats Open rules from https://rules.emergingthreats.net/open/suricata/rules/
  4. Now adjust the settings in suricata.yaml, for example which outputs you want to use. It is important to enable logging to file and to syslog, because in daemon mode there is no console to watch. Have a look at the other options as well; basically everything Suricata handles can be tuned there (at least the rule path and HOME_NET should match your setup, otherwise many rules never fire).
  5. Finally start it in daemon mode (-D) on the interface you want to monitor (-i): suricata -c /etc/suricata/suricata.yaml -i eth0 -D
  6. It will write all its output to /var/log/suricata
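The steps above as one small POSIX sh script. This is an added example, not part of the original post or of the Suricata project: it assumes an unpacked source tree in SURICATA_SRC that ships suricata.yaml and the *.config files, a target directory SURICATA_ETC (default /etc/suricata), and wget for the rule download. The output check parses the "outputs:" list of suricata.yaml with awk, which is enough to confirm that fast-log and syslog are switched on before the daemon is started. Both paths are overridable so the functions can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the original post): Suricata setup steps as functions.
# Assumptions: SURICATA_SRC is an unpacked Suricata source tree, SURICATA_ETC the
# target config directory, wget is installed. Both paths are overridable for testing.
SURICATA_ETC="${SURICATA_ETC:-/etc/suricata}"
SURICATA_SRC="${SURICATA_SRC:-./suricata}"
RULES_URL="https://rules.emergingthreats.net/open/suricata/rules/"

# Step 1: /etc/suricata and /etc/suricata/rules
setup_dirs() {
    mkdir -p "$1/rules"
}

# Step 2: copy the config files from the source tree; prints how many were copied
copy_configs() {
    src="$1" etc="$2" n=0
    for f in suricata.yaml classification.config reference.config threshold.config; do
        if [ -f "$src/$f" ]; then
            cp "$src/$f" "$etc/$f" && n=$((n + 1))
        fi
    done
    echo "$n"
}

# Step 3: mirror the ET Open rules into the rules directory (needs network access)
fetch_rules() {
    ( cd "$1/rules" && wget -q -r -np -nd -A '*.rules' "$RULES_URL" )
}

# Step 4: is an output (fast, syslog, ...) enabled in suricata.yaml?
# Prints the value of the first "enabled:" key inside the "- <name>:" list item,
# or nothing if there is no such item.
output_enabled() {
    awk -v want="$2:" '
        $1 == "-" && $2 == want     { inblock = 1; next }
        inblock && $1 == "-"        { exit }            # next output item, not found
        inblock && $1 == "enabled:" { print $2; exit }
    ' "$1"
}

# Step 5: the daemon command line; printed rather than executed so it can be reviewed
suricata_cmd() {
    echo "suricata -c $1/suricata.yaml -i $2 -D"
}

# Constructed minimal suricata.yaml for the dry run below; the real file from the
# source tree has many more options (rule path, HOME_NET, ...).
write_sample_yaml() {
    cat > "$1" <<'EOF'
outputs:
  - fast:
      enabled: yes
      filename: fast.log
  - syslog:
      enabled: no
      facility: local5
EOF
}

# Dry run in a scratch directory: SURICATA_SETUP_DRYRUN=1 sh setup.sh
if [ "${SURICATA_SETUP_DRYRUN:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src" && write_sample_yaml "$tmp/src/suricata.yaml"
    setup_dirs "$tmp/etc"
    echo "copied $(copy_configs "$tmp/src" "$tmp/etc") config file(s)"
    for o in fast syslog; do
        echo "$o enabled: $(output_enabled "$tmp/etc/suricata.yaml" "$o")"
    done
    suricata_cmd "$tmp/etc" eth0
    rm -rf "$tmp"
fi
```

With the constructed sample the dry run reports fast as enabled and syslog as not, which is exactly the situation step 4 tells you to fix before starting the daemon with -D; on the real box run the functions against /etc/suricata instead.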
mod_security can be installed from the repos (EPEL on RHEL/CentOS); the CRS package pulls the module itself in as a dependency, but it does no harm to name it explicitly:
yum install mod_security mod_security_crs mod_security_crs-extras

After restarting httpd it is active by default, and in blocking mode. You can find the output for debugging and auditing in the httpd log directory (/var/log/httpd: modsec_debug.log and modsec_audit.log), while the individual rule hits also show up in error_log. With an application like ownCloud, which speaks WebDAV, the CRS is likely to produce false positives, so check error_log after the first sync runs and consider SecRuleEngine DetectionOnly until the rules are tuned.
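The tuning pass described above, as an added example that is not part of the original post or of the ModSecurity project. It assumes ModSecurity 2.x with the packaged CRS, Apache config under /etc/httpd, and a hypothetical drop-in file zz-modsecurity-local.conf (loaded after mod_security.conf, so its SecRuleEngine value wins). The summary function turns the rule hits in error_log into a "count rule-id uri" table, which is what you need to decide whether a rule is a real hit or a WebDAV false positive; the sample log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): first-day mod_security tuning helpers.
# Assumptions: ModSecurity 2.x + OWASP CRS from the repos, Apache config in
# /etc/httpd, and a hypothetical drop-in zz-modsecurity-local.conf in conf.d.
HTTPD_CONFD="${HTTPD_CONFD:-/etc/httpd/conf.d}"

# Print the effective SecRuleEngine value of a config file (On / Off / DetectionOnly).
# The last directive in the file wins, as it does for Apache itself.
modsec_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 } END { print mode }' "$1"
}

# Write a drop-in that logs but does not block, so CRS false positives can be
# collected from error_log before switching to blocking mode.
write_detection_only() {
    cat > "$1/zz-modsecurity-local.conf" <<'EOF'
# Local override: start in logging-only mode, switch to "On" after tuning.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
EOF
}

# Summarise ModSecurity alerts in error_log as "count rule-id uri", most frequent
# first. A rule id that fires constantly on a legitimate URI is a candidate for
# SecRuleRemoveById or a <Location>-scoped exception.
modsec_summary() {
    grep 'ModSecurity:' "$1" \
    | sed -n 's/.*\[id "\([0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2/p' \
    | sort | uniq -c | sort -rn
}

# Constructed sample error_log lines in the ModSecurity 2.x format (not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
[Wed Jun 25 10:12:01 2014] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:q. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "19"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "cloud.example.org"] [uri "/index.php"] [unique_id "U6qYwX8AAQEAAAhQBXQAAAAA"]
[Wed Jun 25 10:12:05 2014] [error] [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:q. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "19"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "cloud.example.org"] [uri "/index.php"] [unique_id "U6qYxX8AAQEAAAhQBXUAAAAA"]
[Wed Jun 25 10:13:40 2014] [error] [client 198.51.100.4] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [hostname "cloud.example.org"] [uri "/remote.php/webdav/notes.txt"] [unique_id "U6qZGH8AAQEAAAhQBXYAAAAA"]
[Wed Jun 25 10:14:02 2014] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
EOF
}

# Demo in a scratch directory: MODSEC_DEMO=1 sh modsec-tune.sh
if [ "${MODSEC_DEMO:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    write_detection_only "$tmp"
    echo "mode: $(modsec_mode "$tmp/zz-modsecurity-local.conf")"
    write_sample_log "$tmp/error_log"
    modsec_summary "$tmp/error_log"
    rm -rf "$tmp"
fi
```

On the real server, point write_detection_only at $HTTPD_CONFD, restart httpd, let the ownCloud clients sync for a day, then run modsec_summary /var/log/httpd/error_log: the repeated 973336 hit on a real XSS probe is a keeper, whereas an anomaly-score hit on /remote.php/webdav/ from your own client is the kind of entry to exclude before switching SecRuleEngine back to On.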