Thursday, March 26, 2015

HOWTO : Protect My Home Network With Croissants

*** THE CURRENT VERSION OF CROISSANTS IS 0.1.2 (CROISSANTS-20150701.TAR.GZ), RELEASED ON JULY 01, 2015 ***


What is Croissants?

Croissants is an Intrusion Detection and Prevention System built on Suricata. Its other components are Snorby (event manager and web interface), Pigsty (event spooler) and PulledPork (rules manager).

Suricata is a high performance network IDS, IPS and network security monitoring engine. Croissants runs Suricata on AF_PACKET, with a throughput of up to 10 Gbps. AF_PACKET is the Linux kernel's native packet capture interface, and Suricata's inline (IPS) mode on AF_PACKET needs kernel 3.6 or later. It is almost plug and play: no out-of-tree kernel module or special driver is required.

Croissants can run on a very low-end x86 computer, such as an Intel Atom D2550 CPU with 4GB or 8GB RAM. I recommend at least 8GB RAM for home security use. More memory, a faster Intel CPU and more cores are suggested for a home office or larger business.

What Does My Home Network Look Like?

I have a 10Mbps internet connection and do not use a separate modem. I have a home router (TP-LINK TL-WR1043 v1.x with stock firmware) and two home switches (TP-LINK TL-SG1008D, which behave more like hubs than switches in my experience).

I have a Linux web server, a Windows 7 desktop, several Linux boxes and some Macs, as well as a Time Capsule. These are all connected to the home switches. I disabled the wireless function on the home router and use the Time Capsule as the wireless router and as Time Machine storage for the Macs.

I run two IPS boxes on my home network. One sits between the ISP and the home router; the other sits between the home router and the home switches. This way I can monitor traffic both outside and inside my home network. I trust neither the internet nor the intranet.

What Is The Hardware?

I use a MINIX Mini HD PC as each IPS. You can watch its unboxing on YouTube.

Since the MINIX Mini HD PC comes with two network interfaces (which form the inline pair), I need one more USB Gigabit network interface on each box as the management interface for monitoring. You can choose either the Level One USB-0401 USB Gigabit Ethernet Adapter or the PCi USB 3.0 Gigabit LAN Adapter UE-1000T-G3, as both are fully compatible with Linux.

I installed 8GB RAM on one IPS and 4GB on the other for experiment purposes. I suggest installing 8GB, as the MINIX Mini HD PC supports up to 8GB RAM even though the manufacturer does not officially claim it.

Internet -- IPS -- router -- IPS -- switch -- PCs and Time Capsule (including web server)

For better performance, I suggest using this motherboard with one more Intel LAN card and at least 8GB RAM.

How About The Installation?

I selected Ubuntu 14.04.2 LTS Server as the OS of the IDS/IPS. On Ubuntu 14.04 the two onboard (Broadcom) interfaces of the MINIX Mini HD PC show up as p2p1 and p4p1, while the USB Gigabit network interface is eth0.

Install Ubuntu Server on the MINIX Mini HD PC as usual. Make sure only one network interface has a cable connected during installation. I recommend installing the OpenSSH server when asked. Update and upgrade the Ubuntu Server afterwards as necessary.

Download Croissants from here. The current version at the time of this writing is 0.1.2, dated July 01, 2015.

Follow the instructions on the official site to install. Configure nsm.conf. Remember the MySQL password you set, as it will be asked for during installation. The username and password of the control panel (Snorby) will also be configured. At the end of the installation you will be asked for the time zone; select UTC. You may notice some error warnings on the screen during installation; you can ignore them.

After the installation is complete, plug in the other network cables and the USB network interface, then reboot the MINIX Mini HD PC(s). One more important thing: configure your router to give the management interfaces (the USB Gigabit network interfaces) either DHCP or static IP addresses. If you use DHCP, make sure the leases for those interfaces are reserved. p2p1 and p4p1 do not get any IP address, since they pass traffic inline.
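To make the wiring concrete, here is what the two IP-less interfaces are doing at the Suricata level, written as an af-packet section in Suricata's own suricata.yaml format. This is an added illustration, not configuration generated by Croissants (which has its own nsm.conf for this), so do not paste it onto a Croissants box; the interface names come from this post, while the cluster-ids, buffer size and single thread per interface are assumptions.

```yaml
# Added illustration, not Croissants' generated config: an inline IPS pair in
# Suricata's af-packet section. Packets read on p2p1 are written out on p4p1
# and vice versa unless a drop rule matches, so neither interface needs an IP.
runmode: workers          # af-packet IPS mode requires the workers runmode

af-packet:
  - interface: p2p1       # outside leg (ISP or router side)
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98        # assumed; must differ per interface
    copy-mode: ips        # inline: forward accepted packets to copy-iface
    copy-iface: p4p1
    buffer-size: 64535    # assumed
    use-mmap: yes
  - interface: p4p1       # inside leg (router or switch side)
    threads: 1
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 97        # assumed; must differ per interface
    copy-mode: ips
    copy-iface: p2p1
    buffer-size: 64535    # assumed
    use-mmap: yes
```

The practical consequence of copy-mode ips is that the Suricata process itself is the bridge: if it stops or crashes, the link between the two interfaces goes dead (fail closed), which is why the management interface must be a separate NIC with its own address, as the post describes.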

If everything is correct, you can reach Snorby through the management interface with your browser, for example http://192.168.20.180. Log in with the username and password you set. At the top right corner, select "Settings" to configure your time zone. Make sure you enter your password in "Current password (we need your current password to confirm your changes)" and then update the settings.

At this point your two MINIX Mini HD PCs are in IDS mode. How do you switch them to IPS mode?

How To Configure To IPS?

Log in to the MINIX Mini HD PC via ssh or a terminal, then edit the PulledPork drop list with the following command.

sudo nano /etc/pulledpork/dropsid.conf

I suggest appending the following lines to the end of the file. They will block most unwanted traffic. The SURICATA STREAM entries are commented out on purpose: dropping on stream anomalies interferes with legitimate downloads, so those sids are handled in disablesid.conf instead.

# HTTP request header invalid
1:2221013
# HTTP missing host header
1:2221014
# masscan port scanner
1:2017615,1:2017616
# DOS possible ssdp amplification scan
1:2019102
# DoS attacks -- UDP & ICMP Invalid checksum & packet too small
1:2200075,1:2200038,1:2200076,1:2200024
# IP & TCP Invalid checksum
1:2200073,1:2200074
# TCP packet too small
1:2200033
# stream established retransmission packet before last ack
#1:2210021
# stream established packet out of window
#1:2210020
# GPL attack response id check returned root
1:2100498
# COMPROMISED & DROP & CINS Active Threats
pcre:ET\sCOMPROMISED
pcre:ET\sDROP
pcre:ET\sCINS
# MALWARE, TROJAN, WORM, MOBILE_MALWARE, Amplification DoS, DDoS
pcre:ET\sMALWARE
pcre:ET\sTROJAN
pcre:WORM
pcre:ET\sMOBILE_MALWARE
pcre:ET\sSCAN
#pcre:ET\sSHELLCODE
pcre:Amplification
pcre:ET\sDOS
pcre:ET\sEXPLOIT
pcre:ET\sUSER_AGENTS
pcre:ET\sWEB_SERVER
pcre:GPL\sSNMP
#pcre:SURICATA\sSTREAM
pcre:ET\sCURRENT_EVENTS
pcre:ET\sWEB_SPECIFIC_APPS
# Outgoing basic auth base64 http password
1:2006380
# Quantum Insert Attack (by NSA)
# (SURICATA STREAM reassembly overlap with different data - 2210050)
# (LOCAL QI 302 and possible inject - 12345)
# https://github.com/fox-it/quantuminsert/tree/master/detection/suricata
1:2210050,1:12345
# GPL WEB_SERVER 403 Forbidden
1:2101201
# ET POLICY Suspicious inbound to MSSQL port 1433
1:2010935
# ET POLICY Suspicious inbound to mySQL port 3306
1:2010937


*** Please remember that the drop list above may re-enable some rules that were disabled by default. If you encounter false positive alerts, you can disable the offending rule(s) in the following file.

sudo nano /etc/pulledpork/disablesid.conf

Append entries like the following to the end of the file, for example:

# TROJAN 1.1.1.1
1:2017000
# DELETED
pcre:ET\sDELETED
# MOBILE_MALWARE Google Android Device HTTP Request
1:2012251
# MALWARE WhenUClick.com Weather App Checkin (2)
1:2000915
# SURICATA STREAM alerts
#pcre:SURICATA\sSTREAM
# SURICATA STREAM
#1:2210000-1:2210049
#1:2210051-1:2210057
# SURICATA STREAM alert when downloading
1:2210021
1:2210020
1:2210029
1:2210045
1:2200074
1:2210038
1:2210044
# ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack
1:2014445
# ET WEB_SERVER WebShell
1:2016683
1:2016992
# ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
1:2009207
1:2009205
1:2009208
# ET TROJAN UPX compressed file download possible malware
1:2001046
# ET TROJAN VMProtect Packed Binary Inbound via HTTP
1:2009080
# ET WEB_SERVER Fake Googlebot UA 1 Inbound
#1:2015526



After that, reload the rules with either of the following commands.

sudo nsm_cronjob_rules_update

or

sudo nsm_rules_update
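Before reloading, it is worth previewing what the two lists above will actually do to a rule set, in particular where they overlap: 1:2200074 (TCP invalid checksum) appears in both the dropsid.conf and the disablesid.conf entries of this post, so the result depends on which list PulledPork applies last. The following script is an added example for this post, not code from Croissants or PulledPork. It re-implements the modifysid matching as I understand it (gid:sid entries, ranges, comments, and pcre entries matched against the rule text), which is an assumption to verify against your PulledPork version, and runs it over a few constructed sample rules.

```python
"""Preview what PulledPork dropsid.conf / disablesid.conf entries do to a rule set.

Added example for this post, not code from Croissants or PulledPork. The matching
rules are my reading of the modifysid format (verify against your PulledPork):
"gid:sid" entries, comma-separated, "gid:sid-gid:sid" ranges, "#" comments, and
"pcre:REGEX" matched case-insensitively against the rule text. All rules and
conf snippets below are constructed samples in Suricata syntax.
"""
import re
from typing import Iterable, List, Optional, Set, Tuple

Key = Tuple[int, int]  # (gid, sid); gid defaults to 1 when the rule has no gid option
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def _key(item: str) -> Key:
    gid, sid = item.split(":", 1)
    return int(gid), int(sid)


def parse_modifysid(text: str) -> Tuple[Set[Key], List[re.Pattern]]:
    """Parse a dropsid/disablesid body into (explicit sids, compiled pcre patterns)."""
    sids: Set[Key] = set()
    pcres: List[re.Pattern] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; a '#' inside a pcre is unsupported
        if not line:
            continue
        for item in (p.strip() for p in line.split(",") if p.strip()):
            if item.startswith("pcre:"):
                pcres.append(re.compile(item[len("pcre:"):], re.IGNORECASE))
            elif "-" in item:  # range such as 1:2210000-1:2210049
                (g1, s1), (g2, s2) = (_key(e) for e in item.split("-", 1))
                if g1 != g2:
                    raise ValueError(f"range crosses gids: {item}")
                sids.update((g1, s) for s in range(s1, s2 + 1))
            else:
                sids.add(_key(item))
    return sids, pcres


def rule_key(rule: str) -> Optional[Key]:
    """Return (gid, sid) of a rule line, or None if the line is not a rule."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def _matches(rule: str, sids: Set[Key], pcres: Iterable[re.Pattern]) -> bool:
    return rule_key(rule) in sids or any(p.search(rule) for p in pcres)


def apply_policy(rules: Iterable[str], dropsid: str, disablesid: str) -> Tuple[List[str], List[Key]]:
    """Rewrite rules per both lists; return (rewritten rules, sids hit by both lists).

    Order is this script's choice: drop first, disable last, so a sid in both files
    ends up disabled. A rule commented out in the source but matched by dropsid is
    re-enabled as a drop rule, which is the side effect the post warns about.
    """
    drop_sids, drop_pcres = parse_modifysid(dropsid)
    dis_sids, dis_pcres = parse_modifysid(disablesid)
    out: List[str] = []
    conflicts: List[Key] = []
    for rule in rules:
        body = rule.lstrip("# ")
        key = rule_key(body)
        if key is None:  # blank line or plain comment: pass through untouched
            out.append(rule)
            continue
        was_disabled = rule.lstrip().startswith("#")
        dropped = _matches(body, drop_sids, drop_pcres)
        disabled = _matches(body, dis_sids, dis_pcres)
        if dropped and disabled:
            conflicts.append(key)
        if dropped:
            body = re.sub(r"^alert\b", "drop", body)
        if disabled or (was_disabled and not dropped):
            body = "# " + body
        out.append(body)
    return out, conflicts


# Constructed sample rules: the sids are ones this post lists, the msg text is mine.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN masscan (sample)"; sid:2017615; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COMPROMISED bad host (sample)"; sid:1000001; rev:1;)',
    'alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; sid:2200074; rev:1;)',
    '# alert tcp any any -> any any (msg:"ET DELETED retired (sample)"; sid:1000002; rev:1;)',
    'alert tcp any any -> any any (msg:"ET POLICY benign (sample)"; sid:1000003; rev:1;)',
]
# Subsets of the dropsid.conf / disablesid.conf entries from this post.
DROPSID = r"""
# masscan port scanner
1:2017615,1:2017616
# IP & TCP Invalid checksum
1:2200073,1:2200074
pcre:ET\sCOMPROMISED
"""
DISABLESID = r"""
pcre:ET\sDELETED
# SURICATA STREAM alert when downloading
1:2200074
"""

if __name__ == "__main__":
    rewritten, conflicts = apply_policy(SAMPLE_RULES, DROPSID, DISABLESID)
    print("\n".join(rewritten))
    for gid, sid in conflicts:
        print(f"WARNING: {gid}:{sid} is in both dropsid and disablesid; disable wins here")
```

Run it against your real /etc/pulledpork/dropsid.conf and disablesid.conf plus the downloaded rules file before `nsm_rules_update`, and treat every reported conflict as a decision to make explicitly: either you want the packet dropped or you want the alert silenced, not both.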

How To Delete All Testing Traffic?

It is very easy to delete all testing traffic if you want to. Note that this only deletes the events stored in Snorby and leaves all other settings untouched.

sudo nsm_snorby_db_reinstall

In addition, I also suggest installing an anti-virus program on your Windows boxes to play safe. Meanwhile, you can classify the events in Snorby too.

The last thing to mention: set up QoS on your router, otherwise a single connection can consume all the bandwidth.

How About Performance Tuning?

You can follow this guide to tune the IDS/IPS so that it runs more smoothly.

To harden the IDS/IPS a little more, append the following line to "/etc/fstab" so that /tmp is mounted as tmpfs with nosuid, nodev and noexec.

tmpfs /tmp tmpfs mode=1777,nosuid,nodev,noexec 0 0

Then run the following commands before rebooting. If either command reports an error, do not reboot until you have fixed it, or the box may fail to boot.

sudo mount -a
sudo mount -o remount /
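Rather than trusting that the two commands succeeded silently, check that /tmp really came up as a hardened tmpfs before you reboot. The script below is an added example for this post, not part of Croissants: it parses a line in /proc/mounts format and confirms that the mount is tmpfs on /tmp and carries all three options. Run without arguments it checks the live machine; the constructed sample lines used for testing are the only assumptions.

```sh
#!/bin/sh
# Added check for this post (not part of Croissants): confirm that /tmp is a tmpfs
# carrying nosuid, nodev and noexec before rebooting. Parses one line in
# /proc/mounts format: "source target fstype options dump pass".
REQUIRED_OPTS="nosuid nodev noexec"

# tmp_hardened "<mount line>" -> exit status 0 when the line describes a hardened /tmp
tmp_hardened() {
    # word-splitting the line into its six fields is intended
    set -- $1
    [ "$2" = "/tmp" ] || return 1
    [ "$3" = "tmpfs" ] || return 1
    opts=",$4,"
    for opt in $REQUIRED_OPTS; do
        case "$opts" in
            *",$opt,"*) ;;          # option present
            *) return 1 ;;          # option missing
        esac
    done
    return 0
}

# Live check of this machine; skipped silently when /proc/mounts is not readable.
if [ -r /proc/mounts ]; then
    live_line=$(grep ' /tmp ' /proc/mounts || true)
    if [ -n "$live_line" ] && tmp_hardened "$live_line"; then
        echo "OK: /tmp is tmpfs with $REQUIRED_OPTS, safe to reboot"
    else
        echo "WARNING: /tmp is not a hardened tmpfs yet; fix /etc/fstab and re-run mount -a before rebooting"
    fi
fi
```

The mount options are compared as a comma-delimited list rather than with a substring match, so an option such as "nodev" cannot be satisfied accidentally by a different option that merely contains the same letters.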


Hope you enjoy your secured home network.

That's all! See you.