Thursday, July 02, 2015

HOWTO : Protect My Home Network With Croissants 2



What is Croissants?

Croissants is an Intrusion Detection and Prevention System and running with Suricata. The components also including Snorby (Event Manager & Web Interface), Pigsty (Event Spooler) and Pulledpork (Rules Manager).

Suricata is a high performance Network IDS, IPS and Network Security Monitoring Engine. Croissants running on AF_PACKET with Suricata and it throughtput is up to 10Gbps traffic. AF_PACKET is one of Linux kernal modules since version 3.6 and it is designed for packet capturing. It is almost plug and play.

AF_PACKET can be running on a very low power consumption x86 computer, such as Intel Avoton C2750 Octa-Core CPU with 8GB RAM or more. This CPU is only running at 20W. I recommend to use at least 8GB RAM for home security purpose. More memory and faster as well as more cores Intel CPU for Home Office or larger business is suggested.

What Is My Home Network Looks Like?

I have 10Mbps internet connection. I do not run with any modem. I have a home router (TP-LINK TL-WR1043 v1.x with stock firmware). I have two home switches (TP-LINK TL-SG1008D, it is like a hub more than a switch in general).

I have a Linux web server, a Windows 7 desktop, several Linux boxes and some Mac machines as well as a Time Capsule. I connect these boxes to the home switches. I disabled the wireless function on my home router and use Time Capsule as wireless router and Time Machine for Mac machines.

I implement two IPS on my home network. The IPS is connected between ISP and the home router. The other IPS is connected between home router and home switches. Therefore, I can monitor the traffic outside and inside my home network. I do not trust internet and intranet at all.








What Is The Hardware?

I use Asrock Rack C2750D4I motherboard with one more Intel Gigabit Desktop LAN card as my IPS.

Since Asrock Rack C2750D4I motherboard comes with 2 network interfaces, I need one more Intel Gigabit Desktop network interface on each box for monitoring purpose.

I installed 32GB RAM and 320GB Hard Drive on each box as IPS.

Internet -- IPS -- router -- IPS -- switch -- PCs and Time Capsule (including web server)

How About The Installation?

I select Ubuntu 14.04.2 LTS Server as the OS of the IDS/IPS. Since the network interfaces of Asrock Rack C2750D4I are Intel i210, the name of the interfaces on Ubuntu 14.04 is p119p1 and p121p1. While the Intel Gigabit Desktop network interface is eth0.

Install Ubuntu Server on the Asrock Rack C2750D4I as usual. Make sure you only connect the network cable to one of the network interfaces. I recommend you to install the OpenSSH when asks. Update and/or upgrade the Ubuntu Server when necessary.

Download the Croissants from here. The current version at the time of this writing is version 0.1.2 dated July 01, 2015.

Please follow the instructions on the official site to install. Configure the nsm.conf. Make sure to remember the password of MySQL as it will be asked when install. The username and password of control panel (Snorby) will also be configured. At the end of the installation, you will be asked for the time zone. Please select UTC. By the way, you may notice that there will have some error warning on the screen when installing. You just ignore it.

After the installation is completed, you can plug in the other network cables. Then, reboot the box. One more important thing is that you should configure your router to either DHCP or static IP addresses. If you selected DHCP, make sure it is reserved for the monitor interfaces (that is the Intel Gigabit Desktop network interfaces). The p119p1 and p121p1 do not have any IP address.

If everything correct, you can access to the monitor interfaces by using your browser, such as http://192.168.20.180. Enter your pre-set username and password when login. At the top right corner, select "Settings" to configure your time zone. Make sure you enter your password at "Current password (we need your current password to confirm your changes)" and then update the settings.

At this moment, your two boxes are in IDS mode. How to enable it to IPS mode?

You may need to change the name of the Intel Gigabit Desktop network interfaces when they are changed unexpected. You can change the name back to eth0 with the following command :

sudo nano /etc/udev/rules.d/70-persistent-net.rules

How To Configure To IPS?

Log in to the two boxes via ssh or terminal. Then run the following command to configure the DROP rules.

sudo nano /etc/pulledpork/dropsid.conf

I suggest to append the following lines at the end of the files. They will block most unwanted traffic.

# HTTP request header invalid
1:2221013
# HTTP missing host header
1:2221014
# masscan port scanner
1:2017615,1:2017616
# DOS possible ssdp amplification scan
1:2019102
# DoS attacks -- UDP & ICMP Invalid checksum & packet too small
1:2200075,1:2200038,1:2200076,1:2200024
# IP & TCP Invalid checksum
1:2200073,1:2200074
# TCP packet too small
1:2200033
# stream established retransmission packet before last ack
#1:2210021
# stream established packet out of window
#1:2210020
# GPL attack response id check returned root
1:2100498
# COMPROMISED & DROP & CINS Active Threats
pcre:ET\sCOMPROMISED
pcre:ET\sDROP
pcre:ET\sCINS
# MALWARE, TROJAN, WORM, MOBILE_MALWARE, Amplification DoS, DDoS
pcre:ET\sMALWARE
pcre:ET\sTROJAN
pcre:WORM
pcre:ET\sMOBILE_MALWARE
pcre:ET\sSCAN
#pcre:ET\sSHELLCODE
pcre:Amplification
pcre:ET\sDOS
pcre:ET\sEXPLOIT
pcre:ET\sUSER_AGENTS
pcre:ET\sWEB_SERVER
pcre:GPL\sSNMP
#pcre:SURICATA\sSTREAM
pcre:ET\sCURRENT_EVENTS
pcre:ET\sWEB_SPECIFIC_APPS
# Outgoing basic auth base64 http password
1:2006380
# Quantum Insert Attack (by NSA)
# (SURICATA STREAM reassembly overlap with different data - 2210050)
# (LOCAL QI 302 and possible inject - 12345)
# https://github.com/fox-it/quantuminsert/tree/master/detection/suricata
1:2210050,1:12345
# GPL WEB_SERVER 403 Forbidden
1:2101201
# ET POLICY Suspicious inbound to MSSQL port 1433
1:2010935
# ET POLICY Suspicious inbound to mySQL port 3306
1:2010937
# SURICATA HTTP Host header ambiguous
1:2221015
# ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
1:2016149


*** Please remember that you may enable some already disabled rules by the captioned setting. If you encounter any false positive alert, you can disable such rule(s) by the following.

sudo nano /etc/pulledpork/disablesid.conf

Append the following at the end of the file, for example.

# TROJAN 1.1.1.1
1:2017000
# DELETED
pcre:ET\sDELETED
# MOBILE_MALWARE Google Android Device HTTP Request
1:2012251
# MALWARE WhenUClick.com Weather App Checkin (2)
1:2000915
# SURICATA STREAM alerts
#pcre:SURICATA\sSTREAM
# SURICATA STREAM
#1:2210000-1:2210049
#1:2210051-1:2210057
# SURICATA STREAM alert when downloading
1:2210021
1:2210020
1:2210029
1:2210045
1:2200074
1:2210038
1:2210044
# ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack
1:2014445
# ET WEB_SERVER WebShell
1:2016683
1:2016992
# ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
1:2009207
1:2009205
1:2009208
# ET TROJAN UPX compressed file download possible malware
1:2001046
# ET TROJAN VMProtect Packed Binary Inbound via HTTP
1:2009080
# ET WEB_SERVER Fake Googlebot UA 1 Inbound
#1:2015526



After that, you can reload the rules by the following command.

sudo nsm_cronjob_rules_update

or

sudo nsm_rules_update

How To Delete All Testing Traffic?

It is very easy to delete all testing traffic if you want to. However, it only delete all the traffic in the Snorby and leave all other setting untouched.

sudo nsm_snorby_db_reinstall

In addtion, I also suggest you to install anti-virus program on your Windows boxes for play safe. Meanwhile, you can classified the traffic on Snorby too.

The last thing should inform you that you are recommend to set the QoS at your router. Otherwise, the bandwidth will be consumed by one of the connections.

How About Performance Tuning?

You can follow this guide to tune the IDS/IPS to make it running more smoothly.

To have a more secured IDS/IPS, you can append the following line to the "/etc/fstab".

tmpfs /tmp tmpfs mode=1777,nosuid,nodev,noexec 0 0

Then run the following commands before reboot. If you encountered any error, please do not reboot your boxes or you cannot boot them up.

sudo mount -a
sudo mount -o remount /


Hope you enjoy your secured home network.

That's all! See you.