Snort + ssh
This tutorial will show you how to install a snort sensor on Ubuntu and use ssh to log the alerts to a central server.
This assumes you have a central server with snort, mysql, apache and ssh-server already installed.
If you need assistance with these things, these links may help:
Ubuntu Forums Intrusion Detection
Ubuntu Wiki Advanced Open SSH (Security tips)
If you followed the how-to on the Ubuntu forums you already have a central server with a user “snort”. We will set up the server for ssh connections using this user “snort” then install snort locally and use ssh to transmit the alerts to the central server.
First, on the server,
1. Configure the ssh-server.
Edit /etc/ssh/sshd_config:
see: Ubuntu Wiki Advanced Open SSH (Security tips)
PermitRootLogin no
LogLevel VERBOSE
AllowUsers snort #Add additional users as needed
LoginGraceTime 20
X11Forwarding no
PasswordAuthentication no
Port 2500 # Change the ssh port
Edit /etc/hosts.deny and add :
sshd: ALL
ALL: PARANOID
Edit /etc/hosts.allow and add :
sshd: 192.168.0.0/255.255.255.0 # Change this to your LAN netmask.
2. Make an ssh key for snort. You will need to do this with sudo, as the user snort has no shell. Note that "sudo cd" does not work (cd is a shell builtin), and a shell redirection such as "sudo cat snort.pub > authorized_keys" is performed by your own shell, not by root, so the commands below use full paths and cp instead:
sudo mkdir ~snort/.ssh
sudo chown snort.snort ~snort/.ssh
sudo ssh-keygen -t dsa -f ~snort/.ssh/snort
sudo chown snort.snort ~snort/.ssh/snort
sudo chmod 440 ~snort/.ssh/snort
sudo cp ~snort/.ssh/snort.pub ~snort/.ssh/authorized_keys
Edit the key (if you use nano, use sudo nano -w so the long line is not wrapped):
sudo vim ~snort/.ssh/authorized_keys
Add these options to the start of the key, followed by a single space, keeping the whole entry on one line:
command="/dev/null",no-agent-forwarding,no-X11-forwarding,no-pty
Then set ownership and permissions of the key:
sudo chown root.snort ~snort/.ssh/authorized_keys
sudo chmod 440 ~snort/.ssh/authorized_keys
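As an added example (not from the tutorial), a small POSIX sh helper that writes the restricted authorized_keys line for the snort key and checks an existing file for the options above. It assumes the sensor only ever needs to reach the server's MySQL port, so it also pins the forward with permitopen="localhost:3306", which the tutorial itself does not use.

```shell
#!/bin/sh
# Added helper, not part of the tutorial: build and verify the tunnel-only
# authorized_keys entry for the "snort" user.
# Assumption (mine): the sensor only forwards to MySQL on the server itself,
# so the forward is pinned to localhost:3306 with permitopen.
KEY_OPTIONS='command="/dev/null",no-agent-forwarding,no-X11-forwarding,no-pty,permitopen="localhost:3306"'

# restrict_key PUBKEY_FILE
# Print the authorized_keys line: the options, a space, then the public key,
# all on one line (sshd ignores an entry whose options are split over lines).
restrict_key() {
    read -r keytype keydata comment < "$1" || return 1
    [ -n "$keytype" ] && [ -n "$keydata" ] || return 1
    printf '%s %s %s%s\n' "$KEY_OPTIONS" "$keytype" "$keydata" "${comment:+ $comment}"
}

# check_keys AUTHORIZED_KEYS_FILE
# Return 0 only if every key line forces a command and denies pty, agent and
# X11 forwarding; report the first line that does not and return 1.
check_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;    # blank lines and comments are fine
        esac
        for opt in 'command="' no-pty no-agent-forwarding no-X11-forwarding; do
            case "$line" in
                *"$opt"*) ;;
                *) echo "line $n: key is missing $opt" >&2; return 1 ;;
            esac
        done
    done < "$1"
    return 0
}
```

Run check_keys against the server's ~snort/.ssh/authorized_keys after editing it; a key that lacks any of the options is the one a future edit or a stray extra line let in.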
Transfer the private key, snort, to the client(s).
Client setup.
1. Configure ssh. Edit /etc/ssh/ssh_config
sudo vim /etc/ssh/ssh_config
Add a line and change the port:
ServerAliveInterval 120
Port 2500 # Change port to 2500
Make a user, snort, on the client.
sudo adduser snort
sudo chsh -s /bin/true snort
# Gives the snort user a shell of /bin/true so it cannot log in interactively
sudo passwd -l snort
Copy the private key, snort, to /home/snort/.ssh:
sudo mkdir ~snort/.ssh
Save the key as /home/snort/.ssh/snort, then fix ownership and permissions:
sudo chown -R snort.snort ~snort/.ssh
sudo chmod 700 ~snort/.ssh
sudo chmod 400 ~snort/.ssh/snort
2. Install and configure a snort sensor (all one line):
sudo apt-get -y install libc6-dev g++ gcc pcregrep libpcre3-dev libpcap0.8-dev libmysqlclient15-dev
Either copy /usr/src/snort-2.8.3 from the server to the client, or download the latest snort and a set of rules from the snort web site again, as you did for the server.
cd /usr/src/snort-2.8.3
sudo ./configure --enable-dynamicplugin --with-mysql
sudo make
sudo make install
# Snort should compile without errors
sudo mkdir -p /etc/snort/rules /var/log/snort
sudo chown -R root.snort /var/log/snort
sudo chmod 770 /var/log/snort
sudo cp etc/* /etc/snort/
sudo cp rules/* /etc/snort/rules
Now edit /etc/snort/snort.conf and set the database output line. The host is localhost, not the server, because the connection to the server's MySQL will go through the ssh tunnel opened in step 3:
output database: log, mysql, user=snort password=snort_password dbname=snort host=localhost
Use the same script to start snort on the client as you use on the server or write a new one.
3. Open an ssh tunnel with the command below. It forwards local port 3306 to port 3306 on the server, so snort's MySQL output reaches the server over ssh. (You *may* wish to add this command to /etc/rc.local, but to do that you will need a key without a passphrase.)
ssh -L 3306:localhost:3306 snort@server_ip -Nf -i /home/snort/.ssh/snort
Manually start snort with :
/usr/local/bin/snort -c /etc/snort/snort.conf -u snort -g snort &
Assuming snort starts with no errors, you may now use your start script and set a cron job to restart snort every 6 hours.
If you get an error message about the snort account being locked:
sudo passwd --unlock root
sudo passwd --unlock snort
sudo usermod --lock root
https://bugs.launchpad.net/ubuntu/hardy/+source/shadow/+bug/238755