- 10-17-2007 #1 (Linux Newbie; Join Date: May 2007; Posts: 106)
Firewall/IDS project
I'm relatively new to Linux (i.e. I've configured sendmail, but I've never compiled anything). I've been using Linux for around a year in my spare time. I'm comfortable moving around the file system and writing basic shell scripts, but I'd like to take it to the next level (I sort of hit a plateau). For a number of reasons, not the least of which is learning, I'd like to start a Linux project.
I'd like to build a Firewall/IDS box that is at least dual-homed (so it should have at least 2 NICs but maybe more). I'm looking for a step-by-step style guide or book or something to help me along in the process. It seems like most tutorials out there either assume you know nothing at all or assume you know everything.
Here are my thoughts right now
------------------------------
CentOS - locked down
IPtables for the firewall
Snort for the NIDS
Tripwire or aide for the HIDS
I know there are pre-existing Linux firewalls out there, but using one of those would really defeat the purpose. Truth be told, what I really want to do is build my own cut-down version of Linux using a guide such as Welcome to Linux From Scratch! to make it an actually-dedicated firewall/IDS.
So what does everyone think? Any ideas out there? I'm all ears.
- 10-17-2007 #2
I don't know if it would be necessary to use LFS for this purpose. You certainly can if you want to but I think a stripped down CentOS install would suit your purposes just fine. You can really benefit from its stability.
Anyways, I think you have a good idea. I've installed and configured Snort a number of times and you can really spend a lot of time tuning it to your liking. I would set it up to log alerts to MySQL instead of the default log files. Then, you can install BASE on top of it and have a very professional system. There's lots of documentation (for both beginners and more experienced users) on snort's website. I would start there.
I've never used an HIDS so I can't help you there.
- 10-17-2007 #3
Sounds ok to me. I think you'll find aide is pretty flexible. There will be some minor aide-related tweaking required, such as shutting off prelink and evaluating how you want to handle log rotation situations.
- 10-19-2007 #4 (Linux Newbie; Join Date: May 2007; Posts: 106)
I've stumbled upon an integrity checker called Integrit. I've got it compiled (my first time compiling, yay) and installed. Now I am ready to run it, except it requires a configuration file. I've looked all over the SourceForge page and Google. There are many sources that explain some of the syntax of the configuration file, but they all seem to leave out one detail: the name of the file.
Does anyone know the name of the config file for integrit? There are several config files in the install directory:
config.h
config.h.in
config.in
config.status
It almost seems like you can create your own from scratch. If that's the case, are there any examples out there to mimic?
- 10-19-2007 #5 (Linux Newbie; Join Date: May 2007; Posts: 106)
Clarification
------------
What I'm looking for is the conf file which is required for the tool to run.
ex: integrit -u -C /path/to/conf.file
- 10-19-2007 #6
Check the dir where you compiled the software. There should be information files in there that should tell you what to do. Also, you could look in your DOC dir, for it might have install documentation there.
- 10-19-2007 #7 (Linux Newbie; Join Date: May 2007; Posts: 106)
I just wrote my own and it seemed to work.
I guess that's it.
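The kind of file post #7 says the poster wrote, added here as an illustration rather than the poster's own file: it uses integrit's root=/known=/current= keys and the `!` and `=` path-rule prefixes, and the database locations and exclusion list are assumptions for a dedicated firewall/IDS box.

```conf
# Added example of an integrit configuration file (not the poster's own file).
# Paths below are assumptions; adjust them to the box being built.

# Directory tree to scan.
root=/

# Baseline database (trusted snapshot) and the database written by the next run.
# Keep known.cdb on read-only media or off the host: a tampered baseline hides changes.
known=/var/lib/integrit/known.cdb
current=/var/lib/integrit/current.cdb

# '!' excludes a path entirely: pseudo-filesystems and scratch space change constantly.
!/proc
!/sys
!/dev
!/tmp
!/var/tmp
!/var/run

# '=' checks the directory entry itself but does not descend into it,
# which keeps growing logs and the databases above from flagging every run.
=/var/log
=/var/lib/integrit

# Everything under root that is not excluded (/etc, /bin, /sbin, /usr, /boot, ...)
# is hashed and has its attributes recorded.
```

Build the first snapshot with `integrit -C /etc/integrit.conf -u`, copy current.cdb to known.cdb once you trust it, then schedule `integrit -C /etc/integrit.conf -c -u` and alert on any reported differences (the -c check flag is taken from the integrit manual, not from this thread).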
- 10-20-2007 #8
Did you read the manpages for the app you installed?
Likely directories for the config file to be installed in would be /etc or /usr/local/etc. Sometimes a complete, default config file is installed, and sometimes a sample is installed with the expectation that you'll copy it and customize it.
- 10-24-2007 #9
- 10-26-2007 #10 (Just Joined!; Join Date: Oct 2007; Posts: 0)
Have you looked into psad/fwsnort/fwknop?
J,
I would look at Cipherdyne.org
It has several tools that are all open source which will be perfect for what you are trying to accomplish. Very little compiling is involved and I have used it for my home network... I believe it has the robustness to work in any capacity. Works really well. I use both TCP Wrappers and iptables. The denyhosts program is an excellent program for adding unwanted IPs to the hosts.deny file. It doesn't take away from a firewall but gives another form of protection. Not all daemons use TCP Wrappers and may need to be compiled with TCP Wrappers to use it.
I do think that the cipherdyne.org site is something worth looking into
JFK