Source: http://www.chinaunix.net, Systems and Network Security discussion forum. Author: linghood, posted 2006-01-02 20:06:53.

by linghood <linghood_at_gmail.com>

I. Environment

1. Platform: Fedora Core 4 (IP address: 192.168.1.101)

2. Required software:
   Alerting + database:
     snort-2.4.0.tar.gz
     snortrules-pr-2.4.tar.gz (snort rules for v2.4, unregistered user release)
     mysql-standard-4.1.13-pc-linux-gnu-i686.tar.gz
     create_mysql (script)
   Client display (web console):
     apache_1.3.29.tar.gz
     mod_ssl-2.8.16-1.3.29.tar.gz
     php-4.4.0.tar.gz
     acid-0.9.6b23.tar.gz
     adodb465.tgz
     jpgraph-1.19.tar.gz
   Auxiliary management tools:
     webmin-1.220-1.noarch.rpm
     Net_SSLeay.pm-1.21.tar.gz
     snort-1.0.wbm (snort's webmin plugin)

3. Download locations
     snort-2.4.0.tar.gz (http://www.snort.org)
     snortrules-pr-2.4.tar.gz (http://www.snort.org)
     mysql-standard-4.1.13-pc-linux-gnu-i686.tar.gz (http://www.mysql.com)
     create_mysql script (http://cvs.sourceforge.net/viewcvs.py/snort/snort/contrib/)
     apache_1.3.29.tar.gz (http://www.apache.org)
     mod_ssl-2.8.16-1.3.29.tar.gz (http://www.modssl.org)
     php-4.4.0.tar.gz (http://www.php.net)
     acid-0.9.6b23.tar.gz (http://acidlab.sourceforge.net)
     adodb465.tgz (http://adodb.sourceforge.net/)
     jpgraph-1.19.tar.gz (http://www.aditus.nu/jpgraph/index.php)
     webmin-1.220-1.noarch.rpm (http://www.webmin.com/)
     Net_SSLeay.pm-1.21.tar.gz (http://symlabs.com/Net_SSLeay/)
     snort-1.0.wbm (http://www.snort.org/dl/contrib/front_ends/webmin_plugin/)

II. Installation

1. Preparation
   Log in to FC4 as root over ssh and copy all of the files listed above to /home.

2. Install MySQL
   # groupadd mysql
   # useradd -g mysql mysql
   # cd /home
   # tar -vxzf mysql-standard-4.1.14-pc-linux-gnu-i686.tar.gz
   # mv mysql-standard-4.1.14-pc-linux-gnu-i686 /usr/local/mysql
   # cd /usr/local/mysql
   # chown -R root .
   # chown -R mysql data
   # chgrp -R mysql .
   # scripts/mysql_install_db --user=mysql
   # /usr/local/mysql/support-files/mysql.server start

3. Create the snort database
   # /usr/local/mysql/bin/mysql
   mysql> set password for 'root'@'localhost' = password('linghood');
   mysql> create database snort;
   # /usr/local/mysql/bin/mysql -u root -p
   mysql> connect snort;
   mysql> source /home/create_mysql;      (give the path of the create_mysql script)
   mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
   mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
   mysql> connect mysql;
   mysql> set password for 'snort'@'localhost' = password('linghoodids');
   mysql> set password for 'snort'@'%' = password('linghoodids');
   mysql> flush privileges;

4. Install and start Snort
   # cd /home
   # tar -vxzf snort-2.4.0.tar.gz
   # mv snort-2.4.0 /usr/local/snort
   # cd /usr/local/snort
   # ./configure --with-mysql=/usr/local/mysql
   # make
   # make install
   # mkdir /var/snort
   # mkdir /var/log/snort
   # mkdir /etc/snort          (holds the rules)
   # cd /home
   # tar -vxzf snortrules-pr-2.4.tar.gz
   # mv rules /etc/snort
   # mv doc /etc/snort
   Edit /etc/snort/rules/snort.conf:
   (1) Comment out the line "var RULE_PATH ../rules".
   (2) Add the line:
       output database: log, mysql, user=snort password=linghoodids dbname=snort host=localhost
   (3) Change the include section:
       include $RULE_PATH/bad-traffic.rules  ->  include bad-traffic.rules
       (and so on ...)
   Start snort (example):
   # snort -d -D -c /etc/snort/rules/snort.conf

5. Install Apache + mod_ssl
   # cd /home
   # tar -vxzf apache_1.3.29.tar.gz
   # tar -vxzf mod_ssl-2.8.16-1.3.29.tar.gz
   # cd mod_ssl-2.8.16-1.3.29
   # ./configure --with-apache=../apache_1.3.29
   # cd ../apache_1.3.29
   # SSL_BASE=SYSTEM \
     ./configure \
     --prefix=/usr/local/apache \
     --enable-module=ssl \
     --enable-module=so \
     --enable-module=rewrite
   # make
   # make certificate
   # make install

6. Install PHP
   # cd /home
   # tar -vxzf php-4.4.0.tar.gz
   # cd php-4.4.0
   # CFLAGS="-DEAPI -fPIC" \
     ./configure \
     --prefix=/usr/local/php \
     --with-mysql=/usr/local/mysql \
     --with-apxs=/usr/local/apache/bin/apxs \
     --with-gd --with-zlib --enable-sockets
   # make
   # make install
   Note: mod_ssl uses Apache's EAPI, so PHP must be compiled with -DEAPI.
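The three snort.conf edits of step 4 are easy to get half-done by hand (an include left pointing at a variable that is now commented out makes snort fail to start). The script below is an added example, not part of the original post: it applies the edits to a copy of the file with sed and then checks that all three are in place. The snort.conf fragment it works on is constructed for this example, and the database password is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: apply the three snort.conf edits of
# step 4 to a copy of the file and verify them. The snort.conf fragment is
# constructed for this example, and the password is a placeholder.
set -eu

WORK="$(mktemp -d)"
SAMPLE_CONF="$WORK/snort.conf"

# Constructed fragment resembling the snort 2.4 lines the post changes.
cat > "$SAMPLE_CONF" <<'EOF'
var HOME_NET any
var RULE_PATH ../rules
output alert_syslog: LOG_AUTH LOG_ALERT
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
EOF

# patch_snort_conf FILE DBUSER DBPASS DBNAME DBHOST
#  (1) comment out "var RULE_PATH ..." (rules sit beside snort.conf in /etc/snort/rules)
#  (2) append the MySQL output plugin line
#  (3) rewrite "include $RULE_PATH/x.rules" to "include x.rules"
# The untouched original is kept as FILE.orig.
patch_snort_conf() {
    conf="$1"; dbuser="$2"; dbpass="$3"; dbname="$4"; dbhost="$5"
    cp "$conf" "$conf.orig"
    sed -e 's|^var RULE_PATH|# var RULE_PATH|' \
        -e 's|^include \$RULE_PATH/|include |' \
        "$conf.orig" > "$conf"
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=%s\n' \
        "$dbuser" "$dbpass" "$dbname" "$dbhost" >> "$conf"
}

# check_snort_conf FILE: succeed only if all three edits are present.
check_snort_conf() {
    conf="$1"
    grep -q '^# var RULE_PATH' "$conf" || return 1
    grep -q '^output database: log, mysql, ' "$conf" || return 1
    # No include may still reference $RULE_PATH once the variable is commented out.
    if grep -q '^include.*\$RULE_PATH' "$conf"; then return 1; fi
    grep -q '^include bad-traffic.rules$' "$conf" || return 1
}

patch_snort_conf "$SAMPLE_CONF" snort CHANGEME snort localhost
check_snort_conf "$SAMPLE_CONF" && echo "snort.conf edits applied in $SAMPLE_CONF"
```

Because the output line carries the database password in clear text, the patched snort.conf should be readable only by the user snort runs as (for example chmod 600 on the file), and the snort account in MySQL should keep only the privileges granted in step 3.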
7. Install ACID + ADOdb + JpGraph
   Unpack acid-0.9.6b23.tar.gz, adodb465.tgz, gd-2.0.33.tar.gz and jpgraph-1.19.tar.gz and copy them to /var/www/html (drop the version numbers from the directory names).
   # vi /var/www/html/acid/acid_conf.php
   Change the following settings:
     $DBlib_path = "../adodb";
     $alert_dbname = "snort";
     $alert_user = "snort";
     $alert_password = "linghoodids";
     $ChartLib_path = "../jpgraph/src";

8. Change the SELinux and Apache configuration
   # vi /etc/selinux/config
     SELINUX=disabled
   (otherwise libphp4.so crashes with a segmentation fault)
   # vi /usr/local/apache/conf/httpd.conf
     ServerName 192.168.1.101
     DocumentRoot "/var/www/html"
     AddType application/x-httpd-php .php
     AddType application/x-httpd-php-source .phps
     ##
     ## SSL Virtual Host Context
     ##
     # General setup for the virtual host
     DocumentRoot "/var/www/html"
     ServerName 192.168.1.101
   Note: don't forget to configure the firewall to allow https.

9. Configure autostart and reboot the machine
   # vi /etc/rc.d/rc.local
     # start mysqld
     /usr/local/mysql/support-files/mysql.server start
     # start httpd
     /usr/local/apache/bin/apachectl startssl
     # start snort
     /usr/local/bin/snort -d -D -c /etc/snort/rules/snort.conf
   # reboot

10. Test the connection to ACID and initialize it
   https://192.168.1.101/acid or http://192.168.1.101/acid
   Click "Setup page", then "Create ACID AG".
   At this point Snort + MySQL + Apache (with mod_ssl) + PHP + ACID is working.

11. Auxiliary management tools (graphical management of snort):
   (1) Install Net_SSLeay (the Red Hat 9 package is broken)
       # cd /home
       # tar -vxzf Net_SSLeay.pm-1.21.tar.gz
       # cd Net_SSLeay.pm-1.21
       # perl Makefile.PL
       # make install
   (2) Install webmin
       # cd /home
       # rpm -ivh webmin-1.220-1.noarch.rpm
   (3) Test the connection and install the snort module
       https://127.0.0.1:10000, log in as root with the root password
       Webmin Configuration -> SSL Encryption -> generate a new SSL key
       Webmin Configuration -> Webmin Modules -> install snort-1.0.wbm
       Servers -> Snort IDS Admin -> configure:
         Full path to snort executable -> /usr/local/bin/snort -d -D -c /etc/snort/rules/snort.conf
         Full path to snort configuration file -> /etc/snort/rules/snort.conf
         Full path to snort rule files directory -> /etc/snort/rules
         Full path to snort PID file -> /var/run/snort_eth0.pid
   (4) After saving, the snort configuration page can be opened.

12. Restrict Apache to https connections only
   Edit /usr/local/apache/conf/httpd.conf as follows:
     <IfDefine SSL>
     #Listen 80
     Listen 443
     </IfDefine>

13. Add simple access control to Apache
   (1) Create an authorized user and set a password
       # /usr/local/apache/bin/htpasswd -c /usr/local/apache/conf/auth.users linghood
       New password: ******
       Re-type new password: ******
       Adding password for user linghood
   (2) Edit /usr/local/apache/conf/httpd.conf as follows:
     <Directory />
         #Options FollowSymLinks
         #AllowOverride None
         AuthType Basic
         AuthName "IDS"
         AuthUserFile /usr/local/apache/conf/auth.users
         Require valid-user
     </Directory>
     <Directory "/var/www/html">
         #Options Indexes FollowSymLinks MultiViews
         #AllowOverride None
         #Order allow,deny
         #Allow from all
         AuthType Basic
         AuthName "IDS"
         AuthUserFile /usr/local/apache/conf/auth.users
         Require valid-user
     </Directory>
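Sections 12 and 13 together decide whether the ACID console is reachable only over TLS and only by an authenticated user; a single forgotten Listen 80 or a Directory block without Require valid-user undoes both. The script below is an added example, not part of the original post: it audits an httpd.conf for exactly those conditions and then shows the audit failing on a deliberately weakened copy. The httpd.conf and htpasswd file it reads are constructed for the example, and the password hash is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an httpd.conf for the
# hardening of sections 12 and 13 (port 80 closed, 443 open, basic auth on every
# <Directory> block, htpasswd file present). The config and htpasswd file below
# are constructed for this example; the hash is a placeholder.
set -eu

WORK="$(mktemp -d)"
CONF="$WORK/httpd.conf"
USERS="$WORK/auth.users"

# Constructed htpasswd file: one user with a placeholder hash (not a real credential).
printf 'linghood:$apr1$PLACEHOLDER$placeholderhash\n' > "$USERS"

# Constructed httpd.conf mirroring the post's settings (AuthUserFile points at $USERS).
cat > "$CONF" <<EOF
<IfDefine SSL>
#Listen 80
Listen 443
</IfDefine>
<Directory />
    AuthType Basic
    AuthName "IDS"
    AuthUserFile $USERS
    Require valid-user
</Directory>
<Directory "/var/www/html">
    AuthType Basic
    AuthName "IDS"
    AuthUserFile $USERS
    Require valid-user
</Directory>
EOF

# https_only FILE: fail if any active "Listen 80" remains or no "Listen 443" exists.
https_only() {
    if grep -Eq '^[[:space:]]*Listen[[:space:]]+80([[:space:]]|$)' "$1"; then return 1; fi
    grep -Eq '^[[:space:]]*Listen[[:space:]]+443([[:space:]]|$)' "$1"
}

# unprotected_directory_blocks FILE: print the number of <Directory> blocks that
# lack "AuthType Basic" or "Require valid-user"; exit status is non-zero if any.
unprotected_directory_blocks() {
    awk '
        /^[[:space:]]*<Directory/      { in_block = 1; auth = 0; req = 0; next }
        /^[[:space:]]*<\/Directory>/   { if (in_block && !(auth && req)) bad++; in_block = 0; next }
        in_block && /^[[:space:]]*AuthType[[:space:]]+Basic/     { auth = 1 }
        in_block && /^[[:space:]]*Require[[:space:]]+valid-user/ { req = 1 }
        END { print bad + 0; exit (bad + 0) ? 1 : 0 }
    ' "$1"
}

# auth_user_files_exist FILE: every AuthUserFile referenced must exist and be
# readable, and at least one must be referenced (paths are assumed space-free).
auth_user_files_exist() {
    n=0
    for f in $(awk '/^[[:space:]]*AuthUserFile[[:space:]]/ { print $2 }' "$1"); do
        [ -r "$f" ] || return 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# audit_httpd_conf FILE: run all three checks and report the first failure.
audit_httpd_conf() {
    https_only "$1" || { echo "FAIL $1: port 80 still active or no Listen 443"; return 1; }
    unprotected_directory_blocks "$1" >/dev/null || { echo "FAIL $1: <Directory> block without basic auth"; return 1; }
    auth_user_files_exist "$1" || { echo "FAIL $1: AuthUserFile missing or unreadable"; return 1; }
    echo "OK $1: HTTPS-only with basic auth on every <Directory> block"
}

# Weakened copy (port 80 re-enabled, Require removed from the second block)
# to show what the audit catches.
WEAK="$WORK/httpd-weak.conf"
sed -e 's/^#Listen 80/Listen 80/' \
    -e '/^<Directory "\/var\/www\/html">/,/^<\/Directory>/{/Require valid-user/d}' \
    "$CONF" > "$WEAK"

audit_httpd_conf "$CONF"
if audit_httpd_conf "$WEAK"; then echo "unexpected: weak config passed"; exit 1; fi
```

Run it against the real /usr/local/apache/conf/httpd.conf after editing (audit_httpd_conf /usr/local/apache/conf/httpd.conf) and again after any later change; the checks are deliberately line-based so they work on the Apache 1.3 file layout used in this post.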