(Repost) FC4: Snort+mysql+Apache(with mod_ssl)+php+ACID installation log
Posted on 2006-09-06 00:04 by 笨蛋啊帆
2006-03-23
by linghood
I. Runtime environment
1. Platform:
Fedora Core 4 (IP Address: 192.168.1.101)
2. Required software:
Alerting + database:
snort-2.4.0.tar.gz
snortrules-pr-2.4.tar.gz (snortrules for v2.4, unregistered user release)
mysql-standard-4.1.13-pc-linux-gnu-i686.tar.gz
create_mysql (script)
Client-side display:
apache_1.3.29.tar.gz
mod_ssl-2.8.16-1.3.29.tar.gz
php-4.4.0.tar.gz
acid-0.9.6b23.tar.gz
adodb465.tgz
jpgraph-1.19.tar.gz
Auxiliary management tools:
webmin-1.220-1.noarch.rpm
Net_SSLeay.pm-1.21.tar.gz
snort-1.0.wbm (snort's webmin plugin)
3. Download locations
snort-2.4.0.tar.gz (http://www.snort.org)
snortrules-pr-2.4.tar.gz (http://www.snort.org)
mysql-standard-4.1.13-pc-linux-gnu-i686.tar.gz (http://www.mysql.com)
create_mysql script (http://cvs.sourceforge.net/viewcvs.py/snort/snort/contrib/)
apache_1.3.29.tar.gz (http://www.apache.org)
mod_ssl-2.8.16-1.3.29.tar.gz (http://www.modssl.org)
php-4.4.0.tar.gz (http://www.php.net)
acid-0.9.6b23.tar.gz (http://acidlab.sourceforge.net)
adodb465.tgz (http://adodb.sourceforge.net/)
jpgraph-1.19.tar.gz (http://www.aditus.nu/jpgraph/index.php)
webmin-1.220-1.noarch.rpm (http://www.webmin.com/)
Net_SSLeay.pm-1.21.tar.gz (http://symlabs.com/Net_SSLeay/)
snort-1.0.wbm (http://www.snort.org/dl/contrib/front_ends/webmin_plugin/)
II. Installation
1. Preparation
Log in to FC4 as root over ssh and copy the files listed above to /home.
2. Install mysql
# groupadd mysql
# useradd -g mysql mysql
# cd /home
# tar -vxzf mysql-standard-4.1.14-pc-linux-gnu-i686.tar.gz
# mv mysql-standard-4.1.14-pc-linux-gnu-i686 /usr/local/mysql
# cd /usr/local/mysql
# chown -R root .
# chown -R mysql data
# chgrp -R mysql .
# scripts/mysql_install_db --user=mysql
# /usr/local/mysql/support-files/mysql.server start
3. Create the snort database
# /usr/local/mysql/bin/mysql
mysql> set password for 'root'@'localhost'=password('linghood');
mysql> create database snort;
# /usr/local/mysql/bin/mysql -u root -p
mysql> connect snort;
mysql> source /home/create_mysql;    (give the path of the create_mysql script)
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> connect mysql;
mysql> set password for 'snort'@'localhost'=password('linghoodids');
mysql> set password for 'snort'@'%'=password('linghoodids');
mysql> flush privileges;
4. Install and start snort
# cd /home
# tar -vxzf snort-2.4.0.tar.gz
# mv snort-2.4.0 /usr/local/snort
# cd /usr/local/snort
# ./configure --with-mysql=/usr/local/mysql
# make
# make install
# mkdir /var/snort
# mkdir /var/log/snort
# mkdir /etc/snort    (holds the rules)
# cd /home
# tar -vxzf snortrules-pr-2.4.tar.gz
# mv rules /etc/snort
# mv doc /etc/snort
Edit /etc/snort/rules/snort.conf:
(1) Comment out the line var RULE_PATH ../rules
(2) Add: output database: log, mysql, user=snort password=linghoodids dbname=snort host=localhost
(3) Change the include section:
   include $RULE_PATH/bad-traffic.rules  ->  include bad-traffic.rules
   (and so on...)
Start snort (example):
# snort -d -D -c /etc/snort/rules/snort.conf
5. Install apache + mod_ssl
# cd /home
# tar -vxzf apache_1.3.29.tar.gz
# tar -vxzf mod_ssl-2.8.16-1.3.29.tar.gz
# cd mod_ssl-2.8.16-1.3.29
# ./configure --with-apache=../apache_1.3.29
# cd ../apache_1.3.29
# SSL_BASE=SYSTEM \
  ./configure \
      --prefix=/usr/local/apache \
      --enable-module=ssl \
      --enable-module=so \
      --enable-module=rewrite

# make
# make certificate
# make install
6. Install PHP
# cd /home
# tar -vxzf php-4.4.0.tar.gz
# cd php-4.4.0
# CFLAGS="-DEAPI -fPIC" \
  ./configure \
      --prefix=/usr/local/php \
      --with-mysql=/usr/local/mysql \
      --with-apxs=/usr/local/apache/bin/apxs \
      --with-gd \
      --with-zlib \
      --enable-sockets
# make
# make install
Note: mod_ssl uses Apache's EAPI, so you need to compile PHP with -DEAPI.
7. Install acid + adodb + jpgraph
Unpack acid-0.9.6b23.tar.gz, adodb465.tgz, gd-2.0.33.tar.gz and jpgraph-1.19.tar.gz
and copy them to /var/www/html (drop the version numbers from the directory names).
# vi /var/www/html/acid/acid_conf.php
Change the following settings:
$DBlib_path="../adodb";
$alert_dbname="snort";
$alert_user="snort";
$alert_password="linghoodids";
$Chartlib_path="../jpgraph/src";
8. Change the SELinux configuration and the Apache configuration
# vi /etc/selinux/config

    SELINUX=disabled
    (otherwise libphp4.so segfaults)
# vi /usr/local/apache/conf/httpd.conf
    ServerName 192.168.1.101
    DocumentRoot "/var/www/html"

    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
    ##
    ## SSL Virtual Host Context
    ##

    #  General setup for the virtual host
    DocumentRoot "/var/www/html"
    ServerName 192.168.1.101

Note: don't forget to configure the firewall to allow https.
9. Configure automatic start-up and reboot the machine
# vi /etc/rc.d/rc.local
    #start mysqld
    /usr/local/mysql/support-files/mysql.server start
    #start httpd
    /usr/local/apache/bin/apachectl startssl
    #start snort
    /usr/local/bin/snort -d -D -c /etc/snort/rules/snort.conf
# reboot
10. Test the connection to acid and initialise it
https://192.168.1.101/acid or http://192.168.1.101/acid
Click "Setup page", then "Create ACID AG".
At this point Snort+mysql+Apache(with mod_ssl)+php+ACID is working normally.
11. Auxiliary management tool (graphical management of snort):
(1) Install Net_SSLeay (Redhat9 is broken)
# cd /home
# tar -vxzf Net_SSLeay.pm-1.21.tar.gz
# cd Net_SSLeay.pm-1.21
# perl Makefile.PL
# make install
(2) Install webmin
# cd /home
# rpm -ivh webmin-1.220-1.noarch.rpm
(3) Test the connection and install the snort module
https://127.0.0.1:10000, log in as root with the root password
  Webmin Configuration -> SSL Encryption -> generate a new SSL key
  Webmin Configuration -> Webmin Modules -> install snort-1.0.wbm
  Servers -> Snort IDS Admin -> configure:
     Full path to snort executable ->
     /usr/local/bin/snort -d -D -c /etc/snort/rules/snort.conf

     Full path to snort configuration file ->
     /etc/snort/rules/snort.conf

     Full path to snort rule files directory ->
     /etc/snort/rules

     Full path to snort PID file ->
     /var/run/snort_eth0.pid
(4) After saving, snort's configuration interface can be opened.
12. Restrict apache to https connections only
Change /usr/local/apache/conf/httpd.conf as follows (the lines of the enclosing container are not preserved in this copy):
#Listen 80
Listen 443
13. Add simple access control to Apache
(1) Create an authorised user and set a password
# /usr/local/apache/bin/htpasswd -c /usr/local/apache/conf/auth.users linghood
New password: ******
Re-type new password: ******
Adding password for user linghood
(2) Change /usr/local/apache/conf/httpd.conf as follows (the opening and closing lines of the two container blocks are not preserved in this copy):
#    Options FollowSymLinks
#    AllowOverride None
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user

#    Options Indexes FollowSymLinks MultiViews
#    AllowOverride None
#    Order allow,deny
#    Allow from all
AuthType Basic
AuthName "IDS"
AuthUserFile /usr/local/apache/conf/auth.users
Require valid-user
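A post-install audit, added here as an example and not part of the original log, that checks the outcome of steps 4, 7, 12 and 13: the two files holding the MySQL password must not be world-readable, httpd.conf must have no active Listen 80 and must require a valid user, and the Snort output plugin must still log over host=localhost (the grant without a host part in step 3 also creates a snort@'%' account, which this keeps unused). File paths are the ones used in the log; the audit function takes a root directory so it can also be run against a staged copy.

```shell
#!/bin/sh
# Post-install audit for the IDS host built above (added example, not part of
# the original log). Each check returns 0 on pass / 1 on fail; audit ROOT runs
# all of them under ROOT (/ on the real host, a staging tree for testing).

# snort.conf (step 4) and acid_conf.php (step 7) hold the MySQL password in
# clear text, so the file must exist and the "other" read bit (004) be clear.
not_world_readable() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# Step 12 comments out "Listen 80": pass only if no active Listen 80 remains.
https_only() {
    ! grep -Eq '^[[:space:]]*Listen[[:space:]]+80([[:space:]]|$)' "$1"
}

# Step 13 adds Basic auth: both the user file and Require must be active.
basic_auth_enabled() {
    grep -Eq '^[[:space:]]*AuthUserFile[[:space:]]+/.*auth\.users' "$1" &&
    grep -Eq '^[[:space:]]*Require[[:space:]]+valid-user' "$1"
}

# Step 4 logs to MySQL with host=localhost; keep it that way so the
# snort@'%' account from step 3 is never relied on over the network.
db_output_local() {
    grep -Eq '^[[:space:]]*output[[:space:]]+database:.*host=localhost' "$1"
}

# Runs every check and returns the number of failures (0 = all good).
audit() {
    root=${1%/}
    snort="$root/etc/snort/rules/snort.conf"
    acid="$root/var/www/html/acid/acid_conf.php"
    httpd="$root/usr/local/apache/conf/httpd.conf"
    fails=0
    for f in "$snort" "$acid"; do
        not_world_readable "$f" || { echo "FAIL: $f missing or world-readable"; fails=$((fails + 1)); }
    done
    https_only "$httpd" || { echo "FAIL: $httpd still has an active Listen 80"; fails=$((fails + 1)); }
    basic_auth_enabled "$httpd" || { echo "FAIL: $httpd lacks Basic auth"; fails=$((fails + 1)); }
    db_output_local "$snort" || { echo "FAIL: $snort does not log to host=localhost"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh ids_audit.sh /    (no argument: only define the functions)
[ $# -eq 0 ] || audit "$1"
```

Run it as sh ids_audit.sh / on the IDS host; the exit status is the number of failed checks, so it can be used from cron or rc.local.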