IDS Install with Tap

I wanted to install a small network IDS on my home network using Snort.  I wanted to stick the NIDS outside of my firewall, so it would be able to examine all Internet traffic coming into and going out of the network.  Of course, putting a device online outside my firewall without any protection isn't terribly attractive, so I decided to install it using a tap.  Aside from being the only configuration my home ISP (FiOS) really allows, a tap gives me a completely stealthed deployment: the sensor has no address on the monitored link and can't be reached from it.  The flip side is that a passive tap can't put anything onto the wire, so active responses such as Snort's flexresp are out of the question.

Construction of a passive tap

The other cost of using a tap is that, by its nature, you need two Ethernet ports to sniff on.  Why?  Check out the Snort docs on the subject.  A passive tap can only push one direction's worth of traffic onto each tap port: Tap A carries what one host sends, Tap B carries what the other sends.  That means you have to recombine the two halves of the conversation on the sniffing device.  Since these ports can only receive and never send, you also need a third Ethernet port to connect to your internal network, or, if you've got a larger network, a management LAN.

So, building your tap is pretty simple when you've got the picture here on the right to work from.  Need the parts?  Head over to Home Depot and grab the following:

  1. A plastic electric box (get one marked for “Old Work”).  An 8 cubic inch box will probably not be deep enough, so go for one of the 14 cubic inch ones.  Unscrew the little anchor flaps and toss them in the trash.
  2. A 4-jack faceplate.  Whatever color you like.  I used white.
  3. 4 Cat 5e Ethernet jacks.  I got 2 white and 2 blue.  The white jacks are the Host jacks, and the blue ones are Tap A & B, as shown in the figure at the right.
  4. About 6 inches of Ethernet cable.

Strip off the jacket and separate the 8 wires.  Wire up the jacks as shown in the figure.  I found it easiest to wire up one of the host jacks, then run the wires through the tap jacks and finally up to the other host jack.  Keep the pairs twisted right up to the jacks (the Cat 5e termination spec allows only about half an inch of untwist), to limit NEXT (near-end crosstalk); the tap already weakens the signal by splitting it, so don't add noise on top.  Cap off the jacks and screw the thing into the electric box.

I made two, one to use for the NIDS, and another to carry around for work if I need a tap.

I'm not going to go into how to install Snort, ACID, or any of that stuff.  There are already enough guides out there on that topic.  I will, however, address the need to join the two sniffing interfaces into a single full-duplex interface for Snort to sniff on.  You'll be using the Linux kernel's bonding module for this.  I'm going to assume Debian or Ubuntu here.  Add bonding to your /etc/modules file, then run modprobe bonding.  The default bonding mode, balance-rr (mode 0), is the one you want here: it hands up frames received on either slave.  Don't use active-backup, which discards frames received on the inactive slave and would leave you seeing only one direction of every conversation.  In the /etc/network/interfaces file, you'll need something like this:

auto bond0
iface bond0 inet manual
  up ifconfig $IFACE 0.0.0.0 up
  down ifconfig $IFACE down
  post-up ifenslave bond0 eth0 eth1
  pre-down ifenslave -d bond0 eth0 eth1

Obviously, you'll need to configure Snort to sniff on the bond0 interface.  Don't forget to install the ifenslave package; it's not installed by default on Ubuntu.  Before pointing Snort at it, confirm that both slaves are attached and passing traffic: cat /proc/net/bonding/bond0 lists the mode and each slave, and tcpdump -ni bond0 should show both directions of a connection (the SYN one way, the SYN/ACK the other).  If you only ever see one direction, one of the tap ports is dead or mis-wired.
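As an added example (not part of the original post), here is a small Python script that parses the text the kernel exposes at /proc/net/bonding/bond0 and flags the two failure modes that silently leave you with half of every conversation: a slave whose link is down, and a bond running in active-backup mode.  The two bond status samples embedded in it are constructed.  One caveat: the per-slave link state in that file is only meaningful when link monitoring is enabled (the bonding module's miimon option), which the interfaces stanza above does not set.

```python
"""Sanity-check a bonding interface used to merge the two tap feeds.

Added example, not from the original post. Parses /proc/net/bonding/<bond>
text and reports anything that would leave the sensor blind in one direction.
"""
import re
import sys

# Constructed sample of /proc/net/bonding/bond0 for a healthy tap bond.
SAMPLE_OK = """\
Ethernet Channel Bonding Driver: v3.3.0 (June 10, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:66
"""

# Constructed sample of a mis-configured bond: active-backup mode, and the
# second slave has no link. Either fault alone loses one direction of traffic.
SAMPLE_BAD = SAMPLE_OK.replace(
    "load balancing (round-robin)", "fault-tolerance (active-backup)"
).replace(
    "Slave Interface: eth1\nMII Status: up", "Slave Interface: eth1\nMII Status: down"
)


def parse_bond(text):
    """Return (mode, {slave_name: mii_status}) from bond status text."""
    mode_match = re.search(r"^Bonding Mode: (.+)$", text, re.M)
    mode = mode_match.group(1).strip() if mode_match else ""
    slaves = {}
    # Each slave section starts with its own "Slave Interface:" line; the
    # header block before the first one is skipped because it has no name.
    for block in re.split(r"\n(?=Slave Interface:)", text):
        name = re.search(r"^Slave Interface: (\S+)", block, re.M)
        if not name:
            continue
        status = re.search(r"^MII Status: (\S+)", block, re.M)
        slaves[name.group(1)] = status.group(1) if status else "unknown"
    return mode, slaves


def check_tap_bond(text, expected_slaves=("eth0", "eth1")):
    """Return a list of problems; an empty list means the bond is usable."""
    mode, slaves = parse_bond(text)
    problems = []
    if "active-backup" in mode:
        problems.append("mode is active-backup: frames received on the inactive "
                        "slave are dropped; use balance-rr (mode 0) for a tap")
    for iface in expected_slaves:
        if iface not in slaves:
            problems.append("%s is not enslaved to the bond" % iface)
        elif slaves[iface] != "up":
            problems.append("%s link is %s: that direction of the tap is blind"
                            % (iface, slaves[iface]))
    return problems


if __name__ == "__main__":
    # Reads the live file when run on the sensor; falls back to the
    # constructed bad sample so the script also demonstrates offline.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/net/bonding/bond0"
    try:
        with open(path) as f:
            data = f.read()
    except IOError:
        data = SAMPLE_BAD
    for line in check_tap_bond(data) or ["bond looks fine"]:
        print(line)
```

Run it as root on the sensor after ifup bond0; anything it prints is a reason not to trust what Snort is about to see.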

The biggest concern lots of tap novices have is accidentally introducing traffic onto the wire via the tap.  With this design, that can't happen.  The only pins that are live on the tap ports are 3 and 6, and on the sniffing NIC those are the receive pair; its transmit pair (pins 1 and 2) is connected to nothing, so there is no electrical path for anything the sniffer sends to reach the monitored link.  Two caveats come with the design, though.  It only works on 10/100 Mbps links: 1000BASE-T uses all four pairs in both directions, so a gigabit link needs an active or aggregating tap instead.  And because the sniffing NICs have nothing to auto-negotiate with, some of them won't bring link up cleanly; forcing speed and duplex on those ports (ethtool -s eth0 speed 100 duplex full autoneg off) is the usual fix.

This afternoon I upgraded, or more accurately rebuilt, my server using Ubuntu's latest release, Intrepid Ibex, aka 8.10.  After several hours of transferring data back and restoring configurations, I'm quite pleased with the results.

The installer is largely unchanged from Hardy Heron, 8.04.  One new and welcome change is the newly integrated support for installation to dmraid devices.  These are the largely software-driven SATA RAID controllers, such as the Intel Matrix controllers.  I preferred this to Linux software RAID (md), since replacing a drive and rebuilding a mirror seems more straightforward this way.  As my server includes an Intel Matrix controller onboard, I went for this option.  It worked very well.  The device names are a bit long (/dev/mapper/isw_diaedigfhd_Volume03), but that's fine.  I did a pretty basic layout: 250MB of ext3 for /boot, a 4GB swap partition and the rest as JFS for /.

Also new in Intrepid is DKMS.  What's that, you say?  Your lucky day, I say.  At least, if you use software that requires special kernel modules.  Back in the good old days, every time you upgraded your kernel you had to rebuild your custom kernel modules as well, a largely manual process.  DKMS takes the manual part out of the picture.  You install a DKMS package, and when you update a kernel, the drivers from your DKMS packages are automagically built and installed.  I'm excited about the possibility of vmware module and DAHDI (the new name for zaptel) DKMS packages!

I've already installed VMware Server 2.0, which went well, aside from a bit of trouble compiling the vsock module.  I suspect this will get worked out before too long as well.

Intrepid Ibex, it’s worth the trip.  If you’re  looking to update an existing server, change your sources.list and dist-upgrade away.

I took the plunge.  I did a clean installation of the Ubuntu Intrepid Ibex 8.10 beta on my eeePC 1000.

So far, it's pretty smooth.  Adam's even got a new kernel spun for Intrepid.  This time, I skipped over using the very good UNetbootin, in favor of connecting a USB DVD drive.  Mind you, my eee 1000 is no longer in a stock configuration, having changed out the wifi card in favor of an Intel Wifi Link 5300, so I don't have to worry about the rt2860 driver.  That said, someone's already created a package that uses DKMS to install that driver on Intrepid.  For me, the driver is now in the box.  No more downloading snapshots of drivers and building them myself.  Yay.

So, what's working?  Everything.  No, really, at least hardware-wise.  In truth, I didn't try the microphone, but I'd bet it works, since Adam knocked that one out in a previous kernel release for Hardy.  What's not working?  Hotkeys.  The newer ACPI drivers expose a different interface (no longer under /proc), so the scripts and utilities need to be rebuilt or adjusted a bit.  That's bound to happen over the next few weeks, as this release heads out the door.  I've hacked a bit on the scripts I was using for my Hardy install (courtesy of elmurato), and I've got CPU scaling and control of the webcam working with the hotkeys.  More to come later on that.

What’s new & cool?

Network Manager 0.7 – Now your 3G devices should work automatically.  At least mine (Pantech UM175) does.

Xorg 7.4 – Hotplug support for pretty much everything you’d want to throw at it.  Most users can run without an xorg.conf with this release.  Speaking as someone who’s spent years hacking away on XF86Config and xorg.conf files, that’s mighty cool.

DKMS – This one’s a monster.  So, you’ve got some kind of special bit of hardware that requires a special driver of some sort.  In Hardy & earlier, you’d have to install new packages for the driver each time, or rebuild it every time you installed a new kernel.  With DKMS, the modules are automagically recompiled for each new kernel version.

GNOME 2.24 – The latest & greatest.

So far, Intrepid's behaving pretty well for me.  By the time it rolls at the end of the month, it should be pretty solid.  I do wish that the Ubuntu gang would swap out Usplash for Splashy though.  Oh well, I'll wind up doing that myself in the end, I suppose.

eeePC Wifi Replacement

My latest project with the eee 1000 was to get some better wifi range, possibly saving some battery life in the process.  My first thought was to go for a replacement antenna.  I ordered one on eBay, and was prepared to do a bit of mod work to get it done.  As it turned out, the seller didn't send me my antenna parts, but instead sent me an Intel Wifi Link 5300 MiniPCIe card.  We agreed to just call it even at that point.  I bought a different antenna instead.  You'll see why.

Conventional wisdom (and many others before me) calls for an Intel 4965 MiniPCIe card.  The 5300 seems to be the successor to the 4965, boasting up to 450 Mbps of 802.11n performance.  Not having any 802.11n APs, I wouldn't know about that just yet.  We'll see.  Unfortunately, this card doesn't have drivers in the mainline Linux kernel until version 2.6.27.  As I'm running Ubuntu Hardy (until Intrepid Ibex rolls out), on kernel 2.6.24, no drivers exist outside of the backported ones from the compat-wireless project.  Well, since the drivers exist, I decided to give it a go.

First up, grab the firmware and the drivers package.  Unpack the firmware and drop it in /lib/firmware.  Next, install the build-essential package, as well as the linux-headers package appropriate for your kernel.  Unpack the drivers and check the config.mk file.  You should probably (as I did) uncomment the lines that enable support for the RFKILL code; that's what gives you the ability to toggle the wifi on and off.  Run make, then make install as root, to build and install the drivers.  It will not overwrite the existing mac80211 modules, and that's a good thing.  Halt your machine and do the card swap.

Installing the card was pretty easy.  Pull the battery and unplug first.  After all, you don’t want to short things out, right? Ok, now remove the two screws that hold down the existing Ralink wifi card and pop the two antenna leads off.  Now install the Intel card and put the screws back.  Connect the white wire to terminal 1, and the black to terminal 2.  Terminal 3 is where you’ll need to connect the extra antenna.  I opted for a small antenna, typically used for a bluetooth radio, but since it’s a 2.4 Ghz antenna, it also works fine here. I snaked the wire through one of the small gaps in the plastic housing adjacent to the wifi card, and used the adhesive backing on the antenna to stick it in the hole where the hard drive goes on a 1000h.  Not sure where you’d want to put the antenna on a 1000h, but then again, that’s not my chief concern, as I’m working on a 1000.  Put back all the screws and you’re done.

Boot the system, and you should be all done.  The card should be automagically detected and have the iwlagn module loaded.  You’ll likely want to gently massage your /etc/acpi/eeepc-wifi-toggle.sh script to work with the proper modules.  Removing the module and echoing a 0 into /proc/acpi/asus/wlan (to power down the card) results in the card going into “deep sleep”.  My last bit is to figure out how to wake it from deep sleep, other than a reboot.

So, wasn't it cool last week when you got your UM175 working under Hardy?  What's not so cool?  Since it's not integrated with Network Manager, every time you launch Firefox, Pidgin or anything else that queries NetworkManager for connection status, you get told you're offline.  There are guides out there for creating scripts in /etc/chatscripts and /etc/ppp/peers to integrate with the stock NM that ships with Hardy, but unfortunately those don't register as valid Internet connections with NM as shipped.

Enter the NetworkManager PPA.  This is the development ground for what’s going to be included in Intrepid Ibex, aka Ubuntu 8.10.  It only takes a few minutes to get it started.

1. Add the PPA repo to /etc/apt/sources.list:

deb http://ppa.launchpad.net/network-manager/ubuntu hardy main
deb-src http://ppa.launchpad.net/network-manager/ubuntu hardy main

2. apt-get update and upgrade the packages.  Update Manager (Administration > Update Manager, from the menu) will flag the PPA packages as unauthenticated, meaning apt has no key to verify their signatures; installing them that way means trusting both the PPA owner and the network path to Launchpad.  If the PPA publishes a signing key, import it with apt-key before upgrading so the packages verify like any other, and only install them unauthenticated if there is no key to import.

3. It will probably ask for a reboot when all is done.  Don’t do it yet.  You need to patch one file to make the UM175 work.

4. Open up /usr/share/hal/fdi/information/10freedesktop/10-modem.fdi

At line 175, add a couple of USB ids, specifically 0x3711 and 0x3714, so the line looks like:

<match key="@info.parent:usb.product_id" int_outof="0x3701;0x3702;0x3711;0x3714">

5. Reboot, now you’re nearly done.

6. After login, right click on the Network Manager icon in the notification area.  Edit Connections.  Go to the Mobile Broadband tab, add a new connection.

7. I only filled in a name for the connection, used the following parameters:

  • Phone Number: #777
  • Username: <phonenumber>@vzw3g.com (use your device's phone # here)
  • Password: vzw
  • Check the “System Setting” box.

8. ???

9. Profit!

To connect, plug in the evdo device, click on the NM icon, select your 3G connection.
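Editing 10-modem.fdi by hand works, but it is easy to break the XML or to lose the change when HAL is upgraded.  As an added example (not part of the original post), the Python below does the same edit with a parser, so the int_outof attribute stays well-formed and re-running it after a package upgrade is harmless.  The .fdi fragment it carries is constructed to resemble the relevant rule; the vendor id 0x106c in it is an assumption for the example, so check the vendor match that actually encloses line 175 in your file before pointing the script at it.

```python
"""Merge USB product ids into a HAL .fdi modem rule.

Added example, not from the original post. Works on the int_outof list of
the usb.product_id <match> nested under a given usb.vendor_id <match>.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed fragment shaped like a HAL .fdi rule. The vendor id is an
# assumption for the example; the real 10-modem.fdi has many more rules.
SAMPLE_FDI = """<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
  <device>
    <match key="@info.parent:usb.vendor_id" int="0x106c">
      <match key="@info.parent:usb.product_id" int_outof="0x3701;0x3702">
        <append key="modem.command_sets" type="strlist">IS-707-A</append>
      </match>
    </match>
  </device>
</deviceinfo>
"""

VENDOR_KEY = "@info.parent:usb.vendor_id"
PRODUCT_KEY = "@info.parent:usb.product_id"
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'


def _product_matches(root, vendor_id):
    """Yield usb.product_id <match> elements directly under vendor_id's match."""
    for vendor in root.iter("match"):
        if vendor.get("key") == VENDOR_KEY and vendor.get("int") == vendor_id:
            for prod in vendor.findall("match"):
                if prod.get("key") == PRODUCT_KEY:
                    yield prod


def get_product_ids(fdi_xml, vendor_id):
    """Return the int_outof ids for the vendor, in file order."""
    root = ET.fromstring(fdi_xml.encode("utf-8"))
    ids = []
    for prod in _product_matches(root, vendor_id):
        ids.extend(i for i in prod.get("int_outof", "").split(";") if i)
    return ids


def add_product_ids(fdi_xml, vendor_id, new_ids):
    """Return (new_xml, changed). Ids already present (case-insensitive)
    are left alone, so running this twice is safe."""
    root = ET.fromstring(fdi_xml.encode("utf-8"))
    changed = False
    for prod in _product_matches(root, vendor_id):
        ids = [i for i in prod.get("int_outof", "").split(";") if i]
        known = {i.lower() for i in ids}
        for new in new_ids:
            if new.lower() not in known:
                ids.append(new)
                known.add(new.lower())
                changed = True
        prod.set("int_outof", ";".join(ids))
    # ElementTree drops the declaration; put it back so the file stays as HAL expects.
    return XML_DECL + ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    # Usage: fdi_add.py [/usr/share/hal/fdi/information/10freedesktop/10-modem.fdi]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_FDI
    out, changed = add_product_ids(text, "0x106c", ["0x3711", "0x3714"])
    if path and changed:
        open(path, "w").write(out)
    print("changed" if changed else "already present", get_product_ids(out, "0x106c"))
```

Without a path it only prints the result for the embedded fragment; with the real file as argument it rewrites it in place, so run it as root and keep a copy of the original first.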

EDIT: If you’re feeling just a bit adventurous, why not upgrade to NetworkManager 0.7 out of the PPA and then not only will your UM175 work, you’ll also be able to use apps that rely on NetworkManager’s connection status, like Pidgin!  See this other post on that topic.  The PPA version of NM 0.7 is essentially what’s going to be in Intrepid Ibex when it rolls next month.

Just today I traded in my old Verizon Wireless V740 ExpressCard for a shiny new UM175 USB EVDO device.  Sure, both are Rev-A devices, but the new device gives me a bit more flexibility, and is nowhere near as huge as previous USB EVDO devices.  I'll spare you the shtick on the folding and rotating USB connector, oh wait.  The Windows XP software worked pretty much as you'd expect.  Stay tuned for a similar guide featuring this device with Mac OS X.

Mind you, I only tried doing this on Ubuntu Hardy and the Desktop version at that.  I’m sure it would work much the same on Kubuntu or Xubuntu, but you’d need to use a different application than I used (gnome-ppp).

Before you get started, be sure you’re up to date on updates.  At the time this was written, the current -generic kernel for Hardy Desktop was 2.6.24-19, though I’m sure it will work much the same with other reasonably similar kernel versions.  Also, install gnome-ppp (apt-get install gnome-ppp) before you get rolling.  The last bit of information you’ll need before starting is the phone number of your device.  For the sake of this guide, let’s assume your device’s phone number is 212-555-1212.

Step 1. Plug the device in.  Ok, you’re done Step 1.

Step 2. Launch gnome-ppp, configure settings, other than the defaults:

  • Modem Tab
    • Device: /dev/ttyACM0
    • Type: USB Modem
    • Speed: 460800
    • Phone Line: Tone
    • Volume: Off
  • Options Tab
    • Minimize: checked
    • Dock in Notification Area: checked

Click Close.  Fill in the fields in the main Gnome PPP window:

  • Username: 2125551212@vzw3g.com
  • Password: vzw
  • Phone Number: #777

Step 3. Click Connect

Step 4. There is no step 4.  You’re connected.

Congratulations, you’re online, EVDO style.

Netbook Remix is an alternative Linux UI targeted at small screen devices, the so-called Netbooks like the eeePC.  I just loaded it up tonight, and so far, I'm very impressed.  All I can say is go try it out for yourself.  If you find you hate it, backing it out is as easy as removing a couple of startup items and a panel widget, followed by a logout/login.

Details on the installation procedure are here.  Relatively simple stuff.  Add a repo, install 4 packages, add 1 to your gnome session, massage panel widgets, done.

It’s really quite a nice setup.  Check it out…

Netbook Remix UI

1. Get Ubuntu Installed.

To get the ball rolling, you’re going to need a way to install Ubuntu on your shiny new eeePC.  If you don’t have a USB CD/DVD drive laying around, all is not lost.  You’ll first want to download the Ubuntu Hardy Desktop x86 iso, either from the Ubuntu Website, or a torrent, or whatever.  In the end, you want to have an ISO to work from.

Next, hit the UNetbootin site and download the latest UNetbootin.  Get a USB flash drive formatted with the FAT32 filesystem, at least a 1GB drive please.  The Ubuntu install unpacks onto the drive to the tune of about 700MB.  Fire up UNetbootin, point it at the ISO you downloaded, tell it which USB drive to write the image to and wait.  Go get a cup of tea, or something.  Come back in 5-10 minutes.

Plug that thumb drive into your eeePC and turn the system on.  Tap gently on the ESC key several times, until presented with a boot menu.  Select USB: from the list and boot away into the Ubuntu livecd installer.  Now just do what comes naturally.  Read a bit about your particular system’s setup first, to make your life easier down the road.  For example, my eeePC 1000 ships with 2 SSDs inside, an 8GB and a 32GB.

I left the /dev/sda3 and /dev/sda4 partitions alone (the BIOS loader partition and an EFI loader partition, respectively), and created a single /dev/sda1 partition with what space was available after removing partitions 1 & 2.  This is mounted on /, as fs type ext2.  I’ve got the larger SSD split into a 30GB /dev/sdb1, mounted on /home as ext2 and left the remainder unpartitioned (for the moment).

Let's stop and talk filesystems for a minute.  Why ext2 and not ext3, XFS or JFS?  As much as I'd like to use a journaling filesystem, journaling means more write operations than a non-journaled type such as ext2, and as we all know, flash devices have a finite lifespan for write operations.  The trade-off is that an unclean shutdown means an fsck on the next boot instead of a quick journal replay.  Whatever you pick, mount it with noatime so that merely reading a file doesn't turn into a write.

2. Kernels, Drivers and Flash Drives, oh my..

If you’re on an eeePC 901 or 1000 model, after you reboot, there will be no working network for you.  This is easily remedied, thanks to Adam M.  Hit his site, get the kernel and modules debs, toss them on a flash drive, connect the drive to the eeePC, install & reboot into that new kernel.  Voila, now your onboard Ethernet (Attansic) works, as does your Wifi (Ralink).  Log in and get that stuff all setup, per Adam’s docs.

3. More Flash Life Prolonging…

What writes to the drive constantly without mercy?  Syslog.  You want syslog to stop doing that.  Don't worry, it's pretty painless.  Open your /etc/fstab as root (use sudo or gksudo along with the text editor of your choice) and add these lines:

tmpfs        /tmp         tmpfs    defaults    0    0
tmpfs        /var/tmp     tmpfs    defaults    0    0
tmpfs        /var/log     tmpfs    defaults    0    0

After saving, reboot.  You'll now occasionally see errors about files in /var/log missing, or something like that: daemons expect their log directories (/var/log/apt, /var/log/apache2 and so on) to exist, and a fresh tmpfs is empty on every boot, so either live with it or re-create the directories from a boot script.  Two more things to know: without a size= option a tmpfs can grow to half of RAM, and everything in /var/log is gone at reboot, which also means there is nothing to look at after a crash or a break-in.  If you need to really capture log data from it, either add a small SD card mounted on /var/log, or send your syslogs to a syslog server over the network.

4. Hotkeys

On the eeeuser forum, there's a great thread, started by elmurato, which is all about getting the various hotkey combinations working on your eeePC.  I used his “new” scripts on my eeePC 1000 and it all worked flawlessly.  There's really not much to say here on this.

5. Disk Encryption

I tried LUKS encryption of my whole /home partition, but personally found it far too slow for everyday use on a machine this small.  If you want to go this route, be warned: the performance hit comes along for the ride.  You've been warned.

Log out and drop to the console, then log in as root (if you haven't set a root password yet, do a sudo passwd root before trying to log in).  Do a ps -fu <yourusername> and kill any remaining processes belonging to that user that hung on after you logged out; otherwise the umount below fails with “device is busy”.  Now, in order:

cd /home
tar -cvf /root/<yourname>.tar yourname/
cd /root
umount /home
modprobe aes-i586
modprobe sha256
modprobe dm-mod
modprobe dm-crypt
luksformat -t ext2 /dev/sdb1
cryptsetup luksOpen /dev/sdb1 home
mount /dev/mapper/home /home
cd /home
tar -xpvf /root/<yourname>.tar

Next, update your /etc/fstab so that /home is mounted from /dev/mapper/home rather than from the UUID=…. entry that pointed at the raw partition.  You'll also need an entry in /etc/crypttab like:

home    /dev/sdb1     none     luks

This entry creates /dev/mapper/home from the physical volume /dev/sdb1 at boot time.  During the boot process, you'll be prompted for the passphrase you set when you ran luksformat.  Lastly, don't forget to add the aes-i586, sha256, dm-mod and dm-crypt modules to your /etc/modules file.  Since you don't boot from /home, there's no need to re-create the initrd with the right modules in it.  Two loose ends worth tidying: the tarball in /root is an unencrypted copy of everything in /home, so remove it once you've confirmed the restore, and remember that luksformat doesn't wipe the old plaintext blocks.  On flash, with wear levelling, fragments of the previous unencrypted filesystem can survive on the chip even though nothing references them any more.

eeePC 1000

A new toy found its way onto my desk this week: an Asus eeePC 1000.  I'd long been eyeing up the eeePC line, since they first came out.

The eeePC line is one of a new generation of the so-called Netbooks.  An amazingly small, yet powerful line of sub-notebooks that have lots of built-in networkability.

The 1000 model builds on prior models, adding upgrades like Bluetooth 2.0+EDR and 802.11n, to complete the package.  The 1000 also kicks it up a notch in screen size, now up to 10″, driven by an Intel i915 chipset at a resolution of 1024×600.

Storage-wise, the 1000 has 40GB of SSD (Solid State Drive), split over 2 drives, one 8GB, the other 32GB, as well as a built-in SD slot that’s SDHC capable.  The system shipped standard with a variant of Xandros Linux installed, though if Windows is your thing, you can get a similar unit with Windows XP Home Edition loaded on it.  I spent the better part of an hour looking at the pre-installed Xandros setup, until I dumped it in favor of Ubuntu Hardy.  Installing Ubuntu on the system is a breeze, thanks to UNetbootin. It chews up an Ubuntu (or a ton of other distributions for that matter) install CD and turns a FAT32 formatted USB thumbdrive into a USB installer.  For the Hardy desktop version, you need a 1GB drive, as the installer files take about 700MB on the drive.

Once you've got Hardy installed, the fun just gets started.  Now you've got a machine that boots fine, but has no networking, be it wired or wifi.  Fortunately, others have already gone boldly and taken care of this.  Head over to Adam's site and pick up the kernel and modules, reboot, set up the repository and you're off to the races.  There are some scripts out there to set up hotkeys, etc., but I didn't really care for those, preferring to do it myself.  Check the wiki over at eeeuser.com and read all about it.

Bottom line?  It’s a great little machine.  About the only thing I haven’t done yet is setup my 3G card, because I haven’t gotten around to switching out my Verizon ExpressCard for a USB model, but stay tuned..