How to Secure Your Linux Server Using Snort NIDS

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Snort is a free, open source and one of the most commonly used signature-based network intrusion detection systems (NIDS). It monitors the packet data sent and received through a specific network interface, performing protocol analysis, content searching and matching, real-time traffic analysis and packet logging on Internet Protocol (IP) networks. With Snort you can detect the most recent attacks, malware infections, compromised systems and network policy violations. Snort comes with a powerful set of features, such as detection of buffer overflows, stealth port scans, CGI attacks and thousands of other worms and exploit attempts. Snort is lightweight, so you can easily install it on the smallest cloud server instances.

In this tutorial, we will learn how to install and configure Snort NIDS on an Alibaba Cloud Elastic Compute Service (ECS) instance running Ubuntu 16.04.

Prerequisites

  1. A fresh Alibaba Cloud instance with Ubuntu 16.04 server installed.
  2. A static IP address 192.168.0.103 configured on the instance.
  3. A root password set up on the server.

Launch an Alibaba Cloud ECS Instance

First, log in to your Alibaba Cloud ECS console. Create a new ECS instance with Ubuntu 16.04 as the operating system and at least 2 GB of RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

Install Required Packages

Next, install all the dependencies required to install Snort with the following command:

Next, you will also need to install DAQ (Data Acquisition Package) on your system. First, download the latest version of DAQ using the following command:

Once the DAQ is downloaded, extract the downloaded file using the following command:

Next, change into the daq-2.0.6 directory and run the following command to compile and install DAQ:

Once DAQ is installed, you can proceed to install Snort.

Install Snort

By default, the latest version of Snort is not available in the Ubuntu 16.04 repository, so you will need to download the Snort source and compile it.

First, download Snort source code using the following command:

Next, extract the downloaded file with the following command:

Next, change into the snort-2.9.11.1 directory and compile it with the following command:

Next, update the shared libraries with the following command:

Next, create a symbolic link to the Snort binary using the following command:

Finally, check that Snort runs with the following command:

If everything is OK, you should see the following output:
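The install steps above, gathered into one script as an added example; these are not the article's own commands. It assumes the snort.org tarball URLs for the versions the article names (daq-2.0.6 and snort-2.9.11.1), the Ubuntu 16.04 package names listed in install_deps, and a work directory under /usr/src. DAQ is built first because Snort's configure script looks for it.

```shell
#!/bin/sh
# Added example (not the article's own commands): build DAQ and Snort from
# source on Ubuntu 16.04. Assumed: the snort.org tarball URLs and the package
# list below. Usage as root:  sh build-snort.sh install
set -eu

DAQ_VER="2.0.6"
SNORT_VER="2.9.11.1"
DL_BASE="https://www.snort.org/downloads/snort"      # assumed download location
WORK="${WORK:-/usr/src/snort-build}"                   # assumed build directory

# Build tools plus the libraries Snort 2.9.x links against (assumed package names).
install_deps() {
    apt-get update
    apt-get install -y build-essential bison flex wget libpcap-dev libpcre3-dev \
        libdumbnet-dev zlib1g-dev liblzma-dev openssl libssl-dev \
        libnghttp2-dev libluajit-5.1-dev
}

# Download, unpack, configure, build and install one tarball ($1 = name, $2 = version).
build_from_tarball() {
    name="$1"; ver="$2"
    mkdir -p "$WORK"
    cd "$WORK"
    [ -f "${name}-${ver}.tar.gz" ] || wget -q "${DL_BASE}/${name}-${ver}.tar.gz"
    tar -xzf "${name}-${ver}.tar.gz"
    cd "${name}-${ver}"
    ./configure
    make
    make install
}

# Extract the "Version x.y.z" token from a `snort -V` banner ($1) and compare it
# with the version we built ($2): prints the version found, returns 0 on a match.
check_snort_version() {
    banner="$1"; expected="$2"
    got=$(printf '%s\n' "$banner" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    printf '%s\n' "$got"
    [ "$got" = "$expected" ]
}

if [ "${1:-}" = "install" ]; then
    install_deps
    build_from_tarball daq "$DAQ_VER"
    build_from_tarball snort "$SNORT_VER"
    ldconfig                                      # register the freshly installed shared libraries
    ln -sf /usr/local/bin/snort /usr/sbin/snort   # put snort on root's PATH
    check_snort_version "$(snort -V 2>&1)" "$SNORT_VER"
fi
```

Run it as root with `sh build-snort.sh install`. The final check is what check_snort_version implements: it reads the banner that `snort -V` prints and only reports success when the version found on the PATH is the one just built, which catches a stale binary left behind by an earlier package install.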

Configure Snort

Snort can be run in three modes:

Sniffer Mode: In this mode, output is dumped to the terminal, so you see packets as a continuous live flow.

Packet Logger Mode: In this mode, packets are written to disk so you can inspect them later.

Network IDS Mode: In this mode, Snort compares the traffic it sees against a configured set of rules and raises an alert whenever a packet matches one.

In this tutorial, we will configure Snort for Network IDS (NIDS) Mode.

First, you will need to create a directory structure for Snort. You can do this by running the following command:

Next, set the appropriate permissions on all the directories:

Next, copy all the configuration files from Snort source:

Next, comment out all rulesets with the following command:

Next, you will need to edit the Snort configuration file. You can do this using the following command:

Make the following changes:

Save and close the file, when you are finished. Then, validate the configuration file with the following command:

You should see the following output:
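An added example of the configuration steps in this section, written as a script rather than as the article's individual commands. It assumes a dedicated unprivileged snort user and group (Snort starts as root to open the interface and drops privileges with -u/-g), the Snort source unpacked under /usr/src/snort-build, and a HOME_NET of 192.168.0.0/24 to match the server address the article uses; those values are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example (not the article's commands): lay out /etc/snort for NIDS mode
# and adjust snort.conf. Assumed: an unprivileged "snort" user, the source tree
# path in SRC and the snort.conf settings below.
set -eu

SNORT_ETC="${SNORT_ETC:-/etc/snort}"
SNORT_LOG="${SNORT_LOG:-/var/log/snort}"
SRC="${SRC:-/usr/src/snort-build/snort-2.9.11.1}"   # unpacked source, assumed path

# Directories Snort expects, owned by an unprivileged user. Snort itself starts
# as root to open the interface and drops to this user with -u/-g.
make_snort_dirs() {
    getent group snort >/dev/null || groupadd -r snort
    getent passwd snort >/dev/null || useradd -r -g snort -s /usr/sbin/nologin -d "$SNORT_LOG" snort
    mkdir -p "$SNORT_ETC/rules" "$SNORT_ETC/preproc_rules" "$SNORT_LOG" /usr/local/lib/snort_dynamicrules
    for f in local.rules white_list.rules black_list.rules; do
        touch "$SNORT_ETC/rules/$f"
    done
    touch "$SNORT_ETC/sid-msg.map"
    chown -R snort:snort "$SNORT_ETC" "$SNORT_LOG" /usr/local/lib/snort_dynamicrules
    chmod -R u=rwX,g=rX,o= "$SNORT_ETC" "$SNORT_LOG" /usr/local/lib/snort_dynamicrules
}

# Copy the stock configuration and classification maps out of the source tree.
install_base_config() {
    cp "$SRC"/etc/*.conf* "$SRC"/etc/*.map "$SNORT_ETC/"
}

# Comment out every "include $RULE_PATH/..." line in $1, then re-enable only
# local.rules, so the config references no rule file that is not on disk yet.
disable_rulesets() {
    conf="$1"
    sed -i -e 's|^include \$RULE_PATH/|#include $RULE_PATH/|' \
           -e 's|^#include \$RULE_PATH/local\.rules|include $RULE_PATH/local.rules|' "$conf"
}

# Point HOME_NET at the monitored network ($2) and the rule paths at $SNORT_ETC.
set_network_and_paths() {
    conf="$1"; home_net="$2"
    sed -i -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
           -e "s|^var RULE_PATH .*|var RULE_PATH $SNORT_ETC/rules|" \
           -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $SNORT_ETC/rules|" \
           -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $SNORT_ETC/rules|" "$conf"
}

# Number of ruleset includes still active in $1: a quick check before snort -T.
active_includes() {
    grep -c '^include \$RULE_PATH/' "$1" || true
}

# snort -T parses the configuration and rules, then exits without sniffing.
validate_config() {
    snort -T -u snort -g snort -c "$SNORT_ETC/snort.conf"
}

if [ "${1:-}" = "apply" ]; then
    make_snort_dirs
    install_base_config
    disable_rulesets "$SNORT_ETC/snort.conf"
    set_network_and_paths "$SNORT_ETC/snort.conf" "${2:-192.168.0.0/24}"
    validate_config
fi
```

`sh configure-snort.sh apply 192.168.0.0/24` lays out the directories, copies the stock config, comments out every ruleset include except local.rules and finishes with `snort -T`. Keeping the rewrite steps as functions that take a file path lets you try them on a copy of snort.conf and count the remaining includes before touching the live file.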

Test Snort

Snort is now installed and configured; it's time to test it.

First, create rules for FTP, ICMP, web and SSH traffic. These rules generate an alert whenever someone attempts a ping, SSH, FTP or web connection to the server. You can do this by editing the following file:

Add the following lines:

Save and close the file, when you are finished.
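An added example of the rules this section describes, with a linter in front of them; both the rules and the checks are this example's, not the article's. It assumes /etc/snort/rules/local.rules as the rules path, a snort user that owns it, and the convention that locally written rules use sids of 1000000 and above so they never collide with the official rule sets.

```shell
#!/bin/sh
# Added example (not the article's own rules): write the four local rules and
# lint them before Snort loads them. Assumed: the rules path below, a "snort"
# owner, and local sids starting at 1000000 (lower numbers belong to the
# official rule sets).
set -eu

RULES_FILE="${RULES_FILE:-/etc/snort/rules/local.rules}"

# One rule per service. flags:S matches only the SYN, so a connection attempt
# produces one alert instead of one per packet; itype:8 keeps the ICMP rule to
# echo requests (pings); classtype gives the alert a classification and priority.
local_rules() {
    cat <<'EOF'
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; flags:S; classtype:attempted-recon; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB connection attempt"; flags:S; classtype:attempted-recon; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; classtype:attempted-recon; sid:1000004; rev:1;)
EOF
}

# Static checks on a rules file ($1): a known action, msg, sid and rev on every
# rule, sids unique and in the local range. Prints each problem as
# file:line: reason and returns 1 if it found any (Snort would refuse the file).
lint_rules() {
    awk '
        function bad(why) { print FILENAME ":" NR ": " why; errors++ }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        !/^(alert|log|pass|drop|reject|sdrop) / { bad("unknown action"); next }
        !/msg:[^;]+;/ { bad("missing msg") }
        !/rev:[0-9]+;/ { bad("missing rev") }
        {
            if (match($0, /sid:[0-9]+;/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 5) + 0
                if (sid < 1000000) bad("sid " sid " is outside the local range")
                if (sid in seen)   bad("sid " sid " already used on line " seen[sid])
                seen[sid] = NR
            } else {
                bad("missing sid")
            }
        }
        END { exit errors ? 1 : 0 }
    ' "$1"
}

# Lint a candidate copy first; only a clean file replaces the live one.
install_local_rules() {
    candidate=$(mktemp)
    local_rules > "$candidate"
    lint_rules "$candidate"
    install -o snort -g snort -m 0640 "$candidate" "$RULES_FILE"
    rm -f "$candidate"
}

if [ "${1:-}" = "install" ]; then
    install_local_rules
fi
```

Duplicate or missing sids and a missing rev are the usual reasons a freshly edited local.rules makes Snort refuse to start, so install_local_rules lints a candidate copy and only then installs it. The flags:S option is a deliberate refinement over a bare port match: it alerts once per connection attempt rather than on every packet of an established session, which keeps the alert file readable.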

Now, start Snort daemon in Network IDS mode from the terminal and tell it to output any alert to the console:

Snort is now up and listening on interface eth0.

Next, from a remote machine, make SSH, FTP, ICMP and web connection attempts with the following commands:

Note: 192.168.0.103 is the IP address of the Snort server.

On the Snort server, you should see the following output:

You can stop Snort at any time by pressing Ctrl+C from your keyboard.

Create Snort Upstart Script

You will also need to create an Upstart script so that Snort starts at boot time. You can do this by creating the following file:

Add the following lines:

Save the file when you are finished, then start the Snort service and enable it to start at boot time with the following commands:

You can check the status of Snort using the following command:

You should see the following output:

You can also review the connection attempts recorded on the Snort server later using the following command:

Output:
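The console output in the test section and the alert file checked here share Snort's one-line "fast" alert format. As an added example (not part of the article), the following script parses that format and summarises alerts by signature and by source address. The alert file path and the lines in sample_alerts are assumptions; the sample lines are constructed to look like what four local rules for FTP, ICMP, web and SSH would produce, not captured output.

```shell
#!/bin/sh
# Added example (not from the article): summarise Snort "fast" alert lines, the
# one-line format printed by -A console and written by -A fast. Assumed: the
# alert file path and the constructed sample lines in sample_alerts.
set -eu

ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"

# Constructed sample output in fast format (two hosts probing the Snort server).
sample_alerts() {
    cat <<'EOF'
01/10-14:23:11.123456  [**] [1:1000002:1] ICMP echo request [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.0.105 -> 192.168.0.103
01/10-14:23:12.223456  [**] [1:1000002:1] ICMP echo request [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.0.105 -> 192.168.0.103
01/10-14:23:40.654321  [**] [1:1000004:1] SSH connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.105:51234 -> 192.168.0.103:22
01/10-14:24:02.000001  [**] [1:1000003:1] WEB connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.120:40022 -> 192.168.0.103:80
01/10-14:25:17.777777  [**] [1:1000001:1] FTP connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.120:40100 -> 192.168.0.103:21
EOF
}

# Turn each alert line into tab-separated fields: sid, message, protocol,
# source IP, destination IP (ports stripped). Lines without a [gid:sid:rev]
# tag, such as Snort's startup banner, are skipped.
parse_alerts() {
    awk '
    {
        if (!match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) next
        split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")   # gid:sid:rev
        rest = substr($0, RSTART + RLENGTH + 1)                # text after the tag
        msg = rest;  sub(/ \[\*\*\].*/, "", msg)              # up to the closing [**]
        proto = rest; sub(/.*[{]/, "", proto); sub(/[}].*/, "", proto)
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i - 1); dst = $(i + 1) }
        sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)
        print id[2] "\t" msg "\t" proto "\t" src "\t" dst
    }' "$@"
}

# Alerts per signature, most frequent first: "count<TAB>sid<TAB>message".
count_by_sid() {
    parse_alerts "$@" | awk -F '\t' '{ n[$1 "\t" $2]++ } END { for (k in n) print n[k] "\t" k }' | sort -rn
}

# Alerts per source address, most frequent first: "count<TAB>ip".
count_by_src() {
    parse_alerts "$@" | awk -F '\t' '{ n[$4]++ } END { for (k in n) print n[k] "\t" k }' | sort -rn
}

case "${1:-}" in
    demo) f=$(mktemp); sample_alerts > "$f"; count_by_sid "$f"; echo; count_by_src "$f"; rm -f "$f" ;;
    "")   : ;;
    *)    count_by_sid "$1"; echo; count_by_src "$1" ;;
esac
```

`sh alert-summary.sh /var/log/snort/alert` reports on the real file and `sh alert-summary.sh demo` runs over the built-in sample. Stripping the port from the source address is what makes the per-host count meaningful, since every TCP attempt arrives from a different ephemeral port.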

Congratulations! You have successfully installed and configured Snort NIDS on an Ubuntu 16.04 server. You can now monitor any connection attempt made to it.

Related Alibaba Cloud Products

Alibaba Cloud Anti-DDoS Basic is a cloud-based security service that integrates with Alibaba Cloud ECS instances to safeguard your data and applications from DDoS attacks, and provides increased visibility and control over your security measures.

As an Alibaba Cloud global service, Anti-DDoS Basic enables you to meet stringent security requirements for your cloud hosting architecture without any investment. This service is available to all Alibaba Cloud users free of charge.

Alibaba Cloud Server Guard protects servers from various malicious attacks by installing a lightweight agent on the server that provides cloud threat information linkage. It also provides real-time alerts in case of suspicious logins, and safeguards the servers from the website backdoor attacks.

The product is easy to use and set up, and provides you with a complete overview and analysis of your website and systems. This helps you increase the efficiency of your mission-critical applications.

CloudMonitor is a flexible monitoring service that provides in-depth insights into your cloud deployments. CloudMonitor provides advanced analytics on critical metrics such as CPU utilization, latency and also lets you customize metrics specific to business requirements.

You can closely monitor your resources in real time including ECS (Elastic Compute Service), RDS (Relational Database Service), Server Load Balancer, Block Storage volumes and tweak deployments to optimize performance and save on operational costs.

CloudMonitor also provides a solution that adds another layer of security to your cloud deployments as it can detect intrusions and security breaches according to the metrics you define. This can raise an alarm that you set through Social Networking Service (SNS), Social Messaging Service (SMS), Instant Messenger (Ali Trade Manager only) and/or email.

Reference:

https://www.alibabacloud.com/blog/how-secure-your-linux-server-using-snort-nids_593775?spm=a2c41.11721511.0.0
