IPS / IDS question / suggestion

Hello Forum,

Firstly, since this is my first post here, I wish to thank the Dev. Team for making this awesome system. :slight_smile: It helps me a lot, mainly because of the following:

  • It has PPPoE option
  • I can set static IP addresses for DHCP easily
  • It has IPS / IDS
  • I can set firewall rules fairly easy

I just have one question regarding usage: when I want to use the IPS, I constantly get an error when I make a modification to the rule level. The error says:

Task completed with errors
# (exit status )

Where can I look up the logs about it, so I can provide you some more information about the issue?

Also, where can I see, for example, banned IPs that have tried to SSH into our server and have been banned by Snort? At least I hope it bans and logs them. :slight_smile: This would be a good feature for the IPS page, not for the Log.

Another thing: I’ve found that the IPS is using Snort. I know Snort quite well, but I’ve been using Fail2Ban with more joy and effectiveness. Have you ever considered using it instead of Snort?

Hope I’ve not asked stupid questions. Looking forward to hearing from you!

Best Regards:
Imre Bertalan (Bert)

P.S.: Please do not ever remove the PPPoE function, since this is the only out-of-the-box server that still has it! Neither ClearOS nor Zentyal has it anymore… This makes NethServer very unique and awesome. :slight_smile:

Hi Imre, and welcome. You’ll be happy to know there are some community modules, like the ones from @stephdl, who kindly maintains a fail2ban implementation for NethServer.

About snort, you can read more here:
http://docs.nethserver.org/en/latest/snort.html

Regarding the error, you may find more info in /var/log/messages

Thank you, I’ve just found and installed it and am testing it now. I’m going to install it on the live server tonight. :slight_smile:

/var/log/messages

At the time of activating IPS:

Jan 18 16:16:23 firewall /sbin/e-smith/db[3941]: /var/lib/nethserver/db/configuration: OLD suricata=service|EveLog|no|status|disabled
Jan 18 16:16:23 firewall /sbin/e-smith/db[3941]: /var/lib/nethserver/db/configuration: NEW suricata=service|EveLog|no|status|enabled
Jan 18 16:16:24 firewall dbus[543]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Jan 18 16:16:24 firewall dbus-daemon: dbus[543]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Jan 18 16:16:24 firewall systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
Jan 18 16:16:24 firewall systemd: Starting Time & Date Service...
Jan 18 16:16:24 firewall dbus[543]: [system] Successfully activated service 'org.freedesktop.timedate1'
Jan 18 16:16:24 firewall dbus-daemon: dbus[543]: [system] Successfully activated service 'org.freedesktop.timedate1'
Jan 18 16:16:24 firewall systemd: Started Time & Date Service.
Jan 18 16:16:24 firewall /sbin/e-smith/db[3944]: /var/lib/nethserver/db/configuration: OLD firewall=configuration|CheckIP|8.8.8.8,208.67.222.222|Docker|disabled|ExternalPing|enabled|HairpinNat|disabled|MACValidation|disabled|MACValidationPolicy|drop|MaxNumberPacketLoss|5|MaxPercentPacketLoss|10|NotifyWan|disabled|NotifyWanFrom|root@localhost|NotifyWanTo|root@localhost|PingInterval|5|Policy|permissive|WanMode|balance|nfqueue|disabled
Jan 18 16:16:24 firewall /sbin/e-smith/db[3944]: /var/lib/nethserver/db/configuration: NEW firewall=configuration|CheckIP|8.8.8.8,208.67.222.222|Docker|disabled|ExternalPing|enabled|HairpinNat|disabled|MACValidation|disabled|MACValidationPolicy|drop|MaxNumberPacketLoss|5|MaxPercentPacketLoss|10|NotifyWan|disabled|NotifyWanFrom|root@localhost|NotifyWanTo|root@localhost|PingInterval|5|Policy|permissive|WanMode|balance|nfqueue|enabled
Jan 18 16:16:24 firewall esmith::event[3947]: Event: nethserver-pulledpork-save
Jan 18 16:16:24 firewall esmith::event[3947]: expanding /etc/snort/dropsid.conf
Jan 18 16:16:24 firewall esmith::event[3947]: expanding /etc/snort/pulledpork.conf
Jan 18 16:16:24 firewall esmith::event[3947]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.259969]
Jan 18 16:16:24 firewall esmith::event[3947]: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply: line 3: /usr/bin/pulledpork.pl: No such file or directory
Jan 18 16:16:24 firewall esmith::event[3947]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply FAILED: 127 [0.003784]
Jan 18 16:16:24 firewall esmith::event[3947]: Event: nethserver-pulledpork-save FAILED
Jan 18 16:16:24 firewall esmith::event[3954]: Event: nethserver-suricata-save
Jan 18 16:16:24 firewall esmith::event[3954]: expanding /etc/logrotate.d/suricata
Jan 18 16:16:24 firewall esmith::event[3954]: expanding /etc/suricata/suricata.yaml
Jan 18 16:16:24 firewall esmith::event[3954]: expanding /etc/sysconfig/suricata
Jan 18 16:16:24 firewall esmith::event[3954]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.247545]
Jan 18 16:16:25 firewall systemd: Reloading.
Jan 18 16:16:25 firewall systemd: [/usr/lib/systemd/system/microcode.service:10] Trailing garbage, ignoring.
Jan 18 16:16:25 firewall systemd: microcode.service lacks both ExecStart= and ExecStop= setting. Refusing.
Jan 18 16:16:25 firewall systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
Jan 18 16:16:25 firewall systemd: Started Suricata Intrusion Detection Service.
Jan 18 16:16:25 firewall systemd: Starting Suricata Intrusion Detection Service...
Jan 18 16:16:25 firewall suricata: 18/1/2017 -- 16:16:25 - <Notice> - This is Suricata version 3.1.3 RELEASE
Jan 18 16:16:25 firewall esmith::event[3954]: [INFO] suricata has been started
Jan 18 16:16:25 firewall esmith::event[3954]: 
Jan 18 16:16:25 firewall esmith::event[3954]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.245492]
Jan 18 16:16:25 firewall esmith::event[3954]: Event: nethserver-suricata-save SUCCESS
Jan 18 16:16:25 firewall suricata: 18/1/2017 -- 16:16:25 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/suricata.rules
Jan 18 16:16:25 firewall suricata: 18/1/2017 -- 16:16:25 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Jan 18 16:16:25 firewall suricata: 18/1/2017 -- 16:16:25 - <Notice> - all 6 packet processing threads, 4 management threads initialized, engine started.
Jan 18 16:16:25 firewall esmith::event[3985]: Event: firewall-adjust
Jan 18 16:16:25 firewall esmith::event[3986]: Event: nethserver-firewall-base-save firewall-adjust
Jan 18 16:16:25 firewall esmith::event[3986]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S02providers-cleanup SUCCESS [0.163304]
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/lsm/lsm.conf
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/actions
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/hosts
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/interfaces
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/maclist
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/mangle
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/masq
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/modules
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/nat
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/policy
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/providers
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/rtrules
Jan 18 16:16:25 firewall esmith::event[3986]: expanding /etc/shorewall/rules
Jan 18 16:16:26 firewall esmith::event[3986]: expanding /etc/shorewall/shorewall.conf
Jan 18 16:16:26 firewall esmith::event[3986]: expanding /etc/shorewall/stoppedrules
Jan 18 16:16:26 firewall esmith::event[3986]: expanding /etc/shorewall/tcinterfaces
Jan 18 16:16:26 firewall esmith::event[3986]: expanding /etc/shorewall/tcpri
Jan 18 16:16:26 firewall esmith::event[3986]: expanding /etc/shorewall/tunnels
Jan 18 16:16:26 firewall esmith::event[3986]: expanding /etc/shorewall/zones
Jan 18 16:16:26 firewall esmith::event[3986]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.4706]
Jan 18 16:16:26 firewall systemd: Reloading.
Jan 18 16:16:26 firewall systemd: [/usr/lib/systemd/system/microcode.service:10] Trailing garbage, ignoring.
Jan 18 16:16:26 firewall systemd: microcode.service lacks both ExecStart= and ExecStop= setting. Refusing.
Jan 18 16:16:26 firewall logger: Shorewall reloaded
Jan 18 16:16:26 firewall esmith::event[3986]: [NOTICE] Shorewall restart
Jan 18 16:16:26 firewall esmith::event[3986]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S89nethserver-shorewall-restart SUCCESS [0.844463]
Jan 18 16:16:27 firewall systemd: Reloading.
Jan 18 16:16:27 firewall systemd: [/usr/lib/systemd/system/microcode.service:10] Trailing garbage, ignoring.
Jan 18 16:16:27 firewall systemd: microcode.service lacks both ExecStart= and ExecStop= setting. Refusing.
Jan 18 16:16:27 firewall esmith::event[3986]: [INFO] lsm is disabled: skipped
Jan 18 16:16:27 firewall esmith::event[3986]: [INFO]
Jan 18 16:16:27 firewall esmith::event[3986]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.21234]
Jan 18 16:16:27 firewall esmith::event[3986]: Event: nethserver-firewall-base-save SUCCESS
Jan 18 16:16:27 firewall esmith::event[3985]: Action: /etc/e-smith/events/firewall-adjust/S20firewall-adjust SUCCESS [1.778278]
Jan 18 16:16:27 firewall esmith::event[3985]: Event: firewall-adjust SUCCESS
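The log above answers both of the questions in the thread at once: the esmith::event lines name the action that failed and its exit status (127, which the UI's "(exit status )" left blank, because /usr/bin/pulledpork.pl does not exist), and the Suricata lines show the engine starting "successfully" with zero rules loaded, i.e. an IPS that is enabled but inspecting nothing. The following triage script is an added example, not NethServer or Suricata code; it reads a /var/log/messages excerpt and reports exactly those two findings. The regular expressions are assumptions about the e-smith log format derived only from the lines in the post above, and the sample log embedded below is a subset of those lines.

```python
"""Triage a NethServer /var/log/messages excerpt for a failed IPS activation.

Added example (not NethServer code). It reports which e-smith action failed
and with what exit status, which file a failing script could not execute,
and whether Suricata came up with no rules loaded.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed line formats, derived only from the log lines in the post above.
EVENT_RESULT = re.compile(r"esmith::event\[(\d+)\]: Event: (\S+) (SUCCESS|FAILED)$")
EVENT_START = re.compile(r"esmith::event\[(\d+)\]: Event: (\S+)")
ACTION_RESULT = re.compile(
    r"esmith::event\[(\d+)\]: Action: (\S+) (SUCCESS|FAILED)(?:: (\d+))?")
SHELL_ENOENT = re.compile(
    r"esmith::event\[(\d+)\]: (\S+): line \d+: (\S+): No such file or directory")
SURICATA_UP = re.compile(r"suricata: .*This is Suricata version")
SURICATA_NO_RULES = re.compile(r"suricata: .*SC_ERR_NO_RULES_LOADED")


@dataclass
class FailedAction:
    event: str
    action: str
    exit_status: Optional[int]          # the value the UI's "(exit status )" omits
    missing_file: Optional[str] = None  # file a script tried to exec but could not find


@dataclass
class Triage:
    failed: List[FailedAction] = field(default_factory=list)
    suricata_started: bool = False
    suricata_rules_loaded: bool = True  # flipped only if suricata says otherwise

    @property
    def ips_inert(self) -> bool:
        """Suricata is running but has no rules, so it can alert on nothing."""
        return self.suricata_started and not self.suricata_rules_loaded


def triage(lines) -> Triage:
    """Parse syslog-style lines and collect failed actions and Suricata state."""
    result = Triage()
    event_of: Dict[str, str] = {}         # esmith pid -> event name
    pending_missing: Dict[str, str] = {}  # esmith pid -> missing executable
    for line in lines:
        line = line.rstrip("\n")
        if EVENT_RESULT.search(line):
            continue  # per-event summary; the failing action was already seen
        m = EVENT_START.search(line)
        if m:
            event_of.setdefault(m.group(1), m.group(2))
            continue
        m = SHELL_ENOENT.search(line)
        if m:
            pending_missing[m.group(1)] = m.group(3)
            continue
        m = ACTION_RESULT.search(line)
        if m and m.group(3) == "FAILED":
            pid = m.group(1)
            result.failed.append(FailedAction(
                event=event_of.get(pid, "?"),
                action=m.group(2),
                exit_status=int(m.group(4)) if m.group(4) else None,
                missing_file=pending_missing.pop(pid, None)))
            continue
        if SURICATA_UP.search(line):
            result.suricata_started = True
        elif SURICATA_NO_RULES.search(line):
            result.suricata_rules_loaded = False
    return result


def summarize(t: Triage) -> List[str]:
    """Human-readable findings, one per line."""
    out = []
    for f in t.failed:
        msg = f"event {f.event}: {f.action} failed (exit status {f.exit_status})"
        if f.missing_file:
            msg += f"; missing file {f.missing_file}"
        out.append(msg)
    if t.ips_inert:
        out.append("suricata started with zero rules loaded: "
                   "IPS is enabled but inspects nothing")
    return out


# Subset of the log lines from the post above (sample input for this example).
SAMPLE_LOG = """\
Jan 18 16:16:24 firewall esmith::event[3947]: Event: nethserver-pulledpork-save
Jan 18 16:16:24 firewall esmith::event[3947]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.259969]
Jan 18 16:16:24 firewall esmith::event[3947]: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply: line 3: /usr/bin/pulledpork.pl: No such file or directory
Jan 18 16:16:24 firewall esmith::event[3947]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply FAILED: 127 [0.003784]
Jan 18 16:16:24 firewall esmith::event[3947]: Event: nethserver-pulledpork-save FAILED
Jan 18 16:16:24 firewall esmith::event[3954]: Event: nethserver-suricata-save
Jan 18 16:16:25 firewall suricata: 18/1/2017 -- 16:16:25 - <Notice> - This is Suricata version 3.1.3 RELEASE
Jan 18 16:16:25 firewall esmith::event[3954]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.245492]
Jan 18 16:16:25 firewall esmith::event[3954]: Event: nethserver-suricata-save SUCCESS
Jan 18 16:16:25 firewall suricata: 18/1/2017 -- 16:16:25 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
"""

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG.splitlines()))))
```

Run it against the real file with `python3 triage.py < /var/log/messages` after replacing SAMPLE_LOG with `sys.stdin`; an empty report after the pulledpork fix is the check that both the rule download and the rule load actually succeeded, since a green "Event ... SUCCESS" for nethserver-suricata-save alone does not prove the IPS is doing anything.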

Oh, you are using NethServer 7. Then it comes with suricata. In my previous post I linked the manual for NethServer 6.8, not 7. Sorry.

No worries. :wink: I’m still in love with NS7 at the moment.

We should add an “S” to the Mass Effect N7 logo and voilà. :smiley:


EPEL recently released a new version of pulledpork which breaks our configuration.

We have two open issues:

Please be patient a couple of days, we will try to fix it and we will notify you! :wink:


The issue should be fixed, try to install the package from testing repo:

yum --enablerepo=nethserver-testing update nethserver-pulledpork

@Imre_Bertalan could you verify our issues? Let me know if you need further help