This howto describes how to install Prelude IDS (LML, Manager, database, and Prewikka) on a Debian Etch, using the packages from unstable (which are backported to Etch in this repository).

Base Installation

Etch

We suppose that this part is ok, so you already have a working Debian Etch installation

The following packages are useful, so please check that they are installed correctly:

# apt-get install ntpdate
# apt-get install dbconfig-common

Database

At this point, you will have to choose between MySQL and PostgreSQL to store your alerts. Both are equivalent in terms of functionality; the differences mainly concern administration and performance. This howto works for both databases.

At the moment, the SQLite backend is not supported by the Debian package: SQLite support was added to dbconfig-common only very recently, and the package keeps compatibility with previous versions.

MySQL

There are several versions of MySQL available; the most recent is the best choice:

# apt-get install mysql-server

The default is to install MySQL without any root password. This is bad! Remember to set a password before continuing.

PostgreSQL

There are two versions of PostgreSQL in Etch: 7.4 and 8.1. There are huge differences between them, and the 8.x series is clearly better (functions and performance).

# apt-get install postgresql-8.1

The default configuration of PostgreSQL is to authenticate with ident (instead of passwords). As we don't want that (and don't trust ident anyway), edit the file /etc/postgresql/8.1/main/pg_hba.conf and comment out the ident line. You might also want to change the CIDR-ADDRESS if your database is not on the same host as the manager.

#local   all         all                               ident sameuser

Don't forget to reload the server:

# /etc/init.d/postgresql-8.1 reload
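As an added check (example script, not part of the original howto), the following POSIX shell script audits a pg_hba.conf in the 8.1 CIDR format: it lists the rules that are still active, counts those still using ident, and shows which host rules expose the database beyond loopback. The pg_hba.conf it audits is a constructed sample written inline.

```shell
#!/bin/sh
# Added example (not from the original howto): audit a pg_hba.conf in the
# PostgreSQL 8.1 CIDR format and report which rules are still active once the
# ident line has been commented out.
# Assumed column layout: TYPE DATABASE USER [CIDR-ADDRESS] METHOD [OPTION]

# Print active (non-comment, non-empty) rules as "TYPE METHOD ADDRESS";
# "local" rules have no address, so "-" is printed for them.
active_hba_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    awk '$1 == "local" { printf "%s %s -\n", $1, $4; next }
                       { printf "%s %s %s\n", $1, $5, $4 }'
}

# Number of active rules still using ident (on Debian, normally only the one
# for the "postgres" superuser remains).
count_ident_rules() {
    active_hba_rules "$1" | awk '$2 == "ident" { n++ } END { print n + 0 }'
}

# Active host rules whose address is not loopback: these expose the database
# on the network and are only needed when the manager runs on another host.
remote_host_rules() {
    active_hba_rules "$1" |
    awk '$1 ~ /^host/ && $3 != "127.0.0.1/32" && $3 != "::1/128"'
}

# Constructed sample, modelled on an Etch pg_hba.conf after the "local all all
# ident" line was commented out and a rule for a remote manager was added.
write_sample_hba() {
cat > "$1" <<'EOF'
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
local   all         postgres                          ident sameuser
#local   all         all                               ident sameuser
local   all         all                               md5
host    all         all         127.0.0.1/32          md5
host    prelude     prelude     192.168.66.0/24       md5
host    all         all         ::1/128               md5
EOF
}

# Demo on the sample; on a real host use /etc/postgresql/8.1/main/pg_hba.conf.
sample=$(mktemp)
write_sample_hba "$sample"
echo "active rules:";          active_hba_rules "$sample"
echo "ident rules left:";      count_ident_rules "$sample"
echo "network-exposed rules:"; remote_host_rules "$sample"
rm -f "$sample"
```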

Prelude-Manager

Normally, we would have to compile and install libprelude and libpreludedb, and then create the databases. Fortunately, the packages are here to simplify these tasks.

Just add the following to /etc/apt/sources.list:

deb http://packages.inl.fr/ stable/

Don't forget the trailing / after stable, or it won't work.

Download the repository's public key and import it into apt's trusted keyring:

# wget 'http://packages.inl.fr/public_key.asc'
# cat public_key.asc | apt-key add -
# rm public_key.asc

Run apt-get update.

Install the package prelude-manager. apt-get will take care of installing the required dependencies.

# apt-get install prelude-manager
- Using default TLS settings from /etc/prelude/default/tls.conf:
  - Generated key size: 1024 bits.
  - Authority certificate lifetime: unlimited.
  - Generated certificate lifetime: unlimited.

- Creating analyzer prelude-manager.
  - Creating /etc/prelude/profile/prelude-manager...
  - Allocated ident for prelude-manager: 4232957740008155.
    - Generating RSA private key... This might take a very long time.
      [Increasing system activity will speed-up the process.]

    - Generating 1024 bits RSA private key...

During the installation, the manager will create the profile for the prelude user. This can take a (very) long time, since GnuTLS reads from /dev/random instead of /dev/urandom (for security reasons). This may change in the future (maybe with an option for faster, but cryptographically weaker, key generation).

dbconfig-common will then ask whether you want it to configure the database automatically. If you don't, just say no and configure everything manually (the SQL scripts are in the directory /usr/share/libpreludedb/). Let's suppose the answer is yes.

Note: the number of questions may vary, depending on the debconf verbosity (set using dpkg-reconfigure debconf) and the dbconfig-common parameters in the file /etc/dbconfig-common/config.

configure database with dbconfig-common: yes
database type:

Set the type to the database you previously installed.

(For MySQL)

Database admin password: ******

dbconfig-common will ask for a password for the 'prelude' database user. If you don't provide one (just press Enter), it will generate a random one. Don't worry, the configuration file will be updated automatically.

dbconfig-common: writing config to /etc/dbconfig-common/prelude-manager.conf

Creating config file /etc/dbconfig-common/prelude-manager.conf with new version
granting access to database prelude for prelude@localhost: success.
verifying access for prelude@localhost: success.
creating database prelude: success.
verifying database prelude exists: success.
populating database via sql...  done.
dbconfig-common: flushing administrative password
Starting Prelude Manager: prelude-manager.

The Debian package automagically creates the user and the database, grants the permissions, populates the database with the SQL script, and updates the parameters in /etc/prelude-manager/prelude-manager.conf (yes, that's all).

Prelude-Manager should now be running:

# ps auxw | grep manager
prelude  28530  0.0  0.1  59384  4480 ?        Ssl  13:49   0:00 /usr/sbin/prelude-manager

The first part is over, you now have a manager up and running.

Listen address

The default listen address is localhost (127.0.0.1). You have to change it before sensors running on other hosts can connect.

Edit /etc/prelude-manager/prelude-manager.conf:

listen = 192.168.66.1

Restart the server, and check the address:

# /etc/init.d/prelude-manager stop   
Stopping Prelude Manager: prelude-manager.
# /etc/init.d/prelude-manager start
Starting Prelude Manager: prelude-manager.
# netstat -pantu | grep prelude
tcp        0      0 192.168.66.1:4690          0.0.0.0:*      LISTEN     30544/prelude-manager

Prelude-LML (aka, give me sensors)

You need to install prelude-lml on every host you want to monitor. Prelude-LML analyzes your logs and reports events to the manager.

# apt-get install prelude-lml
...
Starting Prelude LML: prelude-lml.

Before it can be used, two things need to be done:

  • The address of the manager must be configured on the lml
  • The manager won't trust sensors, until they are registered

Manager address

The address of the manager is stored in the file /etc/prelude/default/client.conf:

[prelude]
server-addr = 192.168.66.1

Registering sensor

Registering the sensor is a four-step process, which requires running commands on both the sensor and the manager:

  • On the LML client, run the register command:
    # prelude-adduser register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0

Tip: if you don't remember the command, just run prelude-lml. Since it is not registered, it will fail, but it is smart enough to display the help:

# prelude-lml 
- Subscribing plugin pcre[default]
- pcre plugin loaded 394 rules.
- Monitoring /var/log/messages through pcre[default]
* WARNING: /var/log/everything/current does not exist.
* WARNING: /var/log/apache2/access_log does not exist.
prelude-client: error starting prelude-client: could not open '/etc/prelude/profile/prelude-lml/analyzerid' for reading

Profile 'prelude-lml' does not exist. In order to create it, please run:
prelude-adduser register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0.

LML must be registered with uid and gid 0, since the process runs as root (to be able to read the logs).

LML will then ask for the one-time password (OTP), which is provided by the manager:

  Enter the one-shot password provided by the "prelude-adduser" program:
  - enter registration one-shot password:
  • On the manager, run the following:
    # prelude-adduser registration-server prelude-manager
    ...
    - Starting registration server.
      - generated one-shot password is "l2b63ytl".
    ...

  • Enter the password at the LML prompt:
      - enter registration one-shot password: 
      - confirm registration one-shot password: 
      - connecting to registration server (127.0.0.1:5553)...
      - Anonymous authentication to registration-server successful.
      - Sending certificate request.

The LML is now waiting for the Manager to sign the certificate.

  • On the manager, validate the certificate signing request:
      - Anonymous authentication one-shot password check successful.
      - Waiting for client certificate request.
      - Analyzer with ID="3559090256170900" ask for registration with permission="idmef:w".
        Approve registration [y/n]: y

The certificate is generated and sent to the client:

    Registering analyzer "3559090256170900" with permission "idmef:w".
  - Generating signed certificate for client.
  - Sending server certificate to client.
  - ::ffff:127.0.0.1:47054 successfully registered.

  • The LML registration succeeds:
      - Receiving signed certificate.
      - Receiving CA certificate.
    - prelude-lml registration to 127.0.0.1 successful.

Now the manager and the sensor have a trust relationship and can exchange messages.

If you find this process difficult, just think of it as a secure registration process (you don't want to know what would happen if the manager blindly trusted unknown sources). In the future, some changes will make it easier while keeping the same level of security.

Finally, the LML sensor should be up too:

# /etc/init.d/prelude-lml start
Starting Prelude LML: prelude-lml.
# ps auxw | grep lml
root      1946  0.3  0.0  20856  3424 ?        Ss   14:35   0:00 /usr/bin/prelude-lml -d -q -P /var/run/prelude-lml.pid

For a detailed explanation of the registration process, see the Prelude Handbook page.

Prewikka

Prewikka is a graphical frontend to Prelude, using a web server.

Installation

Prewikka requires two databases: one to read the Prelude alerts (the same one configured before), and one to store its own data (prewikka). Actually, the Debian package only creates the prewikka database and does not configure access to the Prelude alerts, so this part has to be done manually.

Install prewikka:

# apt-get install prewikka

The package will install the required dependencies (Python, for example) and will ask for the database configuration. As for Prelude, we choose to use dbconfig-common, give the administrator password, and press Enter for the DB password to let dbconfig-common generate one for us.

Configure prelude-manager access

Get the password from the prelude-manager configuration file (/etc/prelude-manager/prelude-manager.conf) and edit the prewikka configuration file (/etc/prewikka/prewikka.conf):

[idmef_database]
type: mysql
host: localhost
user: prelude
pass: **********
name: prelude

The [database] section is automatically configured by dbconfig-common, so do not modify it.
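As an added example (not from the original howto or the Prelude project), this shell script generates the [idmef_database] section from the [db] section of prelude-manager.conf, so the password is copied rather than retyped, and checks that the files holding that password are not world-readable. The [db] key names (type, host, port, name, user, pass) are an assumption, and the manager config it reads is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the original howto): build the [idmef_database]
# section of prewikka.conf from the [db] section of prelude-manager.conf, and
# check that the files holding the database password are not world-readable.
# Assumed: prelude-manager.conf has an INI "[db]" section with "key = value"
# lines named type, host, port, name, user and pass.
# Print "key<TAB>value" for every setting in section $2 of file $1.
ini_section() {
    awk -v want="[$2]" '
        /^[[:space:]]*[#;]/ { next }                       # comment line
        /^[[:space:]]*\[/   { insec = ($1 == want); next }  # section header
        insec && /=/ {
            k = $0; sub(/^[[:space:]]*/, "", k); sub(/[[:space:]]*=.*/, "", k)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            print k "\t" v
        }' "$1"
}

# Emit the prewikka section in its "key: value" style; "port" is dropped
# because the page's example does not use it.
prewikka_idmef_section() {
    printf '[idmef_database]\n'
    ini_section "$1" db |
    awk -F'\t' '$1 ~ /^(type|host|user|pass|name)$/ { printf "%s: %s\n", $1, $2 }'
}

# Exit 0 when "other" can read the file (a password file should be 0640 or stricter).
world_readable() {
    [ -n "$(find "$1" -perm -004)" ]
}

# Constructed sample, modelled on the keys dbconfig-common fills in.
write_sample_manager_conf() {
cat > "$1" <<'EOF'
[db]
type = mysql
host = localhost
port = 3306
name = prelude
user = prelude
pass = s3cret-example
EOF
}
# Demo; on a real host use /etc/prelude-manager/prelude-manager.conf instead.
sample=$(mktemp)
write_sample_manager_conf "$sample"
prewikka_idmef_section "$sample"
world_readable "$sample" && echo "WARNING: $sample is world-readable"
rm -f "$sample"
```

The same check applies to /etc/prewikka/prewikka.conf once the section has been pasted in, since it then holds the same password.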

Web server configuration

The configuration is explained in the file /usr/share/doc/prewikka/README.Debian. You can choose between three configurations:

  • Apache / CGI setup with VirtualHost
  • Apache / mod_python setup with VirtualHost
  • Prewikka from the command line tool

Apache / CGI setup with VirtualHost

Apache / mod_python setup with VirtualHost

The configuration described here shows how to set up a dedicated server for prewikka. If you want to use only a VirtualHost, you have to change the corresponding directives in Apache (not covered here).

Install apache2:

# apt-get install apache2

Then install mod_python:

# apt-get install libapache2-mod-python

Create a file /etc/apache2/sites-available/prewikka containing the configuration:

NameVirtualHost *
<VirtualHost *>
        ServerAdmin admin@domain.com
        <Location />
                SetHandler mod_python
                PythonHandler prewikka.ModPythonHandler
                PythonOption PrewikkaConfig /etc/prewikka/prewikka.conf
        </Location>

        <Location /prewikka>
                SetHandler None
        </Location>

        Alias /prewikka /usr/share/prewikka/htdocs
        Alias /htdocs /usr/share/prewikka/htdocs
</VirtualHost>

Enable only this virtual host, since the server is dedicated:

# a2dissite 000-default
# a2ensite prewikka
# apache2ctl restart

Restart Apache, and you're done. The server is directly accessible at http://<yourserver>. The default login/password is admin/admin, so please change it immediately.

Command line tool

The last option is the most useful for testing. Just run:

prewikka-httpd

and point your browser to http://<yourserver>:8000. The default login/password is admin/admin, so please change it immediately.

For more details about Prewikka installation, see the Prelude Handbook Prewikka installation page.