Cloud Threat Protection with OSSEC and Suricata
The idea of this setup is to protect the Small Systems as well as we protect the Big Systems.
This solution uses a proven stack to protect webservers from modern threats. Using OSSEC, Suricata, and the built-in firewall capabilities of a modern Linux system it is possible to build a low maintenance and stable threat protection platform with relatively low performance impacts.
It’s been specifically designed to be simple. The idea is that it will keep you on a ‘need to know basis’ and otherwise stay quiet and do it’s job.
Overview
Together, these components protect a web server from hacks, bots, spammers, and other nasty network attacks.
The components of this system are:
- Suricata to detect malicious network traffic,
- OSSEC for system integrity checking and log analysis,
- MailGun for mail relay services
However, there are some substantial limitations of this system. Here’s what it’s not:
- NOT a performance monitoring system
- NOT a downtime detection system
- NOT really an IPS (OSSEC will block high-scoring threats)
- NOT an accounting/auditing system
- Probably not going to get you past a HIPAA/FIPS/PCI-DSS auditor - that will be a lot more involved
Note: IPv4 Addresses
Throughout this post, I will be using RFC-5737 specified public IPv4 addresses. These will represent the three hosts used:
| Name | Address |
|---|---|
| Server | 198.51.100.44 |
| Client | 203.0.113.12 |
| Hacker/Bot | 192.0.2.241 |
These IPv4 addresses are ‘fake’ and non-routable. Don’t try any weird stuff with these.
Configure Emails
Since the primary means for notifications will be good-old-Email, that’s the staring place.
Set up MailGun
To send monitoring emails we’ll set up MailGun as an SMTP relay. This simplifies things slighly by using a dedicated subdomain for mail relay where the Postfix server will connect. It also prevents the server from holding credentials for the main email account.
Mailgun is essentially free, but it does require payment information to prevent abuse of the system.
Once the account is set up, the domain ‘example.com’ is verified, the required TXT and MX records are added to the DNS zone. I will be working with ‘mail.example.com’ for this project, and my primary email server lives under the root ‘example.com’ domain.
After it’s set up, the wizard will produce a set of SMTP credentials. Save those for the next step.
Set up Postfix
On the server, a mail relay is set up using the Postfix package. This will let the server send emails to the admin mailbox, but it will not be able to receive any or read any mailboxes outside of its own spool.
First, install the packages on the server:
sudo apt install postfix mailutils
Then, the config can be written into /etc/postfix/main.cf
mynetworks = 127.0.0.0/8, [::1]/128
inet_interfaces = 127.0.0.1
relayhost = [smtp.mailgun.org]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/thawte_Primary_Root_CA.pem
smtp_use_tls = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
Then, the address where alerts will be received is added to /etc/aliases
postmaster: root
root: name@example.com
Next, the credentials can be added to /etc/postfix/sasl_passwd
[smtp.mailgun.org]:587 postmaster@mail.example.com:xxx-password-xxx
After the file is created, make sure the permissions are correct:
sudo chown root:root /etc/postfix/sasl_passwd
sudo chmod 0600 /etc/postfix/sasl_passwd
Once all the config files are in place the SASL db can be created.
sudo postmap /etc/postfix/sasl_passwd
Finally, the Postfix service can be restarted to pick up the new config.
sudo systemctl restart postfix
The mail relay can be tested by sending yourself an email:
echo "Hello!" | mail -s 'Test Email' you@example.com
If the email doesn’t arrive within a minute or two, double check the config and look in the syslog for clues.
Suricata Network IDS
Suricata is one of my all time favourite tools for security monitoring. It’s fast, scalable, uses surprisingly few resources, and creates high quality network alerts. I’ve previously used it in another project for a custom Firewall/IDS appliance. In this project, it will only be used to generate an alert feed.
Install Suricata
This will be a typical installation of Suricata based on the official Install Docs.
First, set up the Ubuntu PPA repository.
sudo add-apt-repository ppa:oisf/suricata-stable
The package lists will need to be refreshed before the package can be installed.
sudo apt update
Then the package itself, along with all the runtime dependancies, can be installed on the system.
sudo apt install suricata
Configure Suricata
Once installed, the most important config change to make is to disable the eve.json log output. While this is very useful when building a SIEM, we’re working on something much simpler, so the disk space usage of writing every single packet that hits the server isn’t a great idea.
These changes can be made towards the top of the default config file:
...
outptus:
...
- eve-log:
#enabled: yes
enabled: no
Make sure the classic snort-style output is enabled:
...
outputs:
- fast:
enabled: yes
filename: fast.log
append: yes
Otherwise, the default settings will be sufficient for this system.
sudo systemctl restart suricata
sudo systemctl enable suricata
Then a set of rules can be loaded. With version 4 and higher, all rule management is handled through the suricata-update utility. So, the initial set of rules (ET Open) can be downloaded and installed.
sudo suricata-update
sudo kill -USR2 `pidof suricata`
Examine the output of /var/log/suricata/suricata.log and check that all the rules were loaded correctly.
OSSEC Host IDS
OSSEC is a host-based Intrusion Detection System with a proven track record in the field. While it is very scalable and can connect hundreds of nodes to a central server, for this deployment we will install a single standalone system.
Install OSSEC
The OSSEC mainainers have published an easy-install script. It seems to work fairly well for setting up the Apt repository and keys.
wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
Once the repository is set up, update the package lists:
sudo apt update
And install OSSEC.
sudo apt install ossec-hids-server
Once the package and dependancies are installed, stop the service until it can be fully configured.
sudo systemctl stop ossec
Configure OSSEC
Most of the configuration pieces for OSSEC are hidden from normal linux users, so for the rest of this seciton we’ll have to run as an interactive root user:
sudo -i
cd /var/ossec
The main configuration file is located at /var/ossec/etc/ossec.conf and is structured as XML. The first part to change is the email notification settings inside the ‘global’ section. The notable piece is that ossec itself is not sending email directly - instead, it’s handing it off to the local Postfix relay server on localhost.
<global>
<email_notification>yes</email_notification>
<email_to>name@example.com</email_to>
<smtp_server>localhost</smtp_server>
<email_from>ossec@mail.example.com</email_from>
<email_maxperhour>6</email_maxperhour>
</global>
If desired, you can whitelist your own IPv4 address as well. This will prevent being locked out of the system if you do something dumb.
<global>
<white_list>203.0.113.12</white_list>
</global>
Next, modify the email alert threshold if desired. The default level is ‘7’ - Which does give a lot of useful albeit slightly spammy notifications about integrity changes. If this isn’t desired it can be increased. In my case, I prefer to set up unattended-upgrades on my cloud servers so that they stay up to date on security patches. This can generate lots of unnecessary email alerts that are just annoying. Like everything security related, there are tradeoffs.
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>9</email_alert_level>
</alerts>
Active Responses
Active-response is a built in system that will take action to block a detected attack. In a base OSSEC install it is configured reasonably - however once we add network alerts it can quickly start to block legitimate traffic. So, the default intervention level will be increased from 7 to 9. I also suggest decreasing the ‘ban time’ from the default (30 minutes) to 5 minutes until all the false-positives can be resolved.
<!-- Active Response Config -->
<active-response>
<command>host-deny</command>
<location>local</location>
<level>9</level>
<timeout>300</timeout>
</active-response>
<active-response>
<command>firewall-drop</command>
<location>local</location>
<level>9</level>
<timeout>300</timeout>
</active-response>
Full documentation for this feature is available in the ossec manual.
Integrate Suricata logs into OSSEC
Finally, the most important piece of the puzzle is to direct OSSEC to read the Suricata alert log. This gives the monitoring system full visibility into both OS behaviour, and incoming/outgoing network activity.
<localfile>
<log_format>snort-fast</log_format>
<location>/var/log/suricata/fast.log</location>
</localfile>
Once complete, the OSSEC service can be started.
sudo systemctl start ossec
The log file, /var/ossec/logs/ossec.log can be checked for errors after startup. If it’s successful, there should be an email sent within a minute of startup.
OSSEC HIDS Notification.
2020 May 16 02:17:16
Received From: my-cool-server->ossec-monitord
Rule: 502 fired (level 3) -> "Ossec server started."
Portion of the log(s):
ossec: Ossec started.
Create Alert Rules
After the service iteslf is configured, there are a few tweaks to make.
Without adding custom rules, OSSEC’s understanding of Network IDS alerts is fairly basic, only generating a level 8 alert the first time a ‘new’ Suricata/Snort alert is fired. Fortunately, we can add some rules to help make sense of the Suricata output. Remember, suricata alerts range from 1-3 with 1 being most severe, and ossec alerts range from 0-15 with 15 being most severe.
| Rule ID | OSSEC Level | Suricata Level | Alert Count |
|---|---|---|---|
| 3000001 | 7 | 2 | 1 |
| 3000002 | 8 | 2 | 5 |
| 3000003 | 9 | 2 | 10 |
| 3000004 | 10 | 2 | 20 |
| 3000005 | 11 | 2 | 50 |
| 3000011 | 10 | 1 | 1 |
| 3000012 | 11 | 1 | 5 |
| 3000013 | 12 | 1 | 10 |
| 3000014 | 13 | 1 | 20 |
| 3000015 | 14 | 1 | 50 |
These rules can be added to the /var/ossec/rules/local_rules.xml file.
Most important is to establish OSSEC alerts for the higher severity Suricata alerts:
<group name="snort-fast,">
<!-- Alert if a level 1 threat is identified -->
<rule id="300011" level="10">
<category>ids</category>
<match>[Priority: 1]</match>
<description>Suricata level 1 alert</description>
</rule>
<!-- Alert if multiple level 1 threats are identified -->
<rule id="300012" level="11" frequency="5" timeframe="120" ignore="90">
<if_matched_sid>300011</if_matched_sid>
<same_source_ip />
<description>Many high-severity Suricata alerts</description>
</rule>
<rule id="300013" level="12" frequency="10" timeframe="120" ignore="90">
<if_matched_sid>300011</if_matched_sid>
<same_source_ip />
<description>Several high-severity Suricata alerts</description>
</rule>
<rule id="300014" level="13" frequency="20" timeframe="120" ignore="90">
<if_matched_sid>300011</if_matched_sid>
<same_source_ip />
<description>Numerous high-severity Suricata alerts</description>
</rule>
<rule id="3000015" level="14" frequency="50" timeframe="120" ignore="90">
<if_matched_sid>300011</if_matched_sid>
<same_source_ip />
<description>Multiple high-severity Suricata alerts</description>
</rule>
</group>
Then additional rules can be created to deal with less-severe Suricata alerts:
<group name="snort-fast,">
<!-- Alert if a level 2 threat is identified -->
<rule id="300001" level="7">
<category>ids</category>
<match>[Priority: 2]</match>
<description>Suricata level 2 alert</description>
</rule>
<!-- Alert if multiple level 2 threats are identified -->
<rule id="300002" level="8" frequency="5" timeframe="120" ignore="90">
<if_matched_sid>300001</if_matched_sid>
<same_source_ip />
<description>Many medium-severity Suricata alerts</description>
</rule>
<rule id="300003" level="9" frequency="10" timeframe="120" ignore="90">
<if_matched_sid>300001</if_matched_sid>
<same_source_ip />
<description>Several medium-severity Suricata alerts</description>
</rule>
<rule id="300004" level="10" frequency="20" timeframe="120" ignore="90">
<if_matched_sid>300001</if_matched_sid>
<same_source_ip />
<description>Numerous medium-severity Suricata alerts</description>
</rule>
<rule id="300005" level="11" frequency="50" timeframe="120" ignore="90">
<if_matched_sid>300001</if_matched_sid>
<same_source_ip />
<description>Multiple medium-severity Suricata alerts</description>
</rule>
</group>
Finally, reload the service for the rules to update.
/var/ossec/bin/ossec_control reload
Check for errors in the log file - /var/ossec/logs/ossec.log
Test Alerts
Once set up, a few tests can be performed on the system. The most likely to create an alert is to simply nmap the system:
nmap -A 198.51.100.44
Within a second or two there will be many alerts generated in the suricata log file. Then, OSSEC will pick these up and add them to the alerts spool. Next these alerts will be aggregated and counted which should trigger the higher-severity events. And, ideally this will generate an email alert like this one:
OSSEC HIDS Notification.
2020 May 14 22:10:18
Received From: my-cool-server->/var/log/suricata/fast.log
Rule: 300012 fired (level 11) -> "Many high-severity Suricata alerts"
Src IP: 192.0.2.241
Dst IP: 198.51.100.44
Portion of the log(s):
05/14/2020-22:10:17.391373 [**] [1:2024364:3] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.241:35004 -> 198.51.100.44:80
....
--END OF NOTIFICATION
If you’re lucky, this will also kick in an active response. When this happens, OSSEC will add a firewall block to IPTables preventing any communication with the ‘offending’ endpoint.
Real Alerts
After a couple days of being exposed to the internet, it’s quite likely that one or two bots will try to hack your server. So, given some time there should be an email or two like this:
OSSEC HIDS Notification.
2020 May 17 20:16:34
Received From: my-cool-server->/var/log/suricata/fast.log
Rule: 300011 fired (level 10) -> "Suricata level 1 alert"
Src IP: 192.0.2.241
Dst IP: 198.51.100.44
Portion of the log(s):
05/17/2020-20:16:33.926136 [**] [1:2029790:3] ET SCAN ELF/Mirai Variant User-Agent (Inbound) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.241:47586 -> 198.51.100.44:80
--END OF NOTIFICATION
This means that a real live Marai botnet node tried to assimilate my box!
Since it generated a high severity network alert, the intrusion was immediately blocked and the offending IP banned. You can find this in the log file:
/var/ossec/logs/active-responses.log
Sun May 17 21:11:31 UTC 2020 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.241 1589749891.52882 300001
This can also be verified by checking IPtables rules:
sudo iptables -L -v
Conclusion
After all the pieces are set up, this becomes a fairly low maintenance system. Of course, there will be incidents where the IDS/IPS blocks some legitimate traffic. But that’s part of life in the modern security landscape.
With high profile hacks and cyberattacks more and more frequently, it’s all of our responsibility to do our best to secure our servers to the best of our abilities.
If you have any suggestions, feel free to reach out. Quarantine is killing me!