Snort Intrusion Detection / Prevention System on PFSense Firewall
- 1. Snort Intrusion Detection / Prevention System on PFSense Firewall Introduction Securing web applications is today's most common aspect of securing the enterprise. Web application hacking is on the rise with as many as 80% of cyber-attacks done at web application level or via the web. Most corporations have secured their data at the network level, but have overlooked the crucial step of checking whether their web applications are vulnerable to attack. Project idea This project is devoted to presenting a solution to protect web pages that acquire passwords and user names against HTML brute force. By performing a brute force password auditing against web servers that are using HTTP authentication with Nmap and detect this attack using snort IDS/IPS on PFSense Firewall. Project management methodology Waterfall model 1) Analysis & Design 2) Development 3) Testing 4) Documentation
- 2. Gant chart Task on every stage : Analysis & Design 1. Draft Environment 2. Install needed ISO
- 3. Development 1) Setup the environment 1. Setup virtual switches in VMware Workstation a. Vmnet2 -Host only with Subnet 192.168.40.0/24 b. Vmnet3 -Host only with Subnet 192.168.50.0/24 2. Setup victim webserver machine a. Setup Centos 7 virtual machine b. Setup web service with basic authentication i. Install httpd Command used : yum install -y httpd ii. Enable Basic Authentication to limit access on specific web pages which is http://192.168.40.200/auth-basic/ Command used : nano /etc/httpd/conf.d/auth_basic.conf <Directory /var/www/html/auth-basic> AuthType Basic AuthName "Basic Authentication" AuthUserFile /etc/httpd/conf/.htpasswd require valid-user </Directory> iii. use htpasswd command to create user account Command used : htpasswd -c /etc/httpd/conf/.htpasswd web c. Configure networking i. Static IP : 192.168. 40.200 ii. Netmask :255.255.255.0 iii. Gateway :192.168.40.250 3. Setup attacker machine a. Setup Kali Linux virtual machine b. Configure networking i. Static IP : 192.168. 50.11 ii. Netmask :255.255.255.0 iii. Gateway :192.168.50.250
- 4. 4. Setup normal user machine a. Setup Windows 8 machine b. Configure networking i. Static IP : 192.168. 50.100 ii. Netmask :255.255.255.0 iii. Gateway :192.168.50.250 5. Setup PFSense Firewall a. Setup PFSense machine b. Add network adapter i. DMZ interface for victim network (Vmnet2) ii. LAN interface for attacker network (Vmnet3) iii. WAN interface used to access internet (NAT) 2) Install Snort on PFSense as an Intrusion Prevention System 1. Install snort package form package manger on PFSense 2. Using your account to login on snort web site and generates Onikcode 3. From Global settings menu enter Oinkcode to download Snort VRT rules. 4. Click on the Update button to install rules on the snort We have installed snort community ,VRT ,emerging threats rules. 5. Ensuring a white listing of IP's a. create an Alias b. create a Pass list 3) Configure Snort to defend against the http-brute force attack 1. Configure snort on interfaces for port scan detection a. Add interface LAN b. edit the interface configuration LAN Categories c. Select desirable rules from this comprehensive list for LAN interface Check all Snort GPLv2 Community Rules
- 5. d. Add custom rules for detect http-brute force attack alert tcp !$HOME_NET any -> 192.168.40.200 80 (msg:"Login attempt to web server";content:"Authorization";sid:1000990) Testing 1. Perform http-brute force attack Use Nmap tool : Loading Nmap Script Engine and use http-brute script The http-brute script uses, by default, the database files usernames.lst and passwords.lst located at /nselib/data/ to try each password, for every user, to hopefully find a valid account. Command used : nmap -script http-brute -p 80 192.168.40.200 -d -- script-args http-brute.path=/auth-basic/ 1. Analyze Packets using Wireshark 2. Checked Alert 3. Checked blocked host the offending host will be blocked for 30-minute , non-offending will still be able to access the webserver during block period Software used : VMware Workstation 15 Pro Centos 7 Windows 8 Kali Linux Wireshark PFSense Snot package