Monday, September 14, 2009

Surfnet IDS installation - Tunnel server (simplified version)

Continued from the log server installation guide (based on Ubuntu Server)

For my installation process, I installed the tunnel server after installing the log server.

Oh, I forgot to explain what the tunnel server does and what the heck the log server is.

The tunnel server, as the name implies, is basically where the OpenVPN server is located. This server is also used to start the Nepenthes service, which is the honeypot itself. Any attack on the server is recorded on the log server, which also has a web interface to display all the logged information. Below are the steps and notes to consider while installing the tunnel server.

Step 1 : follow basic installation instructions here
Step 2 : install ARP module from instructions here
Step 3 : Configure server according to your system with this as a guide
Step 4 : Install Nepenthes according to your system by following instructions here

Note:

- Key generation during the ARP module installation may take some time.
- The tunnel server .deb package does not include Nepenthes.
- Edit apache2's ports.conf to specify the IP and ports that the server listens on for connections.
- Make sure nepenthes.conf listens on 0.0.0.0 so that the system's sensor will have the same open ports as the tunnel server (the Nepenthes open ports).
- Restart Apache after making the configuration changes.
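
One way to check the ports.conf note before restarting Apache, as an added example that is not part of the original post or the SURFnet IDS packages: it lists every `Listen` directive that does not name an explicit IP. The sample file, the address 192.0.2.10, the ports and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Apache ports.conf for Listen directives that
# bind every address instead of one explicit IP.

# Print the address argument of each Listen directive in FILE that binds
# all addresses: bare port, 0.0.0.0:port, *:port or [::]:port.
wildcard_listens() {
    awk '
        { sub(/#.*/, "") }                    # drop comments first
        tolower($1) == "listen" && NF >= 2 {
            addr = $2
            if (addr ~ /^[0-9]+$/ ||
                addr ~ /^0\.0\.0\.0:[0-9]+$/ ||
                addr ~ /^\*:[0-9]+$/ ||
                addr ~ /^\[::\]:[0-9]+$/)
                print addr
        }
    ' "$1"
}

# Return 0 when every Listen names an explicit IP, 1 otherwise.
check_ports_conf() {
    found=$(wildcard_listens "$1")
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'wildcard Listen: %s\n' $found >&2
    return 1
}

# Write a constructed sample ports.conf (not from a real server) to FILE.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample ports.conf
Listen 80
Listen 192.0.2.10:4443
<IfModule mod_ssl.c>
    Listen 443   # still a wildcard bind
</IfModule>
#Listen 8080
Listen 0.0.0.0:8443
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample "$sample"
check_ports_conf "$sample" || echo "fix the directives above, then restart apache"
rm -f "$sample"
```

On a real tunnel server, point `check_ports_conf` at `/etc/apache2/ports.conf`.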
