December 11, 2000, 4:29 PM — In our last column, we talked about the dangers of distributed denial-of-service attacks and the need to install intrusion detection hardware. This week we'll start putting such a system together.

First, get your hands on a desktop system that isn't being used. You don't need fancy video or sound cards -- a bare-bones unit will do just fine. We used a Dell OptiPlex with a 300 MHz Pentium II CPU. But don't scrimp on the memory. 128 MB is the minimum, though 256 MB is better. Disk space isn't critical for what we'll be asking the system to do; as long as you have at least 4 GB, you'll be fine.

You'll need a good 10/100 network interface card to make this unit shine. Don't cut corners; a dime-store NIC can really bog the system down. We used D-Link's DFE-530TX (http://www.dlink.com/products/adapters/dfe530tx/). Install the NIC before you configure the OS -- that way, it will be autodetected.

We used Red Hat Linux 6.1 for the operating system. Follow the instructions for a basic installation. You don't need X Window support, but it comes in handy for remote configuration, so we recommend installing it.

Finish up by configuring the NIC. You don't want your intrusion detection system changing IP addresses, so assign a static IP address. Don't forget to configure TCP Wrapper (ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.BLURB), a utility that lets you restrict access to your system to a limited group of workstations. A hacked intrusion detection system won't be of much use to you.

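As an added example (not from the column, and not the tcp_wrappers code itself): a simplified Python model of the decision tcpd makes for a wrapped service, fed with a constructed hosts.allow/hosts.deny pair that limits sshd to two admin workstations. It models only the ALL wildcard, exact IPv4 addresses, trailing-dot prefixes and net/mask patterns; hostnames, EXCEPT clauses and spawned commands are left out.

```python
import ipaddress

# Constructed sample files: only two admin workstations may reach sshd; every
# other client is refused access to every wrapped service.
HOSTS_ALLOW = """
# /etc/hosts.allow (constructed example)
sshd : 192.168.1.10 192.168.1.11
"""
HOSTS_DENY = """
# /etc/hosts.deny (constructed example)
ALL : ALL
"""

def parse_rules(text):
    """Return (daemon_list, client_list) pairs; a trailing shell-command field is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        rules.append((fields[0].split(), fields[1].split()))
    return rules

def client_matches(pattern, addr):
    """Match one client pattern: ALL, exact IPv4, trailing-dot prefix or net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # 192.168.1. matches 192.168.1.x
        return addr.startswith(pattern)
    if "/" in pattern:                   # 192.168.1.0/255.255.255.0 style
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr

def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and \
        any(client_matches(c, addr) for c in clients)

def tcpd_allows(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: a hosts.allow match grants, then a hosts.deny match refuses, else grant."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return False
    return True

if __name__ == "__main__":
    for daemon, addr in [("sshd", "192.168.1.10"), ("sshd", "192.168.1.50"), ("in.telnetd", "192.168.1.10")]:
        print(f"{daemon:<10} {addr:<15} {'allowed' if tcpd_allows(daemon, addr) else 'refused'}")
```

Note the final fall-through: with no hosts.deny entry at all, tcpd grants access, which is why the catch-all `ALL : ALL` line in hosts.deny matters.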
Once you've followed the instructions above, reboot the system. Power the box up, put it on the network, and make sure all the software is functioning. If everything checks out, download a copy of the Snort packet sniffer and logger (http://www.clark.net/~roesch/security.html) and install it. You'll need to have libpcap (http://filewatcher.org/sec/libpcap/int_1month.html) in place in order for Snort to work.

If you've gotten this far, you're almost ready to rock. Follow the examples in the Snort documentation and get comfortable with the application. In our next installment, we'll begin writing some Snort rules that help you detect the bad guys before they can do you wrong.