Graylog Setup First Input

The last post showed how to install the graylog server, but what good is a log server with no logs?!

Let’s get some data into our server. We are going to start with an Ubuntu Server 16.04 machine, which uses rsyslog (installed by default).

Throughout this post the graylog server will be referred to as “graylog”, and the server being configured to forward its logs will be referred to as Ubuntu.

First, log in to the Ubuntu server and cd to the directory where rsyslog is configured. For a full explanation, or if you are using syslog-ng, look here

cd /etc/rsyslog.d/

Using the “ls” command we can see two files in this directory.

We are going to create a new config file for graylog

sudo nano 60-graylog.conf

A blank file will open. As we are running the latest version of Ubuntu we will also have the newer version of rsyslog, so we enter the following into our file

*.* @yourGraylogServerIP:8514;RSYSLOG_SyslogProtocol23Format

If you are running an older version you will need the following.

$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @yourGraylogServerIP:8514;GRAYLOGRFC5424

If you want to use the most modern approach you would use the following

action(type="omfwd" target="yourGraylogServerIP" port="8514" template="RSYSLOG_SyslogProtocol23Format")

I have not fully tested this latest approach, so if you have any issues with this revert back to the first example.

The eagle-eyed will notice that the port number used is 8514, whereas syslog typically runs over 514. This is due to permission issues when setting up ports in graylog which are below 1000. You can choose any port you wish as long as it is above 1000.

Save and close the file, then restart rsyslog

sudo service rsyslog restart

We will also need to open the port on the firewall. If you are using Ubuntu and ufw the command will be.

sudo ufw allow 8514/udp

Now we go over to graylog, log in, and go to the “Systems/Input” menu as shown.

Then we Select “Launch New Input”

And fill in as shown. You only have one node, so select your server from the drop-down menu.

If you get a green box saying “running” as below, that’s it.

If you think it’s not working, restart the Ubuntu server (the forwarding server) and log in as root, or create a new file so that some logs are generated. It’s common to think that the logging process is not working when in actual fact there just haven’t been any new logs created!

If you are still getting a failed message and are running a firewall on the graylog server you will need to open port 8514.

If using ufw you would type;

sudo ufw allow 8514/udp

Or, if you have already done this, check it is OK by checking the status.

sudo ufw status

Now go to the “Search” tab, select all logs and have a look through them. Happy threat hunting. In a later post we will look at some further configuration, and set up a Windows Server to forward to graylog.
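As an added example (not from the original post), here is a small Python script that builds a test message in the same RFC 5424 layout the rsyslog template above produces, parses such a line back into its fields, and can send it over UDP to the 8514 input. Sending a known test line is a quick way to tell a silent input from a broken one; the host name, app name and sample timestamps are constructed values, and the script name in the usage comment is hypothetical.

```python
import re
import socket
import sys
from datetime import datetime, timezone

# Facility/severity for the constructed test message: user.notice -> PRI 13.
FACILITY_USER = 1
SEVERITY_NOTICE = 5

# One RFC 5424 line as produced by RSYSLOG_SyslogProtocol23Format / the
# GRAYLOGRFC5424 template above:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)


def build_rfc5424(hostname, appname, msg, facility=FACILITY_USER,
                  severity=SEVERITY_NOTICE, timestamp=None):
    """Build one RFC 5424 line with no PROCID, MSGID or structured data."""
    pri = facility * 8 + severity          # PRI = facility * 8 + severity
    if timestamp is None:                  # RFC 3339 UTC, millisecond precision
        now = datetime.now(timezone.utc)
        timestamp = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    return f"<{pri}>1 {timestamp} {hostname} {appname} - - - {msg}"


def parse_rfc5424(line):
    """Split an RFC 5424 line into its header fields and decode PRI."""
    m = RFC5424_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    fields = m.groupdict()
    pri = int(fields["pri"])
    if pri > 191:                          # max facility 23, max severity 7
        raise ValueError(f"PRI out of range: {pri}")
    fields["facility"], fields["severity"] = divmod(pri, 8)
    return fields


def send_udp(line, host, port=8514):
    """Send one line to the Graylog syslog UDP input; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 send_test_syslog.py <graylog-ip>
    graylog_host = sys.argv[1]
    test_line = build_rfc5424(socket.gethostname(), "graylog-test",
                              "hello from the rsyslog forwarding test")
    print(parse_rfc5424(test_line))
    send_udp(test_line, graylog_host)
```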


Graylog Ubuntu Install

Hello all, I know it’s been a while (and I am aware I am mainly talking to myself here!) but what with life and work, it’s been over 2 months since I posted. I also had a server die on me, which meant quite a lengthy process of server replacement and data retrieval, but enough about that!

I’ve been trying to find a good logging solution to run alongside Security Onion to give as much visibility as possible, and the two I chose were Splunk and Graylog, with Graylog install and setup being covered here.

All the official documentation for Graylog can be found here: Graylog Docs

Ubuntu is still my favourite flavour of Linux so we will be starting with the base install of Server version 16.04.

Let’s get started, as always we start by updating the repository

sudo apt-get update

And if required, upgrade your install. (If you started with a fresh install but didn’t tick “download updates from the internet” you will need to do this)

sudo apt-get upgrade

Now that we are up to date, let’s start by installing the dependencies. First up are these 4 packages; make sure you do all these steps in order or it will not work.

sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen

If you get no errors when installing, we move on to installing MongoDB from the official repository.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
sudo apt-get update
sudo apt-get install -y mongodb-org

If again you receive no errors, we move on to enabling it at startup.

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service

Graylog recommends using Elasticsearch version 5. You can find the installation guide here if you need to refer to it, but you can install using the following. (This is not the latest version)

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
sudo apt-get update && sudo apt-get install elasticsearch

Before we can start Elasticsearch we need to edit the configuration file, which is located at “/etc/elasticsearch/elasticsearch.yml”

We cd to the correct directory

cd /etc/elasticsearch

Then open the file

sudo nano elasticsearch.yml

Then find the following line, remove the ‘#’ to uncomment it and set the cluster.name property to “graylog” as shown below.

cluster.name: graylog

Now start Elasticsearch, and enable it at startup.

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service

Now we are ready to install Graylog. First we install the repository.

wget https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb

Then we install the repository package and graylog itself

sudo dpkg -i graylog-2.4-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server

Now don’t get carried away, because there is still a bit of work to do before graylog will start.

All the instructions we need are contained in the following file: “/etc/graylog/server/server.conf”

We can open it directly using the following

sudo nano /etc/graylog/server/server.conf

Take the time to read through the instructions; it will help you to understand a little of what you are doing. With that in mind, let’s continue. Close the server.conf file and run the following from the command line. Copy the output of each command into a text file so you can paste both values into server.conf once you have generated them.

First, to create our “password_secret”

pwgen -N 1 -s 96

Then we create our “root_password_sha2” (remember the password, as you will need it to log in to graylog later on)

echo -n yourpasswordhere | shasum -a 256

Copy and paste these into the server.conf file after the “password_secret” and “root_password_sha2” entries.

OK, so now we will be connecting to graylog over HTTP. To be able to use HTTPS we need to configure a proxy server, which won’t be covered here, so if this is in production and you are not using HTTPS, always connect over a VPN. Don’t make the web interface externally available. To configure HTTPS have a look at the docs here

You should also configure the host firewall to only allow ports 22, 9000 and 8514; however, don’t enable it yet. Get graylog set up and confirmed as working, then enable your firewall.

To configure the web interface we need to set two further options in the server.conf file. These options are “rest_listen_uri” and “web_listen_uri”.

Get the IP of your server with the ifconfig command, then paste it into the two options mentioned above, and make sure the two lines don’t have a ‘#’ at the start, which would mean they are commented out. If the ‘#’ is there, remove it.

rest_listen_uri = http://yourIPaddress:9000/api

(text removed.....)

web_listen_uri = http://yourIPaddress:9000/

Save and close the file. If you want more information on configuring the web interface see the documentation here
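The four server.conf edits above (password_secret, root_password_sha2, rest_listen_uri and web_listen_uri) as an added Python helper, not part of the original post or of Graylog itself: it generates the secret and the hash the same way the pwgen and shasum commands do, and rewrites the matching lines, uncommenting them where needed. The sample config text in the test and the script name in the usage comment are constructed assumptions.

```python
import hashlib
import re
import secrets
import string
import sys

ALPHABET = string.ascii_letters + string.digits   # same character set as `pwgen -s`


def generate_password_secret(length=96):
    """Random secret of the requested length, equivalent to `pwgen -N 1 -s 96`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def root_password_sha2(password):
    """Hex SHA-256 of the password, equivalent to `echo -n password | shasum -a 256`."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def set_option(conf_text, key, value):
    """Set `key = value` in server.conf text.

    An existing active line is replaced; otherwise a commented-out `#key = ...`
    line is uncommented and replaced; otherwise the option is appended.
    """
    line = f"{key} = {value}"
    active = re.compile(rf"^{re.escape(key)}\s*=.*$", re.MULTILINE)
    commented = re.compile(rf"^#\s*{re.escape(key)}\s*=.*$", re.MULTILINE)
    for pattern in (active, commented):
        new_text, n = pattern.subn(lambda _m: line, conf_text, count=1)
        if n:
            return new_text
    return conf_text.rstrip("\n") + "\n" + line + "\n"


def configure(conf_text, admin_password, listen_ip):
    """Apply the four edits the post describes and return the new config text."""
    text = set_option(conf_text, "password_secret", generate_password_secret())
    text = set_option(text, "root_password_sha2", root_password_sha2(admin_password))
    text = set_option(text, "rest_listen_uri", f"http://{listen_ip}:9000/api")
    text = set_option(text, "web_listen_uri", f"http://{listen_ip}:9000/")
    return text


if __name__ == "__main__":
    # Usage (hypothetical script name): sudo python3 graylog_conf.py <admin-password> <server-ip>
    path = "/etc/graylog/server/server.conf"
    with open(path) as f:
        original = f.read()
    with open(path, "w") as f:
        f.write(configure(original, sys.argv[1], sys.argv[2]))
```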

All that’s left to do is start graylog and enable it at startup

sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service

That’s it, give your server a restart with the following

sudo shutdown now -r

Browse to “yourIPaddress:9000/” and you should be greeted with the following login box. If not, try manually restarting all the services (mongodb, graylog and elasticsearch) using the steps in this guide and see if that resolves it. If not, you’ve done something else wrong!


The next blog will show how to configure your first input into graylog.

IIS Crypto 2.0

If you have a Microsoft web server and you need to disable certain crypto suites, for example to ensure that you are not using SSL 2.0 or 3.0 or DES 56/56, then IIS Crypto is a great tool for that.

Firstly go to ssllabs and run a scan on your site.

Once you have the results if there are any encryption warnings for your site you can use IIS Crypto to resolve them.

Go to the Nartac web site and download the tool.

There is nothing to install; you just run the exe and will be greeted by this screen.

From here it is a simple checkbox exercise to enable and disable what you need. It also means that rollback is easy if you find that something broke after making changes!

To make life even easier there is a “Best Practice” setting which will disable all “broken” encryption methods for you.

After you have made changes just hit apply and that’s it.

You can also scan your site from within this tool. Select “Site Scanner” from the left hand menu and enter your site’s URL.

This time the scan should come back with no encryption issues.

Till next time.

WebKnight for IIS Web Servers

For a while I’ve been testing different Web Application Firewall (WAF) solutions and I stumbled across WebKnight. The latest version is a paid-for product, but you can download the previous versions and use them for free.

WebKnight has many customisable features allowing IP blocking, URL scanning and logging. It’s compatible with OWA, WebDAV and Cold Fusion, and also helps protect from SQLi, XSS and CSRF. It’s quick and easy to set up, and after using it for a while you should find it easy to customise so it gives you what you want.

You must have ISAPI filters enabled on the Web Server.

To install and start using it go to the Aqtronix website and download the latest free version which is currently 4.5.5.

Accept the terms and conditions, then select the complete version to install.

That’s it.

Next, launch the configuration tool, as we need to create a log folder so WebKnight can write its log files.

Create a folder somewhere then remember the path and folder name for the next steps.

Find the logging section and ensure the “Enabled” box is ticked, then enter the name of the folder in the next box below, and the path in the box after that.

Save and close the configuration tool.

Then test your site to make sure you can still access it.

You can test by adding <script>alert(1)</script> to the end of your website’s address, then reload the page to see if you get the block page (the default WebKnight page can also be replaced by your own custom page).

This will also show in your log file.

There are countless options to play around with and it would take forever to go through them all. Configuring these options is also a good way to learn about website defence. Change a few options and then test your website to see how it is affected. Use an online scanner and then check the log file to see what WebKnight is defending against.

Have fun.

DDEAUTO Opens Webpage

We have already posted about DDEAUTO, but thought we’d show another one, as it’s slightly different.

If a document opens and you are greeted by a pop up of any kind, then I’d say 99 times out of a hundred, it’s going to be a malicious exploit and you should just close and delete the document immediately and run a full Anti-Virus scan with at least 3 different free scanners.

Then 2 weeks later re-run all the scans again.

The DDEAUTO Exploit in all Microsoft Office Documents

This is the new exploit which is everywhere at the moment.

It’s a little different to the typical Macro exploits which are normally used.

In general you will need to click on 2 pop ups to allow the exploit to run, however since writing this I have played around a bit more and managed to get it down to only one pop up.

The point here in this video however is to show that if you read what the pop up says, you should not be clicking on it in any circumstances.

It’s true that some documents are linked dynamically to keep all data in linked sheets up to date. However if you are using one of these you would normally know about it.

If you don’t normally use documents with linked data and you open one which asks you to allow linked data, don’t just click OK! If you know who sent it, ask them what it is, and if you don’t know where it came from you probably shouldn’t even be opening the attachment in the first place!

Then after clicking yes to the first pop up, we receive a second one, this is generally where the exploit will run. Ours is very obviously named for the sake of this demonstration, but an attacker would be trying their best to disguise it.

We hope that by watching this video you will be a little bit more educated and perhaps won’t click on that pop up box if you receive one of these emails!

Enjoy the Video.

Excel Malicious Macro Attachment

Hello again.

It’s 2017 and we are still enabling Macros in documents we receive via email! (Come on people!)

Anyway, there are still people out there who don’t believe a macro can be used this way, so here is a quick video you can show them.

In this short clip a user receives an email from Jerry.random@uk-company.com, but you can clearly see it actually came from a gmail address, and it contains an Excel invoice attachment.

In this example we have Excel set to not allow Macros to run automatically, but we are aware that a lot of people don’t use this setting (you nut-cases!).

Notice that nothing happens until the Macro is enabled!

Don’t enable a macro unless you are 100% sure of what it is.

The Excel sheet contains a simple macro which opens IE and goes to a website. This demonstrates how easy it is for an attacker to use a macro to either install malware or ransomware. We have used this method in our demo as it is very quick and visual and seems to get the point across better than a more complicated example.

Install OSSEC on Ubuntu 16.04 To Monitor Multiple Servers

We have previously posted on how to install and configure Security Onion (see here) with a minimal guide on OSSEC.

I wanted to install OSSEC on its own server and monitor other servers separately from Security Onion, so here is the guide.

This was all performed on a fresh install of Ubuntu 16.04.

Update our repository as always.

sudo apt-get update

Then we need to get the prerequisites before installing OSSEC.

sudo apt-get install build-essential

Now download the latest version

wget https://github.com/ossec/ossec-hids/archive/2.9.2.tar.gz

You will want to verify the checksum hash if this is going into a production environment. (We’ll do a tutorial on verifying hashes in the future)

Now we extract the tar file we just downloaded

sudo tar -zxvf 2.9.2.tar.gz

I then had a folder named ossec-hids, so we cd into it

cd ossec-hids

Then run the install script.

sudo ./install.sh

Now you will need to answer the questions:

  • Installation type – server
  • Where to install – use the default (just hit enter)
  • Email notification – y (then enter your email address and smtp details)
  • Run Integrity Check – y
  • Run rootkit detection – y
  • Enable firewall drop – y (you can add your IP address to the whitelist, just in case)
  • Hit enter (if you get any errors then most likely build-essential has not installed correctly)

Now we’re ready to fire up OSSEC

sudo /var/ossec/bin/ossec-control start

or check the status like this

sudo /var/ossec/bin/ossec-control status

Now we need to go over to the server which we want to monitor as an agent.

On this server (also Ubuntu) we run very similar commands to before:

sudo apt-get update
sudo apt-get install build-essential
wget https://github.com/ossec/ossec-hids/archive/2.9.2.tar.gz
sudo tar -zxvf 2.9.2.tar.gz
cd ossec-hids
sudo ./install.sh

Now you will need to answer the questions:

  • Installation type – agent
  • Where to install – use the default (just hit enter)
  • Server IP address (this is the IP address of your monitoring server)
  • Run Integrity Check – y
  • Run rootkit detection – y
  • Enable firewall drop – y (you can add your IP address to the whitelist, just in case)
  • Hit enter (if you get any errors then most likely build-essential has not installed correctly)

Now back to the OSSEC Server so we can add the new agent allowing the two to communicate.

sudo /var/ossec/bin/manage_agents

Select ‘a’ from the options and complete the details for the agent.

Now that the agent is added, we need to extract its unique key and import it on the agent server.

Select option ‘e’ then make a note of the key or paste it into a file.

When finished select ‘q’ to quit.

Now we return to the agent server and run

sudo /var/ossec/bin/manage_agents

This time select ‘i’ to import, then copy or paste your key as instructed.

If the key is correct you should get a success message.

Now we need to restart our agent server, then log back in and check that OSSEC is running.

sudo /var/ossec/bin/ossec-control status

If it is not running then use

sudo /var/ossec/bin/ossec-control start

Back on the monitoring server we need to restart the services like so.

sudo /var/ossec/bin/ossec-control restart

That’s it. If you set up email alerts you will already have some notifying you of logins and agents being added.

In a future blog we will look at adding our own alerts.



Install Wireshark on Ubuntu

Wireshark is the best network capture tool out there, so start using it now!

Open up a Terminal and run

sudo apt-get update

Then

sudo apt-get install wireshark

Then, once the install has completed, we need to configure it to allow non-sudo users to capture packets, so Wireshark doesn’t have to run with root privileges.

sudo dpkg-reconfigure wireshark-common

Then when asked if you want to allow non-sudo users to capture packets, select “yes”.

Then we need to add our current user to the Wireshark Group like so.

sudo adduser $USER wireshark

Now open wireshark and you will be able to capture network traffic.

Have fun.


How To Harden HTTPS in nginx.

I was testing one of my sites using both securityheaders and ssllabs and found that I was being marked down due to a weak Diffie-Hellman key exchange, and due to supporting certain weak cryptographic algorithms.

I was determined to get an A+ for both sites, and with a bit of trial and error this is how to configure nginx to use strong Diffie-Hellman parameters and force the server to only use certain algorithms.

If you are using a proxy as per our other tutorials you will need to treat this new .pem file as you do the web certificate. You need to create it on the web server, then move a copy to the proxy server and point to it as you would with your .cer and .key files. However, the “ssl_ciphers” entry only needs to be on the web server. In this example our site is named ‘site1.com’

To create our new Diffie-Hellman parameters, on the webserver we run

sudo openssl dhparam -out dhsite1params.pem 2048

This will create our .pem file, which we then move to the same location as our .key and .cer files so they can be easily referenced.

The line we need to add is

ssl_dhparam /etc/nginx/dh/dhsite1params.pem;

To ensure we are only using strong encryption ciphers we also need to add a few more lines to our site file.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;

We add them to our site file by opening it with

sudo nano /etc/nginx/sites-available/site1

Then add the previously shown lines to our SSL configuration as shown below:

# SSL configuration
server {
    access_log off;
    log_not_found off;
    error_log logs/yoursite.com-error_log warn;
    listen 443 ssl;
    server_name site1.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_certificate /etc/nginx/cert/crt/yoursite.crt;
    ssl_certificate_key /etc/nginx/cert/key/yoursite.key;
    ssl_dhparam /etc/nginx/dh/dhsite1params.pem;
}

That’s it.

I ran the scan again and this time got an A+.