Nautilus Installation Guide
This guide is here to help system administrators install Nautilus on their own hardware, if desired, and to document the basic process by which OSHEAN creates and hardens Nautilus servers. This document is currently a work-in-progress as we test the new Nautilus deployment system; it is not recommended to complete this guide on a production system until we have completed and reviewed the new Nautilus roll-out in the coming month.
- Definitions
- Hardware Prerequisites
- Configuring Your Server
- Installing Debian
- Setting up the Nautilus repository
- Installing and configuring the Nautilus components
Definitions
Networking
Interface
General UNIX term for a network device as seen by the operating system. Under Linux, the first physical network interface is usually named eth0, the second eth1, and so on.
Management interface
Interface used for shell access to the Nautilus machine.
Listening interface
Interface configured for promiscuous monitoring of a spanned network.
Emergency management interface
Interface designed for emergency maintenance to the server; on Hewlett-Packard hardware, this is called the "Integrated Lights Out" (iLO) interface.
Nautilus
Module
A discrete piece of software available as part of the Nautilus system. snort is an example of such a module, and includes both the snort main program and its associated IDS rules.
Nautilus Package
A Debian package provided by OSHEAN to its members for installation of a piece of software (in binary form), or related components associated with another piece of software. For more information on the Debian package system, please refer to The Debian GNU/Linux FAQ.
Nautilus Repository
A Debian repository hosted by OSHEAN that facilitates access to Nautilus packages. For more information on how to use our repository with APT or aptitude, please refer to NautilusPackaging.
Hardware Prerequisites
OSHEAN recommends the following minimum hardware requirements:
- Dual, quad core processors
- 2GB physical memory
- 2 x 72GB SATA or SAS drives
- Battery backed hardware RAID
- Two 10/100/1000Mb network interface connections
- IPMI, iLO or equivalent
- Redundant fan option
- Redundant power supply option
Nautilus requires two network connections on all hardware (a third, the emergency management interface, is recommended with the OSHEAN-recommended hardware; see below):
- Management interface. This interface must be assigned a static IP address and must be reachable only from the networks you wish to manage the device from.
- Listening interface. This interface is not assigned an IP address; it should be connected to a span port on your switch. Configure your switch to span the networks you wish to monitor to this interface. Snort, Periscope and ntop will use this interface to monitor network traffic.
If you are using the OSHEAN-recommended hardware, we strongly recommend configuring the Emergency Management interface (iLO or IPMI). This interface must be assigned a static IP address and should only be accessible from the networks you wish to manage the device from.
Configuring Your Server
- Configure your server's IPMI or iLO interface with the static IP address you have assigned. Refer to your server documentation to determine how to do this.
- Configure your server's hardware RAID for RAID1. Set up a single logical volume.
- If your server has advanced monitoring features such as SNMP integrated into IPMI or iLO, we recommend configuring it now.
Installing Debian
netinst CD
The base Debian install for Nautilus is the netinst CD for etch, the old stable Debian release, and can be found at http://www.debian.org/CD/netinst/.
Partitioning
OSHEAN recommends creating separate partitions for /, /usr, /tmp, /var, /home and /opt on the Nautilus appliance. The bulk of the disk space should be allocated to /var, because the Periscope and MySQL databases both reside on the /var partition by default.
Networking
Configure your network interfaces by editing the file /etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary (management) network interface: static address, reachable
# only from your management networks
allow-hotplug eth0
iface eth0 inet static
    address 1.2.3.4
    broadcast 1.2.3.255
    netmask 255.255.255.0
    gateway 1.2.3.1

# The listening interface: brought up in promiscuous mode with no IP address.
# The trailing "&& false" makes the pre-up step fail on purpose, so ifup stops
# before it would assign the placeholder 0.0.0.0 address.
auto eth1
iface eth1 inet static
    address 0.0.0.0
    netmask 0.0.0.0
    pre-up ifconfig eth1 promisc up && false
Debian Package Selection
At the end of the installation process, do not select any roles for your server. This will ensure a minimal install under Debian. Install the openssh-server package if you wish to have remote access to your Nautilus server.
Installing the Nautilus distribution will pull in the remaining required software.
Setting up the Nautilus repository
Please see NautilusPackaging for detailed instructions on how to set up the Nautilus repository and add our GPG key to the apt keyring.
Installing and configuring the Nautilus components
Installing the entire distribution
If you would like to install the entire distribution at once, you may use the following command:
aptitude update && aptitude install nautilus-distribution libpcap0.7
This will install all of the packages listed at NautilusPackaging, including ntop, snort, and Periscope.
NOTE: You must still configure each package. See individual package installation instructions below.
Base system configuration
Nautilus core packages depend on the nautilus-base-system package, which contains a default firewall configuration and centralized configuration files for your Nautilus machine. After installing the packages you should edit /etc/default/nautilus-base-system to ensure this configuration matches your hardware layout.
Nautilus is pre-configured to use eth1 as the default listening interface. If eth1 is not your listening interface then change the following variable in /etc/default/nautilus-base-system:
NAUTILUS_INTERFACE="eth1"
Web Interface
The post-installation routine will by default create a self-signed SSL certificate for you in /etc/opt/nautilus/nautilus.pem. You must complete the OpenSSL prompts before installation will complete. An example response is below; please modify it to suit your organization. The value between [ ] is the default and will be used if the prompt is left blank.
# aptitude install nautilus-web
...
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Rhode Island
Locality Name (eg, city) []:North Kingstown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OSHEAN, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:nautilus-test.oshean.org
Email Address []:
It is important to specify the Common Name field correctly. Use either the fully-qualified domain name of your Nautilus box or its IP address, whichever will be used to access the web interface from a browser; a browser will warn about the certificate if the name it connects to does not match.
Note: If you would like to use your own SSL certificate (e.g., if you have an internal certificate authority), you may copy or link your pre-existing private key, in PEM format, to /etc/opt/nautilus/nautilus.pem.
The package manager will add a site configuration file in /etc/apache2/sites-available and enable it. You may disable the web interface by entering the following:
a2dissite nautilus
/etc/init.d/apache2 force-reload
Edit /etc/apache2/ports.conf. Remove the line "Listen 80" and add the line "Listen 443":
- Listen 80
+ Listen 443
Then restart Apache:
/etc/init.d/apache2 restart
You will be able to access the web GUI at https://your-ip-or-FQDN/. Do not be alarmed if the module tabs are not visible: the web GUI only shows the modules that are installed, and it will update as you install new modules. A customized error message is presented if a module is not running or is incorrectly configured. Ensure the correct daemons are started and that the module is completely configured according to these directions. If the problem persists after those steps, please file a bug report.
snort
Install the nautilus-snort packages via apt if you have not installed nautilus-distribution:
aptitude install nautilus-snort nautilus-snort-rules libpcap0.7
You will be prompted during post-installation to configure snort to use a MySQL database. Run /opt/nautilus/bin/snort-configure-mysql.sh if you change this configuration.
It is strongly recommended to set a MySQL root password if you have not already done so. Suggested values for the database name and user are shown below.
Configuring MySQL access for nautilus-snort:
Desired snort dbname: snort
Desired snort username: snort
Password:
Password (again):
MySQL root password (if any):
Edit /etc/opt/nautilus/snort/snort.conf to enable the default rules and correctly set the subnet to monitor or snort will not start. The HOME_NET and EXTERNAL_NET variables take an address space in CIDR notation; by default, the EXTERNAL_NET variable is set to everything not in HOME_NET.
Uncomment the "include" lines below, which are at the end of the configuration file, to enable the default rules:
var HOME_NET 10.2.0.0/24
var EXTERNAL_NET !$HOME_NET
include $RULE_PATH/community.conf
include $RULE_PATH/emerging.conf
Manually include your own set of rules in snort.conf.
Finally, edit /etc/default/nautilus-snort if you are not capturing on eth0:
SNORT_INTERFACE=eth1
Now you can start the snort daemon:
# /etc/init.d/nautilus-snort start
Starting snort IDS (OSHEAN): snort.
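Snort will not start if HOME_NET is left unset or the rule includes stay commented out, and it will capture on the wrong interface if SNORT_INTERFACE disagrees with NAUTILUS_INTERFACE in /etc/default/nautilus-base-system. The following pre-flight check script covers both the base-system setting and the snort.conf edits above; it is an added example, not part of the OSHEAN packages, and the sample configuration fragments in it are constructed.

```shell
#!/bin/sh
# Pre-flight checks for the snort settings this guide asks you to edit by hand.
# Added example, not part of the OSHEAN packages. Each check takes file contents
# as an argument, e.g. check_snort_conf "$(cat /etc/opt/nautilus/snort/snort.conf)".

# Return 0 when HOME_NET is a concrete CIDR (not empty or "any") and the
# community/emerging rule includes are uncommented; otherwise report and return 1.
check_snort_conf() {
    conf=$1
    rc=0
    home_net=$(printf '%s\n' "$conf" | sed -n 's/^var HOME_NET[[:space:]]*//p')
    case "$home_net" in
        ""|any) echo "HOME_NET is not set to a CIDR range"; rc=1 ;;
    esac
    for rules in community.conf emerging.conf; do
        if ! printf '%s\n' "$conf" | grep -q "^include [\$]RULE_PATH/$rules"; then
            echo "include \$RULE_PATH/$rules is missing or still commented out"
            rc=1
        fi
    done
    return $rc
}

# Return 0 when the interface snort captures on (SNORT_INTERFACE from
# /etc/default/nautilus-snort, passed as $2) is the listening interface set in
# /etc/default/nautilus-base-system (NAUTILUS_INTERFACE, passed as $1).
check_capture_interface() {
    base_if=$(printf '%s\n' "$1" | sed -n 's/^NAUTILUS_INTERFACE=//p' | tr -d '"')
    snort_if=$(printf '%s\n' "$2" | sed -n 's/^SNORT_INTERFACE=//p' | tr -d '"')
    if [ -z "$base_if" ] || [ "$base_if" != "$snort_if" ]; then
        echo "NAUTILUS_INTERFACE ('$base_if') and SNORT_INTERFACE ('$snort_if') differ"
        return 1
    fi
    return 0
}

# Constructed sample input: a snort.conf edited as described above, and one
# left at the shipped defaults (HOME_NET any, rule includes commented out).
GOOD_SNORT_CONF='var HOME_NET 10.2.0.0/24
var EXTERNAL_NET !$HOME_NET
include $RULE_PATH/community.conf
include $RULE_PATH/emerging.conf'
DEFAULT_SNORT_CONF='var HOME_NET any
var EXTERNAL_NET !$HOME_NET
# include $RULE_PATH/community.conf
# include $RULE_PATH/emerging.conf'
check_snort_conf "$GOOD_SNORT_CONF" && echo "edited snort.conf: ok"
check_snort_conf "$DEFAULT_SNORT_CONF" || echo "default snort.conf: fix before starting snort"
check_capture_interface 'NAUTILUS_INTERFACE="eth1"' 'SNORT_INTERFACE=eth1' && echo "capture interface: ok"
```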
BASE
To install the web front-end to snort, BASE, install the package nautilus-acidbase:
aptitude install nautilus-acidbase
The package manager will prompt you to let it configure the MySQL database for snort/BASE. This is normal, as nautilus-acidbase is just a wrapper around the standard Debian package acidbase. Enter whatever you want at the prompts. The values will be overwritten by the snort configuration script.
NOTE: If you already installed nautilus-snort you must re-run /opt/nautilus/bin/snort-configure-mysql.sh OR edit /etc/acidbase/database.php manually.
Your /etc/acidbase/database.php should resemble the below:
$alert_user='snort';
$alert_password='my-password';
$alert_dbname='snort';
$DBtype='mysql';
You may leave the variables $basepath, $alert_host, and $alert_port as empty strings.
Finally, you must make sure Apache knows about BASE. You can do this by symlinking /etc/acidbase/apache.conf to the Apache configuration directory:
ln -s /etc/acidbase/apache.conf /etc/apache2/conf.d/acidbase
Remove this symlink if you remove acidbase in the future. It will not be removed by the package manager.
NOTE: By default BASE is only accessible from the local machine. You must edit /etc/acidbase/apache.conf and change the line
deny from all
to
allow from all
Once you have completely configured acidbase, restart Apache:
/etc/init.d/apache2 restart
ntop
To install the OSHEAN package for ntop, run the following command:
# aptitude install nautilus-ntop
This will automatically set the administrator password for ntop to nautilus. Make sure that the value of NAUTILUS_INTERFACE in /etc/default/nautilus-base-system is correctly set to your intended capture interface, or ntop will not start correctly.
To bring up ntop, use the following command:
# /etc/init.d/nautilus-ntop start
Our configuration has ntop's web interface running over SSL on port 3000. To access this without the Nautilus web interface, use the URL https://your-ip-or-FQDN:3000. Please note that this module does NOT run through Apache, so fine-grained access control is not quite possible yet.
Periscope
Dependencies
To run the Periscope binary on a Nautilus appliance you must first install the following packages:
aptitude install libssl-dev libpcap0.8-dev dnsutils
WebGUI Integration
To integrate Periscope with the Nautilus web GUI, it must be configured to serve its web interface over HTTPS.
Edit /etc/periscope.conf. Set web-ssl-enabled to true and set web-ssl-cert to the Nautilus self-signed SSL certificate, /etc/opt/nautilus/nautilus.pem:
web-ssl-enabled=true
web-ssl-cert=/etc/opt/nautilus/nautilus.pem
If you installed Periscope from source rather than from the nautilus-periscope package, change the following lines in /opt/nautilus/web/modules.php so the web GUI finds the binary in its actual location:
"package" => "nautilus-periscope",
"present" => @stat("/opt/nautilus/bin/periscope")
to
"package" => "nautilus-periscope",
"present" => @stat("/usr/local/bin/periscope")
