# IDS - Intrusion Detection System

This system lets users block an intrusion by blocking the IP addresses of the intruders. It also adds each such IP address to a blacklist, which ensures that the address can never again be used to access the system.
### Device used in this project

- Raspberry Pi 3
## Configuration and Linux Commands

- The Pi was updated using the following command:

  <pre><code>sudo apt-get update</code></pre>

- The Pi's firmware was upgraded. Command:

  <pre><code>sudo apt-get upgrade</code></pre>

- Installed arp-scan on the Pi. Command:

  <pre><code>sudo apt-get install arp-scan</code></pre>

  arp-scan sends ARP packets to the hosts on the local network and displays any response that is received. The network interface can be selected by adding the <code>--interface</code> option to the arp-scan command. By default arp-scan searches the system interface list and uses the lowest numbered interface, excluding the loopback interface.

- Installed the ufw firewall on the Pi. This is a default firewall configuration tool for Linux. Commands:

  <pre><code>sudo apt-get install ufw</code></pre>

  <pre><code>sudo ufw enable</code></pre>

- Installed original-awk on the Pi. Command:

  <pre><code>sudo apt-get install original-awk</code></pre>

- Installed ccrypt on the Pi. Command:

  <pre><code>sudo apt-get install ccrypt</code></pre>

  ccrypt is a utility for encrypting and decrypting files and streams. It was designed to replace the standard Unix crypt utility, which is notorious for using a very weak encryption algorithm. ccrypt is based on the Rijndael block cipher, which was also chosen by the U.S. government as the Advanced Encryption Standard. This cipher is believed to provide very strong cryptographic security.
- Setting up the network interface to gain access to the internet. The interfaces file should be configured with the address, netmask, gateway, network, broadcast and dns-nameservers details. Command:

  <pre><code>sudo nano /etc/network/interfaces</code></pre>

- To change the DNS server, open the resolv.conf file and add the nameserver. Command:

  <pre><code>sudo nano /etc/resolv.conf</code></pre>

- To restart the network services. Command:

  <pre><code>sudo service networking restart</code></pre>

- To ssh into the Pi (replace the placeholder with the Pi's IP address). Command:

  <pre><code>ssh pi@&lt;pi's IP address&gt;</code></pre>

- To create the script file. Command:

  <pre><code>nano ids.sh</code></pre>
- The script is as follows. Script:

  <pre><code>#!/bin/bash
# NOW is the variable; $( ) runs the command inside it, and date +"%T"
# returns the current time registered on the Pi (HH:MM:SS)
NOW=$(date +"%T")</code></pre>

- This command runs arp-scan with root privileges (via sudo) to scan the local network and saves the scan results in a file named with the current time set on the Pi. Command:

  <pre><code>sudo arp-scan --interface=eth0 --localnet > test.$NOW.txt</code></pre>

- To save the script in nano. Command:

  <pre><code>Ctrl+O</code></pre>

- To give the file executable rights (either form works). Command:

  <pre><code>chmod 755 ids.sh</code></pre>

  or

  <pre><code>chmod +x ids.sh</code></pre>

- To schedule this job with cron. Command:

  <pre><code>crontab -e</code></pre>

- This crontab entry gives the full path of the script along with its name; the five asterisks make cron run it every minute:

  <pre><code>* * * * * /home/pi/ids.sh</code></pre>

- To drop all established TCP connections using iptables. Command:

  <pre><code>sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j DROP</code></pre>

- To show the line numbers of the rules within iptables. Command:

  <pre><code>sudo iptables -L --line-numbers</code></pre>

- To delete a rule from iptables (here, rule 1 of the INPUT chain). Command:

  <pre><code>sudo iptables -D INPUT 1</code></pre>

- Open the saved file that contains the arp-scan results, pull out the lines with 192.168.137.x addresses, have awk extract the connected IP (the first column), then compare that list to the whitelist that was created and place the result in a file called CMP.txt. Commands:

  <pre><code>grep '192\.168\.137\.' test.$NOW.txt | awk '{print $1}' > connectedip
cmp connectedip whitelist > CMP.txt</code></pre>

- If statement to check for the presence of any rogue IP addresses via the CMP.txt file: when cmp reports that the two files differ, all established connections are dropped, the rules are flushed after five seconds, and an ACCEPT rule is restored. Note that this drops established traffic from every host, whitelisted ones included, for those five seconds. Script:

  <pre><code>if grep -q differ "CMP.txt"; then
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j DROP
else
    sleep 1
fi
sleep 5
sudo iptables --flush
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT</code></pre>

- This cleans up the files the script creates. Command:

  <pre><code>rm CMP.txt connectedip test.$NOW.txt</code></pre>
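As an added example that is not the project's own ids.sh, here is a version of the detection step that identifies each rogue address in the arp-scan output and blocks it individually (which is what the description at the top of this page intends) instead of comparing whole files with cmp and dropping all established traffic. The sample scan output, the whitelist contents and the IDS_DRY_RUN switch are constructed assumptions, not taken from the project.

```shell
#!/bin/bash
# Added example, not the project's own ids.sh: block each rogue host by address
# instead of dropping all established traffic. Assumptions (not from the page):
# the whitelist is one IPv4 address per line, and IDS_DRY_RUN=1 prints the block
# actions instead of calling iptables/ufw so the logic can run without root.
# Constructed sample arp-scan output (not a real capture). arp-scan separates
# columns with tabs; awk splits on any whitespace, so spaces work here too.
SAMPLE_SCAN='Starting arp-scan 1.9 with 256 hosts
192.168.137.1    00:11:22:33:44:55    (Unknown)
192.168.137.10   b8:27:eb:00:00:00    Raspberry Pi Foundation
192.168.137.55   aa:bb:cc:dd:ee:ff    (Unknown)
3 packets received by filter, 0 packets dropped by kernel'
# Constructed whitelist of hosts allowed on the LAN.
WHITELIST='192.168.137.1
192.168.137.10'

# extract_ips: first column of every stdin line that starts with an IPv4
# address; arp-scan's banner and summary lines do not match and are dropped.
extract_ips() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' | sort -u
}

# find_rogues SCAN_TEXT WHITELIST_TEXT: addresses seen on the wire but not in
# the whitelist, one per line; prints nothing when every host is known.
find_rogues() {
    wl=$(mktemp)
    printf '%s\n' "$2" | sort -u > "$wl"
    printf '%s\n' "$1" | extract_ips | grep -vxF -f "$wl"
    rm -f "$wl"
}

# block_ip ADDRESS: drop its traffic now and record the deny in ufw's
# persistent rule set so it is re-applied on ufw reload and after a reboot.
block_ip() {
    if [ "${IDS_DRY_RUN:-0}" = "1" ]; then
        echo "would block $1"
    else
        sudo iptables -I INPUT -s "$1" -j DROP
        sudo ufw deny from "$1"
    fi
}

# main: scan the LAN (the sample when dry-running) and block every rogue host.
main() {
    if [ "${IDS_DRY_RUN:-0}" = "1" ]; then scan=$SAMPLE_SCAN
    else scan=$(sudo arp-scan --interface=eth0 --localnet); fi
    for ip in $(find_rogues "$scan" "$WHITELIST"); do block_ip "$ip"; done
}
if [ "${1:-}" = "run" ]; then main; fi   # usage: ./ids.sh run
```

Run it as `IDS_DRY_RUN=1 ./ids.sh run` first to see which addresses it would block before letting it touch the firewall.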