Encryption Tidbits, and Snort
CS 493/693 Lecture,
Dr. Lawlor, 2006/02/27
Linux has built-in support for turning files into
encrypted "block devices", which can then be used to mount
encrypted filesystems, or to serve as encrypted swap space.
Even using real encryption algorithms like AES, they can
read and write at over 10MB/s, which is fast enough not to
interfere with everyday use. The only downside of encrypted
filesystems is that they're only secure while they're closed--while
they're mounted, they're completely open to any attacker that has
root access. They're hence better insurance against hardware
theft than against network attacks.
# Turn off swap (for paranoia's sake)
swapoff -a
# 2.4 kernel optional install
modprobe cryptoapi
modprobe cipher-aes
# 2.6 kernel standard ciphers, in /lib/modules/*/kernel/crypto
modprobe cryptoloop
modprobe aes
# Make a file full of zeros. This file will store our encrypted data.
dd if=/dev/zero of=crypt.dat bs=1000k count=1
# Make an encrypted block device /dev/loop1 from the file.
losetup -e AES128 /dev/loop1 crypt.dat
# You've got to enter a 20+ character "passphrase" here.
# Screwing up the passphrase just gives you garbage data! losetup never
# says "wrong password": on an existing crypt.dat a mistyped passphrase
# only shows up later, when mount fails to find a valid ext2 superblock.
# Make a filesystem on the block device (only needed the first time!)
mke2fs -m 0 /dev/loop1
# Mount the new encrypted block device
mkdir mnt
mount /dev/loop1 mnt/
# Unmount filesystem
umount mnt/
# Turn off encryption. The crypt.dat file is now closed.
losetup -d /dev/loop1
Snort!
A very cool program that we'll be using for quite a while is Snort,
a highly scriptable packet sniffer.
In increasing complexity, Snort can be used as:
- Just a plain old packet sniffer, like tcpdump: "snort -vde" (Verbose,
dump packet Data, dump Extended packet data like ethernet MAC addresses).
This mode scrolls piles of data to the screen in time order, which isn't
very useful.
- A packet logger: "snort -de -l ./log".
This spits out nicely organized directories for each
source IP address, with files arranged by protocol and port numbers,
like "log/10.0.0.10/TCP:1778-80" containing machine 10.0.0.10's TCP
conversation with port 80 of my machine.
- A packet logger that only logs packets described in a configuration
file:
"snort -de -l ./log -c snort.conf". This is actual
"Intrusion Detection System" mode--finally, the title of this class!
- A packet filter (firewall) that allows traffic in and out based on
rules listed in the configuration file.
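Snort's logger-mode directory layout (the log/<source IP>/PROTO:sport-dport naming in the second bullet above) is easy to post-process. The Python script below is an added example, not part of the lecture or of Snort itself: it parses those file names and flags any source address that touched many distinct destination ports, the simplest port-scan signal you can pull out of a logging run. The sample paths, the TCP/UDP-only name pattern and the threshold of ten ports are assumptions made up for this example.

```python
"""Summarize a Snort packet-logger tree (from "snort -de -l ./log").

Snort's packet logger writes one file per conversation, named
  <log root>/<source IP>/<PROTO>:<source port>-<dest port>
e.g. log/10.0.0.10/TCP:1778-80 for 10.0.0.10's TCP talk with our port 80.
This script parses those names and reports, per source address, how many
distinct destination ports it touched: one host hitting many ports is the
classic port-scan signature, and is worth a look before reading packets.
"""
import os
import re
from collections import defaultdict

# Snort's "<srcip>/<PROTO>:<sport>-<dport>" naming, relative to the log
# root.  Other files Snort drops in the tree (e.g. "ARP") don't match and
# are skipped.  ICMP files use a different naming scheme that this example
# (an assumption, not Snort's own code) does not parse.
LOG_PATH_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<proto>TCP|UDP):(?P<sport>\d+)-(?P<dport>\d+)$"
)


def parse_log_path(relpath):
    """Return (src_ip, proto, sport, dport) for one logger file path relative
    to the log root, or None if the name isn't a TCP/UDP conversation file."""
    m = LOG_PATH_RE.match(relpath.strip("/"))
    if m is None:
        return None
    return (m.group("src"), m.group("proto"),
            int(m.group("sport")), int(m.group("dport")))


def log_tree_paths(log_root):
    """Walk a real Snort log directory and yield file paths relative to it."""
    for dirpath, _dirs, files in os.walk(log_root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, log_root).replace(os.sep, "/")


def summarize(relpaths, scan_threshold=10):
    """Group conversation files by source IP.

    Returns {src_ip: {"conversations": n, "dst_ports": [(proto, port), ...],
                      "suspect_scan": bool}}.  "suspect_scan" is set when a
    single source touched at least scan_threshold distinct (proto, port)
    pairs; the default of 10 is an arbitrary choice for this example.
    """
    convs = defaultdict(int)
    ports = defaultdict(set)
    for relpath in relpaths:
        parsed = parse_log_path(relpath)
        if parsed is None:
            continue
        src, proto, _sport, dport = parsed
        convs[src] += 1
        ports[src].add((proto, dport))
    return {
        src: {
            "conversations": convs[src],
            "dst_ports": sorted(ports[src]),
            "suspect_scan": len(ports[src]) >= scan_threshold,
        }
        for src in convs
    }


# Constructed sample of what "find log -type f" might list after a logging
# run: a normal client plus one host walking through eleven service ports.
SAMPLE_PATHS = [
    "10.0.0.10/TCP:1778-80",
    "10.0.0.10/TCP:1779-80",
    "10.0.0.10/UDP:5353-53",
    "ARP",          # Snort's ARP log, not a per-host conversation file
] + ["192.168.1.7/TCP:%d-%d" % (40000 + i, p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 8080])]


if __name__ == "__main__":
    # Point summarize(log_tree_paths("./log")) at a real tree instead.
    for src, info in sorted(summarize(SAMPLE_PATHS).items()):
        flag = "  <-- possible port scan" if info["suspect_scan"] else ""
        print("%-15s %3d conversations, %2d distinct ports%s"
              % (src, info["conversations"], len(info["dst_ports"]), flag))
```

Run against a real logging directory with summarize(log_tree_paths("./log")); the threshold is deliberately a parameter, since what counts as "many ports" depends on what the monitored machine normally serves.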
Snort is undoubtedly the most popular free Intrusion Detection System (IDS)
that exists today. LBNL's Bro is
also free and a bit more flexible.
You can also pay large quantities of money and
get cool hardware, nice GUIs, and big prebuilt rulesets from
Cisco,
Symantec,
and a variety of other companies.