Beholder
This document describes how to build Beholder, a multi-function server. Beholder runs on commodity router hardware and provides a number of features:
- SSH access
- a Snort network intrusion prevention system
- a NetFlow exporter
We build Beholder on top of OpenWrt because of the distribution’s simplicity and small size. Beholder is made up of roughly 90 packages, and its programs and configurations take up less than 40 MB of storage space. Here we assume that Beholder will run within the confines of a Xen hypervisor.
Establish the Beholder VM
Perform the following steps on the Xen Dom0 host to establish the VM which will host Beholder:
- Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
- Uncompress the image and place it at /var/lib/xen/images/beholder-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
- Create a disk image to serve as the server’s large data store (see our notes on platform virtualization) and name it /var/lib/xen/images/beholder-data.qcow.
- Write the following at /etc/xen/vm-beholder.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX with the VM’s MAC address):
name = "beholder"
memory = 1024
vcpus = 1
builder = "hvm"
vif = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk = [ "tap2:tapdisk:aio:/var/lib/xen/images/beholder-lede-17.01.1-x86-64-combined-ext4.img,xvda,w" ]
serial = "pty"
Software installation
Perform the following steps on Beholder:
- Set the root password by running passwd.
- Remove unnecessary packages:
opkg remove \
dnsmasq \
kmod-ppp \
kmod-pppoe \
kmod-pppox \
kmod-r8169 \
logd \
luci \
luci-app-firewall \
luci-base \
luci-lib-ip \
luci-lib-nixio \
luci-proto-ipv6 \
luci-proto-ppp \
luci-theme-bootstrap \
mtd \
odhcpd-ipv6only \
ppp \
ppp-mod-pppoe \
r8169-firmware \
uhttpd-mod-ubus \
uhttpd
- Configure networking by writing /etc/config/network:
config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0
config interface lan
	option ifname eth0
	option proto dhcp
- Install the necessary software:
opkg update
opkg install \
freifunk-watchdog \
snort \
softflowd \
syslog-ng \
zoneinfo-core \
zoneinfo-northamerica
- Install a public SSH key at /etc/dropbear/authorized_keys.
Configure the firewall
- /etc/config/firewall:
config defaults
	option drop_invalid 1
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT
config zone
	option name lan
	option network lan
	option input ACCEPT
	option output ACCEPT
	option forward DROP
Configure basic system settings
- /etc/config/system:
config system
	option hostname beholder.EXAMPLE.COM
	option timezone EST5EDT,M3.2.0,M11.1.0
config timeserver ntp
	list server 0.openwrt.pool.ntp.org
	list server 1.openwrt.pool.ntp.org
	list server 2.openwrt.pool.ntp.org
	list server 3.openwrt.pool.ntp.org
	option enabled 1
	option enable_server 0
- /etc/config/freifunk-watchdog:
config process
	option process dropbear
	option initscript /etc/init.d/dropbear
config process
	option process snort
	option initscript /etc/init.d/snort
- /etc/config/dropbear:
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'
Forwarding packets to the Snort host
Once Snort is running, you will want to forward a copy of network packets to the Snort host. The TEE target of netfilter can perform this work: it clones each matching packet and sends the clone to a gateway address, with the original source and destination addresses intact. Because the clones are not addressed to Beholder, Beholder must not route them back onto the network; the forward DROP policy in the lan zone of Beholder’s firewall configuration above takes care of that. To configure an OpenWrt router to forward a copy of each packet to the Snort host at beholder.EXAMPLE.COM, add the following to /etc/firewall.user on the router (replace BEHOLDER-IP with Beholder’s IP address; the ! -s and ! -d exclusions avoid cloning traffic that Beholder already sees directly):
iptables -t mangle -A INPUT ! -s BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP
iptables -t mangle -A OUTPUT ! -d BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP
iptables -t mangle -A FORWARD ! -d BEHOLDER-IP/32 ! -s BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP
Configuring Snort
- /etc/config/snort:
config snort snort
	option config_dir /etc/snort/etc/
	option alert_module alert_syslog
	option interface eth0
- Register with Snort, download the registered Snort rules from https://www.snort.org/downloads/registered/snortrules-snapshot-3000.tar.gz, and install them at /etc/snort/.
- Uncomment the appropriate rules in each file found in /etc/snort/rules/.
- Restart Snort, and test its functionality. One way to do this is to uncomment the NessusTest rule in /etc/snort/rules/snort3-server-webapp.rules and run wget http://webserver/NessusTest. Snort should log something like this: “SERVER-WEBAPP nessus 2.x 404 probe.”
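Once alerts are flowing to syslog, it helps to pull them out of the logread output mechanically rather than by eye. The following is an added example, not part of these notes or of Snort itself: it assumes the Snort 2.x alert_syslog line layout ("[gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src -> dst") and runs over a constructed sample log whose SIDs, revisions and classifications are illustrative.

```python
import re
from collections import Counter

# Snort alert_syslog lines as logread shows them on Beholder. The layout
# "[gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src -> dst"
# is assumed from Snort 2.x's alert_syslog output; ports are absent for ICMP.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line: str):
    """Return the alert's fields as a dict, or None for lines that are not Snort alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def summarize(log_text: str):
    """Parse a logread dump; return the alerts and a count of alerts per source host."""
    alerts = [a for a in (parse_alert(l) for l in log_text.splitlines()) if a]
    by_src = Counter(a["src"] for a in alerts)
    return alerts, by_src

# Constructed sample log; SIDs, revisions and classifications are illustrative.
SAMPLE_LOG = """\
Jan  1 00:00:01 beholder snort[1234]: [1:1226:8] SERVER-WEBAPP nessus 2.x 404 probe [Classification: Web Application Attack] [Priority: 2] {TCP} 192.0.2.10:49152 -> 192.0.2.20:80
Jan  1 00:00:02 beholder dropbear[555]: Child connection from 192.0.2.10:49153
Jan  1 00:00:03 beholder snort[1234]: [1:384:5] PROTOCOL-ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
"""

if __name__ == "__main__":
    alerts, by_src = summarize(SAMPLE_LOG)
    for a in alerts:
        print(f"sid {a['sid']} prio {a['prio']} {a['proto']} {a['src']} -> {a['dst']}: {a['msg']}")
    print(dict(by_src))
```

On Beholder, feed it the real log with logread piped into a small wrapper around summarize().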
Configuring softflowd
- /etc/config/softflowd (replace example.com with your domain):
config softflowd
	option enabled '1'
	option interface 'eth0'
	option pcap_file ''
	option timeout ''
	option max_flows '8192'
	option host_port 'golem.example.com:9995'
	option pid_file '/var/run/softflowd.pid'
	option control_socket '/var/run/softflowd.ctl'
	option export_version '5'
	option hoplimit ''
	option tracking_level 'full'
	option track_ipv6 '0'
	option sampling_rate '100'
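With export_version '5', what arrives at golem.example.com:9995 is a stream of NetFlow v5 UDP datagrams. The decoder below is an added example, not softflowd's code or part of these notes; it assumes the standard Cisco v5 layout (24-byte header, 48-byte records, big-endian) and builds its own constructed sample datagram so it runs offline.

```python
import struct
import socket

# NetFlow v5 wire format as documented by Cisco: a 24-byte header followed by
# up to 30 48-byte flow records, all fields big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def decode_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 export datagram into a header dict and a list of record dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header count exceeds datagram length")
    header = {"count": count, "sys_uptime_ms": sys_uptime, "unix_secs": unix_secs,
              "flow_sequence": flow_seq, "engine": (engine_type, engine_id),
              # top 2 bits hold the sampling mode, the low 14 bits the sampling interval
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = socket.inet_ntoa(rec[k])
        rec["duration_ms"] = rec["last"] - rec["first"]
        records.append(rec)
    return {"header": header, "records": records}

def build_v5(flows, sampling_interval=100, seq=0) -> bytes:
    """Pack (src, dst, sport, dport, proto, pkts, octets) tuples into a constructed v5 datagram."""
    body = b""
    for src, dst, sport, dport, proto, pkts, octets in flows:
        body += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                               0, 0, pkts, octets, 1000, 2500, sport, dport, 0,
                               0x18, proto, 0, 0, 0, 0, 0, 0)
    header = V5_HEADER.pack(5, len(flows), 60000, 1_700_000_000, 0, seq, 0, 0,
                            sampling_interval & 0x3FFF)
    return header + body

# Constructed sample: one HTTP flow and one DNS flow, as the router's TEE'd traffic might yield.
SAMPLE = build_v5([("192.0.2.10", "192.0.2.20", 49152, 80, 6, 12, 4321),
                   ("192.0.2.10", "192.0.2.53", 53000, 53, 17, 1, 64)])
```

Bind a UDP socket on port 9995 on the collector and pass each received datagram to decode_v5() to see the flows Beholder exports.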