The Beholder multi-function server

This document describes how to build Beholder, a multi-function server. Beholder runs on commodity router hardware and provides a number of features:

We build Beholder on top of OpenWrt because of the distribution's simplicity and small size. Beholder is made up of roughly 90 packages, and its programs and configurations take up less than 40 MB of storage space. Here we assume that Beholder will run within the confines of a Xen hypervisor.

Establish the Beholder VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host Beholder:

  1. Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
  2. Uncompress the image and place it at /var/lib/xen/images/beholder-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
  3. Create a disk image to serve as the server's large data store (see our notes on platform virtualization) and name it /var/lib/xen/images/beholder-data.qcow.
  4. Write the following at /etc/xen/vm-beholder.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):
    name    = "beholder"
    memory  =  1024
    vcpus   =  1
    builder = "hvm"
    vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
    disk    = [ "tap2:tapdisk:aio:/var/lib/xen/images/beholder-lede-17.01.1-x86-64-combined-ext4.img,xvda,w" ]
    serial  = "pty"
    

Software installation

Perform the following steps on Beholder:

  1. Set the root password: passwd.
  2. Remove unnecessary packages:
    opkg remove \
            dnsmasq \
            kmod-ppp \
            kmod-pppoe \
            kmod-pppox \
            kmod-r8169 \
            logd \
            luci \
            luci-app-firewall \
            luci-base \
            luci-lib-ip \
            luci-lib-nixio \
            luci-proto-ipv6 \
            luci-proto-ppp \
            luci-theme-bootstrap \
            mtd \
            odhcpd-ipv6only \
            ppp \
            ppp-mod-pppoe \
            r8169-firmware \
            uhttpd-mod-ubus \
            uhttpd
    
  3. Configure networking by writing /etc/config/network:
    config interface loopback
    	option ifname lo
    	option proto static
    	option ipaddr 127.0.0.1
    	option netmask 255.0.0.0
    
    config interface lan
    	option ifname eth0
    	option proto dhcp
    
  4. Install the necessary software:
    opkg update
    opkg install \
            snort \
            freifunk-watchdog \
            syslog-ng \
            zoneinfo-core \
            zoneinfo-northamerica
    
  5. Install a public SSH key at /etc/dropbear/authorized_keys.

Configure the firewall

  1. /etc/config/firewall:
    config defaults
            option drop_invalid 1
            option input ACCEPT
            option output ACCEPT
            option forward ACCEPT
    
    config zone
            option name lan
            option network lan
            option input ACCEPT
            option output ACCEPT
            option forward DROP
    

Configure basic system settings

  1. /etc/config/system:
    config system
            option hostname beholder.EXAMPLE.COM
            option timezone EST5EDT,M3.2.0,M11.1.0
    
    config timeserver ntp
            list server     0.openwrt.pool.ntp.org
            list server     1.openwrt.pool.ntp.org
            list server     2.openwrt.pool.ntp.org
            list server     3.openwrt.pool.ntp.org
            option enabled 1
            option enable_server 0
    
  2. /etc/config/freifunk-watchdog:
    config process
            option process dropbear
            option initscript /etc/init.d/dropbear
    
    config process
            option process snort
            option initscript /etc/init.d/snort
    
  3. /etc/config/network:
    config interface loopback
            option ifname lo
            option proto static
            option ipaddr 127.0.0.1
            option netmask 255.0.0.0
    
    config interface lan
            option ifname eth0
            option proto dhcp
    
  4. /etc/config/dropbear:
    config dropbear
            option PasswordAuth 'off'
            option RootPasswordAuth 'off'
            option Port         '22'
    

Forwarding packets to Snort host

Once Snort is running, you will want to forward a copy of network packets to the Snort host. The TEE target of netfilter can perform this work. To configure an OpenWrt router to forward a copy of each packet to the Snort host at beholder.EXAMPLE.COM, add the following to /etc/firewall.user on the router (replace BEHOLDER-IP):

iptables -t mangle -A INPUT  ! -s BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP
iptables -t mangle -A OUTPUT ! -d BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP
iptables -t mangle -A FORWARD ! -d BEHOLDER-IP/32 ! -s BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP

Configuring Snort

  1. /etc/config/snort:
    config snort snort
    	option config_dir /etc/snort/etc/
    	option alert_module alert_syslog
    	option interface eth0
    
  2. Register with Snort, download the registered Snort rules from https://www.snort.org/downloads/registered/snortrules-snapshot-3000.tar.gz, and install them at /etc/snort/.
  3. Uncomment the appropriate rules in each file found in /etc/snort/rules/.
  4. Restart Snort, and test its functionality. One way to do this is to uncomment the NessusTest rule in /etc/snort/rules/snort3-server-webapp.rules and run wget http://webserver/NessusTest. Snort should log something like this: “SERVER-WEBAPP nessus 2.x 404 probe.”
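With alert_module set to alert_syslog as above, Snort writes one line per alert into the system log, alongside every other daemon's messages. The following Python is an added example (not code from this page, nor from the Snort or OpenWrt projects) that parses that alert_syslog line format and counts alerts per rule, which is how you would confirm that the NessusTest check above actually produced an alert. The sample log, its SIDs, hostnames and addresses are constructed; the parser assumes IPv4 addresses.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One line as Snort's alert_syslog module writes it; Classification/Priority are optional.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?)"
    r"(?: \[Classification: (?P<cls>[^\]]+)\])?(?: \[Priority: (?P<prio>\d+)\])?"
    r" \{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)\s*$"
)

@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src: str
    sport: Optional[int]  # None for ICMP, which carries no ports
    dst: str
    dport: Optional[int]

def _endpoint(ep: str):
    # "host:port" for TCP/UDP, bare host for ICMP; assumes IPv4 (IPv6 itself has colons).
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)

def parse_alert(line: str) -> Optional[Alert]:
    m = ALERT_RE.search(line)
    if not m:  # a line from another daemon (syslog-ng interleaves them) or not an alert
        return None
    src, sport = _endpoint(m["src"])
    dst, dport = _endpoint(m["dst"])
    return Alert(int(m["sid"]), m["msg"], m["cls"], int(m["prio"]) if m["prio"] else None,
                 m["proto"], src, sport, dst, dport)

def parse_log(text: str) -> List[Alert]:
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]

def summarize(alerts: List[Alert]) -> Counter:  # alert count per (sid, msg)
    return Counter((a.sid, a.msg) for a in alerts)

# Constructed sample syslog excerpt (made-up SIDs and addresses; nessus message from this page).
SAMPLE_LOG = """\
Jun  5 12:00:01 beholder snort[1234]: [1:1000001:1] SERVER-WEBAPP nessus 2.x 404 probe [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51234 -> 192.0.2.20:80
Jun  5 12:00:02 beholder snort[1234]: [1:1000001:1] SERVER-WEBAPP nessus 2.x 404 probe [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51235 -> 192.0.2.20:80
Jun  5 12:00:03 beholder snort[1234]: [1:1000002:1] ICMP echo request [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.20
Jun  5 12:00:04 beholder syslog-ng[321]: Configuration reload request received
"""
```

Feed it the real log instead of SAMPLE_LOG and `summarize(parse_log(...)).most_common()` shows which rules fire most, with the nessus probe entry confirming the wget test.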
Email: www@flyn.org — ✉ 6110 Campfire Court; Columbia, Maryland 21045; USA