Webserver install - Part 5 - Hardening IV. - Debian Lenny


This tutorial is part of The LAB project.


FWSNORT application layer intrusion detection

This section describes the installation and configuration of "fwsnort" a Snort rule based "application layer" intrusion detection. Fwsnort can be integrated with psad but rules hsould be carefully tested before installing them to a live environment. It downloads Snort rules and converts them to iptables rules. You can convert all rules, type of rules or one-by-one. You can just match traffic or do an active response at the same time.

To be on the safe side you should turn off active intrusion in psad to avoid trouble until you test the config. You can do this by setting "ENABLE_AUTO_IDS    N;" in the "/etc/psad/psad.conf" file (see the previous tutorial).


The first thing you should do is installing pre-requirements. The install script will need the package "make" from the debian repository. Don't forget to remove it when it is no further needed.

Change your user to root:

su -

Install "make" package:

aptitude install make

Install fwsnort

After this you can download and verify the fwsnort sources.

cd /usr/local/src
wget "http://www.cipherdyne.org/fwsnort/download/fwsnort-1.5.tar.gz"
wget "http://www.cipherdyne.org/fwsnort/download/fwsnort-1.5.tar.gz.md5"
md5sum -c fwsnort-1.5.tar.gz.md5

Unpack the sources:

tar xvzf fwsnort-1.5.tar.gz

Change directory to the source dir and install it:

cd /usr/local/src/fwsnort-1.5

The installer will ask to download the newest snort rules, say "Y" to this.

[+] Would you like to download the latest Snort rules from

The log file for fwsnort will be located here:


Tha main config file for fwsnort is located at /etc/fwsnort/fwsnort.conf. Edit it and change settings according to your needs.:

nano /etc/fwsnort/fwsnort.conf

I will only show here the settings I have changed for my environmnet but you should check all parameters before proceeding.

Set the HOME_NET parameter. In my case it will be the servers IP address. You can give it a full network if needed:


Some IP address should be ignored from checks. I put my desktop PC-s IP address here. You can leave this NONE:


You can BLACKLIST some IP addresses which will be blocked all the time.


Save the file and exit.


Enable the rules

Now we can convert the snort rules to iptables with the fwsnort program. There are several arguments that can be used here based on your needs:

Command line arguments:

  • --ipt-drop: drop malicious connections before they are forwarded to their target
  • --ipt-reject: reject malicious connections
  • --snort-conf path: read from a snort.conf file (snort can be installed on the same machine)
  • --snort-sids sid: translate only this sid - useful to deploy only one new rule
  • --include-type type: translate only from a single rule file
  • --ipt-list: display all active rules
  • --ipt-flush: remove all fwsnort rules from iptables
  • --no-ipt-sync: do not ignore rules that are already configured to be blocked by iptables
  • --restrict-intf intf: restrict rules to only this/these interface(s). example: eth0,eth1

Rules database can be manually updated with the following command:

fwsnort --update-rules

(An example command to convert only one rule which is identified by 2002763: "fwsnort --snort-sid 2002763 --ipt-reject")

Now I will convert all rules to iptables rules with the "fwsnort" command:


The rules can be imported into iptables with the "fwsnort.sh" command:


You can check the /var/log/messages for the activity of fwsnort. If it block something based on the snort signatures it will be displayed in it.

tail -f /var/log/messages

If everything is alright and you don't see any false blocks (blocked content which should not be blocked) you can enable the block in iptables and psad also. For this you have to remove the rules. Unfortunatelly it does not work with Lenny in my install, so I simply restore the basic iptables script we created in the previous tutorials and which is loaded at boot time.

iptables-restore < /etc/iptables.rules

Now we can finalize the fwsnort rules with active response (drop). Run the following command to convert the rules with drop:

fwsnort --ipt-drop

To apply the above rule to only one interface run the following command to convert the rules with drop:

fwsnort --ipt-drop --restrict-intf eth0

Update the iptables script with:


You can check the new rules with:

iptables -L

Enable boot time start

To automatically generate rules after reboot we have to create a script and enable it at boot time (it did not work perfectly when I inserted it the same way as the normal iptables rules so I have created a separate script). It will generate the iptables rules with the dropping way and appends it to the iptables. The "stop" part is not the default fwsnort mode because it did not work for me (fwsnort --Flush) so I restore the boot time iptables rules and restart psad (if you do not want to loose the rules you better enable IMPORT_OLD_SCANS).

Create a file for the script

 nano /etc/init.d/fwsnort

Copy the followings into the file

#! /bin/sh
# /etc/init.d/fwsnort
# Some things that run always
touch /var/lock/fwsnort
# Carry out specific functions when asked to by the system
case "$1" in
    echo "Starting script fwsnort"
    /usr/sbin/fwsnort --ipt-drop
    echo "Stopping script fwsnort and restore iptables with psad"
    #psad has to be installed and IMPORT_OLD_SCANS Y; has to be set to be effective.
    #could be better with just the follongs but did not work for me:
      #/usr/sbin/fwsnort --ipt-flush
    /etc/init.d/psad stop
    /sbin/iptables-restore /etc/iptables.rules
    /etc/init.d/psad start
    echo "Usage: /etc/init.d/fwsnort {start|stop}"
    exit 1
exit 0

Make the script executable

chmod 755 /etc/init.d/fwsnort

To make the rules effective after reboot add the rules to the startup scripts with the following command:

update-rc.d fwsnort defaults

Build a custom fwsnort rule

To build a custom snort-like rule create a file with the string we want to match. In this case it will be "Metasploit exploit DB update" and we want this from a remote server from the remote port 443 (update server). We will give the SID 900001 to this rule.

nano /etc/fwsnort/snort_rules/metasploit.rules

Insert the followings into the file:

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"Metasploit exploit DB update";
flow:established; content:"cacert@metasploit.com"; classtype:misc-activity;
sid:900001; rev:1;)

Run fwsnort to convert the rule to iptables rule:

fwsnort --snort-sid 900001 --ipt-reject

Update psad.conf to accept the rule:

cp /etc/fwsnort/snort_rules/metasploit.rules /etc/psad/snort_rules
echo "900001 4;" >> /etc/psad/snort_rule_dl

Restart psad service:

/etc/init.d/psad restart


Links: http://www.debian-administration.org/articles/28

Scripts: http://www.cipherdyne.org/LinuxFirewalls/

The BOOK: http://www.nostarch.com/firewalls_mr.htm


The next tutorial is: Webserver install - Part 6 - Hardening V. - Debian Lenny