NepenthesFE-Installation
From Emre´s Wiki
Installation
The following instructions outline the installation steps necessary on a Debian Linux system.
1. Install the required system tools and software
Apache, PHP, MySQL, UPX, file and GeoIP
apt-get install build-essential
apt-get install apache2
apt-get install libapache2-mod-php5
apt-get install php-pear
apt-get install mysql-server-5.0
apt-get install php5-mysql
apt-get install php5-mhash
apt-get install upx-ucl (optional)
apt-get install file (optional)
apt-get install geoip-bin (optional)
2. Install PHP bindings for RRDTool to have graphing functionality
apt-get install php5-dev
apt-get install rrdtool
apt-get install librrd2
apt-get install librrd2-dev
cd /usr/include/php5/ext
wget http://oss.oetiker.ch/rrdtool/pub/contrib/php_rrdtool.tgz
tar xfzvm php_rrdtool.tgz
rm php_rrdtool.tgz
cd rrdtool && phpize5
./configure --with-rrdtool=/usr --with-php-config=/usr/bin/php-config5
make && make install
echo "extension=rrdtool.so" >> /etc/php5/conf.d/rrdtool.ini
3. Install the required PEAR libraries
pear upgrade pear
pear channel-update pear.php.net
pear install MDB2
pear install MDB2#mysql
pear install Auth
pear install Log
pear install HTML_Template_IT
pear install Mail
pear install Mail_Mime
pear install Net_DNS
# installed via channel due to Beta status
pear install channel://pear.php.net/Net_GeoIP-1.0.0RC1
pear install Net_Socket
pear install Net_POP3
pear install Pager
pear install Net_SMTP
4. Adapt a couple of things
cp /usr/share/php/docs/Pager/examples/Pager_Wrapper.php /usr/share/php/Pager/
cd /usr/share/GeoIP && wget http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gunzip GeoLiteCity.dat.gz
5. Configure the database and import the schema
mysqladmin -u root -p create nepenthesfe
mysql -u root -p nepenthesfe < /path/to/NepenthesFE/schema.sql
Adapt /path/to/NepenthesFE/config.php to contain your database credentials
6. Activate required modules in /path/to/NepenthesFE/config.php
7. Adapt filesystem paths and server URL in /path/to/NepenthesFE/config.php
8. Configure modules in /path/to/NepenthesFE/modules/<module>.php (for details on the configuration of modules see below)
9. Add a cron job containing
*/5 * * * * wget -q -O /dev/null 'http://cron:cron@127.0.0.1/cron.php'
10. Make sure the folders
- /path/to/NepenthesFE/mw
- /path/to/NepenthesFE/images
- /path/to/NepenthesFE/rrd
have write permission for the webserver user
11. Log in to NepenthesFE. The default username and password are admin/admin.
You must now add a sensor (i.e. a nepenthes daemon). Please note that for sensor authentication to work, the username, password and source IP of the sensor must all match the values configured for that sensor.
Logging
The default loglevel is "PEAR_LOG_WARNING", i.e. you will not see much output in your logfile.
You might want to set this to "PEAR_LOG_DEBUG" if you need to troubleshoot.
Modules
Most modules need some sort of configuration:
bitdefender
- adapt the filesystem path to the "bdscan" executable if necessary (defaults to /opt/BitDefender-scanner/bin/bdscan)
- adapt the options used when executing "bdscan" if necessary (defaults to --files --arc --log=/var/log/bitdefender.log --append)
file
- adapt the filesystem path to the "file" executable if necessary (defaults to /usr/bin/file)
geoip
- adapt the path to your 'GeoLiteCity.dat' file if necessary (defaults to /usr/share/GeoIP/GeoLiteCity.dat)
objdump
- adapt the filesystem path to the "objdump" executable if necessary (defaults to /usr/bin/objdump)
- adapt the options used when executing "objdump" if necessary (defaults to -a -f -p -h)
strings
- adapt the filesystem path to the "strings" executable if necessary (defaults to /usr/bin/strings)
upx
- adapt the filesystem path to the "upx" executable if necessary (defaults to /usr/bin/upx)
- adapt the options used when executing "upx" if necessary (defaults to -t)
virustotal
- adapt "virustotal_sender" to contain your email address
- adapt "pop3_server" to contain your POP3 server
- adapt the POP3 credentials
- adapt the SMTP server to be used for sending mail
You might also wish to change "virustotal_recipient" to contain your own email address, so you can check whether the mail submissions work.
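A post-install sanity check that covers step 10 (folder write permissions) and the default module paths listed above, added here as an example; it is not part of NepenthesFE, and the script name and the environment-variable override names (BDSCAN, FILE_BIN, OBJDUMP, STRINGS, UPX, GEOIP_DB) are assumptions.

```shell
# nepenthesfe_check.sh: post-install sanity check (example added here, not part of NepenthesFE).
# Usage: sudo -u www-data sh nepenthesfe_check.sh /path/to/NepenthesFE
# Run it as the webserver user so the writability checks test that user's permissions.
# Tool paths default to the values listed above; the override variable names are hypothetical.

# check_file MODULE PATH TEST: succeeds if PATH is a regular file passing TEST (-x executable, -r readable)
check_file() {
    if [ -f "$2" ] && [ "$3" "$2" ]; then
        echo "ok       $1: $2"
    else
        echo "MISSING  $1: $2 (adapt the path in modules/$1.php or deactivate the module)"
        return 1
    fi
}

# check_writable DIR: succeeds if DIR exists and is writable by the current user
check_writable() {
    if [ -d "$1" ] && [ -w "$1" ]; then
        echo "ok       writable by $(id -un): $1"
    else
        echo "FAIL     not writable by $(id -un): $1"
        return 1
    fi
}

# run_checks BASE: runs every check against the NepenthesFE directory BASE; succeeds only if all pass
run_checks() {
    failed=0
    check_file bitdefender "${BDSCAN:-/opt/BitDefender-scanner/bin/bdscan}" -x || failed=$((failed + 1))
    check_file file        "${FILE_BIN:-/usr/bin/file}"                     -x || failed=$((failed + 1))
    check_file objdump     "${OBJDUMP:-/usr/bin/objdump}"                   -x || failed=$((failed + 1))
    check_file strings     "${STRINGS:-/usr/bin/strings}"                   -x || failed=$((failed + 1))
    check_file upx         "${UPX:-/usr/bin/upx}"                           -x || failed=$((failed + 1))
    check_file geoip       "${GEOIP_DB:-/usr/share/GeoIP/GeoLiteCity.dat}"  -r || failed=$((failed + 1))
    for d in mw images rrd; do
        check_writable "$1/$d" || failed=$((failed + 1))
    done
    echo "$failed check(s) failed"
    [ "$failed" -eq 0 ]
}

if [ $# -ge 1 ]; then run_checks "$1"; fi
```

A non-zero exit status means at least one module path or folder needs attention before the cron job is enabled.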
