Download Latest Version SSHCure_v2.4.1.tar.gz (424.8 kB)
Name                    Modified     Size
SSHCure_v2.4.1.tar.gz   2014-10-29   424.8 kB
SSHCure_v2.4.tar.gz     2014-06-27   422.7 kB
SSHCure_v2.4b4.tar.gz   2014-06-11   422.8 kB
SSHCure_v2.4b3.tar.gz   2014-06-06   422.7 kB
SSHCure_v2.4b2.tar.gz   2014-06-02   422.6 kB
SSHCure_v2.4b1.tar.gz   2014-05-19   422.0 kB
SSHCure_v2.3.4.tar.gz   2014-04-29   415.2 kB
SSHCure_v2.3.3.tar.gz   2014-04-09   416.7 kB
SSHCure_v2.3.2.tar.gz   2014-02-22   415.2 kB
SSHCure_v2.3.1.tar.gz   2014-01-22   415.8 kB
SSHCure_v2.3.tar.gz     2014-01-17   415.6 kB
SSHCure_v2.2.1.tar.gz   2013-11-01   391.0 kB
SSHCure_v2.2.tar.gz     2013-10-22   389.7 kB
SSHCure_v2.1.tar.gz     2013-06-09   385.0 kB
SSHCure_v2.0.tar.gz     2013-05-16   365.4 kB
SSHCure_v2.0b4.tar.gz   2013-05-07   363.7 kB
SSHCure_v2.0b3.tar.gz   2013-04-25   363.4 kB
SSHCure_v2.0b2.tar.gz   2013-04-23   363.2 kB
SSHCure_v2.0b1.tar.gz   2013-04-18   362.3 kB
SSHCure_v1.0.tar.gz     2012-05-30   303.0 kB
Totals: 20 items, 7.9 MB

SSHCure: A Flow-Based SSH Intrusion Detection System

Version:    2.4.1
Authors:    Luuk Hendriks
            Rick Hofstede, University of Twente <r.j.hofstede@utwente.nl>

--

The purpose of this readme is to provide a quick start guide for the installation and 
configuration of SSHCure for NfSen. More details and the in-depth motivation of the 
concepts can be found in the SSHCure manual.

1) Introduction

SSHCure is a flow-based SSH intrusion detection system and is available as a plugin 
for NfSen. For more details, the following resources are available:
    - [Website] http://sshcure.sf.net
    - [Mailing list] sshcure-discuss@lists.sourceforge.net

2) Installation instructions

SSHCure can be installed in a variety of ways (for notes on a version upgrade, 
check 2.5; for installation verification, check 2.6):

2.1) Requirements & dependencies

- A default system with the following installed:
    * NfSen
    * PHP 5.2.4 or newer
    * PHP modules:
        - mbstring
        - PDO SQLite v3
    * Perl modules:
        - DBI SQLite (Debian/Ubuntu: libdbd-sqlite3-perl; RHEL/CentOS: perl-DBD-SQLite)
        - JSON (Debian/Ubuntu: libjson-perl; RHEL/CentOS: perl-JSON)
        - LWP::UserAgent (Debian/Ubuntu: libwww-perl; RHEL/CentOS: perl-libwww-perl)
        - Net::IP (Debian/Ubuntu: libnet-ip-perl; RHEL/CentOS: perl-Net-IP)

- INVEA-TECH's FlowMon Probe (version >= 5.0) (http://www.invea-tech.com/products-and-services/flowmon/flowmon-probes)
- INVEA-TECH's FlowMon Collector (version >= 5.0) (http://www.invea-tech.com/products-and-services/flowmon/flowmon-collectors)

2.2) Automated tarball installation (latest stable, recommended)

- Download installation script:
    $ wget http://downloads.sourceforge.net/project/sshcure/install.sh
    $ chmod +x install.sh

- Install plugin:
    $ ./install.sh
    $ sudo /data/nfsen/bin/nfsen reload
        (path might differ, depending on your setup)

2.3) Manual tarball installation (latest stable)

- Download the tarball from the SourceForge repository:
    $ wget http://downloads.sourceforge.net/project/sshcure/source/SSHCure_v2.2.tar.gz

- Download MaxMind GeoLite City database:
    $ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
    
- Download MaxMind GeoLite City (IPv6) database:
    $ wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz

- Unpack installation package:
    $ tar zxf SSHCure_v2.2.tar.gz --directory=.

- Install plugin files:
    $ cp -r SSHCure/frontend/* /var/www/nfsen/plugins/
        (path might differ, depending on your setup)
    $ cp -r SSHCure/backend/* /data/nfsen/plugins/
        (path might differ, depending on your setup)
    $ gunzip -c GeoLiteCity.dat.gz > /var/www/nfsen/plugins/SSHCure/lib/MaxMind/GeoLiteCity.dat
        (path might differ, depending on your setup)
    $ gunzip -c GeoLiteCityv6.dat.gz > /var/www/nfsen/plugins/SSHCure/lib/MaxMind/GeoLiteCityv6.dat
        (path might differ, depending on your setup)

- Configure plugin (config/config.php):
    $ vi /var/www/nfsen/plugins/SSHCure/config/config.php
        (path might differ, depending on your setup)
        $config['nfsen.config-file'] = '/data/nfsen/etc/nfsen.conf';
            (path might differ, depending on your setup)

        $config['backend.path'] = '/data/nfsen/plugins/SSHCure/';
            (path might differ, depending on your setup)

- Enable plugin:
    $ vi /data/nfsen/etc/nfsen.conf
        (path might differ, depending on your setup; add the following entry to the @plugins list)
        [ 'live', 'SSHCure' ],

- Check file and directory permissions:
    - The backend directory (e.g. /data/nfsen/plugins/SSHCure) should (recursively) be owned by the user configured as $USER and group $WWWGROUP in nfsen.conf
    - The frontend directory (e.g. /var/www/nfsen/plugins/SSHCure) should (recursively) be owned by the group $WWWGROUP in nfsen.conf

- Start plugin:
    $ sudo /data/nfsen/bin/nfsen reload

2.4) SVN trunk installation (latest development version)
    $ wget http://svn.code.sf.net/p/sshcure/code/trunk/install-svn-trunk.sh
    $ chmod +x install-svn-trunk.sh
    $ ./install-svn-trunk.sh

2.5) Upgrading existing installation

When upgrading your SSHCure installation to a newer version, keep in mind that the 
configuration file (config/config.php) is not always compatible between versions. It is 
therefore very important to update the settings in the configuration file of the version 
you are upgrading to. Any of the installation methods discussed above can be used for the 
upgrade. If you use a method that is based on an installation script (i.e. the automated 
tarball installation (2.2) or the SVN trunk installation (2.4)), the script will 
automatically archive your existing SSHCure installation, including the configuration 
file. If you do a manual installation/upgrade, remember to archive your old installation 
yourself.

Besides backing up the configuration file, you can save the contents of the data folder
of SSHCure's backend (e.g. /data/nfsen/plugins/SSHCure/data/*) to preserve the previous
detections across the upgrade.
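As an added example (not part of SSHCure), a small pre-upgrade helper for the two points above: it archives the directories you name and lists the $config['...'] keys that differ between the old and the new config/config.php, so you can see which settings to carry over by hand. The paths in the usage comment follow the README's defaults; the location of the new config.php inside the unpacked tarball is an assumption derived from the cp commands in 2.3.

```shell
#!/bin/sh
# Pre-upgrade helper for SSHCure (added example, not part of the SSHCure project).
# It archives the directories you name (the frontend's config/ and the backend's
# data/ are the ones section 2.5 cares about) and lists the $config['...'] keys
# that differ between the old and the new config.php, so settings can be carried
# over by hand. Assumes config.php uses one "$config['key'] = ...;" per line.

# Names of the $config['key'] entries defined in a config.php, sorted and unique.
config_keys() {
    sed -n "s/^[[:space:]]*\\\$config\['\([^']*\)'].*/\1/p" "$1" | sort -u
}

# Keys in the old config.php ($1) that the new one ($2) no longer has, prefixed "-",
# followed by keys only in the new one, prefixed "+". Empty output: nothing to migrate.
config_key_diff() {
    old=$(mktemp); new=$(mktemp)
    config_keys "$1" > "$old"
    config_keys "$2" > "$new"
    comm -23 "$old" "$new" | sed 's/^/-/'
    comm -13 "$old" "$new" | sed 's/^/+/'
    rm -f "$old" "$new"
}

# Pack the directories given after $1 into $1/SSHCure-backup-<timestamp>.tar.gz
# and print the archive path.
archive_install() {
    out="$1/SSHCure-backup-$(date +%Y%m%d%H%M%S).tar.gz"; shift
    tar czf "$out" "$@" && echo "$out"
}

# Typical use before copying a new version over (README default paths; the new
# config.php location assumes the tarball unpacks to SSHCure/frontend/SSHCure/):
#   archive_install /root /var/www/nfsen/plugins/SSHCure/config /data/nfsen/plugins/SSHCure/data
#   config_key_diff /var/www/nfsen/plugins/SSHCure/config/config.php \
#                   SSHCure/frontend/SSHCure/config/config.php
```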

2.6) Installation verification

If you installed SSHCure using an installation script, the script will have told you
whether all the required Perl modules are present on your system. When you start/reload
NfSen after the installation of SSHCure, the following line will be logged to syslog if
the backend is working fine:

SSHCure: Init done

To find out whether the frontend is working properly, load NfSen, navigate to the
'Plugins' tab and click 'SSHCure'. If you see some (potentially) empty tables,
communication with the database is working fine. If, however, the processing messages
are still shown after waiting a couple of seconds, your system is missing the PHP PDO
SQLite module.
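An added example (not SSHCure's own code) that automates the checks from 2.1, 2.3 and 2.6: it reports Perl modules that fail to load, compares the ownership of the backend and frontend directories against $USER and $WWWGROUP from nfsen.conf, and looks for the 'SSHCure: Init done' line in syslog. It assumes find(1) with -user/-group; the nfsen.conf, plugin and syslog paths are arguments because they differ per system.

```shell
#!/bin/sh
# Post-install check for SSHCure on NfSen (added example, not part of the SSHCure
# project): required Perl modules (2.1), ownership rules for backend/frontend
# directories (2.3) and the "SSHCure: Init done" syslog line (2.6). Paths are
# arguments since they differ per setup; assumes find(1) -user/-group and a readable syslog.

# Required Perl modules that fail to load, one per line (empty output = all present).
missing_perl_modules() {
    for m in DBI DBD::SQLite JSON LWP::UserAgent Net::IP; do
        perl -M"$m" -e 1 2>/dev/null || echo "$m"
    done
}

# Value of a scalar such as  $USER = "netflow";  in nfsen.conf ($1 file, $2 name).
nfsen_conf_value() {
    sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | head -n 1
}

# Number of entries below $1 not owned by user $2 AND group $3 (backend rule).
not_owned_by_user_group() {
    find "$1" ! \( -user "$2" -group "$3" \) | wc -l | tr -d ' '
}

# Number of entries below $1 not owned by group $2 (frontend rule).
not_owned_by_group() {
    find "$1" ! -group "$2" | wc -l | tr -d ' '
}

# Succeeds if syslog file $1 contains the backend's start-up marker.
backend_initialised() {
    grep -q 'SSHCure: Init done' "$1"
}

# $1 nfsen.conf  $2 backend dir  $3 frontend dir  $4 syslog; returns 0 if all OK.
sshcure_check() {
    rc=0
    missing=$(missing_perl_modules)
    [ -z "$missing" ] || { echo "missing Perl modules:" $missing; rc=1; }
    user=$(nfsen_conf_value "$1" USER); group=$(nfsen_conf_value "$1" WWWGROUP)
    [ -n "$user" ] && [ -n "$group" ] || { echo "no \$USER/\$WWWGROUP in $1"; return 1; }
    [ "$(not_owned_by_user_group "$2" "$user" "$group")" -eq 0 ] ||
        { echo "backend $2: not everything owned by $user:$group"; rc=1; }
    [ "$(not_owned_by_group "$3" "$group")" -eq 0 ] ||
        { echo "frontend $3: not everything owned by group $group"; rc=1; }
    backend_initialised "$4" || { echo "no 'SSHCure: Init done' in $4"; rc=1; }
    return $rc
}

[ $# -eq 4 ] && sshcure_check "$@"
```

Run it with your own paths, e.g. sh sshcure-check.sh /data/nfsen/etc/nfsen.conf /data/nfsen/plugins/SSHCure /var/www/nfsen/plugins/SSHCure /var/log/syslog (on RHEL/CentOS the syslog file is /var/log/messages); a non-zero exit means one of the checks printed a problem.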

3) Using SSHCure

The first time you run SSHCure after an installation or upgrade, restart your Web 
browser and clear its cache (cookies, recent history, cache files, …). After that, 
open NfSen, navigate to the 'Plugins' tab and choose 'SSHCure'. Never call SSHCure 
directly by its URL, since it will then not be able to communicate properly with NfSen.

4) Support

For any questions or general technical support issues, please feel free to send an 
e-mail to <r.j.hofstede@utwente.nl> or to join the SSHCure mailing list:
sshcure-discuss@lists.sourceforge.net
Source: readme.txt, updated 2014-10-29