Rock64 SIEM using Graylog, Pi-Hole, and Wireless AP

Follow on twitter: https://twitter.com/initroott

In this article I’ll be providing a basic walkthrough of how to set up an Arm64/Aarch64 device such as the Rock64 as a secure Wifi AP with Pi-Hole DNS and an IDS. I’ve also added a SIEM solution using Graylog.

The purpose of the setup is to provide a secure and monitored wireless access point for devices in your home network. Unfortunately, pfSense is not yet fully compatible with the Arm64 architecture.

The end goal

Once you’ve completed the setup, you’ll have a secure wireless access point with an ad-blocking DNS and intrusion detection system for connected devices.

Requirements

In order to proceed you’ll need a few things.

  • Rock64
  • SD card, at least 32 GB Class 10
  • At least 300 Mbps USB Wifi adapter capable of AP mode

I’ve chosen the Rock64 purely based on its specifications. It’s a rather beefy device for its small form factor and perfectly able to manage the AP and IDS.

My Rock64 runs:

  • Rockchip RK3328 Quad-Core ARM Cortex A53 64-Bit Processor
  • 4GB 1600MHz LPDDR3 memory
  • Gigabit ethernet, USB3
  • 64GB Class 10 SD Card

At $45 it’s a steal compared to the new Raspberry Pi, which is in limited supply in my country.

Setup OS

I’ve elected to use the latest Armbian Debian Stretch OS version for my setup.

ARMBIAN 5.65 stable Debian GNU/Linux 9 (stretch) 4.4.162-rockchip64

Downloadable from https://www.armbian.com/rock64/.

Since I’m running Windows, the Etcher tool (https://www.balena.io/etcher) is my go-to image burner. Burn the Armbian OS image onto your SD card and then insert the card into your device.

Connect the device to your network using an Ethernet cable and SSH to the assigned IP address. The default credentials for Armbian are root:12345. Follow the user setup and password change. I’ve chosen to keep my default login as root and not create a new user account.

Setup network

Depending on your USB Wifi adapter, setting up the AP is easy using the Armbian config tool. To keep the tutorial short, make use of the config tool to set up your AP.

Refer to https://docs.armbian.com/User-Guide_Armbian-Config/#network.

$ armbian-config

Follow the on-screen tutorial and you’ll have a Wifi AP set up in no time. Alternatively refer to https://forum.pine64.org/showthread.php?tid=4383 for a great tutorial on how to do this manually. It’s important to note that on newer versions of Debian a USB Wifi adapter will not receive the wlan0 device name but a predictable name of the wlx* form, e.g. wlx801f02702d8f. Be sure to check this on your device during setup.

Setup DNS and DHCP

I’ve let Pi-Hole take care of my DNS and DHCP; this will also overwrite the settings made during the AP setup. Before you proceed, take note of your current network configuration for the Wifi interface: note the IP address and gateway.

$ ifconfig

You can setup Pi-Hole using the following commands:

$ git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
$ cd "Pi-hole/automated install/"
$ sudo bash basic-install.sh

During the setup, ensure you select the Wifi device as your primary networking device.

When asked to set up your DNS, I’ve elected for a custom setup and chosen 1.1.1.1 and 8.8.8.8 as my providers. I’ve also only selected IPv4 and deselected the IPv6 address space.

Next select the IP range in line with your network setup. When prompted for the IP address setup, select NO and proceed to enter the IP address assigned to your wifi device.

Complete the setup process and write down your password. Next we need to disable the DHCP configuration created during the AP setup.

$ sudo nano /etc/dhcpcd.conf

Remove the DHCP setup for the wifi networking device. This should be near the last few lines in the configuration file.

Log in to your Pi-Hole administrator interface by browsing to the IP. Proceed to Settings and then DHCP. Enable the DHCP server and save the settings. Customise to your liking.

Now is a perfect time to restart the server to ensure all settings have been applied. Once completed, you’ll have Pi-Hole managing DNS for any devices connected to the AP. If you run into any issues, this blog also provides a great tutorial: https://qiita.com/mt08/items/ea3a5357c0c9c4ae121b.

Snort Setup

If you can connect to your AP and the administrative portal shows DNS requests being blocked, you can proceed.

Snort is a brilliant IDS which has been around since 1998. It’s lightweight and free, perfect for our current setup. To start the setup process, install the following dependencies and then Snort itself.

$ sudo apt-get install libpcre3 libpcre3-dev libpcap-dev libdumbnet-dev bison flex
$ sudo apt-get install snort

We then install the latest Snort rules.

$ wget https://www.snort.org/downloads/community/community-rules.tar.gz
$ tar -xvf community-rules.tar.gz
$ cd community-rules
$ sudo cp community.rules /etc/snort/rules/

Test your Snort setup using the below command. You want to see that the configuration files have been validated successfully.

$ sudo snort -T -c /etc/snort/snort.conf

If the test passes, we need to modify the Snort service to run on our wireless interface. The command below will start capturing, however, we also need to ensure this runs at startup by default.

$ sudo snort -D -i wlx801f02702d8f -c /etc/snort/snort.conf

Modify the default Snort service file’s ExecStart to correspond with the required runtime variables. Ensure you change the -i wireless device to your Wifi interface name.

$ sudo nano /lib/systemd/system/snort.service

[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
# No -D here: with Type=simple systemd supervises the process itself, so Snort must stay in the foreground
ExecStart=/usr/sbin/snort -i wlx801f02702d8f -c /etc/snort/snort.conf
[Install]
WantedBy=multi-user.target

This will ensure that your Snort instance always starts capturing on the wireless network. The log file and process list will confirm that Snort is working.

$ tail /var/log/snort/snort.log

$ ps -ef | grep snort

Monitoring

To monitor the Snort activity we make use of the Graylog centralised log management solution. Graylog relies on MongoDB and Elasticsearch, and we feed it via rsyslog.

Elasticsearch

We start with the Elasticsearch setup. Ensure you have Java 1.8 installed.

$ sudo apt-get install oracle-java8-jdk
$ sudo apt-get update

Luckily Elasticsearch supports the aarch64/arm64 architecture and we can use the .deb file to install.

$ sudo wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.5.2.deb
$ sudo dpkg -i elasticsearch-5.5.2.deb

You can opt for a later version, however, note that if you’re trying Graylog version 3, which I am running, elastic < 6.0 is not supported yet. Set up the Elasticsearch instance by modifying the configuration file as follows:

$ sudo nano /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog
network.host: 127.0.0.1
http.port: 9200

Modifying only these three parameters is sufficient for the setup; proceed to start Elasticsearch.

$ sudo service elasticsearch start

$ sudo service elasticsearch status

$ curl -XGET http://127.0.0.1:9200

root@rock64:~# curl -XGET http://127.0.0.1:9200
{
"name" : "tT0GXgI",
"cluster_name" : "graylog",
"cluster_uuid" : "N32_bi6DTDSmrntdsDGWBg",
"version" : {
"number" : "5.5.2",
"build_hash" : "b2f0c09",
"build_date" : "2017-08-14T12:33:14.154Z",
"build_snapshot" : false,
"lucene_version" : "6.6.0"
},
"tagline" : "You Know, for Search"
}

Elasticsearch should return a response similar to mine when you curl the address.

MongoDB

Mongo can be installed from the default Armbian repository.

$ apt-get install mongodb

Confirm the installation by checking the mongo shell version.

root@rock64:~# mongo -version
MongoDB shell version: 3.2.11

Graylog

Unfortunately the Graylog installation packages do not support the aarch64/arm64 architecture. Therefore, we install from the generic tarball.

If you run into any trouble following my steps you can also refer to:

http://docs.graylog.org/en/2.2/pages/configuration/elasticsearch.html#configuring-es
http://www.iasptk.com/installing-graylog2-ubuntu-12-04-source/

Download the latest Graylog tarball into the /opt/ folder and extract it. We then modify the configuration file to point at Elasticsearch and MongoDB.

$ cd /opt
$ wget https://downloads.graylog.org/releases/graylog/graylog-3.0.0-beta.2.tgz -O graylog-server.tar.gz
$ sudo tar -xf graylog-server.tar.gz
$ sudo mv /opt/graylog-3.0.0-beta.2 /opt/graylog-server
$ sudo rm graylog-server.tar.gz

Copy the example configuration file and make the outlined changes. You can follow the Graylog guide to generate the password secret and the root password hash. Set the HTTP bind address to the IP you will reach the web interface on, e.g. the Wifi IP address; Elasticsearch and MongoDB stay on their local defaults.

http://docs.graylog.org/en/3.0/pages/installation/manual_setup.html.

$ sudo mkdir -p /etc/graylog/server
$ sudo cp /opt/graylog-server/graylog.conf.example /etc/graylog/server/server.conf

is_master = true
password_secret = XXXXXX
root_password_sha2 = XXXXXXXX
# set the timezone accordingly (the config format does not allow comments after a value)
root_timezone = Africa/Johannesburg
http_bind_address = 10.0.0.1:9000
http_external_uri = http://10.0.0.1:9000/
elasticsearch_index_prefix = graylog
plugin_dir = /opt/graylog-server/plugin

With the setup completed you can run Graylog using the .jar file.

$ cd /opt/graylog-server
$ sudo java -jar graylog.jar server

You should see your Graylog instance starting; this may take up to 5 minutes. If you’re connected to the wireless AP you can browse to the administrative console at http://10.0.0.1:9000.

Log in using the credentials you set up and you should have a running Graylog instance after a few minutes. Keep an eye on the console for any errors and debug from there; the instance should detect MongoDB and Elasticsearch without any hassle.

If everything is running perfectly, we need to create a systemd launcher for Graylog. Cancel the Java instance with Ctrl+C, which gracefully quits the running instance.

$ sudo nano /usr/lib/systemd/system/graylog.service

Paste the following into the file.

[Unit]
Description=Graylog Service Daemon
# Graylog needs MongoDB and Elasticsearch up before it starts
After=network.target mongodb.service elasticsearch.service
[Service]
ExecStart=/usr/bin/java -jar /opt/graylog-server/graylog.jar server
User=root
[Install]
WantedBy=multi-user.target

Save the file and run the Graylog instance using Systemd.

$ sudo systemctl enable graylog

$ sudo systemctl start graylog

$ sudo systemctl status graylog

By now Graylog should be running perfectly. Next we need to feed our Snort output into Graylog.

Graylog and Snort

With the below setup I utilise rsyslog to forward snort logs to Graylog.

Graylog provides an adequate guide on their blog https://www.graylog.org/post/visualize-and-correlate-ids-alerts-with-open-source-tools.

For a total beginner, this might be daunting at first. I’ll therefore summarise the changes with specific notes on what helped me.

Modify the Snort config (the same file tested earlier, not the Graylog one) to send alerts via syslog.

$ sudo nano /etc/snort/snort.conf

Add the following line:

output alert_syslog: LOG_LOCAL5 LOG_ALERT

This is sufficient to ensure that Snort sends logs. You can verify by using tail; you should see entries from Snort appearing.

$ sudo tail /var/log/syslog

The next step is to send the logs from Syslog to Graylog. Modify the rsyslog configuration and add the forwarder as shown below. This will forward the logs to port 5140.

$ sudo nano /etc/rsyslog.conf

*.* @127.0.0.1:5140;RSYSLOG_SyslogProtocol23Format

Restart rsyslog and check that the service is running.

$ sudo service rsyslog restart
$ netstat -alnp | grep 5140

If the service is running, you need to add it as an input in Graylog. Log in to the Graylog web interface and add the input, e.g. Syslog UDP. Take note that I’ve made sure to use port 5140 and not 514.

In a few minutes you’ll see the messages arrive. Next is parsing the messages. I’ve elected to use the extractor provided here: https://github.com/jhaar/mygraylog-patches-extractor-snort

You can click on Manage Extractors, Actions, Import.

Paste the extractor code from the Git repository and Graylog will parse the results. Your extractor page should end up looking like mine.
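The Snort lines that rsyslog hands to Graylog have a fixed shape, and the extractor does its work with regular expressions over that shape. As an added example, not code from this post or from the extractor repository, the Python below parses constructed sample syslog lines (the alerts and the interface name are made up) into signature, classification, priority, protocol and endpoint fields and summarises them the way a dashboard widget would; it handles ICMP alerts, which carry no ports, and skips lines that are not Snort alerts.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines in the shape that Snort's alert_syslog output
# produces once rsyslog has written them (not captures from the post).
SAMPLE_SYSLOG = """\
Jan 10 12:34:56 rock64 snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.20:51234
Jan 10 12:35:01 rock64 snort[1234]: [1:1000001:1] LOCAL ping from lan [Priority: 3] {ICMP} 10.0.0.20 -> 10.0.0.1
Jan 10 12:35:02 rock64 snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.21:44100
Jan 10 12:35:05 rock64 dhcpcd[800]: wlx801f02702d8f: carrier acquired
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# [gid:sid:rev] message [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Z0-9]+)\} "
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))? -> "
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line.rstrip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("pid", "gid", "sid", "rev", "priority", "sport", "dport"):
        # ICMP alerts carry no ports, so sport/dport stay None
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def summarise(text: str) -> dict:
    """Aggregate parsed alerts by signature and source, like a dashboard widget."""
    alerts = [a for a in (parse_alert(l) for l in text.splitlines()) if a]
    return {
        "alerts": len(alerts),
        "by_signature": Counter((a["gid"], a["sid"], a["msg"]) for a in alerts),
        "sources": sorted({a["src"] for a in alerts}),
        # Snort priority 1 is the most severe; treat 1 and 2 as worth a look
        "high_priority": [a for a in alerts if a["priority"] <= 2],
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_SYSLOG)
    print(summary["alerts"], "alerts;", dict(summary["by_signature"]))
```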

And that is the complete setup.

Improvements

The solution isn’t perfect: I still need to manage the log retention and complete the dashboard. Another addition would be to send the DNS logs to Graylog as well. I’m open to any further suggestions. If you’re using a later version of Graylog, I’ve created a content pack for version 3 for DNS. This includes all the rules and GROK patterns; download it here: https://github.com/FransHBotes/Graylog-DNS.

The tutorial below outlines a great way to implement threat intelligence with DNS logs, and my implementation is based on it: https://jalogisch.de/2017/der-eigene-dns-resolver-zuhause/
