AlienVault Server Hosting

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Looking to setup your first AlienVault server? Look no further.

Sometimes people prefer hosting on their own prem (premise, or plural premises). If you want to do that, then go ahead and just mount the ISO and install as normal.

If you are simply looking for a remote server hosting provider to install your AlienVault OSSIM (or other appliance) on, I have some solid recommendations for you!

You can use Kimsufi for cheap servers that just work: https://www.kimsufi.com/us/en/servers.xml

So you Start has affordable deals and sometimes sales on their servers: https://www.soyoustart.com/us/essential-servers/

When selecting between hard and solid-state drives, you have to consider whether you want longer term storage of logs or the ability to quickly search logs. If you want longer term storage and overall more storage space, of course select the SATA storage plan. If you just want to get logs going and to be able to search through them quickly, I would opt for SSD. You can always consider adding more storage later.

Lastly, if you want to get a beefier server, then I would strongly urge you to consider OVH as a hosting provider; their server pricing may be found here: https://www.ovh.com/world/dedicated-servers/prices/

If you are considering running inside Proxmox, consider reading up here: https://success.alienvault.com/s/question/0D50Z00008oGt5E/not-finish-installation-ossim-543

Otherwise, on the above hosting providers you may be able to mount your AlienVault ISO and install: https://docs.ovh.com/gb/en/dedicated/use-ipmi-dedicated-servers/

OVH has a budget offering called So you Start. If you want to install an operating system that is not covered by the automatic installation, or want to encrypt your server, or install Linux with ZFS on root, you can't use the provided installation mechanism. You can order a KVM over IP for additional cost to do the installation, or you can follow the following steps to run the installation under Qemu/KVM. I took them from this forum entry; if you want to know more about it, then click to read more:

Code:
# Check whether RAID devices are present and stop them
cat /proc/mdstat
mdadm --stop /dev/md0
mdadm --stop /dev/md1

# Second step is to get rid of the network drives, because they are read-only:
# copy the needed trees into a tmpfs and bind-mount the copies over the originals
mount -t tmpfs -o size=6000m tmpfs /mnt # use 6GB of memory as temp - adjust as needed
mkdir -p /mnt/var/cache /mnt/var/lib /mnt/var/run /mnt/usr /mnt/lib
rsync -a /var/cache/ /mnt/var/cache/
rsync -a /var/lib/ /mnt/var/lib/
rsync -a /var/run/ /mnt/var/run/
rsync -a /usr/ /mnt/usr/
rsync -a /lib/ /mnt/lib/
mount -B /mnt/var/cache /var/cache
mount -B /mnt/var/lib /var/lib
mount -B /mnt/var/run /var/run
mount -B /mnt/usr /usr
mount -B /mnt/lib /lib   # bind the copied /lib as well, otherwise the rsync above is wasted

# Update your system
apt-get -y update
apt-get -y --force-yes upgrade

# Install qemu + kvm
apt-get -y install qemu kvm

Now that we have KVM installed, we can fetch, for example, an Ubuntu 14.04 image and do the installation from there.
Code:
wget http://releases.ubuntu.com/14.04.1/ubuntu-14.04.1-desktop-amd64.iso

Now we start kvm with vnc support and do the installation from there:
Code:
qemu-system-x86_64 -net nic -net user,hostfwd=tcp::80-:80 -m 2047M -alt-grab -localtime -enable-kvm -cpu kvm64,+nx -smp 2 -usbdevice tablet -k en-us -cdrom ubuntu-14.04.1-desktop-amd64.iso -hda /dev/sda -hdb /dev/sdb -vnc 127.0.0.1:0

The VNC server will listen on localhost only, so that no one else can access it. You need to tunnel through to it with SSH.

This is also helpful to start your server under KVM, to fix any boot issues you might have.

Code:
vncviewer -geometry 1024x768 -via root@myIPaddress localhost:0

Some folks claim TigerVNC works, while RealVNC may not.

If anyone needs help getting any of this to work, let me know ;)
 

Asphyxia

Once AlienVault is installed, you will be prompted as follows:

[screenshots of the initial setup prompts]

If you click scan networks, you may want to remove the default setup as this will scan 1,024 (I think) IP addresses around your current one.

Instead, you can specify your own IP addresses, assets, or import from a list (CSV).


Deploying the HIDS agent will push OSSEC to remote systems.


If you have scanned and then added systems, you will notice that log management should work; I did not scan systems in step 2 (asset discovery).


You can gain access to several threat indicators via OTX; definitely check into this if you want to see threats identified throughout your traffic.
 

Asphyxia

Comparing two different AlienVault builds:
First build: this one has many tens of servers being monitored.

Second build: this one is literally only monitoring itself.


Notice the CPU/RAM/SWAP difference!!


And for a fully configured server, this is the traffic flow, and you can see gateway/DNS are both set.

DNS could be your own local name server resolving, like 0.0.0.240 or whatever IP you are using for resolving names. ;)

Inverting the colors looks very damn cool btw.
 

Asphyxia

You can immediately notice the SSH failures:
[screenshot of SSH failure events]

This is rather typical; bot attacks on port 22 crawl through IPv4 daily, heh. This is why honeypots are likely so fun!! :D
 

Asphyxia

How a hosting provider seems to have deployed AlienVault (it uses VMware):
Code:
wtmp begins Tue Feb 18 23:06:15 2020
alienvault:~# history
    1  2020-02-18 23:44:18 ls
    2  2020-02-18 23:44:19 htop
    3  2020-02-18 23:44:32 ifconfig
    4  2020-02-18 23:44:39 ping 1.1.1.1
    5  2020-02-18 23:46:14 ping .52.144.47.254
    6  2020-02-18 23:46:57 service network status
    7  2020-02-18 23:47:28 cat /etc/*rel*
    8  2020-02-18 23:48:13 nano /etc/network/interfaces
    9  2020-02-18 23:49:37 nano /etc/network/interfaces
   10  2020-02-18 23:50:04 service networking restart
   11  2020-02-18 23:50:07 ifconfig
   12  2020-02-18 23:50:13 ip address
   13  2020-02-18 23:50:16 ping 1.1.1.1
   14  2020-02-18 23:50:58 exit
   15  2020-02-18 23:55:57 cd /media
   16  2020-02-18 23:55:58 ls
   17  2020-02-18 23:56:01 cd cdrom
   18  2020-02-18 23:56:01 ls
   19  2020-02-18 23:56:03 cd ..
   20  2020-02-18 23:56:03 ls
   21  2020-02-18 23:56:07 ls /dev
   22  2020-02-18 23:56:23 mount /dev/cdrom cdrom
   23  2020-02-18 23:56:26 ls
   24  2020-02-18 23:56:28 cd cdrom
   25  2020-02-18 23:56:29 ls
   26  2020-02-18 23:56:50 cp VMwareTools-10.3.5-10430147.tar.gz /tmp
   27  2020-02-18 23:56:55 cd ..
   28  2020-02-18 23:56:56 ls
   29  2020-02-18 23:57:01 umount /dev/cdrom
   30  2020-02-18 23:57:03 cd /tmp
   31  2020-02-18 23:57:03 ls
   32  2020-02-18 23:57:08 tar -xvf VMwareTools-10.3.5-10430147.tar.gz
   33  2020-02-18 23:57:13 ls
   34  2020-02-18 23:57:16 cd vmware-tools-distrib/
   35  2020-02-18 23:57:17 ls
   36  2020-02-18 23:57:21 ./vmware-install.pl
   37  2020-02-19 04:58:34 reboot

Code:
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
cat: /etc/prelude: Is a directory

Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
   address 52.144.47.143
   netmask 255.255.252.0
   network 52.144.44.0
   gateway 52.144.47.254
   broadcast 52.144.47.255
   up ip link set $IFACE promisc on
   down ip link set $IFACE promisc off

And that is that..
 

Asphyxia

Attached is a SIEM report courtesy of the free OSSIM solution; you can see the attacks targeting SSH primarily originate from China.

Top 10 attackers:
  • 222.186.15.91
  • 221.228.72.222
  • 222.186.175.23
  • 222.186.180.142
  • 222.186.31.166
  • 222.186.42.75
  • 222.186.30.76
  • 222.186.42.7
  • 222.186.30.57
  • 222.186.42.155
It would appear the largest attacker is CHINANET jiangsu province network (cn.net).

Also keep in mind AlienVault hopes to sell to you by making features richer in their premium product.


USM Appliance is where you can spend your money for functionality like generating custom reports. Although OSSIM just gets the job done if you simply need a server up and running to monitor!
 

Attachments

  • 20204918172-siem_report.pdf (42.9 KB)

Asphyxia

Let's say your DNS is broken because these clowns did not properly setup the server:
Code:
Starting Nmap 7.30 ( https://nmap.org ) at 2020-02-19 14:06 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.24 seconds

How about we go with:
Code:
nano /etc/resolv.conf

We see nothing at all; well, no shit, Sherlock, we have no DNS.

Let's proceed to use Google's, I guess:
Code:
nano /etc/resolvconf/resolv.conf.d/base

Time to input the entries:
Code:
nameserver 8.8.8.8
nameserver 8.8.4.4

Save this file and close!

Code:
sudo resolvconf -u

Pinging and nmapping stuff should now work.
 

Asphyxia

Also, the above applies if:
Code:
alienvault:/media/cdrom# echo just testing! | nc termbin.com 9999
termbin.com: forward host lookup failed: Host name lookup failure : Resource temporarily unavailable
 

Asphyxia

Code:
IP ADDRESS       | OTX | SENSOR                     | EVENTS SRC # | UNIQUE EVENTS SRC | UNIQUE SRC CONTACTED | EVENTS DST # | UNIQUE EVENTS DST | UNIQUE DEST CONTACTED
0.0.0.0          | N/A | alienvault - 52.144.47.143 | 18           | 20                | 26                   | 1            |                   |
                 | N/A | alienvault - 52.144.47.143 | 385          | 11                | 0                    | 0            | 0                 | 1
177.38.46.16     | N/A | alienvault - 52.144.47.143 | 312          | 11                | 0                    | 0            | 0                 | 1
                 | N/A | alienvault - 52.144.47.143 | 33           | 7                 | 0                    | 0            | 0                 | 1
                 | N/A | alienvault - 52.144.47.143 | 33           | 7                 | 0                    | 0            | 0                 | 1
222.186.180.130  | N/A | alienvault - 52.144.47.143 | 33           | 7                 | 0                    | 0            | 0                 | 1
                 | N/A | alienvault - 52.144.47.143 | 22           | 7                 | 0                    | 0            | 0                 | 1
                 | N/A | alienvault - 52.144.47.143 | 22           | 7                 | 0                    | 0            | 0                 | 1
222.186.31.135   | N/A | alienvault - 52.144.47.143 | 22           | 7                 | 0                    | 0            | 0                 | 1
222.186.31.83    | N/A | alienvault - 52.144.47.143 | 22           | 7                 | 0                    | 0            | 0                 | 1
222.186.30.167   | N/A | alienvault - 52.144.47.143 | 22           | 7                 | 0                    | 0            | 0                 | 1
14.160.70.118    | N/A | alienvault - 52.144.47.143 | 12           | 5                 | 0                    | 0            | 0                 | 1
                 | N/A | alienvault - 52.144.47.143 | 11           | 7                 | 0                    | 0            | 0                 | 1
                 | N/A | alienvault - 52.144.47.143 | 11           | 7                 | 0                    | 0            | 0                 | 1
222.186.30.248   | N/A | alienvault - 52.144.47.143 | 11           | 7                 | 0                    | 0            | 0                 | 1
222.186.30.218   | N/A | alienvault - 52.144.47.143 | 11           | 7                 | 0                    | 0            | 0                 | 1
222.186.30.187   | N/A | alienvault - 52.144.47.143 | 11           | 7                 | 0                    | 0            | 0                 | 1
                 | N/A | alienvault - 52.144.47.143 | 11           | 7                 | 0                    | 0            | 0                 | 1
170.80.227.125   | N/A | N/A                        | 6            | 3                 | 0                    | 0            | 0                 | 1
                 | N/A | alienvault - 52.144.47.143 | 5            | 4                 | 0                    | 0            | 0                 | 1
                 | N/A | N/A                        | 5            | 2                 | 0                    | 0            | 0                 | 1
                 | N/A | alienvault - 52.144.47.143 | 2            | 2                 | 0                    | 0            | 0                 | 1
0.0.0.0          | N/A | N/A                        | 1            | 1                 | 3                    | 12           | 3                 | 1

Here we can see anomalous IP activity; these are scanning the public IPv4 space within 24 hours.

These are highly likely to be bots.
 

Asphyxia

[screenshot of the two flagged hosts]

These two Brazil-based IP addresses are engaged in SSH bruteforce attacks.

Threat source:
Code:
170.80.227.125
177.38.46.16
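An added example (not from the original thread) of the detection side of what this post and the earlier "Top 10 attackers" post describe: parse failed-password lines from a constructed sshd log sample, rank sources the way the report's top-10 does, flag brute-force bursts inside a sliding window, and group the sources into /16 blocks to show the kind of clustering seen in the 222.186.0.0/16 CHINANET range. The log lines, the host name, process ids and ports are constructed; the source addresses are ones the thread lists.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network
# Constructed sshd auth-log sample (not from the original post); the source
# addresses are taken from the thread. Syslog lines carry no year, so one is assumed.
SAMPLE_LOG = """\
Feb 19 14:06:01 alienvault sshd[2101]: Failed password for root from 222.186.15.91 port 51234 ssh2
Feb 19 14:06:03 alienvault sshd[2101]: Failed password for root from 222.186.15.91 port 51236 ssh2
Feb 19 14:06:05 alienvault sshd[2103]: Failed password for invalid user admin from 222.186.15.91 port 51240 ssh2
Feb 19 14:06:07 alienvault sshd[2105]: Failed password for root from 222.186.15.91 port 51244 ssh2
Feb 19 14:06:09 alienvault sshd[2107]: Failed password for root from 222.186.15.91 port 51250 ssh2
Feb 19 14:06:30 alienvault sshd[2110]: Failed password for invalid user test from 177.38.46.16 port 40022 ssh2
Feb 19 14:06:31 alienvault sshd[2110]: Failed password for invalid user test from 177.38.46.16 port 40023 ssh2
Feb 19 14:08:00 alienvault sshd[2115]: Failed password for root from 222.186.30.76 port 33010 ssh2
Feb 19 14:09:00 alienvault sshd[2118]: Accepted publickey for ops from 198.51.100.7 port 55000 ssh2
Feb 19 15:30:00 alienvault sshd[2120]: Failed password for root from 177.38.46.16 port 40100 ssh2
"""
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def parse_failures(text, year=2020):
    """Return (timestamp, source_ip) for each failed-password line; successes are ignored."""
    events = []
    for m in filter(None, map(FAILED_RE.match, text.splitlines())):
        events.append((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]))
    return events

def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a source once >= threshold failures fall inside one sliding time window."""
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):          # chronological, so each list is already ordered
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def top_sources(events, n=10):              # the report's "Top 10 attackers" view
    return Counter(ip for _, ip in events).most_common(n)

def group_by_prefix(ips, prefixlen=16):     # cluster sources, e.g. into 222.186.0.0/16
    return Counter(str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips).most_common()
```

With the sample, only 222.186.15.91 trips the default five-in-a-minute rule; 177.38.46.16 has three failures in total but never three inside one window.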
 