SELKS is a free and open source Debian (with LXDE X-window manager) based IDS/IPS platform released under GPLv3 from Stamus Networks (https://www.stamus-networks.com).
Their GitHub: https://github.com/StamusNetworks
Their SELKS wiki: https://github.com/StamusNetworks/SELKS
You can download ready-to-use images from the SELKS download page: https://www.stamus-networks.com/open-source/selks
- Debian 9.5+ Stretch
- 2CPU / 8+ GB RAM (More RAM the better 16+)
- Two NIC cards: One for management access and the other one for monitoring
- Coffee.... lots of coffee
Add your user to the sudo group: usermod -aG sudo username
sudo apt update
sudo apt upgrade
sudo apt-get install -y git net-tools
cd /opt/
sudo git clone https://github.com/Nimdy/SELKS-Install-from-source.git
The install script copies the SELKS staging files for later use. After the install is complete, do a system reboot.
sudo git clone https://github.com/StamusNetworks/SELKS.git SELKS_CONFIGS
cd SELKS-Install-from-source
sudo chmod +x install_SELKS.sh
sudo ./install_SELKS.sh
Select "Yes" for Scirius database configuration
Reboot and log in to the system.
Change the root password if required; the default password is StamusNetworks.
cd /usr/bin
./selks-first-time-setup
Select the monitoring interface, e.g. eth1
Select the PCAP setting, e.g. option 1
cd /usr/bin
./selks-upgrade_stamus
systemctl status kibana logstash elasticsearch suricata
If kibana or any other service reports errors, restart the service and, if the problem persists, review its logs:
systemctl restart kibana
systemctl status kibana
vi /etc/suricata/suricata.yaml
Edit HOME_NET to reflect the network ranges being monitored, e.g. HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
systemctl restart suricata
Click Dashboards
Click logstash-*
Set it as the default index by clicking the star icon
Click Dashboards
Click SN-ALL
curl testmyids.com
Visit the Scirius dashboard and review the resulting alert.
ifconfig
If the monitoring interface does not show PROMISC, set it manually:
vi /etc/network/interfaces
Replace or add the following stanza:
auto eth1
iface eth1 inet manual
up ifconfig eth1 0.0.0.0 up
up ip link set eth1 promisc on
down ip link set eth1 promisc off
down ifconfig eth1 down
Save the file and quit (:wq! in vi)
systemctl restart networking
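Two settings on this page only reveal a mistake later, when Suricata refuses to start or the sensor sees no traffic: the HOME_NET syntax in suricata.yaml and the promiscuous flag on the monitoring NIC. The script below is an added example, not part of SELKS or of this installer; it assumes eth1 is the monitoring interface and /etc/suricata/suricata.yaml is the Suricata config, and it checks both either from live command output or from the constructed samples embedded in it.

```shell
#!/bin/sh
# Post-install checks for a SELKS sensor (added example, not SELKS project code).
# Each check takes text input, so it runs on live command output or on the
# constructed samples below. Assumed: eth1 monitors, /etc/suricata/suricata.yaml.

# 0 if the flags line of `ip link show <iface>` / `ifconfig <iface>` has PROMISC.
iface_is_promisc() { printf '%s\n' "$1" | grep -qw 'PROMISC'; }
# 0 if "$1" is an IPv4 CIDR with every octet <= 255 and prefix <= 32.
ipv4_cidr_valid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' || return 1
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS='.'; set -- $addr; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# 0 if every entry of a HOME_NET list like '[192.168.0.0/16,10.0.0.0/8]' is a
# valid IPv4 CIDR (negations and IPv6 are not handled). A stray character such
# as 172.16.0.0./12 makes Suricata refuse to start, so catch it before restarting.
home_net_valid() {
    list=$(printf '%s' "$1" | tr -d ' ' | sed 's/^\[//; s/]$//')
    [ -n "$list" ] || return 1
    old_ifs=$IFS; IFS=','; set -- $list; IFS=$old_ifs
    for cidr in "$@"; do ipv4_cidr_valid "$cidr" || return 1; done
}

# Print the bracketed HOME_NET value from suricata.yaml text, quotes stripped
# (lines commented out with '#' do not match the anchored pattern).
home_net_from_yaml() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*HOME_NET:[[:space:]]*["'"'"']*\(\[[^]]*]\).*/\1/p' | head -n 1
}

# Live run on the sensor: sh selks-check.sh eth1 [/etc/suricata/suricata.yaml]
run_checks() {
    iface=$1; yaml=${2:-/etc/suricata/suricata.yaml}
    iface_is_promisc "$(ip link show "$iface")" && echo "$iface: PROMISC ok" || echo "$iface: NOT promisc"
    net=$(home_net_from_yaml "$(cat "$yaml")")
    home_net_valid "$net" && echo "HOME_NET ok: $net" || echo "HOME_NET invalid: '$net'"
}

# Constructed samples (not captured from a real sensor) used for a dry run.
SAMPLE_LINK_PROMISC='3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
SAMPLE_LINK_PLAIN='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP'
SAMPLE_YAML='vars:
  address-groups:
    #HOME_NET: "any"
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"'
if [ $# -gt 0 ]; then run_checks "$@"; fi
```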
Upgrade the kernel for CIFS SMB3 support: Debian 9 ships Linux kernel 4.9, which does not support SMB3 connections. The backports upgrade takes you past the 4.11 requirement, to 4.19.
apt -t stretch-backports upgrade
Say yes to all
Reboot
SCAP Security Guide implements security guidance recommended by respected authorities, namely PCI DSS, STIG, and USGCB. It transforms that guidance into a machine-readable format, which OpenSCAP can then use to audit your system.
https://www.open-scap.org/security-policies/scap-security-guide/
Visit: https://github.com/StamusNetworks/SELKS/wiki for more tips.
Visit: https://github.com/StamusNetworks/SELKS/wiki/Tuning-SELKS for fine tuning SELKS