LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-23-2003, 11:08 AM   #1
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Wheezy, FreeBSD 10.0 anything *nix to get my fix
Posts: 328

Rep: Reputation: Disabled
Linux Intrusion Detection


I was thinking about getting an Intrusion Detection system set up. I'm running Mandrake and it has a system called 'Prelude' that is installed. The only problem is that although it probably can do the job, it is not very user-friendly. As a newbie I would have problems interpreting the data from it.

Can anyone suggest a good IDS for Linux that is relatively easy to install, operate and maintain? (By 'relatively easy' I mean something that would take me a day or so to understand how to operate.)

Also has anyone had experience of using a program called 'The Deception Toolkit' - if so what did you think of it?

Thanks

 
Old 10-23-2003, 01:07 PM   #2
misophist
Member
 
Registered: Aug 2003
Location: here
Distribution: suse 8.2
Posts: 169

Rep: Reputation: 30
Intrusion detection is the sysadmin's job and I've never seen many simple sysadmin tools. Sorry. A firewall and careful use of the root account should make it unnecessary in non-commercial cases.

I never heard of the Deception Toolkit before, so I looked it up. New to me... but I saw in the news the other day that Yahoo is offering something similar to paid subscribers. More research may tell you what you want to know.
 
Old 10-23-2003, 07:03 PM   #3
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Rep: Reputation: 36
My Intrusion Detection System:

%cat /var/log/secure | more
%cat /var/log/syslog | less
%cat /var/log/firewall.log | most
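Added example, not code posted in the thread: what turning the log reading above into an automated check over /var/log/secure can look like, in Python. It parses sshd "Failed password" / "Accepted ..." lines, counts failures per source address in a sliding time window, and flags both the burst itself and an accepted login from the same address while the window is still hot (the case worth waking up for). The log lines, host name, user names and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure-style sshd lines (syslog format, no year).
# Host name, user names and addresses are made up for this example.
SAMPLE_SECURE_LOG = """\
Oct 23 11:02:13 box sshd[2147]: Failed password for root from 203.0.113.5 port 40122 ssh2
Oct 23 11:02:15 box sshd[2149]: Failed password for root from 203.0.113.5 port 40130 ssh2
Oct 23 11:02:17 box sshd[2151]: Failed password for invalid user admin from 203.0.113.5 port 40138 ssh2
Oct 23 11:02:19 box sshd[2153]: Failed password for invalid user oracle from 203.0.113.5 port 40141 ssh2
Oct 23 11:02:21 box sshd[2155]: Failed password for root from 203.0.113.5 port 40150 ssh2
Oct 23 11:02:24 box sshd[2157]: Accepted password for root from 203.0.113.5 port 40160 ssh2
Oct 23 11:30:02 box sshd[2301]: Failed password for neil from 192.0.2.44 port 51012 ssh2
Oct 23 11:30:09 box sshd[2303]: Accepted publickey for neil from 192.0.2.44 port 51013 ssh2
Oct 23 12:00:01 box CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd_events(text):
    """Return one dict per sshd authentication line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_AUTH_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for computing deltas within one log file
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m.group("result") == "Accepted",
                       "method": m.group("method"), "user": m.group("user"),
                       "ip": m.group("ip")})
    return events


def find_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window check per source address.

    Emits one 'brute-force' finding when `threshold` failures land inside
    `window`, and a 'success-after-failures' finding for any accepted login
    from that address while the window is still hot.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = deque()   # timestamps of failures inside the window
        alerted = False
        for e in evs:
            while recent_failures and e["ts"] - recent_failures[0] > window:
                recent_failures.popleft()
            when = e["ts"].strftime("%b %d %H:%M:%S")
            if e["ok"]:
                if len(recent_failures) >= threshold:
                    findings.append({"kind": "success-after-failures", "ip": ip,
                                     "user": e["user"], "method": e["method"],
                                     "failures": len(recent_failures), "at": when})
                continue
            recent_failures.append(e["ts"])
            if len(recent_failures) >= threshold and not alerted:
                alerted = True
                findings.append({"kind": "brute-force", "ip": ip,
                                 "failures": len(recent_failures), "at": when})
    return findings


if __name__ == "__main__":
    for finding in find_brute_force(parse_sshd_events(SAMPLE_SECURE_LOG)):
        print(finding)
```

On the sample it reports two findings for 203.0.113.5: the fifth failure at 11:02:21 and the accepted root password login three seconds later. The single failed attempt from 192.0.2.44 followed by a key-based login stays below the threshold. Tune threshold and window for the host; on a box with many users, a low threshold produces noise rather than signal.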

 
Old 10-23-2003, 08:09 PM   #4
misophist
Member
 
Registered: Aug 2003
Location: here
Distribution: suse 8.2
Posts: 169

Rep: Reputation: 30
Then you do have a firewall.
 
Old 10-24-2003, 02:05 PM   #5
Mossie
Member
 
Registered: Oct 2003
Location: Ottawa
Distribution: SUSE 8.2
Posts: 55

Rep: Reputation: 15
Tripwire
 
Old 10-24-2003, 02:25 PM   #6
tcaptain
LQ Addict
 
Registered: Jul 2002
Location: Montreal
Distribution: Gentoo 2004 from stage 1 baby!
Posts: 1,403

Rep: Reputation: 45
AIDE is also good for the things tripwire does and its free.

http://www.cs.tut.fi/~rammer/aide.html

(caveat: I haven't tried it yet, but am planning to set it up this weekend)
 
Old 10-24-2003, 02:29 PM   #7
Mossie
Member
 
Registered: Oct 2003
Location: Ottawa
Distribution: SUSE 8.2
Posts: 55

Rep: Reputation: 15
Quote:
Originally posted by tcaptain
AIDE is also good for the things tripwire does and its free.

http://www.cs.tut.fi/~rammer/aide.html

(caveat: I haven't tried it yet, but am planning to set it up this weekend)
Sounds interesting, please post your findings once installed.
I like the price of free
 
Old 10-24-2003, 02:33 PM   #8
tcaptain
LQ Addict
 
Registered: Jul 2002
Location: Montreal
Distribution: Gentoo 2004 from stage 1 baby!
Posts: 1,403

Rep: Reputation: 45
Quote:
Originally posted by Mossie
I like the price of free
Most people do

But don't miss out on the smell of freedom along with your free as in beer.
 
Old 10-24-2003, 03:39 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,171
Blog Entries: 54

Rep: Reputation: 2808
neilcpp: Can anyone suggest a good IDS for Linux that is relatively easy to install, operate and maintain?? (By 'relatively easy' i mean something that would take me a day or so to understand how to operate it)
It's a hybrid IDS, it's got centralized logging and reporting, GTK GUI control. Shouldn't be hard. Or do you mean you lack the basic knowledge to *run* an IDS?

Also has anyone had experience of using a program called 'The Deception Toolkit' - if so what did you think of it?
I think nothing of it. I haven't tried it and I see no reason to. What you're doing is trying to lure crackers in by faking networked services. If I would want to do that I'd choose to build a proper honeypot system.


jayjwa: My Intrusion Detection System:(etc)
...IMHO isn't good enough, cuz you can't track changes in the filesystem.
A host-based network-scrubbing IDS should really be accompanied by a


Mossie: AIDE is also good for the things tripwire does and its free.
AFAIK the academic version of Tripwire is still free, innit?


Anyway, I think this is a good thread because the subject isn't much talked about while it IMHO is a crucial part of being capable to audit a host... Aide was set up to counter tripwire going commercial, and I've been nothing but pleased using it. Aide is easy to set up using different config files and databases which I think is good for spreading coverage and system load. One thing it doesn't do compared to tripwire is sign its own databases, so it's essential you don't forget to save a copy of your initial* databases and the binary to read-only media.

*Filesystem integrity databases are best set up after installing the OS, this is the only way to achieve max surety whatever you're logging is sane.

What Aide has in favour over Integrit and Osiris (there's many more players in the field) is the fact it can make use of compressed databases. Tagging a system with Aide would give you approx. 2.5MB in gzipped db's, Integrit nearly 10, and Osiris over 12. On "modern" systems space isn't an issue, but if you count in the fact you gotta generate output db's as well and back 'em up to ro media then it does matter.
What Samhain has in favour over the rest is it can sign and encrypt databases and remain a continuously running process (AFAIK). One thing tripwire, Aide and Samhain have in common is you can set up a centralized server and host the client db's there, of the three only Samhain has that function incorporated in its design tho.
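Added example, not code from the thread and not AIDE, Tripwire or Samhain code: a minimal file-integrity checker in Python that does what the post above describes. It records mode, owner, size, mtime and SHA-256 for every path under a root, compares a later scan against that baseline (added, removed, changed), and, since the point made about AIDE is that it does not sign its own database, seals the baseline with an HMAC so a database edited after the fact is rejected. The key, directory tree, file contents and the simulated rootkit in demo() are all constructed for the example; in practice the key lives with the database and the checker binary on read-only media, not on the monitored host.

```python
import hashlib
import hmac
import json
import os
import shutil
import stat
import tempfile

def file_record(path):
    """Metadata (plus SHA-256 for regular files) of one path; symlinks are not followed."""
    st = os.lstat(path)
    rec = {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec

def build_database(root):
    """Walk `root` and record every directory, file and symlink beneath it."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db

def _canonical(db):
    return json.dumps(db, sort_keys=True, separators=(",", ":")).encode()

def seal_database(db, key):
    """Attach an HMAC so a database edited on the host fails to verify."""
    return {"db": db, "hmac": hmac.new(key, _canonical(db), hashlib.sha256).hexdigest()}

def open_database(sealed, key):
    expected = hmac.new(key, _canonical(sealed["db"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("integrity database HMAC mismatch: tampered, or wrong key")
    return sealed["db"]

def compare(baseline, current, ignore=()):
    """Report paths added, removed, or changed in any attribute not listed in `ignore`."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        keys = set(baseline[path]) | set(current[path])
        diffs = sorted(k for k in keys if k not in ignore
                       and baseline[path].get(k) != current[path].get(k))
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Baseline a constructed tree, simulate a rootkit install, then check twice:
    with the genuine sealed database and with one the intruder has doctored."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        def write(rel, data, mode=0o755):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)
        write("bin/ps", b"#!/bin/sh\necho real ps\n")
        write("bin/netstat", b"#!/bin/sh\necho real netstat\n")
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n", 0o644)
        key = b"demo key - the real one belongs on read-only media"  # constructed
        sealed_bytes = json.dumps(seal_database(build_database(root), key)).encode()
        # Simulated intrusion: trojaned ps of identical size, setuid bit on
        # netstat, a hidden loader dropped in, and a file removed.
        write("bin/ps", b"#!/bin/sh\necho fake ps\n")
        os.chmod(os.path.join(root, "bin/netstat"), 0o4755)
        write("bin/.ld.so.hidden", b"\x7fELF")
        os.remove(os.path.join(root, "etc/passwd"))
        current = build_database(root)
        report = compare(open_database(json.loads(sealed_bytes), key), current)
        # Intruder edits the on-host copy of the database to cover the ps swap.
        doctored = json.loads(sealed_bytes)
        doctored["db"]["bin/ps"]["sha256"] = current["bin/ps"]["sha256"]
        try:
            open_database(doctored, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return report, tamper_detected
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report from demo() lists the hidden loader as added, etc/passwd as removed, bin/ps changed in sha256 but not size (which is why size and mtime alone are not enough), and bin/netstat changed in mode; the doctored database is refused. Pass ignore=("mtime",) to compare() if routine mtime churn is noise on a given host; a content swap still shows up under sha256. The checker itself must run from media the intruder could not write, for the same reason the post gives for the binary and the initial databases.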
 
Old 10-26-2003, 05:58 AM   #10
MsMittens
Member
 
Registered: Oct 2003
Location: Canada
Distribution: depends on the mood -- these days.. Slack!
Posts: 44

Rep: Reputation: 15
Personally, I'd go with the traditional Snort and ACID. Snort is relatively straightforward to setup and you can add ACID (along with PHP, MySQL and Apache) for detection. IMHO, Snort's probably got to have the largest audience out there for IDS. Prelude is a relatively new product.

Tripwire (still free under sourceforge) is good to know what changes have happened locally versus intrusion via network (which is what Snort detects).

That said, these are merely tools for helping someone detect an attack. They will not replace knowledge or understanding. Newer attacks are not detected by many of these products (think along the lines of AV software which requires daily updates and new signatures to detect attacks). Security is often a layered system (like an onion..). No one tool will solve your answer but being diligent and aware will help you mitigate attacks.

If you want to set up a honeypot it's better to do it on a separate system. Honeypots are meant to draw attackers away from good stuff. The Honeynet Project is a good place to get information about honeypots, honeynets and honeytokens. I haven't played with TDK but have been mucking about with honeyd and bait'n'switch.

Hope this helps.

Last edited by MsMittens; 10-26-2003 at 06:02 AM.
 
Old 10-27-2003, 03:46 AM   #11
yapp
Member
 
Registered: Apr 2003
Location: Netherlands
Distribution: SuSE (before: Gentoo, Slackware)
Posts: 613

Rep: Reputation: 30
Quote:
Originally posted by jayjwa
My Intrusion Detection System:

%cat /var/log/secure | more
%cat /var/log/syslog | less
%cat /var/log/firewall.log | most

Don't expect your logs to provide accurate information after you've been hacked. Rootkits are made to hide the appearance of the hacker; that includes altering log files and replacing "netstat", "ps", etc...
 
Old 10-27-2003, 08:17 AM   #12
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Wheezy, FreeBSD 10.0 anything *nix to get my fix
Posts: 328

Original Poster
Rep: Reputation: Disabled
Thanks for this information - I'm going to try to install AIDE behind my firewall. I'm not going to waste time with the 'Deception Toolkit' - I misunderstood what this suite of programs / scripts is designed to do!
 
  

