Linux - Security (LinuxQuestions.org forum): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Linux Intrusion Detection
I was thinking about getting an Intrusion Detection system set up. I'm running Mandrake and it has a system called 'Prelude' that is installed. The only problem is that although it probably can do the job, it is not very user friendly. As a newbie I would have problems interpreting the data from it.
Can anyone suggest a good IDS for Linux that is relatively easy to install, operate and maintain? (By 'relatively easy' I mean something that would take me a day or so to understand how to operate it.)
Also, has anyone had experience of using a program called 'The Deception Toolkit'? If so, what did you think of it?
Intrusion Detection is the sysadmin's job and I've never seen many simple sysadmin tools. Sorry. A firewall and careful use of the root account should make it unnecessary in non-commercial cases.
I had never heard of the Deception Toolkit before, so I looked it up. New to me... but I saw in the news the other day that Yahoo is offering something similar to paid subscribers. More research may tell you what you want to know.
neilcpp: Can anyone suggest a good IDS for Linux that is relatively easy to install, operate and maintain? (By 'relatively easy' I mean something that would take me a day or so to understand how to operate it.)
It's a hybrid IDS; it's got centralized logging and reporting, GTK GUI control. Shouldn't be hard. Or do you mean you lack the basic knowledge to *run* an IDS?
neilcpp: Also, has anyone had experience of using a program called 'The Deception Toolkit'? If so, what did you think of it?
I think nothing of it. I haven't tried it and I see no reason to. What you're doing is trying to lure crackers in by faking networked services. If I wanted to do that I'd choose to build a proper honeypot system.
jayjwa: My Intrusion Detection System: (etc)
...IMHO isn't good enough, because you can't track changes in the filesystem.
A host-based network-scrubbing IDS should really be accompanied by a
Mossie: AIDE is also good for the things tripwire does and it's free.
AFAIK the academic version of Tripwire is still free, innit?
Anyway, I think this is a good thread because the subject isn't much talked about, while it IMHO is a crucial part of being capable of auditing a host. Aide was set up to counter tripwire going commercial, and I've been nothing but pleased using it. Aide is easy to set up using different config files and databases, which I think is good for spreading coverage and system load. One thing it doesn't do compared to tripwire is sign its own databases, so it's essential you don't forget to save a copy of your initial* databases and the binary to read-only media.
*Filesystem integrity databases are best set up after installing the OS; this is the only way to achieve max surety that whatever you're logging is sane.
What Aide has in its favour over Integrit and Osiris (there are many more players in the field) is the fact it can make use of compressed databases. Tagging a system with Aide would give you approx. 2.5MB in gzipped db's, Integrit nearly 10, and Osiris over 12. On "modern" systems space isn't an issue, but if you count in the fact you gotta generate output db's as well and back 'em up to ro media, then it does matter.
What Samhain has in its favour over the rest is it can sign and encrypt databases and remain a continuously running process (AFAIK). One thing tripwire, Aide and Samhain have in common is you can set up a centralized server and host the client db's there; of the three only Samhain has that function incorporated in its design, though.
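The post above describes the mechanism behind AIDE, Tripwire and friends: snapshot every file's hash and metadata right after install, keep the (gzipped) database and its own checksum on media the box cannot rewrite, and later diff a fresh snapshot against it. The block below is an added illustration written for this thread, not AIDE's own code or config: a toy file-integrity checker in Python that does exactly that, plus a constructed scenario (`demo()`) in which a fake /bin tree is baselined and then "rootkitted" (trojaned ps, mode change on ls, a dropped file, a removed netstat) and the on-disk database is rewritten to hide it. All function names, the JSON-in-gzip database format and the sample files are this example's own assumptions.

```python
"""Toy file-integrity database in the spirit of AIDE/Tripwire (added example, not AIDE code)."""
import gzip
import hashlib
import json
import os
import shutil
import stat
import tempfile

# Attributes recorded per file; AIDE's rule syntax lets you pick these per path.
TRACKED = ("sha256", "mode", "uid", "gid", "size")


def _sha256_file(path, chunk=1 << 16):
    """Streamed SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root) to its tracked attributes."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, sockets are out of scope for this toy
            db[os.path.relpath(full, root)] = {
                "sha256": _sha256_file(full),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return db


def write_db(db, path):
    """Write the gzipped database; return its SHA-256, which belongs on read-only media, not on the host."""
    with gzip.open(path, "wt", encoding="utf-8") as f:
        json.dump(db, f, sort_keys=True)
    return _sha256_file(path)


def read_db(path, expected_sha256):
    """Load the database only if it still matches the hash recorded at init time (AIDE does not sign its db)."""
    if _sha256_file(path) != expected_sha256:
        raise ValueError("integrity database does not match recorded hash")
    with gzip.open(path, "rt", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Report added and removed paths, and for surviving paths which tracked attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario (sample files are invented): returns (report, db_tamper_detected)."""
    root = tempfile.mkdtemp(prefix="fim_")
    try:
        tree = os.path.join(root, "tree")
        os.makedirs(os.path.join(tree, "bin"))
        for name, body in (("ps", b"real ps"), ("netstat", b"real netstat"), ("ls", b"real ls")):
            with open(os.path.join(tree, "bin", name), "wb") as f:
                f.write(body)
        os.chmod(os.path.join(tree, "bin", "ls"), 0o755)

        db_path = os.path.join(root, "fim.db.gz")
        db_hash = write_db(snapshot(tree), db_path)  # db_hash goes to RO media

        # Simulated rootkit: trojaned ps of identical size, world-writable ls,
        # dropped backdoor, removed netstat.
        with open(os.path.join(tree, "bin", "ps"), "wb") as f:
            f.write(b"evil ps")
        os.chmod(os.path.join(tree, "bin", "ls"), 0o777)
        with open(os.path.join(tree, "bin", ".sh"), "wb") as f:
            f.write(b"backdoor")
        os.remove(os.path.join(tree, "bin", "netstat"))

        report = compare(read_db(db_path, db_hash), snapshot(tree))

        # Attacker rewrites the on-disk database to make the new state "normal";
        # the hash kept on RO media exposes that.
        write_db(snapshot(tree), db_path)
        try:
            read_db(db_path, db_hash)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return report, tamper_detected
    finally:
        shutil.rmtree(root)
```

Note what the size attribute alone would have missed: the trojaned ps is byte-for-byte the same length as the original, so only the content hash flags it. That is why the posters insist on a hash-based database taken right after install, and why the database's own checksum (or, with Samhain, a signature) has to live somewhere the compromised host cannot reach.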
Personally, I'd go with the traditional Snort and ACID. Snort is relatively straightforward to set up and you can add ACID (along with PHP, MySQL and Apache) for detection. IMHO, Snort's probably got the largest audience out there for IDS. Prelude is a relatively new product.
Tripwire (still free under sourceforge) is good to know what changes have happened locally, versus intrusion via network (which is what Snort detects).
That said, these are merely tools for helping someone detect an attack. They will not replace knowledge or understanding. Newer attacks are not detected by many of these products (think along the lines of AV software, which requires daily updates and new signatures to detect attacks). Security is often a layered system (like an onion..). No one tool will solve your answer, but being diligent and aware will help you mitigate attacks.
If you want to set up a honeypot it's better to do it on a separate system. Honeypots are meant to draw attackers away from the good stuff. The Honeynet Project is a good place to get information about honeypots, honeynets and honeytokens. I haven't played with TDK but have been mucking about with honeyd and bait'n'switch.
Originally posted by jayjwa: My Intrusion Detection System:
%cat /var/log/secure | more
%cat /var/log/syslog | less
%cat /var/log/firewall.log | most
Don't expect your logs to provide accurate information after you've been hacked. Rootkits are made to hide the presence of the hacker; that includes altering log files and replacing "netstat", "ps", etc...
Original Poster:
Thanks for this information. I'm going to try to install AIDE behind my firewall. I'm not going to waste time with the 'Deception Toolkit'; I misunderstood what this suite of programs / scripts is designed to do!