LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-08-2005, 10:49 AM   #1
nasty_daemon
LQ Newbie
 
Registered: Sep 2005
Posts: 29

Rep: Reputation: 15
Questions regarding the use of Snort (IDS) and security


I've read some of the docs @ snort.org.
But I have some questions, since it will be the first time I run Snort, and I need help from some more experienced users.

Should I create a user "snort" to run Snort, or should I run it as root?

Do you guys use a frontend to Snort?

I would like to use ACID or BASE to analyze the results, but these tools require web servers etc., things that I don't need, and a misconfiguration of them could be risky for my computer.

The only alternative I have found is RazorBack.


I also have iptables installed on the same machine.
It's my desktop, but I'm under the impression that I have been compromised.
I run Slackware and use all the latest security updates, plus I run my custom 2.6.13 kernel.

I remember that one day at a console in KDE I got a message:
"Possible Intrusion Detection"
Yesterday, using WindowMaker, Firefox 1.0.6 just closed while I was reading something.
Since there is nothing in /var/log/debug or /var/log/messages that indicates that there was a crash of Firefox, I suspect something is going on.
I don't run sshd nor Apache.

I've checked with rkhunter and I am clean.


PS: how do you remove remote root logins from the sshd config file?
I don't run sshd, but this option is enabled and I get a warning from rkhunter.
 
Old 09-08-2005, 11:45 AM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
In /etc/ssh/sshd_config, add/edit a line to read "PermitRootLogin no".
 
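The one-line fix above has a trap worth knowing: sshd takes the first value it finds for a keyword and ignores later ones, so appending "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing, and rkhunter will keep warning. The script below is an added example, not from this thread or from OpenSSH; it parses sshd_config with the same first-match rule, skips anything under a Match block (those values are conditional), and assumes POSIX sh plus awk. The "yes (default)" fallback reflects the OpenSSH default of that era when the keyword is absent.

```shell
#!/bin/sh
# Added example (not from the thread): report the PermitRootLogin value that
# sshd would actually use for a given sshd_config. sshd keeps the FIRST value
# it sees for a keyword, so a "no" appended after an earlier "yes" is ignored.

# Print the effective PermitRootLogin value for the config file given as $1.
# Keywords after a "Match" header are skipped: they apply conditionally only.
# Prints "yes (default)" when the keyword is absent (OpenSSH default of 2005).
effective_permit_root_login() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" && !found {
            print tolower($2); found = 1
        }
        END { if (!found) print "yes (default)" }
    ' "$1"
}

# Constructed sample config (not a real host's file) showing the trap:
# the "no" line was appended below an existing "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
PermitRootLogin no
EOF

effective_permit_root_login "$sample"   # prints: yes
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config after editing; if it still prints "yes", an earlier line is winning and that is the one to change. Remember the file is only read when sshd starts or is reloaded.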
Old 09-08-2005, 11:45 AM   #3
nasty_daemon
LQ Newbie
 
Registered: Sep 2005
Posts: 29

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Matir
In /etc/ssh/sshd_config, add/edit a line to read "PermitRootLogin no".
thnx

Last edited by nasty_daemon; 09-08-2005 at 11:47 AM.
 
Old 09-09-2005, 10:38 AM   #4
nasty_daemon
LQ Newbie
 
Registered: Sep 2005
Posts: 29

Original Poster
Rep: Reputation: 15
These are the files that get executed as root (+s):

~# find / -type f \( -perm -04000 -o -perm -02000 \)
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/usr/bin/lppasswd
/usr/bin/crontab
/usr/bin/fdmount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/chage
/usr/bin/expiry
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/slocate
/usr/bin/wall
/usr/bin/write
/usr/bin/rcp
/usr/bin/lockfile
/usr/bin/procmail
/usr/bin/rsh
/usr/bin/traceroute6
/usr/bin/rlogin
/usr/bin/traceroute
/usr/bin/sudo
/usr/sbin/utempter
/usr/sbin/pppd
/usr/X11R6/bin/Xorg
/usr/X11R6/bin/xscreensaver
/usr/local/bin/bubblemon (a dockapp in WindowMaker)
/usr/libexec/pt_chown
/usr/libexec/ssh-keysign
/usr/libexec/gnome-pty-helper
find: /proc/1868/task: No such file or directory
find: /proc/1868/fd: No such file or directory
find: /proc/4368/task/4368/fd/4: No such file or directory
find: /proc/4368/fd/4: No such file or directory
/opt/kde/bin/kdesud
/opt/kde/bin/kcheckpass
/opt/kde/bin/fileshareset
/opt/kde/bin/kgrantpty
/opt/kde/bin/kpac_dhcp_helper
/opt/kde/bin/kppp



Anything suspicious?

Last edited by nasty_daemon; 09-09-2005 at 10:39 AM.
 
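A one-off listing like the one above only tells you what is setuid today; what you actually want to know is what became setuid since the last time you looked. The script below is an added example, not from this thread; it wraps the same find expression in a baseline-and-compare routine and assumes POSIX sh with GNU findutils/coreutils. It also uses -xdev so find stays on one filesystem, which is what removes the "find: /proc/...: No such file or directory" noise shown in the listing (those come from processes exiting while /proc is walked).

```shell
#!/bin/sh
# Added example (not from the thread): snapshot setuid/setgid binaries and
# report what changed against a saved baseline.

# List setuid/setgid regular files under $1 (default /), one path per line,
# sorted. -xdev keeps find on the starting filesystem, so /proc, /sys and
# other mounts are not walked; add more start directories if you need them.
list_suid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | LC_ALL=C sort
}

# Save the current listing of tree $1 as baseline file $2. Keep the baseline
# where the host cannot rewrite it (removable media, another machine) and
# refresh it after every package update you made yourself.
save_suid_baseline() {
    list_suid "$1" > "$2"
}

# Compare tree $1 against baseline $2. Prints "+ path" for setuid files that
# appeared and "- path" for ones that went away; returns 1 if anything differs.
suid_changes() {
    cur=$(mktemp)
    list_suid "$1" > "$cur"
    # comm -3 keeps lines unique to either file; lines from the current
    # listing arrive tab-prefixed, which awk turns into + / - markers.
    delta=$(LC_ALL=C comm -3 "$2" "$cur" \
        | awk -F'\t' '$1 != "" { print "- " $1 } $1 == "" { print "+ " $2 }')
    rm -f "$cur"
    [ -z "$delta" ] && return 0
    printf '%s\n' "$delta"
    return 1
}

# Stand-alone usage:  suidcheck.sh baseline <dir> <file>
#                     suidcheck.sh check    <dir> <file>
case "${1:-}" in
    baseline) save_suid_baseline "$2" "$3" ;;
    check)    suid_changes "$2" "$3" ;;
esac
```

A new "+" entry is not proof of anything by itself; a package update can legitimately add one, which is why the baseline should be refreshed right after updates you performed, so that the next unexpected addition stands out.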
Old 09-09-2005, 11:01 AM   #5
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Nothing that strikes me as odd.
 
Old 09-09-2005, 11:18 AM   #6
nasty_daemon
LQ Newbie
 
Registered: Sep 2005
Posts: 29

Original Poster
Rep: Reputation: 15
Thanks for the info, Matir.
You have been very helpful.

The only thing I run as root that may have been harmful is Cable-TV:

http://sector17.tvand.net/cabletv/
 
Old 09-09-2005, 11:20 AM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
No problem. You should also check out 'chkrootkit' to see if it finds anything on your system.
 
Old 09-09-2005, 11:41 AM   #8
nasty_daemon
LQ Newbie
 
Registered: Sep 2005
Posts: 29

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Matir
No problem. You should also check out 'chkrootkit' to see if it finds anything on your system.
I've checked also with it and it does not find anything.

I use my own custom latest kernel.

Maybe I got hacked, maybe not.
I don't use binaries, only source.
When I scan my PC with nmap no port is open, since I am also using --no-listen or something like that when I start my X server.

I also used diff to compare the files that are in my system with the ones in the packages I use.
Files included netstat, ifconfig etc., and all were normal.

But that doubt is driving me crazy, and I will format and be more careful next time.
Also I am thinking of using some of the following:

Snort
AIDE
samhain

along with iptables on the same machine.
 
Old 09-09-2005, 10:48 PM   #9
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
I don't think you got hacked. I'd strongly suggest you look into tripwire... snort is more effective for a whole network.
 
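What tripwire, AIDE and samhain do at their core is the manual diff-against-packages check from the previous post, made systematic: hash every file once on a known-good system, keep that baseline where the host cannot rewrite it, and verify against it later. The script below is an added example, not from this thread and not any of those tools; it reduces that idea to sha256sum and find and assumes POSIX sh with GNU coreutils/findutils. It also reports files that appeared after the baseline was taken, which a plain sha256sum -c would miss.

```shell
#!/bin/sh
# Added example (not from the thread): minimal file-integrity baseline in
# the spirit of tripwire/AIDE, built from coreutils only.

# Write a baseline of SHA-256 hashes for every regular file under tree $1 to
# file $2. Store $2 OUTSIDE the tree and off the host (read-only media or
# another machine); a baseline the attacker can rewrite proves nothing.
make_baseline() {
    find "$1" -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum > "$2"
}

# Verify against baseline $1. Prints each path whose hash changed or that
# is now missing, one per line; returns 0 only when everything matches.
verify_baseline() {
    changed=$(sha256sum -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Print regular files under tree $1 that are not recorded in baseline $2
# (new binaries are as interesting as modified ones). Baseline lines are
# "<64 hex chars>  <path>", so the hash prefix is stripped to get the path.
new_files() {
    cur=$(mktemp)
    known=$(mktemp)
    find "$1" -type f | LC_ALL=C sort > "$cur"
    sed 's/^[0-9a-f]\{64\}  //' "$2" | LC_ALL=C sort > "$known"
    LC_ALL=C comm -23 "$cur" "$known"
    rm -f "$cur" "$known"
}

# Stand-alone usage:  integrity.sh baseline <dir> <file>
#                     integrity.sh verify   <dir> <file>
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify_baseline "$3"; new_files "$2" "$3" ;;
esac
```

The script trusts the sha256sum and find binaries on the host, which is exactly the weakness the dedicated tools address by running from known-good media; for a machine you already suspect, run the verification from a rescue system against the mounted disk rather than from the installed OS.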
All times are GMT -5.