LinuxQuestions.org

Linux - Networking forum: Basic intrusion detection/prevention (https://www.linuxquestions.org/questions/linux-networking-3/basic-intrustion-detection-prevention-60453/)

jamesrh 05-18-2003 09:51 AM

Basic intrusion detection/prevention
 
Hi All,
I'm getting to grips with administering my new Redhat 7.3 system, and I'd like some advice on securing it.

I'd like to get something up and running quickly (and hopefully without too much initial configuration) and then learn more about it and refine it for my needs as I go on.

The box will be a web server, for low bandwidth small websites, and no services other than basic http, ftp, ssh (for me only) and mail (and anything else required for a v. basic web serving box) will be required to be accessible from outside.

So far, I've found portsentry as a reasonable option, but this doesn't appear to be maintained any more.

Thanks for any advice/info.

J

unSpawn 05-18-2003 10:01 AM

Please see the security forum, first thread for an overview of security aspects.

JimKyle 05-18-2003 10:02 AM

I've been using portsentry and tripwire for the past 18 months or so and haven't found any need for maintenance of either. Portsentry has blocked several hundred would-be invaders in that time, and the tripwire reports I check daily indicate that nothing has gotten through...

unSpawn 05-18-2003 11:59 AM

It is crucial to learn that, and understand why, security cannot be measured by the result of one application, will not be covered by solely using a firewall or one application and is not a task automatically performed once a month. Security is an attitude towards the systems you manage and networks in general.

Security is not focussing on the opinion on, rating of or usage of any specific applications: that is just the product of knowing which measures to take based on an assessment of what needs securing.

I would like to invite anyone who still thinks security equals a firewall or one application or updating to read the thread I mentioned.

JimKyle 05-18-2003 01:12 PM

Quote:

Originally posted by unSpawn
It is crucial to learn that, and understand why, security cannot be measured by the result of one application, will not be covered by solely using a firewall or one application and is not a task automatically performed once a month. Security is an attitude towards the systems you manage and networks in general.

I agree fully; my post was intended to indicate that perceived lack of maintenance is NOT a valid reason to dismiss the use of a potentially valuable tool.

To maintain security it's also essential to keep a low public profile (consistent, of course, with one's reason for being on the Internet at all) and to stay up to date on the nature of current threats.

I strongly recommend participation in the "Internet Neighborhood Watch" volunteer effort, which is a worldwide network that automatically collects reports of intrusion attempts, probes, and the like, and when correlation of these reports from multiple sites indicates a serious attack, notifies the source ISP of what is happening. More information about it can be found at http://www.mynetwatchman.com/ (but as I post this, I'm getting a 404 from the URL)...

jamesrh 05-18-2003 02:25 PM

Quote:

Originally posted by unSpawn
It is crucial to learn that, and understand why, security cannot be measured by the result of one application, will not be covered by solely using a firewall or one application and is not a task automatically performed once a month. Security is an attitude towards the systems you manage and networks in general.

Security is not focussing on the opinion on, rating of or usage of any specific applications: that is just the product of knowing which measures to take based on an assessment of what needs securing.

I would like to invite anyone who still thinks security equals a firewall or one application or updating to read the thread I mentioned.

I entirely agree with that point of view. I do understand the thought process behind a secure system, and at the moment am developing policies for the main administrators of this system. In my case, it's only me who will be directly logging on to my system, and the box will be very basic in terms of uses (limited to simple web hosting). I've already explored firewalls from my ISP, and they're out of the price range of this application, so outside of the bounds of 'policy', which I think is an extremely valid, but separate issue, I'm now looking for applications and ways to configure my system inside my specific time, skill, and budget limitations.

I don't want to do a lot of reading, but while I know this isn't a great thing, it's a fact, and I want to get the maximum security from the time I do have to invest.

It's worth bearing in mind that many people have 'real life' applications like me, and just want to get a result that while it is not perfect, is a result that will work, protect against common vulnerabilities, and make an out-of-the-box system more secure than it was before.

