intrusion detection
2008/10/28 David Bernier <david250@videotron.ca>
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

I recently read Linux Firewalls <http://www.nostarch.com/firewalls_mr.htm>, and can recommend it. I'm sure there are lots of other good books on the topic too.

Sam
intrusion detection
David Bernier wrote:
[ .. ]
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

Usually a properly configured iptables should do, but if you want maybe extra protection, I guess you should start with snort.

--
en0f

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
intrusion detection
On Tuesday 28 October 2008 11:25, David Bernier wrote:
> Dear Debian users,
>
> Now, I'm using Ubuntu and the firestarter firewall.
>
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

There are (at least) two kinds of these, the "network based" intrusion detection, like firewalls and "snort", and "host-based", which maintain a database of the sizes, ownership, location, inode number, and so forth, of files on the system, and report on changes to these systems.

In the host-based category, I'm aware of two -- there's the samhain/yule/beltane family, which are really one intrusion detection apparatus. Samhain is the daemon that runs on the clients being monitored, yule is the server that maintains the (remote from the client) database, and beltane is the web app you can use to monitor changes. Beltane costs a small amount of money, and the others are free (as in beer).

The other one I know of is "tripwire", which is packaged for Debian, and which is a single stand-alone application, but can report to a remote monitoring host.

Both of these require a fair amount of configuration, and it can be a challenge to tune them so that routine file changes don't set off the alarms, but anomalous ones do. They can potentially be spoofed by sophisticated rootkits, as well, but samhain at least has ways of dealing with that.

I recommend checking out the docs on these (googling the names will get you there), as I'm not really an expert, just a user and sometime-tuner of these.

-- A.
--
Andrew Reid / reidac@bellatlantic.net
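The host-based approach Andrew describes (a database of file sizes, ownership, inode numbers and so on, compared against the live system, with a way to exclude files that change routinely) is small enough to show in working code. The script below is an added example written for this thread; it is not code from samhain, tripwire or OSSEC, and the file layout and glob patterns it uses are constructed for illustration.

```python
"""Minimal host-based file-integrity checker (added example, not samhain or
tripwire code). Records size, mode, owner, inode, mtime and a SHA-256 per file,
stores the result as JSON, and reports added/removed/changed files."""
import fnmatch
import hashlib
import json
import os
import sys
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes kept per file: the ones listed in the message plus a content hash."""
    st = path.lstat()
    rec = {
        "size": st.st_size,
        "mode": st.st_mode,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "inode": st.st_ino,
        "mtime": int(st.st_mtime),
    }
    if path.is_file() and not path.is_symlink():
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def snapshot(root, ignore=()) -> dict:
    """Walk `root` and build {relative_path: record}.

    Paths matching any glob in `ignore` (e.g. 'var/log/*') are skipped. This is
    the tuning knob the message talks about: it keeps routine changes such as
    growing log files from setting off the alarm while everything else is watched.
    """
    root = Path(root)
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if any(fnmatch.fnmatch(rel, pat) for pat in ignore):
                continue
            db[rel] = file_record(p)
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. 'changed' maps path -> sorted list of attributes that
    differ, so an mtime-only touch can be told apart from a content or owner change."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in set(baseline) & set(current):
        keys = set(baseline[rel]) | set(current[rel])
        diff = sorted(k for k in keys if baseline[rel].get(k) != current[rel].get(k))
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def main(argv):
    # Usage: fim.py init ROOT DB.json [IGNORE_GLOB ...]
    #        fim.py check ROOT DB.json [IGNORE_GLOB ...]
    if len(argv) < 4 or argv[1] not in ("init", "check"):
        print(__doc__)
        return 2
    mode, root, dbfile, ignore = argv[1], argv[2], argv[3], tuple(argv[4:])
    current = snapshot(root, ignore)
    if mode == "init":
        Path(dbfile).write_text(json.dumps(current, indent=1, sort_keys=True))
        print(f"baseline written: {len(current)} files")
        return 0
    baseline = json.loads(Path(dbfile).read_text())
    report = compare(baseline, current)
    print(json.dumps(report, indent=1))
    # Non-zero exit when anything differs, so a cron job or remote poller can alert.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The baseline JSON should live somewhere the monitored box cannot quietly rewrite it (a remote host, as yule does for samhain, or read-only media); a checker whose database sits next to the files it guards is exactly what a rootkit on that box would tamper with first.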
intrusion detection
Andrew Reid wrote:
> On Tuesday 28 October 2008 11:25, David Bernier wrote:
> > Dear Debian users,
> >
> > Now, I'm using Ubuntu and the firestarter firewall.
> >
> > I'd like to know about ideas for security, including for example
> > intrusion-detection systems.
>
> There are (at least) two kinds of these, the "network based" intrusion detection, like firewalls and "snort", and "host-based", which maintain a database of the sizes, ownership, location, inode number, and so forth, of files on the system, and report on changes to these systems.
>
> In the host-based category, I'm aware of two -- there's the samhain/yule/beltane family, which are really one intrusion detection apparatus. Samhain is the daemon that runs on the clients being monitored, yule is the server that maintains the (remote from the client) database, and beltane is the web app you can use to monitor changes. Beltane costs a small amount of money, and the others are free (as in beer).
>
> The other one I know of is "tripwire", which is packaged for Debian, and which is a single stand-alone application, but can report to a remote monitoring host.
>
> Both of these require a fair amount of configuration, and it can be a challenge to tune them so that routine file changes don't set off the alarms, but anomalous ones do. They can potentially be spoofed by sophisticated rootkits, as well, but samhain at least has ways of dealing with that.
>
> I recommend checking out the docs on these (googling the names will get you there), as I'm not really an expert, just a user and sometime-tuner of these.

Yes, thanks.

I'm using the Ubuntu Hardy gnome-system-monitor, which is quite impressive. It has a graphical user interface. I'd like to copy to the clipboard the information about all running processes. I haven't succeeded with that. But come to think of it, ps -aux > data_file or something like that should write info on processes to a file.

Also, my setup is simple, with no web servers, mail servers: just me.

David Bernier
intrusion detection
<snip>
> In the host-based category, I'm aware of two -- there's the
> samhain/yule/beltane family, which are really one intrusion
> detection apparatus. Samhain is the daemon that runs on the
> clients being monitored, yule is the server that maintains
> the (remote from the client) database, and beltane is the
> web app you can use to monitor changes. Beltane costs
> a small amount of money, and the others are free (as in beer).
<snip>

I can recommend ossec[0]. It is a great little host IDS, which works great out of the box. :)

--
Cheers,
Julian De Marchi

--
OpenNIC user - http://www.opennicproject.org/ | http://www.opennic.glue
Support OpenNIC, become a member today!

--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

[0] http://www.ossec.net/
intrusion detection
On Tue, Oct 28, 2008 at 03:37:05PM +0000, Sam Kuper wrote:
> 2008/10/28 David Bernier <david250@videotron.ca>
>
> > I'd like to know about ideas for security, including for example
> > intrusion-detection systems.
>
> I recently read Linux Firewalls <http://www.nostarch.com/firewalls_mr.htm>,
> and can recommend it. I'm sure there are lots of other good books on the
> topic too.

Read the document provided by the harden-doc package.

Read the document provided by the shorewall-doc package.

Your own box cannot monitor itself (there was just a thread on this). If you want intrusion-detection, get an old box as a detector/monitor.

Doug.
intrusion detection
Douglas A. Tutty wrote:
> On Tue, Oct 28, 2008 at 03:37:05PM +0000, Sam Kuper wrote:
> > 2008/10/28 David Bernier <david250@videotron.ca>
> > > I'd like to know about ideas for security, including for example
> > > intrusion-detection systems.
> >
> > I recently read Linux Firewalls <http://www.nostarch.com/firewalls_mr.htm>,
> > and can recommend it. I'm sure there are lots of other good books on the
> > topic too.
>
> Read the document provided by the harden-doc package.
>
> Read the document provided by the shorewall-doc package.
>
> Your own box cannot monitor itself (there was just a thread on this). If you want intrusion-detection, get an old box as a detector/monitor.
>
> Doug.

Thanks for all the replies.

I've installed the latest version of OSSEC. That was easy. I used a "local" type.

I'll have to learn a bit about hardening the system.

David
intrusion detection
Hi,
On Tue, Oct 28, 2008 at 09:55:32PM +0630, David Bernier wrote:
> Dear Debian users,
>
> I think my computer was hacked. A music CD that I bought in a store
> (Redbook audio standard) was left in the CD/DVD bay. Then, mysteriously, a song
> by Destiny's Child ("Jumpin' Jumpin' ") got transformed into the *.ogg
> format, but I didn't ask for that. Same sound from stereo playing Redbook format
> audio CD and the *.ogg file on the hard drive ...

I do not have hard facts, but this seems to be just clicking the wrong key/mouse, which caused such a thing to be created.

...

> So I took a test-drive of Ubuntu 8.04 Live CD, and then did a complete
> reinstall. Now, I'm using Ubuntu and the firestarter firewall.
>
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

If you are playing with Ubuntu, please ask their mailing list. Then you get better support.

Osamu
intrusion detection
Osamu Aoki wrote:
> Hi,
>
> On Tue, Oct 28, 2008 at 09:55:32PM +0630, David Bernier wrote:
> > Dear Debian users,
> >
> > I think my computer was hacked. A music CD that I bought in a store
> > (Redbook audio standard) was left in the CD/DVD bay. Then, mysteriously, a song
> > by Destiny's Child ("Jumpin' Jumpin' ") got transformed into the *.ogg
> > format, but I didn't ask for that. Same sound from stereo playing Redbook format
> > audio CD and the *.ogg file on the hard drive ...
>
> I do not have hard facts but tis seems to be just clicking wrong key/mouse which caused to creaye such thing.
>
> ...
>
> > So I took a test-drive of Ubuntu 8.04 Live CD, and then did a complete
> > reinstall. Now, I'm using Ubuntu and the firestarter firewall.
> >
> > I'd like to know about ideas for security, including for example
> > intrusion-detection systems.
>
> If you are playing with Ubuntu, please ask their mailing list. Then you get better support.

Yes. Truth is I left the music CD in the bay and the BIOS settings had the CD/DVD drive as the first boot device. It may have contributed to my Debian installation crashing.

---

The Gnome system monitor now shows incoming traffic at 4 kB/sec every 20 seconds. Maybe this is when my computer contacts an SNTP server (Simple Network Time Protocol). Would a package such as ethereal tell me what this traffic is?

Thanks,

David
intrusion detection
David Bernier wrote:
> Would a package such as ethereal tell me what this traffic is?

Yes (and all other traffic happening in the machine). There's also the netstat command, but if the connection is opened and closed quickly it may be hard to catch it.

--
Eduardo M Kalinowski
eduardo@kalinowski.com.br