Linux Archive (http://www.linux-archive.org/) - Debian User - intrusion detection
(http://www.linux-archive.org/debian-user/183476-intrusion-detection.html)

"Sam Kuper" 10-28-2008 02:37 PM

intrusion detection
 
2008/10/28 David Bernier <david250@videotron.ca>
> I'd like to know about ideas for security, including for example intrusion-detection systems.

I recently read Linux Firewalls <http://www.nostarch.com/firewalls_mr.htm>, and can recommend it. I'm sure there are lots of other good books on the topic too.

Sam

en0f 10-28-2008 02:55 PM

intrusion detection
 
David Bernier wrote:
> [ .. ]
>
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.


Usually a properly configured iptables should do, but if you want maybe
extra protection, I guess you should start with snort.


--
en0f


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Andrew Reid 10-28-2008 11:12 PM

intrusion detection
 
On Tuesday 28 October 2008 11:25, David Bernier wrote:
> Dear Debian users,
>
> Now, I'm using Ubuntu and the firestarter firewall.
>
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

There are (at least) two kinds of these, the "network based"
intrusion detection, like firewalls and "snort", and "host-based",
which maintain a database of the sizes, ownership, location,
inode number, and so forth, of files on the system, and report
on changes to these systems.

In the host-based category, I'm aware of two -- there's the
samhain/yule/beltane family, which are really one intrusion
detection apparatus. Samhain is the daemon that runs on the
clients being monitored, yule is the server that maintains
the (remote from the client) database, and beltane is the
web app you can use to monitor changes. Beltane costs
a small amount of money, and the others are free (as in beer).

The other one I know of is "tripwire", which is packaged
for Debian, and which is a single stand-alone application, but
can report to a remote monitoring host.

Both of these require a fair amount of configuration, and
it can be a challenge to tune them so that routine file
changes don't set off the alarms, but anomalous ones do.
They can potentially be spoofed by sophisticated rootkits,
as well, but samhain at least has ways of dealing with that.

I recommend checking out the docs on these (googling
the names will get you there), as I'm not really an expert,
just a user and sometime-tuner of these.

-- A.
--
Andrew Reid / reidac@bellatlantic.net


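The host-based scheme Andrew describes (a database of size, ownership, inode and so on, compared on each run) reduced to a short script, as an added example; this is not code from the thread, from samhain or from tripwire. It adds a SHA-256 digest to the metadata, which is what catches a replaced binary whose size and mtime have been put back; the sample tree and the tampering steps in demo() are constructed for illustration.

```python
"""Minimal host-based file-integrity checker, the mechanism behind samhain and
tripwire: a baseline database of per-file metadata plus a comparison pass.
Added example, not code from the thread or from either project."""
import hashlib
import os
import shutil
import stat
import tempfile

# Attributes recorded per file; a difference in any of them is reported.
FIELDS = ("size", "mode", "uid", "gid", "inode", "mtime", "sha256")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots):
    """Walk the roots and record metadata plus digest for every regular file."""
    db = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, sockets and devices are not hashed
                db[path] = {
                    "size": st.st_size,
                    "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid
                    "uid": st.st_uid, "gid": st.st_gid, "inode": st.st_ino,
                    "mtime": int(st.st_mtime),
                    "sha256": _sha256(path),
                }
    return db


def compare(baseline, current):
    """Return added and removed paths and, for the rest, which FIELDS changed."""
    report = {"added": [], "removed": [], "changed": {}}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            diff = [f for f in FIELDS if baseline[path][f] != current[path][f]]
            if diff:
                report["changed"][path] = diff
    return report


def _write(path, data, mode):
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it the way an
    intruder would, re-check. Paths come back relative to the temporary tree."""
    root = tempfile.mkdtemp(prefix="fic-")
    try:
        os.mkdir(os.path.join(root, "bin"))
        ls, ps = os.path.join(root, "bin", "ls"), os.path.join(root, "bin", "ps")
        passwd = os.path.join(root, "passwd")
        _write(ls, b"#!/bin/sh\necho real ls\n", 0o755)
        _write(ps, b"#!/bin/sh\necho real ps\n", 0o755)
        _write(passwd, b"root:x:0:0:root:/root:/bin/sh\n", 0o644)
        baseline = snapshot([root])

        # 1. Trojan ls with a same-length body and put the old mtime back (what
        #    `touch -r` does): size, mode, inode and mtime all still match.
        st = os.stat(ls)
        _write(ls, b"#!/bin/sh\necho evil ls\n", 0o755)
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 2. Add the setuid bit to passwd: only the mode differs.
        os.chmod(passwd, 0o4644)
        # 3. Drop a new file and delete an existing one.
        _write(os.path.join(root, "bin", "rootkit"), b"#!/bin/sh\n", 0o755)
        os.remove(ps)

        report = compare(baseline, snapshot([root]))
        rel = lambda p: os.path.relpath(p, root)
        return {"added": [rel(p) for p in report["added"]],
                "removed": [rel(p) for p in report["removed"]],
                "changed": {rel(p): v for p, v in report["changed"].items()}}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

For real use, take snapshot(["/bin", "/sbin", "/usr/bin", "/etc"]) once on a known-clean system, persist it with json.dump, and run compare() against a fresh snapshot from cron. Two caveats the thread itself raises apply here in full: the baseline must live somewhere the monitored host cannot write (that is yule's role in the samhain setup, or read-only media), since an intruder with root can simply re-baseline a local copy; and every stat() and read() above goes through the kernel, so a kernel-level rootkit can lie to this script exactly as it lies to ls.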

David Bernier 10-29-2008 12:22 AM

intrusion detection
 
Andrew Reid wrote:

> On Tuesday 28 October 2008 11:25, David Bernier wrote:
>> Dear Debian users,
>>
>> Now, I'm using Ubuntu and the firestarter firewall.
>>
>> I'd like to know about ideas for security, including for example
>> intrusion-detection systems.
>
> There are (at least) two kinds of these, the "network based"
> intrusion detection, like firewalls and "snort", and "host-based",
> which maintain a database of the sizes, ownership, location,
> inode number, and so forth, of files on the system, and report
> on changes to these systems.
>
> In the host-based category, I'm aware of two -- there's the
> samhain/yule/beltane family, which are really one intrusion
> detection apparatus. Samhain is the daemon that runs on the
> clients being monitored, yule is the server that maintains
> the (remote from the client) database, and beltane is the
> web app you can use to monitor changes. Beltane costs
> a small amount of money, and the others are free (as in beer).
>
> The other one I know of is "tripwire", which is packaged
> for Debian, and which is a single stand-alone application, but
> can report to a remote monitoring host.
>
> Both of these require a fair amount of configuration, and
> it can be a challenge to tune them so that routine file
> changes don't set off the alarms, but anomalous ones do.
> They can potentially be spoofed by sophisticated rootkits,
> as well, but samhain at least has ways of dealing with that.
>
> I recommend checking out the docs on these (googling
> the names will get you there), as I'm not really an expert,
> just a user and sometime-tuner of these.


Yes, thanks. I'm using the Ubuntu Hardy gnome-system-monitor, which is
quite impressive. It has a graphical user interface. I'd like to copy to
the clipboard the information about all running processes. I haven't
succeeded with that. But come to think of it,
ps aux > data_file or something like that
should write info on processes to a file.
Also, my setup is simple, with no web servers, mail servers: just me.


David Bernier


Julian De Marchi 10-29-2008 01:36 AM

intrusion detection
 
<snip>

> In the host-based category, I'm aware of two -- there's the
> samhain/yule/beltane family, which are really one intrustion
> detection apparatus. Samhain is the daemon that runs on the
> clients being monitored, yule is the server that maintains
> the (remote from the client) database, and beltane is the
> web app you can use to monitor changes. Beltane costs
> a small amount of money, and the others are free (as in beer).

<snip>

I can recommend ossec[0]. It is a great little host IDS, which works
great out of the box. :)

--
Cheers,
Julian De Marchi
--
OpenNIC user - http://www.opennicproject.org/ | http://www.opennic.glue
Support OpenNIC, become a member today!
--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

0 - http://www.ossec.net/

"Douglas A. Tutty" 10-29-2008 04:51 AM

intrusion detection
 
On Tue, Oct 28, 2008 at 03:37:05PM +0000, Sam Kuper wrote:
> 2008/10/28 David Bernier <david250@videotron.ca>
> >
> > I'd like to know about ideas for security, including for example
> > intrusion-detection systems.
> >
>
> I recently read Linux Firewalls <http://www.nostarch.com/firewalls_mr.htm> ,
> and can recommend it. I'm sure there are lots of other good books on the
> topic too.
>

Read the document provided by the harden-doc package.

Read the document provided by the shorewall-doc package.

Your own box cannot monitor itself (there was just a thread on this).
If you want intrusion-detection, get an old box as a detector/monitor.

Doug.


David Bernier 10-29-2008 06:52 AM

intrusion detection
 
Douglas A. Tutty wrote:

> On Tue, Oct 28, 2008 at 03:37:05PM +0000, Sam Kuper wrote:
>> 2008/10/28 David Bernier <david250@videotron.ca>
>>> I'd like to know about ideas for security, including for example
>>> intrusion-detection systems.
>>
>> I recently read Linux Firewalls <http://www.nostarch.com/firewalls_mr.htm>,
>> and can recommend it. I'm sure there are lots of other good books on the
>> topic too.
>
> Read the document provided by the harden-doc package.
>
> Read the document provided by the shorewall-doc package.
>
> Your own box cannot monitor itself (there was just a thread on this).
> If you want intrusion-detection, get an old box as a detector/monitor.
>
> Doug.

Thanks for all the replies. I've installed the latest version of OSSEC.
That was easy.

I used a "local" type. I'll have to learn a bit about hardening the system.

David


Osamu Aoki 10-29-2008 01:52 PM

intrusion detection
 
Hi,

On Tue, Oct 28, 2008 at 09:55:32PM +0630, David Bernier wrote:
> Dear Debian users,
>
> I think my computer was hacked. A music CD that I bought in a store
> (Redbook audio
> standard) was left in the CD/DVD bay. Then, mysteriously, a song
> by Destiny's Child ("Jumpin' Jumpin' ") got transformed into the *.ogg
> format, but
> I didn't ask for that. Same sound from stereo playing Redbook format
> audio CD
> and the *.ogg file on the hard drive ...

I do not have hard facts but this seems to be just clicking a wrong
key/mouse which caused it to create such a thing. ...

> So I took a test-drive of Ubuntu 8.04 Live CD, and then did a complete
> reinstall. Now, I'm using Ubuntu and the firestarter firewall.
>
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

If you are playing with Ubuntu, please ask their mailing list.
Then you get better support.

Osamu


David Bernier 10-29-2008 02:30 PM

intrusion detection
 
Osamu Aoki wrote:

> Hi,
>
> On Tue, Oct 28, 2008 at 09:55:32PM +0630, David Bernier wrote:
>> Dear Debian users,
>>
>> I think my computer was hacked. A music CD that I bought in a store
>> (Redbook audio standard) was left in the CD/DVD bay. Then, mysteriously,
>> a song by Destiny's Child ("Jumpin' Jumpin' ") got transformed into the
>> *.ogg format, but I didn't ask for that. Same sound from stereo playing
>> Redbook format audio CD and the *.ogg file on the hard drive ...
>
> I do not have hard facts but this seems to be just clicking a wrong
> key/mouse which caused it to create such a thing. ...
>
>> So I took a test-drive of Ubuntu 8.04 Live CD, and then did a complete
>> reinstall. Now, I'm using Ubuntu and the firestarter firewall.
>>
>> I'd like to know about ideas for security, including for example
>> intrusion-detection systems.
>
> If you are playing with Ubuntu, please ask their mailing list.
> Then you get better support.


Yes. Truth is I left the music CD in the bay and the BIOS settings had
the CD/DVD drive as the first boot device. It may have contributed to my
Debian installation crashing.

---

The Gnome system monitor now shows incoming traffic at 4 kB/sec every 20
seconds. Maybe this is when my computer contacts an SNTP server (Simple
Network Time Protocol).


Would a package such as ethereal tell me what this traffic is?

Thanks,

David


Eduardo M KALINOWSKI 10-29-2008 02:39 PM

intrusion detection
 
David Bernier wrote:
> Would a package such as ethereal tell me what this traffic is?
>

Yes (and all other traffic happening in the machine).

There's also the netstat command, but if the connection is opened and
closed quickly it may be hard to catch it.

--
Eduardo M Kalinowski
eduardo@kalinowski.com.br

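David's 4 kB every 20 seconds is the kind of thing a packet capture answers and a one-off netstat misses, for exactly the reason Eduardo gives. As an added example that is not from the thread, the script below reads the text output of tcpdump run with `-nn -tt` (the command-line relative of ethereal; the `-tt` epoch timestamps are what make a period measurable), groups packets into flows, and reports the flows that recur on a regular schedule with the well-known port named, so NTP on 123/udp stands out from an irregular web fetch. The capture lines are constructed, not a real trace, and the addresses are documentation ranges; the jitter threshold and the "service port is the lower port" rule are this example's own assumptions.

```python
"""Find periodic flows in the text output of `tcpdump -nn -tt`.
Added example, not code from the thread; the capture lines are constructed."""
import re
import statistics
from collections import defaultdict

# Leading fields of an IPv4 TCP/UDP line: "<epoch.usec> IP a.b.c.d.port > e.f.g.h.port:"
HDR_RE = re.compile(r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):")
# Payload size as tcpdump prints it: "length N" for most protocols, "(N)" for DNS.
LEN_RE = re.compile(r"length (\d+)|\((\d+)\)\s*$")
PORT_NAMES = {22: "ssh", 53: "dns", 80: "http", 123: "ntp", 443: "https"}


def parse_line(line):
    """Return ts/src/sport/dst/dport/len for an IPv4 line, else None (ARP, IPv6...)."""
    m = HDR_RE.match(line)
    if not m:
        return None
    n = LEN_RE.search(line)
    return {"ts": float(m["ts"]), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "len": int(n.group(1) or n.group(2)) if n else 0}


def periodic_flows(lines, local_ip, min_packets=4, max_jitter=0.15):
    """Group packets by (remote host, service port, direction) and keep the
    flows whose inter-arrival gaps are regular: stdev/mean <= max_jitter."""
    flows = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dst"] == local_ip:
            remote, direction = p["src"], "in"
        elif p["src"] == local_ip:
            remote, direction = p["dst"], "out"
        else:
            continue  # not our traffic
        service = min(p["sport"], p["dport"])  # assumed: the well-known end of the flow
        flows[(remote, service, direction)].append((p["ts"], p["len"]))

    found = []
    for (remote, service, direction), pkts in sorted(flows.items()):
        if len(pkts) < min_packets:
            continue
        times = sorted(ts for ts, _ in pkts)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            found.append({"remote": remote, "service": PORT_NAMES.get(service, str(service)),
                          "direction": direction, "packets": len(pkts),
                          "period_s": round(mean, 2), "jitter": round(jitter, 3),
                          "bytes": sum(n for _, n in pkts)})
    return found


def sample_capture():
    """Constructed lines in `tcpdump -nn -tt` format (not a real capture): an NTP
    exchange every 20 s, a few irregular web fetches, one DNS lookup, one ARP."""
    t0 = 1225288800.0
    local, ntp, web, gw = "192.0.2.10", "198.51.100.5", "203.0.113.9", "192.0.2.1"
    lines = [f"{t0 + 2.9:.6f} ARP, Request who-has {gw} tell {local}, length 28",
             f"{t0 + 3.0:.6f} IP {local}.40000 > {gw}.53: 1234+ A? example.com. (29)",
             f"{t0 + 3.02:.6f} IP {gw}.53 > {local}.40000: 1234 1/0/0 A 93.184.216.34 (45)"]
    for k, j in enumerate([0, 0.05, -0.03, 0.08, 0.01, -0.06, 0.04, 0.02, -0.01, 0.03]):
        t = t0 + 20 * k + j  # nominal 20 s period with a little jitter
        lines.append(f"{t - 0.02:.6f} IP {local}.123 > {ntp}.123: NTPv4, Client, length 48")
        lines.append(f"{t:.6f} IP {ntp}.123 > {local}.123: NTPv4, Server, length 48")
    for dt, n in [(3.1, 1460), (3.4, 1460), (47.2, 512), (48.0, 1460), (130.5, 300)]:
        lines.append(f"{t0 + dt:.6f} IP {web}.80 > {local}.51234: Flags [P.], "
                     f"seq 1:{n + 1}, ack 1, win 501, length {n}")
    return lines
```

On the real machine, `sudo tcpdump -nn -tt -i eth0 > cap.txt` for a few minutes and then periodic_flows(open("cap.txt"), "<the box's IP>") gives the same table; the interface name and IP are whatever the box actually uses. The regularity test is deliberately simple: it finds a clock-driven client such as NTP or a package-update check, and would equally find a malware beacon with a fixed sleep, but a beacon that randomises its interval needs a different statistic than stdev/mean.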