Old 10-28-2008, 02:37 PM
"Sam Kuper"
 
Default intrusion detection

2008/10/28 David Bernier <david250@videotron.ca>
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

I recently read Linux Firewalls*, and can recommend it. I'm sure there are lots of other good books on the topic too.

Sam
 
Old 10-28-2008, 02:55 PM
en0f
 
Default intrusion detection

David Bernier wrote:
> [ .. ]
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

Usually a properly configured iptables should do but if you want maybe
extra protection I guess you should start with snort.


--
en0f


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 10-28-2008, 11:12 PM
Andrew Reid
 
Default intrusion detection

On Tuesday 28 October 2008 11:25, David Bernier wrote:
> Dear Debian users,
>
> Now, I'm using Ubuntu and the firestarter firewall.
>
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

There are (at least) two kinds of these, the "network based"
intrusion detection, like firewalls and "snort", and "host-based",
which maintain a database of the sizes, ownership, location,
inode number, and so forth, of files on the system, and report
on changes to these systems.

In the host-based category, I'm aware of two -- there's the
samhain/yule/beltane family, which are really one intrusion
detection apparatus. Samhain is the daemon that runs on the
clients being monitored, yule is the server that maintains
the (remote from the client) database, and beltane is the
web app you can use to monitor changes. Beltane costs
a small amount of money, and the others are free (as in beer).

The other one I know of is "tripwire", which is packaged
for Debian, and which is a single stand-alone application, but
can report to a remote monitoring host.

Both of these require a fair amount of configuration, and
it can be a challenge to tune them so that routine file
changes don't set off the alarms, but anomalous ones do.
They can potentially be spoofed by sophisticated rootkits,
as well, but samhain at least has ways of dealing with that.

I recommend checking out the docs on these (googling
the names will get you there), as I'm not really an expert,
just a user and sometime-tuner of these.

-- A.
--
Andrew Reid / reidac@bellatlantic.net


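Andrew's sketch of a host-based IDS (a database of file sizes, ownership, inode numbers and so on, compared against the live system, with an ignore list to keep routine changes from alarming) as a small added Python example. This is illustration code written for this thread, not samhain or tripwire; the SHA-256 digest is an addition beyond the attributes the post lists, and the directory tree, the `*.log` ignore glob and the tampering steps in `demo()` are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Attributes the post names (size, ownership, inode) plus mode, mtime and a digest.
TRACKED = ("size", "mode", "uid", "gid", "inode", "mtime", "sha256")


def fingerprint(path: Path) -> dict:
    """Record the tracked attributes of one regular file."""
    st = path.stat()
    return {"size": st.st_size, "mode": st.st_mode, "uid": st.st_uid,
            "gid": st.st_gid, "inode": st.st_ino, "mtime": st.st_mtime_ns,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}


def build_baseline(root: Path, ignore=()) -> dict:
    """Fingerprint every regular file under root, skipping ignore globs.
    The ignore list is the tuning knob: routine files (logs, caches) are
    excluded so that only anomalous changes raise an alarm."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and not any(Path(rel).match(g) for g in ignore):
            baseline[rel] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added and removed paths, and which attributes drifted per file."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for rel in sorted(set(baseline) & set(current)):
        drift = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
        if drift:
            report["changed"][rel] = drift
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it in three ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"ELF original")
        (root / "app.log").write_text("routine noise\n")
        before = build_baseline(root, ignore=("*.log",))
        (root / "bin" / "ls").write_bytes(b"ELF replaced")  # same size, new content
        (root / "bin" / "sh").write_bytes(b"unexpected new file")
        (root / "app.log").write_text("more noise\n")  # ignored: no alarm
        return compare(before, build_baseline(root, ignore=("*.log",)))
```

The rewritten binary keeps its size and inode, so only the digest (and possibly mtime) exposes it, which is why a content hash belongs in the baseline alongside the metadata.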
 
Old 10-29-2008, 12:22 AM
David Bernier
 
Default intrusion detection

Andrew Reid wrote:

> On Tuesday 28 October 2008 11:25, David Bernier wrote:
> > Dear Debian users,
> >
> > Now, I'm using Ubuntu and the firestarter firewall.
> >
> > I'd like to know about ideas for security, including for example
> > intrusion-detection systems.
>
> There are (at least) two kinds of these, the "network based"
> intrusion detection, like firewalls and "snort", and "host-based",
> which maintain a database of the sizes, ownership, location,
> inode number, and so forth, of files on the system, and report
> on changes to these systems.
>
> In the host-based category, I'm aware of two -- there's the
> samhain/yule/beltane family, which are really one intrusion
> detection apparatus. Samhain is the daemon that runs on the
> clients being monitored, yule is the server that maintains
> the (remote from the client) database, and beltane is the
> web app you can use to monitor changes. Beltane costs
> a small amount of money, and the others are free (as in beer).
>
> The other one I know of is "tripwire", which is packaged
> for Debian, and which is a single stand-alone application, but
> can report to a remote monitoring host.
>
> Both of these require a fair amount of configuration, and
> it can be a challenge to tune them so that routine file
> changes don't set off the alarms, but anomalous ones do.
> They can potentially be spoofed by sophisticated rootkits,
> as well, but samhain at least has ways of dealing with that.
>
> I recommend checking out the docs on these (googling
> the names will get you there), as I'm not really an expert,
> just a user and sometime-tuner of these.


Yes, thanks. I'm using the Ubuntu Hardy gnome-system-monitor, which is
quite impressive. It has a graphical user interface. I'd like to copy to
the clip-board the information about all running processes. I haven't
succeeded with that. But come to think of it,
ps -aux > data_file or something like that
should write info. on processes to a file.
Also, my setup is simple, with no web servers, mail servers: just me.


David Bernier





 
Old 10-29-2008, 01:36 AM
Julian De Marchi
 
Default intrusion detection


<snip>

> In the host-based category, I'm aware of two -- there's the
> samhain/yule/beltane family, which are really one intrusion
> detection apparatus. Samhain is the daemon that runs on the
> clients being monitored, yule is the server that maintains
> the (remote from the client) database, and beltane is the
> web app you can use to monitor changes. Beltane costs
> a small amount of money, and the others are free (as in beer).

<snip>

I can recommend ossec[0]. It is a great little host IDS, which works
great out of the box.

--
Cheers,
Julian De Marchi
--
OpenNIC user - http://www.opennicproject.org/ | http://www.opennic.glue
Support OpenNIC, become a member today!
--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

0 - http://www.ossec.net/


 
Old 10-29-2008, 04:51 AM
"Douglas A. Tutty"
 
Default intrusion detection

On Tue, Oct 28, 2008 at 03:37:05PM +0000, Sam Kuper wrote:
> 2008/10/28 David Bernier <david250@videotron.ca>
> >
> > I'd like to know about ideas for security, including for example
> > intrusion-detection systems.
> >
>
> I recently read Linux Firewalls <http://www.nostarch.com/firewalls_mr.htm> ,
> and can recommend it. I'm sure there are lots of other good books on the
> topic too.
>

Read the document provided by the harden-doc package.

Read the document provided by the shorewall-doc package.

Your own box cannot monitor itself (there was just a thread on this).
If you want intrusion-detection, get an old box as a detector/monitor.

Doug.


 
Old 10-29-2008, 06:52 AM
David Bernier
 
Default intrusion detection

Douglas A. Tutty wrote:

> On Tue, Oct 28, 2008 at 03:37:05PM +0000, Sam Kuper wrote:
> > 2008/10/28 David Bernier <david250@videotron.ca>
> > > I'd like to know about ideas for security, including for example
> > > intrusion-detection systems.
> >
> > I recently read Linux Firewalls <http://www.nostarch.com/firewalls_mr.htm> ,
> > and can recommend it. I'm sure there are lots of other good books on the
> > topic too.
>
> Read the document provided by the harden-doc package.
>
> Read the document provided by the shorewall-doc package.
>
> Your own box cannot monitor itself (there was just a thread on this).
> If you want intrusion-detection, get an old box as a detector/monitor.
>
> Doug.



Thanks for all the replies. I've installed the latest version of OSSEC.
That was easy.

I used a "local" type. I'll have to learn a bit about hardening the system.

David


 
Old 10-29-2008, 01:52 PM
Osamu Aoki
 
Default intrusion detection

Hi,

On Tue, Oct 28, 2008 at 09:55:32PM +0630, David Bernier wrote:
> Dear Debian users,
>
> I think my computer was hacked. A music CD that I bought in a store
> (Redbook audio
> standard) was left in the CD/DVD bay. Then, mysteriously, a song
> by Destiny's Child ("Jumpin' Jumpin' ") got transformed into the *.ogg
> format, but
> I didn't ask for that. Same sound from stereo playing Redbook format
> audio CD
> and the *.ogg file on the hard drive ...

I do not have hard facts but this seems to be just clicking a wrong
key/mouse which caused it to create such a thing. ...

> So I took a test-drive of Ubuntu 8.04 Live CD, and then did a complete
> reinstall. Now, I'm using Ubuntu and the firestarter firewall.
>
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

If you are playing with Ubuntu, please ask their mailing list.
Then you get better support.

Osamu


 
Old 10-29-2008, 02:30 PM
David Bernier
 
Default intrusion detection

Osamu Aoki wrote:

> Hi,
>
> On Tue, Oct 28, 2008 at 09:55:32PM +0630, David Bernier wrote:
> > Dear Debian users,
> >
> > I think my computer was hacked. A music CD that I bought in a store
> > (Redbook audio standard) was left in the CD/DVD bay. Then, mysteriously,
> > a song by Destiny's Child ("Jumpin' Jumpin' ") got transformed into the
> > *.ogg format, but I didn't ask for that. Same sound from stereo playing
> > Redbook format audio CD and the *.ogg file on the hard drive ...
>
> I do not have hard facts but this seems to be just clicking a wrong
> key/mouse which caused it to create such a thing. ...
>
> > So I took a test-drive of Ubuntu 8.04 Live CD, and then did a complete
> > reinstall. Now, I'm using Ubuntu and the firestarter firewall.
> >
> > I'd like to know about ideas for security, including for example
> > intrusion-detection systems.
>
> If you are playing with Ubuntu, please ask their mailing list.
> Then you get better support.



Yes. Truth is I left the music CD in the bay and the BIOS settings had
the CD/DVD drive as the first boot device. It may have contributed to my
Debian installation crashing.

---

The Gnome system monitor now shows incoming traffic at 4 kB/sec every 20
seconds. Maybe this is when my computer contacts an SNTP server (simple
network time protocol).

Would a package such as ethereal tell me what this traffic is?

Thanks,

David



 
Old 10-29-2008, 02:39 PM
Eduardo M KALINOWSKI
 
Default intrusion detection

David Bernier escreveu:
> Would a package such as ethereal tell me what this traffic is?
>

Yes (and all other traffic happening in the machine).

There's also the netstat command, but if the connection is opened and
closed quickly it may be hard to catch it.

--
Eduardo M Kalinowski
eduardo@kalinowski.com.br

