Linux Intrusion Detection?
Woodie asks: "Hi, I'm wondering, after reading Dvorak's article on crackers, whether good intrusion detection software exists for Linux. He specifically mentions a product called "BlackICE" - which I checked out the details of - that sounds very interesting. What Linux alternatives are there? I'm not necessarily expecting an easy to use GUI; some kind of background daemon that generates a usable log and that can be preconfigured to respond to certain "attacks" would be great." How reliable are the results from various Intrusion Detection packages? Are these things worthwhile? Or would do-it-yourself monitors be a better choice?
Update: 11/03 11:58 by C: Jargon was also interested in Linux Intrusion Detection and was curious whether there were Linux contenders to the likes of Cybercop Sting and Mantrap.
Help me write one :) (Score:1)
Once I have IP fragment/TCP reassembly done (this may be done off-line) it may actually be quite useful.
Drop me an email if you want to play with it.
Alternatively, the Netfilter stuff in recent 2.3 kernels provides a very interesting way to do a lot of the filtering in kernelspace, saving an awful lot of copying and latency.
Matthew.
Snort (Score:1)
Of course, if you're just looking for whether or not someone is probing your host, the aforementioned PortSentry will do quite nicely.
Re:Check out LIDS (Score:1)
These measures are important for multi-user boxes, but are rather restrictive for your personal workstation.
To be extra paranoid, you want to run something like tripwire, with the database, the (statically linked) tripwire binary, and your kernel (without loadable module support) on a write-protected floppy. If you're looking at measures that extreme, however, I would highly recommend evaluating OpenBSD, as it has been audited, and tends to take a much more proactive stance on security.
The same amount of work put into an OpenBSD box and a Linux box will leave the OpenBSD box much more secure. The out-of-the-box security of an OpenBSD install tends to be greater than that of the average Linux distribution.
No matter what you do, there is no excuse for not keeping up with known bugs in the software you're running, and applying patches in a timely manner. Good luck!
Network Flight Recorder (Score:1)
Marcus, BSD-phile that he is though, believes that the Linux kernel's packet capture facilities are not and will not be fast enough (at least compared with BSD), so this is not an Officially Blessed Solution (TM).
Good Luck!
Tripwire (Score:1)
A freshmeat search [freshmeat.net] will let you know where to find TripWire [tripwiresecurity.com]. It's a utility that keeps track of various aspects of files (size, permissions, checksums) and alerts you when files have changed. It's a bit of a pain to set up initially, as you want some files to remain exactly the same (/bin/ls), some files to change content but not permissions (/etc/passwd), and some files you just don't care about (/tmp/*). Figuring out how much stuff you want to keep track of takes a lot of time, but when you're done, you can build a database of exactly how all your important files are supposed to look. Once you've done that, you can set TripWire to run periodically, mailing you any deltas.
Here at Miami U. [muohio.edu], we run TripWire on just about all of our production platforms. If we do get hacked, we should know about it within minutes.
One more note: TripWire recently went commercial. I've noticed their licensing has become much less free over the last year or two, to the point that you can only get the 2.0 version as a "Red Hat Linux binary" without forking over about $500 (US). They've still got their Academic Source Release available for free download from their website.
clayton
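The baseline-and-delta idea clayton describes (record how important files are supposed to look, then periodically report anything that differs, with different rules for different files) is small enough to sketch. The following is an added illustration, not code from the post and not Tripwire's own implementation; the policy rules, paths, and file contents are constructed for the demo, and it uses SHA-256 in place of whatever checksum the real tool uses.

```python
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile

# Policy in Tripwire's spirit (constructed for this example; first match wins).
# Each rule maps a path pattern to the attributes that must not change.
# An empty set means "don't care about this file at all" (like /tmp/*).
POLICY = [
    ("tmp/*", set()),                        # scratch space: ignore entirely
    ("etc/passwd", {"mode", "uid"}),         # content may change, permissions may not
    ("bin/*", {"size", "mode", "sha256"}),   # must stay exactly the same
]
DEFAULT_ATTRS = {"size", "mode", "sha256"}   # anything not matched: full check


def watched_attrs(relpath):
    """Attributes to record for relpath, per the first matching policy rule."""
    for pattern, attrs in POLICY:
        if fnmatch.fnmatch(relpath, pattern):
            return attrs
    return DEFAULT_ATTRS


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Walk root and record, per regular file, only the attributes the policy watches."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            attrs = watched_attrs(rel)
            st = os.lstat(full)
            if not attrs or not stat.S_ISREG(st.st_mode):
                continue
            rec = {}
            if "size" in attrs:
                rec["size"] = st.st_size
            if "mode" in attrs:
                rec["mode"] = stat.S_IMODE(st.st_mode)
            if "uid" in attrs:
                rec["uid"] = st.st_uid
            if "sha256" in attrs:
                rec["sha256"] = sha256_of(full)
            db[rel] = rec
    return db


def compare(baseline, current):
    """Deltas between two snapshots as (relpath, kind, changed-attrs) tuples."""
    deltas = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            deltas.append((rel, "removed", ""))
        elif rel not in baseline:
            deltas.append((rel, "added", ""))
        else:
            changed = sorted(k for k, v in baseline[rel].items()
                             if current[rel].get(k) != v)
            if changed:
                deltas.append((rel, "changed", ",".join(changed)))
    return deltas


def demo():
    """Constructed scenario: baseline a fake tree, tamper with it, return the report."""
    root = tempfile.mkdtemp()
    try:
        def write(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        write("bin/ls", b"original ls binary", 0o755)
        write("etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        write("tmp/scratch", b"junk")
        baseline = snapshot(root)

        write("bin/ls", b"replaced ls binary!", 0o755)    # content swapped: reported
        write("etc/passwd", b"root:x:0:0::/root:/bin/sh\n"
                            b"bob:x:1000:1000::/home/bob:/bin/sh\n")  # routine edit: silent
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)  # loosened perms: reported
        write("tmp/junk", b"noise")                        # ignored by policy
        write("etc/extra.conf", b"new file")               # new file in watched area: reported
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, kind, detail in demo():
        print(f"{kind:8s} {rel} {detail}")
```

Running a `snapshot` from cron and mailing the output of `compare` against a saved baseline is the periodic delta report the post mentions. The report is only as trustworthy as the baseline and the checker itself, which is the point of the earlier suggestion in this thread to keep the database and a statically linked binary on write-protected media.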
Alarmed Honeypot (Score:1)
Re:Tripwire (Score:1)
Re:Tripwire (Score:1)
Portsentry is always good. (Score:2)
It's a good scan detector.
From that link you can find hostsentry (a "login anomaly detection and response tool").