
Thread: Intruder detection and Linux

  1. #1
    Bogler
    Guest

    Intruder detection and Linux

    I would like to protect my Linux box.

    What intruder detection software do people use out there?

    I have had a brief look at tripwire but there must be others.

    Also, when setting up a firewall I have heard that it is bad practice to set up your firewall on your main box as this can be beaten quite easily through port 25.

    Is it best to have an older machine providing firewall and gateway services?

    Thanks

    Bogler

  2. #2
    JimH
    Guest

    Re:Intruder detection and Linux

    I have never installed an IDS. Another one of those things I keep saying I am going to try and never get around to. :-/ I do trust my firewall though. But it does add another layer of security.

    Also, when setting up a firewall I have heard that it is bad practice to set up your firewall on your main box as this can be beaten quite easily through port 25.
    I don't know about that. The advantage is the firewall box is the only box exposed to the internet and visible to a hacker's eyes. Besides, it gives you some networking experience. ;D

    Jim H

  3. #3
    bdl
    Guest

    Re:Intruder detection and Linux

    Quote Originally Posted by Bogler
    Also, when setting up a firewall I have heard that it is bad practice to set up your firewall on your main box as this can be beaten quite easily through port 25.

    Is it best to have an older machine providing firewall and gateway services?
    Hmmm. Well, I suppose if you actually use your box as a mail server, then you'd leave port 25 (smtp) open and it *might* be possible to launch a remote attack against it, but I don't think it's as likely as all that. It used to be that Sendmail was open to attacks but with the choice of Qmail and Postfix, two secure Sendmail alternatives (not to mention Sendmail's progression towards being more secure) I don't know how much of a threat it is nowadays. Otherwise, just don't allow mail services in and you can firewall port 25 anyway.

    I think the best box to use as a firewall is an older one, just because it can't necessarily keep up with what you may want to do (play games, download big *ahem* image files, etc) but there are plenty of CPU cycles to use it as a firewall and web server, etc.


    I don't consider Tripwire to be 'intruder detection' per se, you should be looking for something more like [snort] or [portsentry]. Don't get me wrong, Tripwire is good stuff, but that's for after someone's already borked through your firewall and is on the system, or has somehow planted a trojan (you may have unwittingly done this yourself by installing software, etc).
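The kind of thing bdl means by portsentry-style detection, as an added example that is not code from this thread, from portsentry or from snort: the script below reads syslog lines written by an iptables "-j LOG" rule, groups the logged connection attempts by source address, and alerts when one source touches at least five distinct destination ports inside a sixty-second window. The threshold, the window, the host name and the addresses (documentation ranges) are assumptions, and the sample log is constructed here; the third source shows the classic weakness of this approach, a scan slow enough to stay under the window.

```python
"""Portsentry-style port-scan detection over netfilter LOG lines.

Added example, not code from the thread or from portsentry/snort.
Threshold, window, host name and sample addresses are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Only the fields we need from a netfilter LOG line; the kernel writes
# SRC before PROTO and PROTO before DPT, so a lazy match in that order works.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

SCAN_THRESHOLD = 5    # distinct destination ports from one source ...
WINDOW_SECONDS = 60   # ... within this many seconds (assumed values)


def parse_line(line, year=2002):
    """Return (timestamp, src, proto, dport), or None for lines without a
    DPT field (ICMP, malformed, or unrelated syslog traffic)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])


def detect_scans(lines, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: every distinct port it probed} for each source that hit
    >= threshold distinct ports inside some window of `window` seconds."""
    events = defaultdict(list)           # src -> [(ts, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ts, src, _proto, dport = rec
            events[src].append((ts, dport))

    alerts = {}
    for src, hits in events.items():
        hits.sort()                      # syslog order is not guaranteed
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans <= window seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= threshold:
                alerts[src] = sorted({p for _, p in hits})
                break
    return alerts


def _log_line(ts, src, dport, proto="TCP"):
    """Build one LOG-target line in the kernel's format (constructed sample)."""
    return (f"{ts} gw kernel: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1 DF "
            f"PROTO={proto} SPT=40001 DPT={dport} WINDOW=5840 RES=0x00 SYN URGP=0")


# Constructed sample log (documentation address ranges, not real hosts):
#  - 203.0.113.9  sweeps six ports in six seconds       -> alerts
#  - 198.51.100.4 is a normal client on 80 and 443       -> no alert
#  - 203.0.113.77 probes one port every five minutes     -> slow scan, evades
#    the 60 s window; only a much wider window catches it
SAMPLE_LOG = (
    [_log_line(f"Jun 12 10:01:0{i}", "203.0.113.9", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110], start=1)]
    + [_log_line("Jun 12 10:02:00", "198.51.100.4", 80),
       _log_line("Jun 12 10:02:30", "198.51.100.4", 80),
       _log_line("Jun 12 10:03:10", "198.51.100.4", 443)]
    + [_log_line(f"Jun 12 10:{m:02d}:00", "203.0.113.77", p)
       for m, p in zip(range(0, 25, 5), [21, 22, 23, 25, 80])]
    + ["Jun 12 10:04:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 "
       "LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1"]
)

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"ALERT possible port scan from {src}: ports {ports}")
    print("with a one-hour window:", detect_scans(SAMPLE_LOG, window=3600))
```

Run it and the fast sweep from 203.0.113.9 is reported while the slow probe from 203.0.113.77 is not; widening the window to an hour catches both, at the price of more false positives from busy legitimate clients. That trade-off is the whole tuning problem with threshold-based scan detectors, whether homegrown or portsentry.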

  4. #4
    jmbrinks
    Guest

    Re:Intruder detection and Linux

    If you want a good security implementation for Linux / Unix I would recommend the following:

    1) Start with the install
    a) What is the purpose of the computer?
    b) How will it connect to the internet / network?
    c) What function does it serve?
    d) What applications are required?
    e) How sensitive is the data?

    2) Install ONLY the REQUIRED packages!

    3) Boot to Run Level 3 (If you want to go to X, log in and type startx)

    4) Do not log in as root.

    5) Have a good password (minimum of 8 characters and alphanumeric including capital letters, lower case letters, numbers and alphanumeric symbols - also not easily guessed like B0gL3r)

    6) Install all updates and security packages.

    7) Install Tripwire - used to verify the integrity of directories and files.

    8) Install Secure Shell (SSH) - one approach to "secure", encrypted communications.

    9) Install Syslogd - used to collect logging messages

    10) Install Logsurfer - used to analyze log messages

    11) Install Spar - used to review and understand process accounting data to identify suspicious behavior.

    12) Install Tcpdump - used for Traffic Analysis

    13) Install Snort - Network Intrusion Detection Tool

    14) Install NSA Secure Linux (Haven't done this due to lack of time, but want to)

    This will be a good start.

    Do you dial up or have a broadband connection?

    Do you sit behind a hardware - based firewall?

    Are you directly connected or are you behind a router / switch?

    Check the following sites:
    http://www.linuxsecurity.com
    http://www.cert.org
    http://www.sans.org
    http://nsa1.www.conxion.com/
    http://www.nsa.gov/selinux/index.html


    Let me know if you need more....This should keep you busy for a while....
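What Tripwire actually does for you, covering both bdl's point above (it catches the intruder or trojan that is already on the box) and item 7 of jmbrinks's list: this is an added example, not Tripwire's code, database format or policy language. It records a SHA-256 hash plus ownership, permissions, size and mtime for every file under a root while the system is known-good, stores that baseline somewhere the monitored host cannot rewrite, and later rehashes the tree and reports what was added, removed or modified. The sample tree, the file names and the tampering are constructed; the second temporary directory stands in for the read-only media the baseline belongs on.

```python
"""Tripwire-style file integrity baseline and verification.

Added example; not Tripwire's code, database format or policy language.
The sample tree and the tampering in demo() are constructed.
"""
import hashlib
import json
import os
import stat
import tempfile


def _file_record(path):
    """Attributes a change should not be able to hide from."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size, "mtime": st.st_mtime_ns}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Walk root and return {relative_path: record} for files and symlinks."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _file_record(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline):
    """Rehash the live tree and diff it against the baseline.
    'modified' maps each changed path to the attribute names that differ."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(current) & set(baseline)):
        keys = set(current[path]) | set(baseline[path])
        changed = sorted(k for k in keys
                         if current[path].get(k) != baseline[path].get(k))
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it the way an
    intruder might, then verify against the saved baseline."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as safe:
        os.mkdir(os.path.join(root, "bin"))
        ls, passwd = os.path.join(root, "bin", "ls"), os.path.join(root, "passwd")
        _write(ls, b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        _write(passwd, b"root:x:0:0:root:/root:/bin/bash\n")
        _write(os.path.join(root, "hosts.deny"), b"ALL: ALL\n")

        # The baseline must live where the monitored host cannot rewrite it
        # (read-only media is the classic answer); 'safe' stands in for that.
        db = os.path.join(safe, "baseline.json")
        save_baseline(build_baseline(root), db)

        # --- tampering, as an intruder would do it ---
        st = os.lstat(ls)
        _write(ls, b"#!/bin/sh\nexec /tmp/.hd/ls \"$@\"\n")   # same size as before
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))    # mtime put back
        with open(passwd, "ab") as f:
            f.write(b"toor:x:0:0::/:/bin/sh\n")               # second uid-0 account
        os.remove(os.path.join(root, "hosts.deny"))
        _write(os.path.join(root, "bin", ".hd"), b"rootkit\n")

        return verify(root, load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The trojaned bin/ls keeps its size and its original mtime, so a check based on ls -l alone would miss it; only the hash gives it away. That is the reason to record a cryptographic digest rather than just metadata, and the reason the baseline itself must be kept where the intruder cannot regenerate it after the fact.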

  5. #5
    nfallon
    Guest

    Re:Intruder detection and Linux

    The best firewall is one that makes people work in order to get into the system. Most people are lazy and will not want to work very hard.

    I use a Novell system followed by a Windows 2K system and then my Linux box. If the person knows enough to get through the three different systems they can have whatever is on my system. Most hackers will assume that they are working on one or at most two types of systems.

    Neil

  6. #6
    JimH
    Guest

    Re:Intruder detection and Linux

    jmbrinks nice list. ;D

    I also would add LIDS to it as a possibility to use. http://www.lids.org/ This is something I would like to try running on my firewall box and see how well it works.

    Jim H

  7. #7
    jmbrinks
    Guest

    Re:Intruder detection and Linux

    I heard of LIDS, but do not know anyone that has tried it. There is also a movement by the government right now to scrutinize linux and open source in general and bear down on security. I was at the web site the other day, but did not bookmark it.

    When I find it I will post it.

    Give me some scoop on LIDS if you have it.

  8. #8
    JimH
    Guest

    Re:Intruder detection and Linux

    Quote Originally Posted by jmbrinks
    Give me some scoop on LIDS if you have it.
    This is part one of a four-part series on using LIDS. It does a good job of going over it.

    http://online.securityfocus.com/infocus/1496
    Jim H

  9. #9
    jmbrinks
    Guest

    Re:Intruder detection and Linux

    After reading through the article, LIDS almost looks similar to NSA Secure Linux.

    Both are kernel "patches" that have to be installed on top of current Linux installs. Once the patch is installed, it locks down directories and forces specific file access to individual users. Extra bells and whistles are "built-in" and included with the "patch". Interesting....

    I wish I had the time to take two platforms and compare!

    Maybe turn this into a GLO Project ;D

  10. #10
    Bogler
    Guest

    Re:Intruder detection and Linux

    It is really just to protect a standalone box. I have a work laptop that I network, but this would not be appropriate for a firewall. I may buy an old junk machine and use that as a firewall machine.

    I read these mails with interest, good to hear so many different points of view.

    Regards

    Bogler
