Date:      Sun, 13 Jan 2002 13:29:38 -0800 (PST)
From:      Thomas Cannon <tcannon@noops.org>
To:        Simon Siemonsma <s.siemonsma@hccnet.nl>
Cc:        <freebsd-questions@freebsd.org>
Subject:   Re: Which intrusion detection to use?
Message-ID:  <20020113131424.E72571-100000@stereophonic.noops.org>
In-Reply-To: <200201131449.PAA27001@smtp.hccnet.nl>

> I have a FreeBSD box at home which I primarily use for internet access.
> All unnecessary daemons are switched off (I have inetd turned off) and I make
> use of IPFW.
> To increase the security even more I want to add a few things:

First off, there is a principle in computer security along the lines of
'if it isn't running, nobody can break in through it' that you are using,
and then reversing. You shut down all the listening things, and now you
want to run a bunch of others.

Think it over, is all I'm saying.


> 1.	software that warns me when I'm under attack. I understood snort is a
> Network based Intrusion Detection System (NIDS), so not useful on a host.

But your host is attached to a network, so it is a NIDS for a /32 (one
host) network. Host based IDS don't work for a network, but NIDS do work
on a host.

> What are the alternatives on a host? I did read about portsentry but don't
> understand what the added benefit is over a tightly configured firewall. I

There isn't one, really.

> mean I use stateful packet filtering, allowing connections to be built up
> from me to the internet and not the other way round. Further my ports are
> stealthed.

And all this is logged, yes? Then have logcheck
(/usr/ports/security/logcheck/) scan your logs every five minutes and send
you mail to your pager if you see things from ipfw or unapproved zone
transfers, or checks for CGI scripts that aren't there. It won't listen to
the network, so it'd be hard to find a way in through that.

> 2.	software which will detect that I'm hacked. Tripwire is a well known name,
> but AIDE claims to do more. Integrit claims to be simpler and to focus on the
> essentials.

There's a bunch. They're all functionally equivalent. The only important
thing is that you keep the checksums on a read-only media. Flick the
write-only tab on the floppy that you leave mounted in the drive.

Other things you can do would be to log to a line printer. Or log to an
OpenBSD machine with nothing running (no SSH, no nothing) other than
syslogd that will accept from that host and that host only.

Or you can go all out and study intrusion detection in depth, learn what
traffic looks like, and then what bad traffic looks like, and run
something like SHADOW and have your machine scarf all your network
traffic in one hour bites, and present you with anything that doesn't look
normal. The problem is, running it involves tcpdump, which while it seems
innocuous, has had problems and has been exploitable in the past, which
brings us back to the beginning of this email.

Think it over, is all I'm saying.


Thomas

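The logcheck-style scan suggested in the reply above, as an added example that is not part of the thread and not logcheck's own code: it filters constructed sample log lines for ipfw denies, unapproved zone transfers and requests for CGI scripts that aren't there, with an ignore list for expected noise. The log formats and regular expressions are assumptions approximating FreeBSD ipfw, BIND 8 and Apache output.

```shell
#!/bin/sh
# Added example (not logcheck itself, not from the thread): a minimal
# logcheck-style filter for the three cases named in the reply: ipfw denies,
# unapproved zone transfers, and requests for CGI scripts that are not there.
# Log formats below are constructed approximations of FreeBSD ipfw, BIND 8
# and Apache output; the patterns are illustrative, not logcheck's rule files.

# Lines worth paging on.
ALERT_RE='ipfw: [0-9]+ Deny |unapproved AXFR|"GET /cgi-bin/[^"]*" 40[34] '
# Expected noise that would otherwise match: NetBIOS broadcasts on the LAN.
IGNORE_RE='Deny UDP [0-9.]+:137 '

# scan_logs FILE: print alert lines, minus anything on the ignore list.
# Exit status is grep's: 0 when at least one alert survives.
scan_logs() {
    grep -E -e "$ALERT_RE" "$1" | grep -E -v -e "$IGNORE_RE"
}

# Constructed sample log (six lines; three should be reported).
SAMPLE=${TMPDIR:-/tmp}/logcheck-demo.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Jan 13 13:29:38 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:4321 192.0.2.10:22 in via fxp0
Jan 13 13:29:40 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:1029 203.0.113.8:80 out via fxp0
Jan 13 13:29:41 gw /kernel: ipfw: 65000 Deny UDP 192.0.2.99:137 192.0.2.255:137 in via fxp0
Jan 13 13:30:05 gw named[123]: unapproved AXFR from [203.0.113.7].2345 for "example.net"
203.0.113.7 - - [13/Jan/2002:13:30:11 -0800] "GET /cgi-bin/phf HTTP/1.0" 404 210
203.0.113.7 - - [13/Jan/2002:13:30:12 -0800] "GET /index.html HTTP/1.0" 200 1532
EOF

# A real deployment would point this at /var/log/messages and the httpd log,
# remember the last offset read (logcheck does this with logtail), and run it
# from cron every five minutes, e.g.
# */5 * * * * /usr/local/sbin/scan_logs.sh | mail -s "log alerts" pager@example.net
scan_logs "$SAMPLE"
```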
