Date: Sun, 13 Jan 2002 21:08:09 +0100
From: Krzysztof Zaraska
To: freebsd-security@freebsd.org
Subject: Re: Which intrusion detection to use?
Message-Id: <20020113210809.6be9f991.kzaraska@student.uci.agh.edu.pl>
Organization: University Of Mining And Metallurgy

On Sun, 13 Jan 2002 19:00:30 +0000 Simon Siemonsma wrote:

> I have a FreeBSD box at home which I primarily use for internet access.
> All unnecessary daemons are switched off (I have inetd turned off) and I make
> use of IPFW.
> To increase the security even more I want to add a few things:
> 1. software that warns me when I'm under attack. I understood snort is a
> Network based Intrusion Detection System (NIDS), so not useful on a host.

Wrong. This term simply means that it will sniff your network (i.e. the connection to your ISP) and alert you when it sees a packet that matches a known attack signature. So yes, you can run it on a single host. Be warned, however, that Snort can generate false positives: e.g. it can report that you are being exploited with an unknown exploit while FTP'ing a new release of FreeBSD, because some archives have strings of 0x70's in them, which triggers an alert.

> What are the alternatives on a host?

To clean up terminology: a host-based IDS is AIDE, since it monitors changes on the host. Snort is network-based since it monitors the network. A hybrid IDS monitors both.

> I did read about portsentry but don't
> understand what the added benefit is over a tightly configured firewall.

I don't know how tight your particular setup is, but if you deny access to all unused ports to the world there will be no use in PortSentry, since the offending packets will never hit the port PortSentry is listening on. Snort does not care about firewalls, so just tell it to listen on the outside interface and you're set.

> I mean I use stateful packet filtering, allowing connections to be built up
> from me to the internet and not the other way round.

You mean you have no services available from outside? Well, duh, not much can be hacked here anyhow, unless there is some exploit for the kernel we don't know of, I guess...

> Further my ports are
> stealthed.

This doubles the functionality of the firewall, but may be useful if you switch your firewall off for debugging etc. A nice example of 'layered security'. :)

> 2. software which will detect that I'm hacked. Tripwire is a well known name,
> but AIDE claims to do more.

Personally I use AIDE and I find it to be quite OK. After setting up AIDE I made an MD5 checksum of the database. I keep this checksum offsite and compare it against the current checksum to be sure that no one tampered with the database :)

> Integrit claims to be simpler and focus on the
> essentials.

Haven't tested. However, all these tools operate on the same principles...

> Does anyone have some recommendations for me.

If this is a NAT gateway that has all ports firewalled from the outside I'd be satisfied with the steps described above. Just re-check your firewall rules, since it's your most important line of defense. You may however (it's your system, anyhow ;-)) consider raising your securelevel and making some files immutable (binaries, configuration) and some others append-only (logs). man securelevel for details.

> Other recommendations to increase my security are also welcome?

Well, there are some papers on the subject available on the net, so just do a Google search :) but they mostly focus on multi-user systems and servers. Actually a simple setup == fewer possible points of entry. I'm afraid that if you exaggerate you may end up with a system generating tons of logs although nothing serious is happening.

Best regards,
Krzysztof
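The off-site checksum comparison Krzysztof describes for the AIDE database, written out as a small POSIX shell script. This is an added example, not code from the original thread; the database and reference-checksum paths are assumptions, and the files in the demo are constructed stand-ins for a real AIDE database.

```shell
#!/bin/sh
# Added example: check that the AIDE database on this host still matches
# the checksum recorded right after `aide --init` and kept off the host.
# Paths are assumptions for illustration.

# Portable MD5 of a file: FreeBSD ships md5(1), most Linux systems md5sum(1).
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# verify_aide_db DB REFERENCE
# REFERENCE contains the hex digest stored off-site. Returns 0 when the
# database is unchanged, 1 when it differs or either file is unreadable
# (a missing reference is treated as a failure, never as "no policy").
verify_aide_db() {
    db=$1; ref=$2
    [ -r "$db" ] && [ -r "$ref" ] || return 1
    expected=$(tr -d '[:space:]' < "$ref")
    actual=$(md5_of "$db")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Demo on constructed files (not a real AIDE database): the check passes on
# the pristine copy and fails once the database has been altered.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample database\n' > "$tmp/aide.db"
    md5_of "$tmp/aide.db" > "$tmp/aide.db.md5.offsite"
    if verify_aide_db "$tmp/aide.db" "$tmp/aide.db.md5.offsite"; then ok=0; else ok=1; fi
    printf 'tampered\n' >> "$tmp/aide.db"
    if verify_aide_db "$tmp/aide.db" "$tmp/aide.db.md5.offsite"; then tampered=0; else tampered=1; fi
    rm -rf "$tmp"
    [ "$ok" -eq 0 ] && [ "$tampered" -eq 1 ]
}
```

On FreeBSD this pairs naturally with the message's other advice: set the immutable flag on the database (chflags schg) and raise the securelevel so the flag cannot be cleared while the system is up.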