
Re: intrusion detection



On Tuesday 28 October 2008 11:25, David Bernier wrote:
> Dear Debian users,
>
> Now, I'm using Ubuntu and the firestarter firewall.
>
> I'd like to know about ideas for security, including for example
> intrusion-detection systems.

  There are (at least) two kinds of these, the "network based"
intrusion detection, like firewalls and "snort", and "host-based",
which maintain a database of the sizes, ownership, location,
inode number, and so forth, of files on the system, and report
on changes to these systems.

  In the host-based category, I'm aware of two -- there's the
samhain/yule/beltane family, which are really one intrusion
detection apparatus. Samhain is the daemon that runs on the
clients being monitored, yule is the server that maintains
the (remote from the client) database, and beltane is the
web app you can use to monitor changes.  Beltane costs
a small amount of money, and the others are free (as in beer).

  The other one I know of is "tripwire", which is packaged
for Debian, and which is a single stand-alone application, but
can report to a remote monitoring host.  

  Both of these require a fair amount of configuration, and 
it can be a challenge to tune them so that routine file 
changes don't set off the alarms, but anomalous ones do.  
They can potentially be spoofed by sophisticated rootkits,
as well, but samhain at least has ways of dealing with that.

  I recommend checking out the docs on these (googling
the names will get you there), as I'm not really an expert,
just a user and sometime-tuner of these.

				-- A.
-- 
Andrew Reid / reidac@bellatlantic.net
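The host-based checkers the reply describes (tripwire, samhain) all boil down to the same loop: record a baseline of file attributes and a digest, re-walk later, and report what differs, with an ignore list so routine changes (logs, caches) do not drown out the interesting ones. The sketch below is an added example, not code from the original message or from tripwire/samhain, and the directory layout, file names and contents it builds are constructed sample data. It tracks size, mode, uid/gid, inode and SHA-256, so a binary that is replaced by a file with identical bytes still shows up (new inode), which a digest-only check would miss. Keeping the baseline off the monitored host, as samhain does with yule, is left to the caller via save()/load().

```python
"""Minimal host-based file-integrity checker in the tripwire/samhain spirit.

Baseline: record size, mode, uid/gid, inode and a SHA-256 digest of every
regular file under a root.  Verify: re-walk and report files that were
added, removed or changed, skipping fnmatch-style ignore patterns for paths
that change routinely.  Sample tree and contents are constructed for the
demonstration; they are not real system files.
"""
import hashlib
import json
import os
import stat
import tempfile
from fnmatch import fnmatch

# Attributes recorded per file; a difference in any of them is reported.
TRACKED = ("size", "mode", "uid", "gid", "inode", "sha256")


def _digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _record(path):
    st = os.lstat(path)
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "inode": st.st_ino,
        "sha256": _digest(path),
    }


def snapshot(root, ignore=()):
    """Return {relative_path: record} for every regular file under root,
    skipping paths that match any pattern in ignore (e.g. "var/log/*")."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if any(fnmatch(rel, pat) for pat in ignore):
                continue
            if not stat.S_ISREG(os.lstat(full).st_mode):
                continue  # symlinks, sockets, devices are not hashed here
            db[rel] = _record(full)
    return db


def compare(baseline, current):
    """Return sorted (path, kind, changed_attributes) tuples; kind is
    'added', 'removed' or 'changed'.  changed_attributes is empty unless
    kind is 'changed'."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings.append((rel, "added", ()))
        elif rel not in current:
            findings.append((rel, "removed", ()))
        else:
            diff = tuple(k for k in TRACKED if baseline[rel][k] != current[rel][k])
            if diff:
                findings.append((rel, "changed", diff))
    return findings


def save(db, path):
    """Persist a baseline; in practice write it somewhere the monitored
    host cannot alter (read-only media or a separate server)."""
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load(path):
    with open(path) as f:
        return json.load(f)


def write_file(root, rel, data, replace=False):
    """Write data to root/rel.  With replace=True the bytes go to a new
    file that is renamed over the old one, so the inode changes even when
    the contents do not (how a dropped-in trojan often lands)."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    if not replace:
        with open(full, "wb") as f:
            f.write(data)
        return
    tmp = full + ".new"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, full)


def sample_tree():
    """Build a constructed sample tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    write_file(root, "bin/ls", b"constructed sample binary")
    write_file(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
    write_file(root, "var/log/syslog", b"constructed log line 1\n")
    return root


if __name__ == "__main__":
    root = sample_tree()
    ignore = ("var/log/*",)
    base = snapshot(root, ignore)
    write_file(root, "var/log/syslog", b"more routine log noise\n")     # ignored
    write_file(root, "bin/ls", b"constructed sample binary", replace=True)  # new inode
    for finding in compare(base, snapshot(root, ignore)):
        print(finding)
```

Run it once to produce a baseline, store that baseline somewhere the box cannot rewrite it, and schedule a second run that calls compare() against the stored copy; the ignore tuple is where the tuning the reply mentions happens.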

