Network Security Library

Linux Intrusion Checklist






Introduction



Securing your network is a crucial issue for any systems administrator, but once it's up and running, how do you find out who's probing you, and who's trying to gain access to your sensitive data?


Promiscuous mode



Promiscuous mode is a term that will be used later in this document. Under Linux you can put any network device that supports it into this mode, and it will begin capturing ALL data that it receives, not just the data that is destined for it. This is very useful for sniffing and network exploration.


Snort



First and foremost is an open source IDS (Intrusion Detection System) called Snort. In its simplest form, Snort runs as a daemon, puts your network device into promiscuous mode, and matches all packets and sequences of packets against a complex set of rules within its database. It can then be set to trigger certain events when certain sequences are captured, i.e. scans and probes. For the next section on ACID, you should be aware that Snort features a MySQL database plugin, allowing it to log to MySQL.


ACID/MySQL/Apache



ACID is an excellent FE (Front End) for Snort. It produces a user-friendly HTML view from a MySQL database of Snort alerts. You can then install a daemon such as Apache as your webserver, which will serve your ACID content to anyone you wish.


IDS methods



There are a number of intrusion detection methods that you can use; just google for "IDS." I have only outlined one above, and further methods are listed below:

grsec


grsec is an excellent open source tool that secures your system against a large proportion of local exploits. grsec can be set to log, and you're free to use a script of your choice to grep these logs for useful information and begin creating your own IDS/IDS log analyzer.

/var/log/messages


You will find a number of useful system messages in this file, especially from grsec.

BB monitoring



BB is open source machine monitoring software. It can monitor the state of certain files on your client machines, as well as the availability of services, etc.

iptables


I shan't go into depth on iptables at this point; however, I shall say that iptables comes with a very useful 'LOG' target, which can be invoked with '-j LOG' and will log certain packets to the system log. Again, you are then free to log what you wish and grep through the log files, either automatically or manually.
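The grsec and iptables sections above both come down to the same task: pulling useful events out of /var/log/messages with a script of your own. The following is an added example, not code from the original article, of a small analyzer for the lines the iptables LOG target writes there. The sample log lines, the "IPT-DROP: " prefix (an assumed --log-prefix value) and the port-sweep threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages: five kernel lines in the format the
# iptables LOG target emits (documentation IP ranges) plus one unrelated sshd
# line, to show that non-firewall messages are ignored.
SAMPLE_LOG = """\
Mar 12 03:14:15 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 SYN URGP=0
Mar 12 03:14:15 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=1024 SYN URGP=0
Mar 12 03:14:16 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=1024 SYN URGP=0
Mar 12 03:14:16 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=54 ID=0 DF PROTO=TCP SPT=51237 DPT=443 WINDOW=1024 SYN URGP=0
Mar 12 03:15:02 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=63 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar 12 03:15:30 gw sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 4321 ssh2
"""

# The key=value fields of a LOG line; only the four needed here are captured.
# Lines without a DPT field (e.g. ICMP) do not match and are skipped.
FIELD_RE = re.compile(
    r"\bSRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_iptables_log(text):
    """Return one dict per iptables LOG line found in the syslog text."""
    events = []
    for line in text.splitlines():
        if " kernel: " not in line:  # LOG output arrives via the kernel logger
            continue
        m = FIELD_RE.search(line)
        if m:
            events.append({"src": m["src"], "dst": m["dst"],
                           "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def find_scanners(events, min_ports=3):
    """Map each source to the sorted distinct destination ports it hit,
    keeping only sources that touched at least min_ports ports: a simple
    port-sweep heuristic (the threshold is an assumption, tune it to taste)."""
    ports_by_src = defaultdict(set)
    for ev in events:
        ports_by_src[ev["src"]].add(ev["dpt"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_scanners(parse_iptables_log(SAMPLE_LOG)).items():
        print(f"{src} probed ports {ports}")
```

On a real host, replace SAMPLE_LOG with the contents of /var/log/messages (or whatever file your syslog sends kernel messages to) and run it from cron.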


Honeypots



"The first step to understanding honeypots is defining what a honeypot is. This can be harder than it sounds. Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. It is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand. As such, I use the following definition to define what a honeypot is." - http://www.tracking-hackers.com/papers/honeypots.html

Honeypots can be run on your machine, or on an adjacent machine on your network, to:
  1. Tempt hackers towards your honeypot.
  2. Gather statistical information on attacks being aimed at you, as well as new attacks which hackers are trying, etc.

Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget