[plug] Methods for intruder detection

Alastair Irvine alastair at plug.org.au
Fri Aug 7 15:55:20 AWST 2020


On Wed, 15 January, 2020 at 09:55:25PM +0800, ıuoʎ wrote:
> Hi Pluggers!
> 
> I was wondering about some easy / simple-to-deploy intruder detection on my
> VPS.
> 
> https://cmd.com/ looks very interesting and I was wondering if anyone knows
> of some open-source local CLI that might do something similar (even if much
> less powerful)

Rather than focusing on what someone might have done once they've
compromised your box, I think it's a better use of time to harden it in
the first place.  Some techniques:

  - Automatic security updates
  - Avoid running custom-built or self-compiled Internet-facing services
  - Limit plugins (for WordPress, Jenkins, etc.) to those from
    trustworthy sources and review the need for them regularly
  - Ensure any plugins or non-distro-provided software install their own
    security updates automatically
  - Use the latest LTS distro release
  - Don't open any ports except HTTP/HTTPS to the Internet; even SSH
    should be locked down, and if you can't, turn off passwords and
    install fail2ban
  - Use a VPN for anything else you need private access to
  - Ensure you have console access in case you get locked out
  - Don't use password-less sudo on your account or the default cloud
    admin account (e.g. ubuntu, ec2-user, etc.)
  - When you do have to use password-less sudo (for cron jobs etc.),
    lock down the commands it can run
  - Use a Web Application Firewall to detect and block intrusion attempts
  - Use a bastion host as an application-level "filter" to prevent hosts
    containing critical data from being exposed to the Internet
  - Spend time learning about other security techniques

Off-site backups and log mirrors are generally a good idea too.

If you want intrusion detection, you need to install software like AIDE,
rkhunter or chkrootkit.  In practice, these tend to be a pain because
usually there are so many false positives that you end up filtering the
reports to an e-mail folder that you never look at.

It's probably less of a pain to use "immutable infrastructure" where
possible.
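As an added illustration of two of the hardening points in the reply above (turning off SSH passwords and not leaving unrestricted password-less sudo on the cloud admin account), here is a small POSIX shell audit that flags those weak settings. It is not from the original thread or from any project named in it; the sshd_config and sudoers fragments are constructed samples embedded inline, and the check_sshd / check_sudoers function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Flags two weak settings the reply warns about:
#   - sshd still accepting passwords / root logins
#   - sudoers rules granting NOPASSWD for ALL commands

# Constructed sshd_config fragment with the weak settings present.
SAMPLE_SSHD='
Port 22
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
'

# Constructed hardened fragment: keys only, no root login.
HARDENED_SSHD='
Port 22
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
'

# Constructed sudoers fragment: one unrestricted NOPASSWD rule (the default
# cloud admin account) and one rule limited to a single command.
SAMPLE_SUDOERS='
# comment lines are ignored
ubuntu ALL=(ALL) NOPASSWD:ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
'

# check_sshd CONFIG_TEXT
# Prints the name of each weak sshd directive found, one per line.
# Comment and blank lines are skipped; directive names are case-insensitive,
# matching how sshd reads its config.
check_sshd() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "passwordauthentication" && tolower($2) == "yes" {
            print "PasswordAuthentication"
        }
        tolower($1) == "permitrootlogin" && tolower($2) == "yes" {
            print "PermitRootLogin"
        }
    '
}

# check_sudoers SUDOERS_TEXT
# Prints the user (first field) of every rule that grants NOPASSWD:ALL.
# A rule such as "NOPASSWD: /usr/bin/rsync" is limited to one command and
# is not reported.
check_sudoers() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        /NOPASSWD:[[:space:]]*ALL([[:space:]]|$)/ { print $1 }
    '
}

# Stand-alone run: report findings for the constructed samples.
echo "weak sshd directives:"
check_sshd "$SAMPLE_SSHD"
echo "accounts with unrestricted NOPASSWD sudo:"
check_sudoers "$SAMPLE_SUDOERS"
```

On a real host you would feed the functions the contents of /etc/ssh/sshd_config and the output of `sudo cat /etc/sudoers /etc/sudoers.d/*`; the awk parsing deliberately ignores comments so that a commented-out "PermitRootLogin yes" is not reported.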

