[plug] Methods for intruder detection

ıuoʎ yonjah at gmail.com
Fri Aug 7 22:16:34 AWST 2020


Hi Alastair.
Thank you for the detailed response.
The information is really useful for hardening your box, but it wasn't
really what I was looking for.
Looking back at my question it probably wasn't very clear.

Hardening is probably the first and most important step in trying to secure
a system, but it has its limitations.
1. It is impossible to get a 100% impenetrable system; even if you ignore
0days or delayed updates, there is still a big chance you are missing
something you don't even know requires your attention.
2. Hardening won't protect you if your credentials are stolen, or if your
host provider gets popped.

By intrusion detection I didn't mean scanning the system for rootkits or
even having complex rules to detect system changes;
I was mostly thinking of having small targeted beacons that will send
alerts whenever they are triggered.
Examples of some I already have on my VPS:
- Get an email on every login (might be noisy for people, but I don't often
log in to my VPS, and even if I did I'd notice getting such an e-mail when I
hadn't)
- Spread some canary files that look sensitive but send an e-mail
once opened (these are very accurate, as they will never be opened by someone
who knows the system, but an attacker will find it hard to avoid opening
credit_cards_backup-2019.pdf, especially if it's in the trash folder)

cmd.com <http://cmd.com> seems to be an amazing solution.
If you enable 2FA, not only do you get notifications when someone tries to run
a command on the server, you also prevent the execution.

I was wondering if there is anything similar that might be open source,
and any other tools that might fill a similar role of giving relatively
low-noise signals once an intrusion has happened.



On Fri, Aug 7, 2020 at 3:53 PM Alastair Irvine <alastair at plug.org.au> wrote:

> On Wed, 15 January, 2020 at 09:55:25PM +0800, ıuoʎ wrote:
> > Hi Pluggers!
> >
> > I was wondering about some easy / simple to deploy intruder detection on my
> > VPS.
> >
> > https://cmd.com/ looks very interesting and I was wondering if anyone
> > knows of some open source local CLI that might do something similar
> > (even if much less powerful)
>
> Rather than focusing on what someone might have done once they've
> compromised your box, I think it's a better use of time to harden it in
> the first place.  Some techniques:
>
>   - Automatic security updates
>   - Avoid running custom-built or self-compiled Internet-facing services
>   - Limit plugins (for WordPress, Jenkins, etc.) to those from
>     trustworthy sources and review the need for them regularly
>   - Ensure any plugins or non-distro-provided software install their own
>     security updates automatically
>   - Use the latest LTS distro release
>   - Don't open any ports except HTTP/HTTPS to the Internet; even SSH
>     should be locked down, and if you can't, turn off passwords and
>     install fail2ban
>   - Use a VPN for anything else you need private access to
>   - Ensure you have console access in case you get locked out
>   - Don't use password-less sudo on your account or the default cloud
>     admin account (e.g. ubuntu, ec2-user, etc.)
>   - When you do have to use password-less sudo (for cron jobs etc.),
>     lock down the commands it can run
>   - Use a Web Application Firewall to detect and block intrusion attempts
>   - Use a bastion host as an application-level "filter" to prevent hosts
>     containing critical data from being exposed to the Internet
>   - Spend time learning about other security techniques
>
> Off-site backups and log mirrors are generally a good idea too.
>
> If you want intrusion detection, you need to install software like AIDE,
> rkhunter or chkrootkit.  In practice, these tend to be a pain because
> usually there are so many false-positives that you end up filtering the
> reports to an e-mail folder that you never look at.
>
> It's probably less of a pain to use "immutable infrastructure" where
> possible.
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
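The two beacons ıuoʎ describes above (an alert on every login, and canary files that alert when opened) can both be driven from the Linux audit log. The following is an added example, not code from the thread or from cmd.com: it assumes auditd is running, that a watch rule such as `-w /home/alice/.local/share/Trash/files/credit_cards_backup-2019.pdf -p r -k canary` has been loaded with `auditctl` (the path and the key name `canary` are this example's choices), and that USER_LOGIN records are produced by sshd via PAM as they are by default. The sample audit.log lines are constructed for the example; alert delivery (mail, webhook) is left as a hook and alerts are returned as strings.

```python
"""Low-noise intrusion beacons from the Linux audit log (added example).

Beacon 1: every successful interactive login (USER_LOGIN, res=success).
Beacon 2: any read of a canary file, flagged by the audit key "canary"
          on the SYSCALL record; the PATH record in the same event names
          the file.

Assumed audit rule (auditctl syntax; path and key are example choices):
  -w /home/alice/.local/share/Trash/files/credit_cards_backup-2019.pdf -p r -k canary
"""
import re
from datetime import datetime, timezone

CANARY_KEY = "canary"

# Every record carries msg=audit(<epoch>.<ms>:<serial>); records of one
# event (SYSCALL + CWD + PATH ...) share the serial.
_MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\)")
# key=value tokens: bare, "double-quoted" or 'single-quoted' (nested msg).
_KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def _unquote(v):
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'" else v


def parse_record(line):
    """Parse one audit.log line into a flat dict, or return None.

    Fields nested inside msg='...' (USER_LOGIN and similar) are merged into
    the same dict, so callers can read rec["addr"] or rec["res"] directly.
    """
    m = _MSG_RE.search(line)
    if not m:
        return None
    rec = {}
    for k, v in _KV_RE.findall(line):
        if v.startswith("'"):                      # nested msg='k=v k=v ...'
            for ik, iv in _KV_RE.findall(v[1:-1]):
                rec[ik] = _unquote(iv)
        else:
            rec[k] = _unquote(v)
    rec["_ts"] = int(m.group("ts"))
    rec["_serial"] = int(m.group("serial"))
    return rec


def _when(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


def login_alert(rec):
    """Beacon 1: alert string for a successful login record, else None."""
    if rec.get("type") != "USER_LOGIN" or rec.get("res") != "success":
        return None
    user = rec.get("acct", rec.get("id", "?"))
    return (f"LOGIN {_when(rec['_ts'])} user={user} "
            f"from={rec.get('addr', '?')} via={rec.get('terminal', '?')}")


def canary_alert(records):
    """Beacon 2: alert string when one audit event read a canary file.

    `records` are all lines sharing one serial.  auid is the user who
    originally logged in, which survives sudo; uid is the effective user.
    """
    sysc = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if sysc is None or sysc.get("key") != CANARY_KEY:
        return None
    names = [r["name"] for r in records
             if r.get("type") == "PATH" and r.get("nametype") == "NORMAL"
             and "name" in r]
    return (f"CANARY {_when(sysc['_ts'])} file={names[0] if names else '?'} "
            f"by auid={sysc.get('auid', '?')} uid={sysc.get('uid', '?')} "
            f"exe={sysc.get('exe', '?')} comm={sysc.get('comm', '?')}")


def scan(lines):
    """Run both beacons over audit lines; returns alerts in log order."""
    groups = {}                                    # serial -> records (insertion order kept)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            groups.setdefault(rec["_serial"], []).append(rec)
    alerts = []
    for records in groups.values():
        alerts.extend(a for a in map(login_alert, records) if a)
        a = canary_alert(records)
        if a:
            alerts.append(a)
    return alerts


# Constructed sample: one successful ssh login, one failed root login, a
# read of the canary (auid=1000 acting as root), and an unrelated watched read.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1596800000.100:460): pid=1234 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1596800010.200:461): pid=1240 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=SYSCALL msg=audit(1596800120.300:470): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d2c0a1 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="canary"
type=CWD msg=audit(1596800120.300:470): cwd="/home/alice/.local/share/Trash/files"
type=PATH msg=audit(1596800120.300:470): item=0 name="credit_cards_backup-2019.pdf" inode=131345 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1596800130.400:471): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2000 pid=2002 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="logins"
type=PATH msg=audit(1596800130.400:471): item=0 name="/var/log/wtmp" nametype=NORMAL
"""

if __name__ == "__main__":
    # Replace print with a mail/webhook call to turn this into a real beacon.
    for alert in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

Run it against the live log with `sudo tail -F /var/log/audit/audit.log | python3 beacons.py` after replacing the sample loop with a loop over stdin; keying on `auid` rather than `uid` is what keeps the alert meaningful when the intruder has already escalated with sudo.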