[plug] Methods for intruder detection

Ben Woods woodsb02 at gmail.com
Sat Aug 8 10:50:54 AWST 2020 

The main open source host-based intrusion detection systems (HIDS) that I
am aware of are:

   - OSSEC https://www.ossec.net/about/
   - Wazuh https://wazuh.com/
   - Tripwire https://github.com/Tripwire/tripwire-open-source
   - AIDE https://aide.github.io/
   - Samhain https://www.la-samhna.de/samhain/

I have never used any of these in great detail, so can't recommend one over
another.

Regards,
Ben

--
From: Benjamin Woods
woodsb02 at gmail.com


On Fri, 7 Aug 2020 at 22:17, ıuoʎ <yonjah at gmail.com> wrote:

> Hi Alastair.
> Thank you for a detailed response.
> The information is really useful for hardening your box, but it wasn't
> really what I was looking for.
> Looking back at my question it probably wasn't very clear.
>
> Hardening is probably the first and most important step in trying to
> secure a system, but it has its limitations.
> 1. It is impossible to get a 100% impenetrable system, even if you ignore
> 0days or delayed updates there is still a big chance you are missing
> something you don't even knows that requires your attention.
> 2. Hardening won't protect you if your credentials are stolen, or if you
> host provider is getting popped
>
> By intrusion detection I didn't mean scanning the system for rootkits or
> even having complex rules to detect system changes,
> I was mostly thinking of having small targeted beacons that will send
> alerts whenever triggers.
> example of some I already have on my vps -
> - Get an email on every login (might be noisy for people but I don't often
> login to my vps, and even if I did I'll notice getting such e-mail when I
> haven't)
> - Spread some canary files that will look sensitive but will send an
> e-mail once opened (this are very accurate as they will never be opened by
> someone who knows the system, but attacker will find it hard to avoid
> opening credit_cards_backup-2019.pdf especially if it's in the trash
> folder)
>
> *cmd.com <http://cmd.com> *seem to be an amazing solution.
> If you enable 2fa not only you get notifications when someone tries to run
> a command on the server, but you also prevent the execution
>
> I was wondering if there is anything similar who might be opensource.
> And any other tools who might fill a similar role of relatively low noise
> signals once intrusion did happen.
>
>
>
> On Fri, Aug 7, 2020 at 3:53 PM Alastair Irvine <alastair at plug.org.au>
> wrote:
>
>> On Wed, 15 January, 2020 at 09:55:25PM +0800, ıuoʎ wrote:
>> > Hi Pluggers!
>> >
>> > I was wondering of some easy / simple to deploy intruder detection on my
>> > vps.
>> >
>> > https://cmd.com/ looks very interesting and I was wondering if anyone
>> know
>> > of some opensource local cli that might do something similar (even if
>> much
>> > less powerful)
>>
>> Rather than focusing on what someone might have done once they've
>> compromised your box, I think it's a better use of time to harden it in
>> the first place.  Some techniques:
>>
>>   - Automatic security updates
>>   - Avoid running custom-built or self-compiled Internet-facing services
>>   - Limit plugins (for WordPress, Jenkins, etc.) to those from
>>     trustworthy sources and review the need for them regularly
>>   - Ensure any plugins or non-distro-provided software install their own
>>     security updates automatically
>>   - Use the latest LTS distro release
>>   - Don't open any ports except HTTP/HTTPS to the Internet; even SSH
>>     should be locked down, and if you can't, turn off passwords and
>>     install fail2ban
>>   - Use a VPN for anything else you need private access to
>>   - Ensure you have console access in case you get locked out
>>   - Don't use password-less sudo on your account or the default cloud
>>     admin account (e.g. ubuntu, ec2-user, etc.)
>>   - When you do have to use password-less sudo (for cron jobs etc.),
>>     lock down the commands it can run
>>   - Use a Web Application Firewall to detect and block intrusion attempts
>>   - Use a bastion host as an application-level "filter" to prevent hosts
>>     containing critical data from being exposed to the Internet
>>   - Spend time learning about other security techniques
>>
>> Off-site backups and log mirrors are generally a good idea too.
>>
>> If you want intrusion detection, you need to install software like AIDE,
>> rkhunter or chkrootkit.  In practice, these tend to be a pain because
>> usually there are so many false-positives that you end up filtering the
>> reports to an e-mail folder that you never look at.
>>
>> It's probably less of a pain to use "immutable infrastructure" where
>> possible.
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20200808/d2bd81fb/attachment.html>

More information about the plug mailing list