[plug] Methods for intruder detection
woodsb02 at gmail.com
Sat Aug 8 10:50:54 AWST 2020
The main open source host-based intrusion detection systems (HIDS) that I
am aware of are:
- OSSEC https://www.ossec.net/about/
- Wazuh https://wazuh.com/
- Tripwire https://github.com/Tripwire/tripwire-open-source
- AIDE https://aide.github.io/
- Samhain https://www.la-samhna.de/samhain/
I have never used any of these in great detail, so I can't recommend one over
From: Benjamin Woods
On Fri, 7 Aug 2020 at 22:17, ıuoʎ <yonjah at gmail.com> wrote:
> Hi Alastair.
> Thank you for a detailed response.
> The information is really useful for hardening your box, but it wasn't
> really what I was looking for.
> Looking back at my question it probably wasn't very clear.
> Hardening is probably the first and most important step in trying to
> secure a system, but it has its limitations.
> 1. It is impossible to get a 100% impenetrable system; even if you ignore
> 0-days or delayed updates, there is still a big chance you are missing
> something you don't even know requires your attention.
> 2. Hardening won't protect you if your credentials are stolen, or if your
> host provider is getting popped.
> By intrusion detection I didn't mean scanning the system for rootkits or
> even having complex rules to detect system changes;
> I was mostly thinking of having small targeted beacons that will send
> alerts whenever they are triggered.
> Examples of some I already have on my VPS:
> - Get an email on every login (might be noisy for people, but I don't often
> log in to my VPS, and even if I did I'd notice getting such an e-mail when I
> - Spread some canary files that will look sensitive but will send an
> e-mail once opened (these are very accurate as they will never be opened by
> someone who knows the system, but an attacker will find it hard to avoid
> opening credit_cards_backup-2019.pdf, especially if it's in the trash
> cmd.com <http://cmd.com> seems to be an amazing solution.
> If you enable 2FA, not only do you get notifications when someone tries to run
> a command on the server, but you also prevent the execution.
> I was wondering if there is anything similar that might be open source,
> and any other tools that might fill a similar role of relatively low-noise
> signals once an intrusion has happened.
> On Fri, Aug 7, 2020 at 3:53 PM Alastair Irvine <alastair at plug.org.au> wrote:
>> On Wed, 15 January, 2020 at 09:55:25PM +0800, ıuoʎ wrote:
>> > Hi Pluggers!
>> > I was wondering about some easy / simple-to-deploy intruder detection on my
>> > VPS.
>> > https://cmd.com/ looks very interesting and I was wondering if anyone knows
>> > of some open-source local CLI that might do something similar (even if
>> > less powerful).
>> Rather than focusing on what someone might have done once they've
>> compromised your box, I think it's a better use of time to harden it in
>> the first place. Some techniques:
>> - Automatic security updates
>> - Avoid running custom-built or self-compiled Internet-facing services
>> - Limit plugins (for WordPress, Jenkins, etc.) to those from
>> trustworthy sources and review the need for them regularly
>> - Ensure any plugins or non-distro-provided software install their own
>> security updates automatically
>> - Use the latest LTS distro release
>> - Don't open any ports except HTTP/HTTPS to the Internet; even SSH
>> should be locked down, and if you can't, turn off passwords and
>> install fail2ban
>> - Use a VPN for anything else you need private access to
>> - Ensure you have console access in case you get locked out
>> - Don't use password-less sudo on your account or the default cloud
>> admin account (e.g. ubuntu, ec2-user, etc.)
>> - When you do have to use password-less sudo (for cron jobs etc.),
>> lock down the commands it can run
>> - Use a Web Application Firewall to detect and block intrusion attempts
>> - Use a bastion host as an application-level "filter" to prevent hosts
>> containing critical data from being exposed to the Internet
>> - Spend time learning about other security techniques
>> Off-site backups and log mirrors are generally a good idea too.
>> If you want intrusion detection, you need to install software like AIDE,
>> rkhunter or chkrootkit. In practice, these tend to be a pain because
>> usually there are so many false-positives that you end up filtering the
>> reports to an e-mail folder that you never look at.
>> It's probably less of a pain to use "immutable infrastructure" where
>> PLUG discussion list: plug at plug.org.au
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
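As an added illustration of the "canary file" beacon described in the quoted message above (example code written for this page, not something posted in the thread): on a Linux VPS, auditd can watch a decoy file with a rule such as
auditctl -w /home/alice/.Trash/credit_cards_backup-2019.pdf -p r -k canary
and the script below turns the resulting audit.log records into one alert per access, ignoring every record that does not carry that key. The decoy path, user "alice", process names and the sample log lines are constructed for the example; the auditctl rule syntax and the SYSCALL/CWD/PATH record layout are auditd's own.

```python
"""Canary-file beacon: turn Linux audit records for a decoy file into alerts.

Added example, not code from the thread.  Assumes auditd is running with a
watch on the decoy, e.g.
    auditctl -w /home/alice/.Trash/credit_cards_backup-2019.pdf -p r -k canary
so every read of the file emits SYSCALL/CWD/PATH records sharing one event id
and tagged key="canary".  Paths, users and the sample log below are made up.
"""
import os
import re
from collections import defaultdict
from dataclasses import dataclass

# Tokens in audit.log look like foo=bar or foo="quoted value".
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Every record of one event carries the same msg=audit(<timestamp>:<serial>) id.
_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


@dataclass
class CanaryAlert:
    when: float      # audit timestamp (seconds since the epoch)
    serial: int      # audit event serial, for ausearch follow-up
    path: str        # decoy that was touched
    comm: str        # process name that touched it
    exe: str
    uid: str
    auid: str        # login uid: survives su/sudo, so it names the real account
    success: bool    # a denied read (exit=-13) is still worth an alert


def _fields(line):
    """Split one audit record into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def group_events(lines):
    """Group raw records by (timestamp, serial) so SYSCALL, CWD and PATH meet."""
    events = defaultdict(list)
    for line in lines:
        m = _ID.search(line)
        if m:
            events[(float(m.group(1)), int(m.group(2)))].append(_fields(line))
    return events


def canary_alerts(log_text, key="canary", ignore_comm=frozenset()):
    """One alert per audit event whose SYSCALL record carries the canary key.

    Everything without the key is ignored, which is what keeps this beacon
    quiet compared to a full integrity-checker report.  ignore_comm lets you
    whitelist the one or two legitimate readers (a backup agent, an indexer)
    that would otherwise trip the canary every night.
    """
    alerts = []
    for (ts, serial), recs in sorted(group_events(log_text.splitlines()).items()):
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("key") != key or sc.get("comm") in ignore_comm:
            continue
        cwd = next((r["cwd"] for r in recs if r.get("type") == "CWD"), "/")
        # PATH names may be relative to the CWD record; skip parent-dir items.
        names = [r["name"] for r in recs
                 if r.get("type") == "PATH" and "name" in r
                 and r.get("nametype") != "PARENT"]
        path = os.path.normpath(os.path.join(cwd, names[-1])) if names else "?"
        alerts.append(CanaryAlert(ts, serial, path, sc.get("comm", "?"),
                                  sc.get("exe", "?"), sc.get("uid", "?"),
                                  sc.get("auid", "?"), sc.get("success") == "yes"))
    return alerts


def format_alert(a):
    """Body for the e-mail the beacon would send (the sending itself is left out)."""
    outcome = "read" if a.success else "tried to read (denied)"
    return (f"CANARY TRIPPED: {a.comm} ({a.exe}) uid={a.uid} auid={a.auid} "
            f"{outcome} {a.path}; see: ausearch -a {a.serial}")


# Constructed sample: a user reading the decoy, an unrelated cron read of
# /etc/crontab (no key, must not alert) and a web worker denied access.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1596850000.123:456): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2201 pid=2250 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="canary"
type=CWD msg=audit(1596850000.123:456): cwd="/home/alice/.Trash"
type=PATH msg=audit(1596850000.123:456): item=0 name="credit_cards_backup-2019.pdf" inode=131089 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1596850033.900:457): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=PATH msg=audit(1596850033.900:457): item=0 name="/etc/crontab" inode=42 nametype=NORMAL
type=SYSCALL msg=audit(1596850101.010:458): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3001 pid=3002 auid=4294967295 uid=33 gid=33 comm="php-fpm" exe="/usr/sbin/php-fpm7.4" key="canary"
type=CWD msg=audit(1596850101.010:458): cwd="/var/www"
type=PATH msg=audit(1596850101.010:458): item=0 name="/home/alice/.Trash/credit_cards_backup-2019.pdf" inode=131089 nametype=NORMAL
"""

if __name__ == "__main__":
    for alert in canary_alerts(SAMPLE_LOG):
        print(format_alert(alert))
```

Run against the real log (cat /var/log/audit/audit.log | python3 canary.py, or from a cron job) and pipe format_alert's output to whatever mails you. Two points the sample exercises: a failed read (the php-fpm worker getting EACCES) is reported as well, since an attacker probing from a low-privileged web account is exactly the signal wanted, and legitimate readers such as a nightly backup go in ignore_comm rather than being filtered out of the whole report, so the beacon stays as low-noise as the original post asks for.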