<div dir="ltr"><div>The main open source host-based intrusion detection systems (HIDS) that I am aware of are:</div><div><ul><li>OSSEC <a href="https://www.ossec.net/about/">https://www.ossec.net/about/</a></li><li>Wazuh <a href="https://wazuh.com/">https://wazuh.com/</a></li><li>Tripwire <a href="https://github.com/Tripwire/tripwire-open-source">https://github.com/Tripwire/tripwire-open-source</a></li><li>AIDE <a href="https://aide.github.io/">https://aide.github.io/</a></li><li>Samhain <a href="https://www.la-samhna.de/samhain/">https://www.la-samhna.de/samhain/</a></li></ul></div><div>I have never used any of these in great detail, so can't recommend one over another.</div><div><br></div><div>Regards,</div><div>Ben<br></div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br>--<br>From: Benjamin Woods<br><a href="mailto:woodsb02@gmail.com" target="_blank">woodsb02@gmail.com</a></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 7 Aug 2020 at 22:17, ıuoʎ <<a href="mailto:yonjah@gmail.com">yonjah@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Hi Alastair. <br></div>Thank you for a detailed response.<br></div><div>The information is really useful for hardening your box, but it wasn't really what I was looking for.<br></div><div>Looking back at my question it probably wasn't very clear.<br><br></div><div>Hardening is probably the first and most important step in trying to secure a system, but it has its limitations.<br></div><div>1. It is impossible to get a 100% impenetrable system, even if you ignore 0days or delayed updates there is still a big chance you are missing something you don't even knows that requires your attention.<br></div><div>2. Hardening won't protect you if your credentials are stolen, or if you host provider is getting popped<br><br></div><div>By intrusion detection I didn't mean scanning the system for rootkits or even having complex rules to detect system changes,<br></div><div>I was mostly thinking of having small targeted beacons that will send alerts whenever triggers.<br></div><div>example of some I already have on my vps -<br></div><div>- Get an email on every login (might be noisy for people but I don't often login to my vps, and even if I did I'll notice getting such e-mail when I haven't)<br></div><div>- Spread some canary files that will look sensitive but will send an e-mail once opened (this are very accurate as they will never be opened by someone who knows the system, but attacker will find it hard to avoid opening credit_cards_backup-2019.pdf especially if it's in the trash folder) <br><br></div><div><b><a href="http://cmd.com" target="_blank">cmd.com</a> </b>seem to be an amazing solution. <br></div><div>If you enable 2fa not only you get notifications when someone tries to run a command on the server, but you also prevent the execution<br><br></div><div>I was wondering if there is anything similar who might be opensource.<br></div><div>And any other tools who might fill a similar role of relatively low noise signals once intrusion did happen.<br><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 7, 2020 at 3:53 PM Alastair Irvine <<a href="mailto:alastair@plug.org.au" target="_blank">alastair@plug.org.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, 15 January, 2020 at 09:55:25PM +0800, ıuoʎ wrote:<br>
> Hi Pluggers!<br>
> <br>
> I was wondering of some easy / simple to deploy intruder detection on my<br>
> vps.<br>
> <br>
> <a href="https://cmd.com/" rel="noreferrer" target="_blank">https://cmd.com/</a> looks very interesting and I was wondering if anyone know<br>
> of some opensource local cli that might do something similar (even if much<br>
> less powerful)<br>
<br>
Rather than focusing on what someone might have done once they've<br>
compromised your box, I think it's a better use of time to harden it in<br>
the first place. Some techniques:<br>
<br>
- Automatic security updates<br>
- Avoid running custom-built or self-compiled Internet-facing services<br>
- Limit plugins (for WordPress, Jenkins, etc.) to those from<br>
trustworthy sources and review the need for them regularly<br>
- Ensure any plugins or non-distro-provided software install their own<br>
security updates automatically<br>
- Use the latest LTS distro release<br>
- Don't open any ports except HTTP/HTTPS to the Internet; even SSH<br>
should be locked down, and if you can't, turn off passwords and<br>
install fail2ban<br>
- Use a VPN for anything else you need private access to<br>
- Ensure you have console access in case you get locked out<br>
- Don't use password-less sudo on your account or the default cloud<br>
admin account (e.g. ubuntu, ec2-user, etc.)<br>
- When you do have to use password-less sudo (for cron jobs etc.),<br>
lock down the commands it can run<br>
- Use a Web Application Firewall to detect and block intrusion attempts<br>
- Use a bastion host as an application-level "filter" to prevent hosts<br>
containing critical data from being exposed to the Internet<br>
- Spend time learning about other security techniques<br>
<br>
Off-site backups and log mirrors are generally a good idea too.<br>
<br>
If you want intrusion detection, you need to install software like AIDE,<br>
rkhunter or chkrootkit. In practice, these tend to be a pain because<br>
usually there are so many false-positives that you end up filtering the<br>
reports to an e-mail folder that you never look at.<br>
<br>
It's probably less of a pain to use "immutable infrastructure" where<br>
possible.<br>
_______________________________________________<br>
PLUG discussion list: <a href="mailto:plug@plug.org.au" target="_blank">plug@plug.org.au</a><br>
<a href="http://lists.plug.org.au/mailman/listinfo/plug" rel="noreferrer" target="_blank">http://lists.plug.org.au/mailman/listinfo/plug</a><br>
Committee e-mail: <a href="mailto:committee@plug.org.au" target="_blank">committee@plug.org.au</a><br>
PLUG Membership: <a href="http://www.plug.org.au/membership" rel="noreferrer" target="_blank">http://www.plug.org.au/membership</a></blockquote></div>
_______________________________________________<br>
PLUG discussion list: <a href="mailto:plug@plug.org.au" target="_blank">plug@plug.org.au</a><br>
<a href="http://lists.plug.org.au/mailman/listinfo/plug" rel="noreferrer" target="_blank">http://lists.plug.org.au/mailman/listinfo/plug</a><br>
Committee e-mail: <a href="mailto:committee@plug.org.au" target="_blank">committee@plug.org.au</a><br>
PLUG Membership: <a href="http://www.plug.org.au/membership" rel="noreferrer" target="_blank">http://www.plug.org.au/membership</a></blockquote></div>