Intrusion Detection: Foresee Problems
In real life, in most cases it is hard to penetrate a secured area without leaving any traces at all.
In cyberspace, everything is more complicated. There are no universal, totally reliable means of guaranteeing that certain areas have not been tampered with. Since all software has its bugs and limitations, every intrusion attempt should at the very least be detected and reported quickly.
That makes watching by humans alone nearly impossible; proper software tools should be used instead. A short review of popular free intrusion detection tools for Linux systems follows, to give you ideas about where to begin.
First of all, follow the “nothing should be assumed” rule from the outset. If you are building a secure server, make sure that you, and only you, have access to it during the configuration stage. There should be no moment when you cannot tell who has access to the system.
This is hard to achieve. Using, say, a firewall to block all incoming communication except from your own IP address is a close match for this condition. However, once the initial setup is done, what should be used to ensure that no critical areas of the system have been altered with malicious intent?
rkhunter
Strictly speaking, rkhunter (“rootkit hunter”) is not a real intrusion detection tool. However, it can be used along with other tools, and it will notify you if system or other important files have been compromised.
Even though this is “post factum” detection, it can alert you that the system has most probably been compromised (or at least looks as if it has been).
Note that an important step is to record the current state as the known-good baseline (which means it should be done before the server is opened to the wider public).
AIDE, Tripwire and Samhain
The tools mentioned are host-based intrusion detection systems (HIDS). Put simply, they monitor the file system for all potentially insecure or important changes (for example, to system files and popular tools) and perform a programmed action if they detect changes to the watched areas.
As for “which is better”, this is simply a matter of personal preference. If it makes a difference, Tripwire has both a free and a commercial version. AIDE, in my opinion, is the simplest to learn. Samhain can become “invisible”, masking its presence, and thus gains some advantage over possible intruders.
The essence of all of them is the same: checking for alterations to the file system. Note that a good HIDS should also take measures to prevent unauthorized changes to itself (otherwise it can be disabled or tricked into ignoring real threats).
When installing such checkers, make sure all alerting works. Test the software by imitating real alarms: if you receive no alert, something went wrong. Intrusion detection is meaningless if it cannot inform you as soon as possible.
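As an added illustration (not code from this post, nor from AIDE, Tripwire or Samhain), here is a minimal file-integrity checker in Python that does what the paragraphs above describe: it records a baseline of file hashes and permissions, seals the baseline with an HMAC so that tampering with the baseline itself is detected, and includes a self-test that imitates real alarms (a replaced binary, changed permissions, an added file and a removed file). The HMAC key, the file names and the sample tree are assumptions constructed for the example; in real use the key would be kept off the monitored host.

```python
import hashlib, hmac, json, os, stat, tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Properties a HIDS typically watches for one regular file."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size}

def build_baseline(root: Path, key: bytes) -> dict:
    """Record the current tree as the known-good state, sealed with an HMAC."""
    records = {str(p.relative_to(root)): file_record(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(records, sort_keys=True).encode()
    return {"records": records, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def check(root: Path, baseline: dict, key: bytes) -> dict:
    """Refuse a tampered baseline; otherwise diff the live tree against it."""
    body = json.dumps(baseline["records"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), baseline["hmac"]):
        return {"baseline_tampered": True}
    old, new = baseline["records"], build_baseline(root, key)["records"]
    return {"baseline_tampered": False,
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p])}

def self_test() -> dict:
    """Imitate real alarms in a throwaway tree and report which ones fired."""
    key = os.urandom(32)  # assumed: in real use kept off the monitored host (read-only media, remote)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in {"bin/tool": "#!/bin/sh\necho ok\n", "etc/hosts": "127.0.0.1 localhost\n",
                          "etc/motd": "welcome\n"}.items():  # constructed sample files
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
            os.chmod(root / rel, 0o644)
        baseline = json.loads(json.dumps(build_baseline(root, key)))  # as if stored and reloaded
        clean = check(root, baseline, key)                              # nothing changed yet
        (root / "bin/tool").write_text("#!/bin/sh\necho changed\n")    # binary replaced
        os.chmod(root / "etc/hosts", 0o600)                             # permissions changed
        (root / "etc/extra.conf").write_text("x\n")                     # unexpected file added
        (root / "etc/motd").unlink()                                    # watched file removed
        report = check(root, baseline, key)
        forged = json.loads(json.dumps(baseline))                       # intruder edits the baseline
        forged["records"]["bin/tool"] = file_record(root / "bin/tool")
        tamper = check(root, forged, key)
    return {"clean": clean, "report": report, "baseline_tamper_detected": tamper["baseline_tampered"]}
```

Running `self_test()` is the “imitate a real alarm” step from the paragraph above: every simulated change must show up in the report, and the forged baseline must be rejected, before the checker is trusted on a real server.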
Snort
While HIDS work with file systems, network intrusion detection and prevention systems (NIDS and NIPS, respectively) deal with network-based threats.
Snort is a good example of such a system. While relatively resource-hungry, Snort is an advanced tool that can detect a wide range of malicious activity (viruses or malware in action, port scanning, transfer of potentially sensitive data out of the local network, and so on).
The rules that guide Snort and define what counts as malicious activity can be changed or updated by the administrator of the Snort installation at any moment (and there are always at least the so-called community rules, a good collection of more or less recent known threats).
Snort should be used along with a HIDS, since it covers a different set of security problems: those related to data exchange with the outside world.
“What shall I use”?
Simple answer: at least one from every section. Note that although rkhunter and Snort were the only examples in their areas, they are not the only pieces of software that perform the tasks described.
I encourage you to look for the above software in your OS’s standard repositories. Doing so will give you additional software titles to look at and study.
If you have a VPS at hand, I also encourage you to test every title I mentioned. Apart from gaining experience in establishing a better level of security, you will definitely learn more about these specific security areas, learn the terms, understand what kinds of threats there are, and so on.
The worst possible approach would be to ignore intrusion detection completely, on the assumption that the hosting provider will do all of that for you.
The final piece of advice is the same: do not assume anything. Even when HIDS, NIDS and so on are all set up, their databases updated and their reports taken into account, it does not mean you can just relax and stop worrying about security issues. It only means you have tools that will most probably help you detect problems before they actually happen (or when they are only starting to grow).
Carefully chosen software can take much of the load off your shoulders when it comes to information security.
May your Internet be safe!