Re: [CentOS] Intrusion Detection
On Thu, 4 Mar 2010, Dan Burkland wrote:

> Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).
>
> Thank you,
> Dan Burkland

Try OSSEC, seems nice.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Intrusion Detection
On Friday, March 05, 2010 1:51 PM, Nux wrote:

> On Thu, 4 Mar 2010, Dan Burkland wrote:
>
>> Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).
>>
>> Thank you,
>> Dan Burkland
>
> Try OSSEC, seems nice.

Thank you all for your suggestions, I have been evaluating OSSEC so far and like it quite a bit. I just need to figure out how to get it to email me nightly reports of all modifications to the file system every night like I did with AIDE.
[CentOS] Intrusion Detection
Hello all,

I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).

Thank you,
Dan Burkland
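The tools named throughout this thread (AIDE, tripwire, afick) all run the same loop: record a baseline of digests and metadata, rebuild it later, and mail the difference. As an added illustration of that loop, and of the nightly report Dan asks for in his follow-up, here is a minimal version in Python. It is example code written for this page, not AIDE's or tripwire's own; the field names, the JSON baseline, the report layout and the constructed `/etc`-like tree in `demo()` are all this example's own choices.

```python
"""Added example (not from the thread, AIDE, tripwire or afick): the
baseline-and-compare loop those tools run. A baseline records a SHA-256
digest and stat metadata for every regular file under the watched roots;
a later run rebuilds it and reports added, removed and changed paths."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Content digest plus the metadata a tamperer usually has to disturb."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "mtime": int(st.st_mtime)}


def build_baseline(roots):
    """Map every regular file below the roots to its fingerprint (symlinks skipped)."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path) and os.path.isfile(path):
                    baseline[path] = fingerprint(path)
    return baseline


def save_baseline(baseline, dest):
    with open(dest, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(src):
    with open(src) as f:
        return json.load(f)


def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> fields that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        fields = [k for k in sorted(baseline[path]) if baseline[path][k] != current[path][k]]
        if fields:
            changed[path] = fields
    return added, removed, changed


def report(added, removed, changed):
    """Plain-text summary in the spirit of the AIDE nightly mail."""
    lines = ["added: %d  removed: %d  changed: %d" % (len(added), len(removed), len(changed))]
    lines += ["  + %s" % p for p in added]
    lines += ["  - %s" % p for p in removed]
    lines += ["  ~ %s (%s)" % (p, ", ".join(f)) for p, f in changed.items()]
    return "\n".join(lines)


def demo():
    """Constructed scenario: baseline a small /etc-like tree, then tamper with it
    the way an intruder would (extra uid-0 account with timestamps put back,
    a planted ld.so.preload, a removed file). Returns paths relative to the tree."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        for name, body in (("passwd", b"root:x:0:0:root:/root:/bin/bash\n"),
                           ("shadow", b"root:*:14000:0:99999:7:::\n"),
                           ("motd", b"Welcome to web1\n")):
            with open(os.path.join(etc, name), "wb") as f:
                f.write(body)
        db = os.path.join(root, "aide.db")  # in practice: read-only media or off-host
        save_baseline(build_baseline([etc]), db)
        passwd = os.path.join(etc, "passwd")
        before = os.stat(passwd)
        with open(passwd, "ab") as f:
            f.write(b"eve:x:0:0::/root:/bin/bash\n")
        os.utime(passwd, (before.st_atime, before.st_mtime))  # timestamps restored
        os.remove(os.path.join(etc, "motd"))
        with open(os.path.join(etc, "ld.so.preload"), "wb") as f:
            f.write(b"/lib/libevil.so\n")
        added, removed, changed = compare(load_baseline(db), build_baseline([etc]))
        rel = lambda p: os.path.relpath(p, etc)
        return ([rel(p) for p in added], [rel(p) for p in removed],
                {rel(p): f for p, f in changed.items()})


if __name__ == "__main__":
    print(report(*demo()))
```

Two points the code makes that the tool names alone do not: the tampered `passwd` is caught by its digest and size even though the attacker put the mtime back, so timestamps are never the thing to trust; and the baseline itself is the crown jewel, because anyone with root on the box can simply regenerate it, which is why AIDE documentation has you keep the database on read-only media or on another host.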
Re: [CentOS] Intrusion Detection
On Thu, 2010-03-04 at 16:02 -0600, Dan Burkland wrote:

> Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).

I don't remember my exact thought process, but I've been using afick from RPMforge for a few years now. It does have a GUI available, though I don't use it myself.

> Thank you,
> Dan Burkland

-- 
Ron Loftin
relof...@twcny.rr.com

"God, root, what is difference?"  Piter from UserFriendly
Re: [CentOS] Intrusion Detection
On Thu, Mar 4, 2010 at 5:02 PM, Dan Burkland dburk...@nmdp.org wrote:

> Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).

You can use auditd to watch specific files if you're after some key things. Beyond that I just use aide.

-- 
During times of universal deceit, telling the truth becomes a revolutionary act.  George Orwell
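Jim's auditd suggestion is the one answer here that gives the "as it happens" alert Dan asked for, and it also tells you who did it, which a checksum never can. As an added example (written for this page, not part of the audit package), the block below reads raw audit.log records produced by `auditctl -w` watches on a few key files, groups the records of one event by serial number, and turns events carrying a watched key into alerts. The three `-w` rules in the comment are standard auditctl syntax; the records in `SAMPLE` are constructed for the example in the audit.log layout and are not a capture from a real host.

```python
"""Added example, not from the thread or from the audit package: an alerting
pass over raw auditd records for files watched with auditctl."""
import re
import sys
from collections import OrderedDict

# Rules assumed to be loaded (auditctl, or one per line in /etc/audit/audit.rules):
#   -w /etc/passwd -p wa -k passwd_changes
#   -w /etc/shadow -p wa -k passwd_changes
#   -w /etc/ssh/sshd_config -p wa -k sshd_config
WATCHED_KEYS = {"passwd_changes", "sshd_config"}

_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """One audit.log line -> dict, or None for anything that is not a record."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    rec = {"type": rtype, "ts": float(ts), "serial": int(serial)}
    for key, raw, quoted in _FIELD.findall(rest):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def group_events(lines):
    """Collect the SYSCALL/CWD/PATH records that share one event serial."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return list(events.values())


def alert_for(event, watched=WATCHED_KEYS):
    """Return an alert dict when the event's SYSCALL record carries a watched key."""
    syscall = next((r for r in event if r["type"] == "SYSCALL"), None)
    if syscall is None or syscall.get("key") not in watched:
        return None
    return {
        "serial": syscall["serial"],
        "ts": syscall["ts"],
        "key": syscall["key"],
        "success": syscall.get("success"),
        "auid": syscall.get("auid"),  # login uid: who logged in originally, survives su/sudo
        "uid": syscall.get("uid"),
        "exe": syscall.get("exe"),
        "comm": syscall.get("comm"),
        "paths": [r["name"] for r in event if r["type"] == "PATH" and "name" in r],
    }


def alerts_from_log(lines, watched=WATCHED_KEYS):
    return [a for a in (alert_for(e, watched) for e in group_events(lines)) if a]


# Constructed records: user 500 became root and edited /etc/passwd with vi,
# crond opened its own spool file (no key, ignored), and user 501 tried and
# failed (EACCES) to open sshd_config for writing from a shell.
SAMPLE = """\
type=SYSCALL msg=audit(1267740001.512:1042): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1a2b3c4d a1=241 a2=1b6 a3=0 items=2 ppid=3010 pid=3021 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vi" exe="/bin/vi" key="passwd_changes"
type=CWD msg=audit(1267740001.512:1042):  cwd="/root"
type=PATH msg=audit(1267740001.512:1042): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1267740001.512:1042): item=1 name="/etc/passwd" inode=131091 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1267740009.004:1043): arch=c000003e syscall=2 success=yes exit=4 a0=7fff1a2b3c4d a1=0 a2=0 a3=0 items=1 ppid=1 pid=3100 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
type=PATH msg=audit(1267740009.004:1043): item=0 name="/var/spool/cron/root" inode=200 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1267740015.777:1044): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1a2b3c4d a1=241 a2=1b6 a3=0 items=1 ppid=3200 pid=3201 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=5 comm="sh" exe="/bin/bash" key="sshd_config"
type=PATH msg=audit(1267740015.777:1044): item=0 name="/etc/ssh/sshd_config" inode=131200 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""

if __name__ == "__main__":
    # "python audit_alerts.py -" reads stdin, e.g. tail -F /var/log/audit/audit.log | ...
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE.splitlines()
    for a in alerts_from_log(source):
        print("%(serial)s key=%(key)s auid=%(auid)s uid=%(uid)s exe=%(exe)s "
              "success=%(success)s paths=%(paths)s" % a)
```

The `auid` field is the reason to prefer this over grepping for `uid=0`: it is the login uid, set once at login and kept across `su` and `sudo`, so the alert names the human rather than "root". Note also that the failed `sshd_config` open is still reported; a `-p wa` watch logs the attempt, not only the success, which is exactly what you want from a tripwire on a sensitive file. What this does not give you is a whole-tree integrity check: it only knows about the paths you listed.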
Re: [CentOS] Intrusion Detection
On Thu, Mar 4, 2010 at 2:02 PM, Dan Burkland dburk...@nmdp.org wrote:

> Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).
>
> Thank you,
> Dan Burkland

I would use tripwire or Cfengine, run frequently, they can both send alerts if files get changed.

Best,
-at
Re: [CentOS] Intrusion Detection
Jim Perrin wrote:

> On Thu, Mar 4, 2010 at 5:02 PM, Dan Burkland dburk...@nmdp.org wrote:
>
>> Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).
>
> You can use auditd to watch specific files if you're after some key things. Beyond that I just use aide.

I like tripwire and rkhunter.

Mike

-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
Re: [CentOS] Intrusion Detection
Dan Burkland wrote:

> Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).

I use aide and ossec to get the warnings.

> Thank you,
> Dan Burkland
Re: [CentOS] Intrusion Detection
Greetings,

On Fri, Mar 5, 2010 at 3:32 AM, Dan Burkland dburk...@nmdp.org wrote:

> Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).

inotify perhaps?

Regards
Rajagopal
Re: [CentOS] Intrusion Detection
On Fri, Mar 5, 2010 at 12:02 AM, Dan Burkland dburk...@nmdp.org wrote:

> Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately).
>
> Thank you,
> Dan Burkland

Hello Dan,

For auditing your entire network for patches / vulnerabilities I recommend you use Nessus. For server protection you can use tripwire and clamav. Clamav can detect and block most rootkits and exploit code, therefore the attacker will not be able to execute it. Theoretically... :-)

Best regards,
Bazy
Re: [CentOS] Intrusion Detection Systems
On 27 September 2007, John Hinton [EMAIL PROTECTED] wrote:

> Message: 50
> Date: Thu, 27 Sep 2007 03:13:00 -0400
> [snip]
> WOW! I just did an install of OSSEC on a couple of servers and so far I'm very impressed. First, the installation was as good as anything

John: Sounds like you are very pleased with OSSEC. Did you look at and discard SNORT? http://www.snort.org/

-- 
Lanny
Over 800 Magazine titles up to 80% off
http://lowcostmagazines.com/
Re: [CentOS] Intrusion Detection Systems
Lanny Marcus wrote:

> On 27 September 2007, John Hinton [EMAIL PROTECTED] wrote:
>
>> Message: 50
>> Date: Thu, 27 Sep 2007 03:13:00 -0400
>> [snip]
>> WOW! I just did an install of OSSEC on a couple of servers and so far I'm very impressed. First, the installation was as good as anything
>
> John: Sounds like you are very pleased with OSSEC. Did you look at and discard SNORT? http://www.snort.org/

I did look at snort and actually some people run both snort and OSSEC. I don't remember the reasons.

Best,
John Hinton
Re: [CentOS] Intrusion Detection Systems
John Hinton [EMAIL PROTECTED] wrote:

> I did look at snort and actually some people run both snort and OSSEC. I don't remember the reasons.

Simply put, they're different things. Snort is a network IDS which examines network traffic packets, looking for the signatures of various attacks. OSSEC is a host IDS which monitors logs for evidence of attacks or misuse on a host OS. In many installations, you need them both.

Best,

--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
Re: [CentOS] Intrusion Detection Systems
Stephen John Smoogen wrote:

> On 9/26/07, John Hinton [EMAIL PROTECTED] wrote:
>
>> Situation: We are providing hosting services. I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control vs. putting strict limits on ssh. We simply have too many users entering from too many networks, many with dynamic IP addresses. Enter thinking about LIDS or Log Based Intrusion Detection. I've run across four systems: Blockhosts, DenyHosts, fail2ban and OSSEC. DenyHosts apparently only works with ssh, so I've discounted using that.
>
> denyhosts will work with anything that uses tcp_wrappers. You can futz it to work with ssh, vsftpd, etc. However beyond that I can't be of much help at the moment. I would say go with multiple layers as much as possible.

WOW! I just did an install of OSSEC on a couple of servers and so far I'm very impressed.

First, the installation was as good as anything I've ever done with the exception of an RPM. Extremely clear and worked great. You do need gcc and glibc on the system. As I was reading about doing the installation, I discovered there are three different installs. These are local, server, and agent. If you are doing a single stand-alone system you do local. If you have a bank of servers with like configurations you do server on one and agent on the others. The program contains a key generation allowing you to very easily create an ssh connection between the server and agent(s). If one had systems that were a bit different, like three of one type of setup and 5 of another, you could do two server installs and do agent installs on those like systems.

The install includes rules for just about everything: vsftpd, sendmail, postfix, ssh, spamd, mailscanner and on and on, even into the winders world as it runs on that platform as well. It tracks various logfile errors, filesystem changes and looks for rootkits.

Those rules can all be edited for what to do, from notifying you to taking an active response. For instance you can set it to block failed login attempts on ssh after a certain number of attempts and for the amount of time you want to do the block. You can even wrap rules together so that if this rule goes off during a time period and this other rule is then set off, you can have it do something more strict, like longer times of blocking. The blocks can be done with hosts.deny or iptables or both.

There's also a web based gui which refreshes itself which shows you the latest warnings. It will also send email alerts based on set security levels.

As for the file/directory checks, you can set it to watch any particular file or directory for changes and if the initial setup is throwing too many errors, you can set it to ignore any particular file or directory change.

So, it will monitor activities and allow you to simply be informed via email and/or web interface, or you can just hit its logs to see what's going on. You can tune the rules to be proactive, stopping pretty much any attack or attempt for any service. I'm actually thinking about tying it into the spamhaus rules so that a block is done before smtp based on multiple failures due to blacklisting. This will reduce server loads. It could also do rejects based on non-existent email addresses, spamassassin scores, or clamav responses. For instance one could set a rule that if a virus came in 5 times from a particular IP address, you could block that address for a day. I'm seeing this as much more than a script-kiddie tool. More a tool to handle that and also reduce mailserver loads. The worst thing will be deciding what is safe and where to stop. :)

Anyway, I have to give this a big thumbs up so far. It has successfully blocked a few vsftpd attempts and one ssh attempt over the last few hours. This kills the script on the other end even if they are just blocked for ten minutes. It sure beats the heck out of waking up to logwatch reports to find a 24 meg email with 79000 attempts to make a connection to vsftpd!

Best,
John Hinton
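John's post above describes OSSEC's file/directory checks, email levels and active response in prose, and Dan's later thread asks how to get OSSEC to mail a nightly file-change report. The fragment below is an added example of the ossec.conf sections involved; it is not taken from the thread or from OSSEC's shipped configuration. Option names follow the OSSEC 2.x manual; the addresses, paths, thresholds and the management host in `white_list` are placeholders. `realtime="yes"` needs a build with inotify support, and the `reports` section needs a release that ships `ossec-reportd`.

```xml
<!-- Added example of the relevant ossec.conf sections, not the project's
     shipped config. Addresses, paths and thresholds are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ops@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@web1.example.com</email_from>
    <!-- Never let active response block your own management host. -->
    <white_list>192.0.2.10</white_list>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Immediate mail for every file-change alert, regardless of level. -->
  <email_alerts>
    <email_to>ops@example.com</email_to>
    <group>syscheck</group>
    <do_not_delay />
  </email_alerts>

  <!-- Nightly digest of all syscheck alerts (the "AIDE report" Dan asked for). -->
  <reports>
    <category>syscheck</category>
    <title>Daily report: file changes</title>
    <email_to>ops@example.com</email_to>
  </reports>

  <!-- Integrity checking. realtime="yes" uses inotify, so a change is seen as
       it happens rather than at the next scheduled scan; report_changes keeps
       a diff of modified text files. -->
  <syscheck>
    <frequency>21600</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore type="sregex">^/etc/cups</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Active response: drop the source address in iptables for ten minutes
       whenever a rule of level 6 or higher fires on this host. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two things worth checking before you turn this on: a level-based active response fires for every rule at or above that level, so read through which rules sit at level 6 on your install (or pin the response to specific rules with `rules_id`) before you let it touch iptables; and the `white_list` must include every address you administer from, because a mistyped password from your own workstation is exactly the event the rule blocks.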
[CentOS] Intrusion Detection Systems
Situation: We are providing hosting services. I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control vs. putting strict limits on ssh. We simply have too many users entering from too many networks, many with dynamic IP addresses.

Enter thinking about LIDS or Log Based Intrusion Detection. I've run across four systems: Blockhosts, DenyHosts, fail2ban and OSSEC. DenyHosts apparently only works with ssh, so I've discounted using that.

Is anyone using one of these or something else that I've missed? At present, I'm leaning towards OSSEC for several reasons. First it seems very robust. Second, you can set up a server/client structure, so only one machine acts as the server and all the others present data to it so that it can share with the entire system. The author seems to have considered some of the basic problems of log based systems and addressed those. There does seem to be flexibility among these three systems in having the ability to monitor just about any log system and take action based on failed logins for instance.

So, what's the word from the list? Pros, cons or other directions?

Thanks,
John Hinton
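John's question is about log-based intrusion detection in general, and his later OSSEC write-up describes the two mechanisms every tool in his list shares: count failures per source address and block when a threshold is crossed in a time window, then chain rules so a repeat offender is blocked for longer. As an added example of that logic (written for this page, not code from OSSEC, fail2ban, DenyHosts or Blockhosts), here is the detector in Python. The sshd and vsftpd/PAM lines in `SAMPLE_LOG` are constructed for the example; the year, the thresholds and the firewall command are assumptions.

```python
"""Added example, not from the thread or from OSSEC/fail2ban: the core of a
log-based intrusion detector. Authentication failures are counted per source
address in a sliding window; crossing the threshold blocks the address, and
a repeat within the escalation window multiplies the block duration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2010  # syslog timestamps carry no year (assumed for the example)

_SYSLOG = re.compile(r'^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ (.*)$')
# Each rule names a failure type and captures the remote address as <ip>.
# The sshd pattern is greedy on purpose: sshd appends its own "from IP port N"
# last, so a username containing a fake "from 10.0.0.1 port 1" cannot win.
_RULES = [
    ("sshd_failed", re.compile(
        r'sshd\[\d+\]: Failed password for .* from (?P<ip>\d+(?:\.\d+){3}) port \d+')),
    ("pam_auth_failure", re.compile(
        r'pam_unix\(\w+:auth\): authentication failure;.* rhost=(?P<ip>\d+(?:\.\d+){3})')),
]


def parse(line):
    """Return (timestamp, rule_name, ip) for a recognised failure line, else None."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    mon, day, clock, rest = m.groups()
    ts = datetime.strptime("%d %s %s %s" % (YEAR, mon, day, clock), "%Y %b %d %H:%M:%S")
    for name, rx in _RULES:
        r = rx.search(rest)
        if r:
            return ts, name, r.group("ip")
    return None


class Detector:
    def __init__(self, threshold=5, window=60, block=600, escalate_within=3600, multiplier=4):
        self.threshold, self.window = threshold, timedelta(seconds=window)
        self.block, self.multiplier = block, multiplier
        self.escalate_within = timedelta(seconds=escalate_within)
        self.failures = defaultdict(deque)    # ip -> failure times inside the window
        self.blocked_until = {}               # ip -> datetime the block expires
        self.past_blocks = defaultdict(list)  # ip -> times of earlier blocks
        self.actions = []                     # (ip, when, seconds, rule)

    def feed(self, line):
        """Consume one log line; return a block action if this line triggered one."""
        parsed = parse(line)
        if parsed is None:
            return None
        ts, rule, ip = parsed
        if ip in self.blocked_until and ts < self.blocked_until[ip]:
            return None  # still blocked; a working firewall rule should be dropping these
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) < self.threshold:
            return None
        # Escalation: each earlier block inside escalate_within multiplies the duration.
        recent = [t for t in self.past_blocks[ip] if ts - t <= self.escalate_within]
        seconds = self.block * (self.multiplier ** len(recent))
        self.blocked_until[ip] = ts + timedelta(seconds=seconds)
        self.past_blocks[ip].append(ts)
        q.clear()
        action = (ip, ts, seconds, rule)
        self.actions.append(action)
        return action


def run(lines, **kw):
    d = Detector(**kw)
    for line in lines:
        d.feed(line)
    return d.actions


def firewall_command(ip):
    # Assumed response; OSSEC's firewall-drop and fail2ban's iptables action do the same.
    return "iptables -I INPUT -s %s -j DROP" % ip


# Constructed log: three slow FTP failures (never five in a minute), a fast ssh
# burst, one try while blocked, then a second burst after the block expired.
SAMPLE_LOG = """\
Mar  5 01:00:00 web1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=198.51.100.7 user=ftp
Mar  5 01:05:00 web1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=198.51.100.7 user=ftp
Mar  5 01:10:00 web1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=198.51.100.7 user=ftp
Mar  5 01:12:00 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2
Mar  5 01:12:02 web1 sshd[2235]: Failed password for invalid user oracle from 203.0.113.5 port 4412 ssh2
Mar  5 01:12:04 web1 sshd[2237]: Failed password for root from 203.0.113.5 port 4413 ssh2
Mar  5 01:12:06 web1 sshd[2239]: Failed password for invalid user test from 203.0.113.5 port 4414 ssh2
Mar  5 01:12:08 web1 sshd[2241]: Failed password for root from 203.0.113.5 port 4415 ssh2
Mar  5 01:15:00 web1 sshd[2260]: Failed password for root from 203.0.113.5 port 4420 ssh2
Mar  5 01:30:00 web1 sshd[2300]: Failed password for root from 203.0.113.5 port 4500 ssh2
Mar  5 01:30:01 web1 sshd[2302]: Failed password for root from 203.0.113.5 port 4501 ssh2
Mar  5 01:30:02 web1 sshd[2304]: Failed password for root from 203.0.113.5 port 4502 ssh2
Mar  5 01:30:03 web1 sshd[2306]: Failed password for root from 203.0.113.5 port 4503 ssh2
Mar  5 01:30:04 web1 sshd[2308]: Failed password for root from 203.0.113.5 port 4504 ssh2
"""

if __name__ == "__main__":
    for ip, when, seconds, rule in run(SAMPLE_LOG.splitlines()):
        print("%s %-16s %-14s block %5ds  # %s" % (when, rule, ip, seconds, firewall_command(ip)))
```

Running it on the sample blocks 203.0.113.5 for 600 seconds at 01:12:08 and, because it comes back within the hour, for 2400 seconds at 01:30:04, while the slow FTP guesser from 198.51.100.7 never trips the rule; that slow case is the known blind spot of this whole class of tools, and is why John's "wrap rules together" over a longer period is the more useful feature. The other thing to keep in mind when writing the patterns is that part of every failed-login line is attacker-controlled (the username), so a pattern that can be made to capture an address the attacker typed would let them get you to block an address of their choosing.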
Re: [CentOS] Intrusion Detection Systems
John Hinton wrote:

> ... There does seem to be flexibility among these three systems in having the ability to monitor just about any log system and take action based on failed logins for instance.
>
> So, what's the word from the list? Pros, cons or other directions?

I've always been rather fond of labrea (http://labrea.sourceforge.net/labrea-info.html) and portsentry (http://sourceforge.net/projects/sentrytools/), you might give them a gander.

-- 
Said one park ranger, 'There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists.'
Mark D. Foster, CISSP [EMAIL PROTECTED] http://mark.foster.cc/
Re: [CentOS] Intrusion Detection Systems
On 9/26/07, John Hinton [EMAIL PROTECTED] wrote:

> Situation: We are providing hosting services. I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control vs. putting strict limits on ssh. We simply have too many users entering from too many networks, many with dynamic IP addresses. Enter thinking about LIDS or Log Based Intrusion Detection. I've run across four systems: Blockhosts, DenyHosts, fail2ban and OSSEC. DenyHosts apparently only works with ssh, so I've discounted using that.

denyhosts will work with anything that uses tcp_wrappers. You can futz it to work with ssh, vsftpd, etc. However beyond that I can't be of much help at the moment. I would say go with multiple layers as much as possible.

-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. The Merchant of Venice