From owner-freebsd-questions Sun Jan 13 13:29:41 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from stereophonic.noops.org (adsl-63-195-97-84.dsl.snfc21.pacbell.net [63.195.97.84]) by hub.freebsd.org (Postfix) with SMTP id 0A2EE37B400 for ; Sun, 13 Jan 2002 13:29:37 -0800 (PST)
Received: (qmail 72992 invoked by uid 1000); 13 Jan 2002 21:29:38 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 13 Jan 2002 21:29:38 -0000
Date: Sun, 13 Jan 2002 13:29:38 -0800 (PST)
From: Thomas Cannon
To: Simon Siemonsma
Subject: Re: Which intrusion detection to use?
In-Reply-To: <200201131449.PAA27001@smtp.hccnet.nl>
Message-ID: <20020113131424.E72571-100000@stereophonic.noops.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> I have a FreeBSD box at home which I primarily use for internet access.
> All unnecessary daemons are switched off (I have inetd turned off) and I make
> use of IPFW.
> To even increase the security more I want to add a few things:

First off, there is a principle in computer security along the lines of 'if it isn't running, nobody can break in through it' that you are using, and then reversing. You shut down all the listening things, and now you want to run a bunch of others. Think it over, is all I'm saying.

> 1. software that warns me when I'm under attack. I understood snort is a
> Network based Intrusion Detection System (NIDS), so not useful on a host.

But your host is attached to a network, so it is a NIDS for a /32 (one host) network. Host-based IDSes don't work for a network, but NIDSes do work on a host.

> What are the alternatives on a host? I did read about portsentry but don't
> understand what the added benefit is over a tightly configured firewall. I

There isn't one, really.

> mean I use stateful packet filtering, allowing connections to be built up
> from me to the internet and not the other way round. Further my ports are
> stealthed.

And all this is logged, yes? Then have logcheck (/usr/ports/security/logcheck/) scan your logs every five minutes and send you mail to your pager if you see things from ipfw or unapproved zone transfers, or checks for CGI scripts that aren't there. It won't listen to the network, so it'd be hard to find a way in through that.

> 2. software which will detect that I'm hacked. Tripwire is a well known name,
> but AIDE claims to do more. Integrit claims to be simpler and focus on the
> essentials.

There's a bunch. They're all functionally equivalent. The only important thing is that you keep the checksums on read-only media. Flick the write-only tab on the floppy that you leave mounted in the drive.

Other things you can do would be to log to a line printer. Or log to an OpenBSD machine with nothing running (no SSH, no nothing) other than syslogd that will accept from that host and that host only.

Or you can go all out and study intrusion detection in depth, learn what traffic looks like, and then what bad traffic looks like, and run something like SHADOW and have your machine scarf all your network traffic in one hour bites, and present you with anything that doesn't look normal. The problem is, running it involves tcpdump, which, while it seems innocuous, has had problems and has been exploitable in the past, which brings us back to the beginning of this email.

Think it over, is all I'm saying.

Thomas

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
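The five-minute log sweep Thomas describes, as an added example that is not part of his mail, of logcheck, or of the FreeBSD ports tree: a POSIX shell script that takes ipfw "Deny" lines out of a syslog file, drops the noise a logcheck ignore file would drop, and summarises what is left so a cron job has something short to mail. The sample log lines, the ignore pattern, the interface and address values, and the function names (ipfw_alerts, ipfw_alert_count, top_source, probed_ports) are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original mail or from logcheck.
# A logcheck-style sweep over ipfw(8) log lines, kept offline by
# embedding a constructed sample of /var/log/security.

# Constructed sample: what ipfw writes via syslog when a rule carrying
# the "log" keyword fires (rule number, verdict, proto, src:port, dst:port).
SAMPLE_LOG=$(cat <<'EOF'
Jan 13 13:01:02 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.5:4312 192.0.2.10:111 in via ed0
Jan 13 13:01:05 gw /kernel: ipfw: 65000 Deny UDP 203.0.113.9:1029 192.0.2.10:137 in via ed0
Jan 13 13:02:11 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:1055 198.51.100.2:80 out via ed0
Jan 13 13:02:40 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.5:4313 192.0.2.10:22 in via ed0
Jan 13 13:03:00 gw sshd[123]: Accepted publickey for tom from 192.0.2.20 port 40000
Jan 13 13:03:30 gw /kernel: ipfw: 65000 Deny UDP 203.0.113.9:1030 192.0.2.10:137 in via ed0
EOF
)

# Noise to suppress, in the spirit of logcheck's ignore file: NetBIOS
# name-service broadcasts from the local segment are not an attack.
# (Constructed pattern; a real deployment keeps these in a file and
# feeds it to grep -v -f.)
IGNORE_PATTERNS='Deny UDP .*:137 in via'

# ipfw_alerts LOGTEXT
#   Print the log lines that deserve a human: anything ipfw logged as
#   Deny, minus lines matching IGNORE_PATTERNS. Accept lines and
#   non-ipfw lines never make it through the first grep.
ipfw_alerts() {
    printf '%s\n' "$1" | grep 'ipfw: [0-9]* Deny ' | grep -v -e "$IGNORE_PATTERNS"
}

# ipfw_alert_count LOGTEXT
#   How many such lines there are; a cron job uses this to decide
#   whether to send mail at all. Prints 0 (not an error) on a quiet run.
ipfw_alert_count() {
    ipfw_alerts "$1" | grep -c .
}

# top_source LOGTEXT
#   The remote address that tripped the most Deny rules. Field 10 of an
#   ipfw line is "src:port"; strip the port before counting.
top_source() {
    ipfw_alerts "$1" | awk '{print $10}' | cut -d: -f1 \
        | sort | uniq -c | sort -rn | head -1 | awk '{print $2}'
}

# probed_ports LOGTEXT SRC
#   Distinct destination ports SRC was denied on, sorted numerically.
#   Several ports from one source in one sweep is what a port scan
#   looks like from the host's side.
probed_ports() {
    ipfw_alerts "$1" | awk -v src="$2" '
        { split($10, s, ":"); if (s[1] == src) { split($11, d, ":"); print d[2] } }
    ' | sort -un
}

# Stand-alone run: report only when there is something to report, which
# is exactly the output a cron entry would pipe into mail(1).
if [ "$(ipfw_alert_count "$SAMPLE_LOG")" -gt 0 ]; then
    src=$(top_source "$SAMPLE_LOG")
    printf 'ipfw denies worth a look; busiest source %s hit ports: %s\n' \
        "$src" "$(probed_ports "$SAMPLE_LOG" "$src" | tr '\n' ' ')"
    ipfw_alerts "$SAMPLE_LOG"
fi
```

On the constructed sample the two NetBIOS lines are dropped, the Accept line and the sshd line never match, and the report names 203.0.113.5 as the source that was denied on ports 22 and 111. To run it the way the mail suggests, replace the embedded sample with the part of /var/log/security written since the previous sweep and schedule the script from cron every five minutes with its output piped to mail; the script opens no socket, so it adds nothing to the attack surface of the host, which is the property Thomas is after.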