Re: Which intrusion detection to use?

From: Krzysztof Zaraska (kzaraska@student.uci.agh.edu.pl)
Date: 01/13/02


Date: Sun, 13 Jan 2002 21:08:09 +0100
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: freebsd-security@freebsd.org

On Sun, 13 Jan 2002 19:00:30 +0000 Simon Siemonsma wrote:

> I have a FreeBSD box at home which I primarily use for internet access.
> All unnecessary daemons are switched off (I have inetd turned off) and I
> make use of IPFW.
> To even increase the security more I want to add a few things:
> 1. software that warns me when I'm under attack. I understood snort is a
> Network based Intrusion Detection System (NIDS), so not useful on a
> host.
Wrong. This term simply means that it will sniff your network (i.e. the
connection to your ISP) and alert you when it sees a packet that matches a
known attack signature. So yes, you can run it on a single host. Be warned,
however, that Snort can generate false positives: e.g. it can report that
you are being exploited with an unknown exploit while FTP'ing a new release
of FreeBSD, because some archives contain strings of 0x70's, which
triggers an alert.

> What are the alternatives on a host?
To clean up terminology: a host-based IDS is AIDE, since it monitors
changes on the host. Snort is network-based since it monitors the network. A
hybrid IDS monitors both.

> I did read about portsentry but don't
> understand what the added benefit is over a tightly configured firewall.

I don't know how tight your particular setup is, but if you deny access to
all unused ports to the world there will be no use in PortSentry since the
offending packets will never hit the port PortSentry is listening on.
Snort does not care about firewalls, so just tell it to listen on the outside
interface and you're set.

> I
> mean I use stateful packet filtering, allowing connections to be built
> up from me to the internet and not the other way round.
You mean you have no services available from outside? Well, duh, not much
can be hacked here anyhow, unless there is some exploit for the kernel we
don't know of I guess...

> Further my ports are
> stealthed.
This doubles the functionality of the firewall, but may be useful if you
switch your firewall off for debugging etc. A nice example of 'layer
security'. :)

> 2. software which will detect that I'm hacked. Tripwire is a well-known
> name, but AIDE claims to do more.
Personally I use AIDE and I find it to be quite OK. After setting up AIDE
I made an MD5 checksum of the database. I keep this checksum offsite and
compare it against the current checksum to be sure that no one tampered
with the database :)

> Integrit claims to be simpler and focus on the
> essentials.
Haven't tested. However all these tools operate on the same principles...

> Does anyone have some recommendations for me.
If this is a NAT gateway that has all ports firewalled from the outside
I'd be satisfied with the steps described above. Just re-check your
firewall rules, since it's your most important line of defense.

You may however (it's your system, anyhow ;-)) consider raising your
securelevel and making some files immutable (binaries, configuration) and
some other append-only (logs). man securelevel for details.

> Other recommendations to increase my security are also welcome?
Well, there are some papers on the subject available on the net, so just
do a Google search :) but they mostly focus on multi-user systems and
servers. Actually simple setup == less possible points of entry.

I'm afraid that if you exaggerate you may end up with a system generating
tons of logs although nothing serious is happening.

Best regards,
Krzysztof
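As an added illustration of the workflow Krzysztof describes (an AIDE-style database of file hashes, plus a checksum of that database kept off the box so the database itself is verified before its report is trusted), here is example code that is not part of the post and not AIDE's or Tripwire's own. It assumes SHA-256 in place of the post's MD5 and constructs its own sample files in a temporary directory.

```python
# Added example, not code from the post, AIDE or Tripwire. SHA-256 is assumed
# here in place of the post's MD5; all sample files below are constructed.
import hashlib
import hmac
import json
import os
import tempfile

def hash_file(path):
    """Digest of one file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Database: relative path -> digest for every regular file under root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = hash_file(full)
    return db

def database_checksum(db_bytes):
    """The single value to keep offsite (MD5 in the post, SHA-256 here)."""
    return hashlib.sha256(db_bytes).hexdigest()

def database_intact(db_bytes, offsite_checksum):
    """Refuse to trust a database whose checksum no longer matches."""
    return hmac.compare_digest(database_checksum(db_bytes), offsite_checksum)

def compare(root, db):
    """Changed, added and removed files relative to the baseline."""
    now = build_baseline(root)
    return {"changed": sorted(p for p in db if p in now and now[p] != db[p]),
            "added": sorted(set(now) - set(db)),
            "removed": sorted(set(db) - set(now))}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("bin/sh", b"shell"), ("etc/rc.conf", b'sshd_enable="NO"\n')):
            os.makedirs(os.path.dirname(path := os.path.join(root, name)), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)  # constructed sample files
        db_bytes = json.dumps(build_baseline(root), sort_keys=True).encode()  # canonical form
        offsite = database_checksum(db_bytes)  # this string is what goes off the box
        with open(os.path.join(root, "bin/sh"), "ab") as f:
            f.write(b"trojan")  # simulated modification of a binary
        report = compare(root, json.loads(db_bytes)) if database_intact(db_bytes, offsite) else None
        forged = db_bytes.replace(b'"bin/sh"', b'"bin/zz"')  # simulated edit of the database
        return {"report": report, "forged_trusted": database_intact(forged, offsite)}
```

Running `demo()` shows the modified binary in the report, while the edited copy of the database fails the offsite checksum and would be rejected before any comparison.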
