Understanding the four major intrusion detection (IDS) tools for the Linux platform


If you only have one computer, it is entirely possible to spend a great deal of time scrutinizing the weaknesses and problems of the system yourself. Perhaps you would rather not, but it is possible. In the real world, however, we need good tools that monitor the system and warn us where problems may arise, so that we are not always on edge. Intrusion detection is one of the things worth worrying about. There are always two sides to this, but fortunately Linux administrators have powerful tools to choose from. The best strategy is a layered approach: combine old-fashioned programs such as Snort and iptables with newer forces such as psad, AppArmor, and SELinux. With powerful analysis tools, we can stay at the forefront of the technology.

Today, any user account on a machine can be used for malicious purposes. I think the usual focus on protecting root alone, as if other user accounts did not matter, is a long-standing, chronic weakness in Linux and Unix security. A simple reinstall can replace a damaged system file, but what about data files? Any intrusion has the potential to cause a lot of damage. In fact, to send spam, copy sensitive files, serve pirated music or movie files, or launch attacks on other systems, an attacker does not need root access at all.

The new IDS favourite: psad

psad stands for Port Scan Attack Detector. It is a newer tool that works closely with iptables and Snort to show us every malicious attempt to get into the network, and it is my preferred Linux intrusion detection system. It uses many Snort signatures and can be combined with fwsnort and iptables logging, which means you can even drill down into the application layer and perform some content analysis. It can perform packet header analysis the way Nmap does, alert the administrator, and even be configured to automatically block suspicious IP addresses.

A key aspect of any intrusion detection system is capturing and analysing large amounts of data. Without that you are only flailing about in the dark and cannot really tune the IDS effectively. psad's data can be exported to AfterGlow and Gnuplot to see who is attacking the firewall and present the result in a friendly graphical form.
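As an added illustration (not code from the original article or from the psad project), here is a small Python sketch of the core psad idea described above: read the kernel lines written by the iptables LOG target, group packets by source address, and report sources that probe many distinct ports together with a danger level. The sample log lines and the danger-level thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines in the format written by the iptables
# LOG target (psad's input). Documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 SYN URGP=0
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=2 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN URGP=0
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=3 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 SYN URGP=0
Mar  3 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=4 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 SYN URGP=0
Mar  3 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=5 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 SYN URGP=0
Mar  3 10:15:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=64 ID=7 PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 SYN URGP=0
Mar  3 10:15:03 fw sshd[812]: Accepted publickey for admin from 198.51.100.7 port 51001
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
# Assumed for this example: packets from one source needed for danger levels
# 1..5 (psad has a similar, configurable scheme; these values are illustrative).
DANGER_THRESHOLDS = (5, 15, 150, 1500, 10000)

def parse_line(line):
    """Return SRC/DST/PROTO/DPT of one iptables LOG line, else None (sshd, cron, ...)."""
    if " kernel: " not in line or "PROTO=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields and "DPT" in fields else None

def danger_level(packet_count):
    """Map a per-source packet count to a 0..5 danger level."""
    return sum(1 for t in DANGER_THRESHOLDS if packet_count >= t)

def scan_report(lines, min_ports=5):
    """Group logged packets by source. A source that probed at least min_ports
    distinct destination ports is reported with its sorted port list and danger
    level; everything else is treated as noise."""
    ports = defaultdict(set)
    packets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ports[rec["SRC"]].add(int(rec["DPT"]))
        packets[rec["SRC"]] += 1
    return {src: {"ports": sorted(p), "level": danger_level(packets[src])}
            for src, p in ports.items() if len(p) >= min_ports}
```

On a real host the same function would be fed the kernel log (for example /var/log/kern.log), which only contains these lines if an iptables LOG rule is in place.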

Old but strong: Snort

Like a trusted elder, Snort has matured with age. It is a lightweight, easy-to-use tool that works stand-alone or together with psad and iptables. It can be found and installed from your Linux distribution's package repositories, which is a big improvement over the old source-code installation. Keeping the rules up to date is just as simple, because oinkmaster, Snort's rule updater and manager, is also in the Linux distributions.

Snort is easy to manage, although it has some configuration requirements. Out of the box, the default configuration is not suitable for most networks because it enables every rule, including many that are not needed. So the first thing to do is to clear out all the unneeded rules; otherwise they hurt performance and generate false alerts.

Another important strategy is to run Snort in stealth mode, which means listening on a network interface that has no IP address. Bring the interface up without assigning it an address, for example with ifconfig eth0 up, and then run Snort with the -i option, for example snort -i eth0. Be aware that if a network management program is running on the system, it may "helpfully" configure the interface you have deliberately left unconfigured, so it is recommended to remove the network management program.

Snort collects large amounts of data, so you will want to add BASE (Basic Analysis and Security Engine), a friendly visual analysis tool built on the older ACID (Analysis Console for Intrusion Databases).

Concise and convenient: chkrootkit and Rootkit Hunter

The rootkit detectors chkrootkit and Rootkit Hunter are both considered veteran rootkit detection programs. Obviously they are more trustworthy when run from a non-writable external medium, such as a CD or a write-protected USB drive; I like SD cards because of their write-protect switch. Both programs search for known rootkits, backdoors, and local exploits, and can detect a limited range of suspicious activity. The reason to run them is that they examine /proc, ps, and other important activity on the file system. Although they are not network tools, they can quickly scan an individual machine.

All-rounder: Tripwire

Tripwire is an intrusion detection and data integrity product that lets users build a baseline of the server's state representing the optimal configuration. It does not prevent damage from happening, but it compares the current state with that ideal state to determine whether any unexpected or deliberate changes have occurred. If changes are detected, the system can be returned to the baseline state with the least operational disruption.
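To make the baseline-and-compare model described above concrete, here is an added Python example (not Tripwire's own code): it records a content digest, size and permission bits for every regular file under a directory, then reports which files were added, removed or changed relative to that baseline. The scratch tree and the tampering in demo() are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

def _digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def snapshot(root):
    """Per regular file under root: content digest, size and permission bits."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope here
            state[os.path.relpath(path, root)] = {
                "sha256": _digest(path), "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode))}
    return state

def compare(baseline, current):
    """Report drift from the baseline, as Tripwire's check mode does."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in common if baseline[p] != current[p])}

def demo():
    """Constructed walk-through: baseline a scratch tree, tamper with it, re-check.
    A real baseline belongs on read-only media so an intruder cannot rewrite it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    passwd = os.path.join(root, "etc", "passwd")
    hosts = os.path.join(root, "etc", "hosts")
    _write(passwd, "root:x:0:0::/root:/bin/sh\n")
    _write(hosts, "127.0.0.1 localhost\n")
    baseline = snapshot(root)
    # Simulated tampering: an appended account line, a deleted file, a new file.
    _write(passwd, "guest:x:1001:1001::/home/guest:/bin/sh\n", "a")
    os.remove(hosts)
    _write(os.path.join(root, "unexpected.sh"), "#!/bin/sh\n")
    return compare(baseline, snapshot(root))
```

A real policy would also cover ownership and timestamps and would exclude directories that legitimately churn, such as logs and spools, which is exactly the tuning Tripwire's policy file exists for.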

If you need to control changes to Linux or UNIX servers, you have three options: open-source Tripwire, the server version of Tripwire, and the enterprise version of Tripwire. Although the three products have much in common, they differ in many respects, which lets the product line meet the requirements of different IT environments.

For example, open-source Tripwire is suited to monitoring a small number of servers, where centralized control and reporting are not required. The server version of Tripwire is the ideal solution for IT organizations that need only server monitoring on Linux/UNIX/Windows platforms, with detailed reporting and streamlined centralized server management. And the enterprise version of Tripwire is the best choice for IT organizations that need secure configuration auditing across Linux/UNIX/Windows servers, databases, network devices, desktops, and directory servers.
