Tripwire, Snort et al...?

ajt on 2005-01-26T13:35:42

Later this month we are going to replace a Windows NT AdvancedServer box with a Red Hat Linux Enterprise ES box. The machine is in our DMZ with an exposed port 80 to the Internet.

When the change takes place the Linux box will be my responsibility, I don't look after the current NT box. At the same time we'll also be exposing the box to the Internet with inbound FTP enabled as well.

Officially I'm the web/Perl person, but I'm also the only really knowledgeable Linux admin here. I have passed from the "knowing a little but not how little" stage to the "knowing a little more but now knowing how little that is" stage. My paranoia is starting to kick in.

What kind of tools are there for knowing if a machine has been got at? Which ones are worth installing... Where to start?


Snort and Nessus

include on 2005-01-26T15:00:21

Hello ajt,


Snort as an Intrusion Detection System is very powerful: it scans your DMZ in real time and produces pretty HTML (with SnortSnarf, for example), but if you want to sniff your whole network (DMZ and LANs) you will do a better job with two or more IDSs (NIDS), one in the DMZ and another in your LAN, and join the results for a better analysis.
In the IDS area you have another very good choice too: AIDE.

Tripwire is very nice too, but for static content: it takes a snapshot of your filesystem while out of the production environment and then compares that snapshot with the current filesystem properties (file size, date, etc.).

Nessus is a very, very powerful audit tool; I use it to test servers to see if I have everything secure and updated.

You will see many, many apps to do this work, but not (for now) "the app to do all these things"; you will have to use a group of them. But whatever applications you use, you will need to give great importance to the first rule of security: "Don't think you are 100% secure".
Now some nice links:
http://www.sans.org/rr/
http://www.sans.org/rr/whitepapers/testing/
http://www.sans.org/rr/whitepapers/forensics/
http://www.sans.org/rr/whitepapers/firewalls/
http://www.sans.org/rr/whitepapers/monitoring/
and because I use FreeBSD
http://www.freebsd.org/ports/security.html
;) I hope you can understand my English :)
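The snapshot-and-compare idea behind Tripwire and AIDE, as an added Python example (not code from the thread or from either project): it baselines a directory tree, stores the baseline with an HMAC so that an edit to the database file itself is noticed, and then reports added, removed and changed files. The web tree, the tampering and the HMAC key are all constructed for the demo; in real use the key and the baseline would be kept off the monitored host, as the later replies in this thread point out.

```python
"""Tripwire/AIDE-style file-integrity check (added example, not from the thread)."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

# Properties recorded per file; any difference in one of these is reported.
TRACKED = ("size", "mode", "uid", "gid", "mtime", "sha256")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record the tracked properties of every regular file under root (like --init)."""
    root = Path(root)
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()          # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue         # symlinks, sockets etc. omitted for brevity
            db[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": int(st.st_mtime),
                "sha256": sha256_file(p),
            }
    return db


def save_db(db, key, path):
    """Write the baseline plus an HMAC tag; the key must not live on the monitored host."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    Path(path).write_bytes(body + b"\n" + tag + b"\n")


def load_db(key, path):
    """Refuse a baseline whose HMAC no longer matches (edited db file, or wrong key)."""
    body, _, tag = Path(path).read_bytes().rstrip(b"\n").rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database failed HMAC check")
    return json.loads(body)


def compare(baseline, current):
    """Return added/removed paths and, for changed paths, which properties differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a small web tree, tamper with it, re-check."""
    key = b"example key - really kept on the admin workstation or a CD"  # assumption
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "cgi-bin").mkdir(parents=True)
        (root / "index.html").write_text("<h1>hello</h1>\n")
        (root / "cgi-bin" / "form.pl").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        dbfile = Path(tmp) / "baseline.db"
        save_db(snapshot(root), key, dbfile)

        # Simulated intrusion: a CGI script is backdoored, a web shell is dropped,
        # and the home page is deleted.
        (root / "cgi-bin" / "form.pl").write_text("#!/usr/bin/perl\nsystem $ENV{QUERY_STRING};\n")
        (root / "cgi-bin" / ".s.pl").write_text("#!/usr/bin/perl\n")
        (root / "index.html").unlink()
        report = compare(load_db(key, dbfile), snapshot(root))

        # The intruder then tries to hide by editing the baseline file in place.
        dbfile.write_bytes(dbfile.read_bytes().replace(b"index.html", b"index.htm1", 1))
        try:
            load_db(key, dbfile)
            db_tamper_detected = False
        except ValueError:
            db_tamper_detected = True
    return report, db_tamper_detected


if __name__ == "__main__":
    report, tampered = demo()
    print(json.dumps(report, indent=2))
    print("baseline tampering detected:", tampered)
```

The HMAC only proves the database was not altered on disk; it does nothing against a kernel that lies about file contents, which is why the checker and its baseline are best run from trusted boot media, as discussed further down the thread.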

Re:Snort and Nessus

Dom2 on 2005-01-26T15:31:39

AIDE is what we've started using here. I've no experience with it because I'm no longer the sysadmin (hurrah!). But it seems to work ok for our (simple) needs. I suspect we're using it more to prevent mistakes than as an actual intrusion detection system though.

-Dom

Re:Snort and Nessus

ajt on 2005-01-26T15:46:18

I spotted that when I was looking round the Debian site. Though the work box is RHEL-ES3, I run Debian at home, and I have the same paranoid worries there too...

I know there are lots of tools to choose from, it's knowing where to start that is the problem. Thanks for the suggestion, I'll investigate that too.

Re:Snort and Nessus

ajt on 2005-01-26T15:40:17

Most helpful, and your English is fine.

Will do some investigating...

grargh, i hate having to put a subject on replies

drhyde on 2005-01-26T17:36:24

chkrootkit is rather handy.

In theory, chkrootkit and tripwire can only really be trusted once you've booted from known-good media, and tripwire's database likewise should be on media you trust, such as a CD. This is because an attacker could manipulate the kernel to lie about what's on the disk, and hence tripwire et al would not be giving you a true picture of what's going on. Also an attacker could change tripwire's database if that's stored on the machine that's been compromised. In practice this is not too much of a concern, but your paranoia may prompt you into rebooting from a trusted CD, running tripwire etc. from the CD, and then rebooting as normal every so often.

Another good idea is to not run Apache - which while pretty good is still a target for the script kiddies - on port 80, but to instead run a filtering proxy which passes requests through to Apache. That proxy can be really small and dumb - in fact small and dumb is good, as it means fewer bugs - and only pass through requests which look well-formed for your application. Maybe there's something HTTP::Proxy-based for this.
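The "small and dumb" filtering proxy described above, as an added example in Python rather than the HTTP::Proxy-based Perl the post has in mind (this is not code from the thread). It assumes Apache has been moved to 127.0.0.1:8080 and that the application serves only the handful of URLs listed in `ALLOWED_PATHS`; both are assumptions for the demo. The proxy answers GET and HEAD only, refuses anything with a body, a query string outside the one CGI that takes one, an unexpected path, or a malformed header, and forwards the rest unchanged.

```python
"""Allowlisting reverse proxy in front of Apache (added example, not from the thread)."""
import http.client
import re
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BACKEND = ("127.0.0.1", 8080)      # assumption: Apache listens here, not on port 80
ALLOWED_METHODS = {"GET", "HEAD"}
MAX_TARGET_LEN = 512
MAX_HEADERS = 32
MAX_HEADER_LEN = 1024
# Hypothetical application: exactly the URLs it serves, nothing else gets through.
ALLOWED_PATHS = [
    re.compile(r"^/$"),
    re.compile(r"^/(?:index|about|contact)\.html$"),
    re.compile(r"^/images/[A-Za-z0-9_-]{1,64}\.(?:png|gif|jpg)$"),
    re.compile(r"^/cgi-bin/search\.pl$"),
]
ALLOWED_QUERY = re.compile(r"^q=[A-Za-z0-9%+._-]{0,64}$")   # only search.pl takes a query
TOKEN = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")         # RFC 7230 header-name token
FORWARDED_HEADERS = {"host", "user-agent", "accept", "accept-encoding", "if-modified-since"}


def check_request(method, target, headers):
    """Return (True, '') if the request is well-formed for our app, else (False, reason)."""
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(target) > MAX_TARGET_LEN or not target.startswith("/"):
        return False, "bad request-target"
    if any(ord(c) < 0x21 or ord(c) > 0x7E for c in target):
        return False, "control or non-ASCII byte in target"
    path, _, query = target.partition("?")
    # Belt and braces: the anchored regexes below already exclude these.
    if "/../" in path + "/" or "//" in path or "%" in path:
        return False, "suspicious path"
    if not any(p.match(path) for p in ALLOWED_PATHS):
        return False, "path not in allowlist"
    if query and not (path == "/cgi-bin/search.pl" and ALLOWED_QUERY.match(query)):
        return False, "query string not allowed here"
    if len(headers) > MAX_HEADERS:
        return False, "too many headers"
    if "host" not in {k.lower() for k, _ in headers}:
        return False, "missing Host"
    for name, value in headers:
        if not TOKEN.match(name) or len(value) > MAX_HEADER_LEN:
            return False, "bad header %r" % name
        if name.lower() in ("content-length", "transfer-encoding"):
            return False, "request body not accepted"
    return True, ""


class FilteringProxy(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _handle(self):
        headers = list(self.headers.items())
        ok, reason = check_request(self.command, self.path, headers)
        if not ok:
            self.log_error("dropped %s %s: %s", self.command, self.path, reason)
            self.send_error(400)            # deliberately uninformative to the client
            return
        conn = http.client.HTTPConnection(*BACKEND, timeout=10)
        conn.request(self.command, self.path,
                     headers={k: v for k, v in headers if k.lower() in FORWARDED_HEADERS})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("transfer-encoding", "connection", "content-length",
                                 "date", "server"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = _handle
    do_HEAD = _handle
    # No do_POST etc.: the base class answers other methods with 501 on its own.


if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 80), FilteringProxy).serve_forever()
```

Rejected requests are logged on the proxy with the reason, so the proxy's log doubles as a cheap record of who is poking at the box; the client only ever sees a generic 400.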

Re:grargh, i hate having to put a subject on repli

ajt on 2005-01-26T20:27:31

Will check out chkrootkit. It was easy to install on my Debian box at home, I'll have to try it at work tomorrow. I'm quite happy to build the tripwire or AIDE database and then burn it and the binary to CD, and run the application from CD. For home I just want to be safe, it's my money at stake, at work it's a lot more money, but also my job.

Running Apache via a proxy is a good idea, the Apache use on the work system is light and very basic so it could be very easy to do.