Network Security: IDS intrusion detection tool in Linux

This article briefly introduces several Linux IDS intrusion detection tools, such as psad, Apparmor, and SELinuxu. First, let's take a look at the principles and practices of the intrusion detection system.

If you only have one computer, it is entirely possible for you to spend a lot of time carefully reviewing system vulnerabilities and problems. Maybe you don't really want this, but it does. However, in the real world, we need some good tools to help us monitor the system, and warn us about where problems may occur, so we can always relax. Intrusion detection may be one of our concerns. However, there are always two things. Fortunately, Linux administrators have powerful tools to choose from. The best strategy is to adopt a layered approach to integrate old-fashioned programs such as Snort and iptables with some new forces such as psad, Apparmor, and SELinuxu, with powerful analysis tools, we can always stay at the forefront of technology.

In modern times, any user account on the machine may be used for evil. I believe that all the focus is on protecting the root account, just as other user accounts are not important. This is a long-term and chronic weakness in Linux and Unix security. A simple reinstallation can replace damaged system files, but what should I do with data files? Any intrusion has the potential to cause massive damage. In fact, to spread spam, copy sensitive files, provide fake music or movie files, and launch attacks against other systems, there is no need for root access.

IDS new favorite: PSAD

Psad is short for Port Scan attack detection programs. As a new tool, it can work closely with iptables and Snort to show us all malicious attempts to access the network. This is my preferred Linux intrusion detection system. It uses many snort tools, which can be used in combination with fwsnort and iptables logs, meaning you can even go deep into the application layer and perform some content analysis. It performs packet header analysis like Nmap, sends a warning to the user, and even configures it to automatically block suspicious IP addresses.

In fact, a key aspect of any intrusion detection system is to capture and analyze a large amount of data. If you do not do this, you can only blindly confuse it and cannot adjust IDS effectively. We can export PSAD data to AfterGlow and Gnuplot to know who is attacking the firewall and display it on a friendly interface.

Old and strong: Snort

As a trusted old man, Snort is becoming more mature as he grows older. It is a lightweight and easy-to-use tool that can run independently or be used together with psad and iptables. We can find and install it from the library of the Linux release version, which should be a great improvement over the source code installation in the past. The issue of keeping its rules updated is equally simple, because oinkmaster is also in the library of the Linux release version as the Snort rule update program and management program. Snort is easy to manage, although it has some configuration requirements. To start using it, the default configuration is not applicable to most network systems, because it includes all unnecessary rules. So the first thing we need to do is to clear all unnecessary rules, otherwise it will damage the performance and generate some false warnings.

Another important policy is to run Snort in the confidential mode, that is, to listen to a network interface without an IP address. Run Snort, such as a snort-ieth0, with the-I option, on an interface that does not assign an IP address to it, such as ifconfigeth0up. It is also possible that if your Network Manager program is running in the system, it will "help" display the ports that have not been configured, therefore, we recommend that you clear the Network Manager program.

Snort can collect a large amount of data. Therefore, you need to add a BASE (Basic Analysis and security engine) to obtain a friendly and visualized analysis tool, it is based on older ACID (intrusion into the database analysis console.

Simple and Convenient: chkrootkit and rootkit

The Rootkit detection programs chkrootkit and rootkitHunter are also old rootkit detection programs. Obviously, when running from a non-writable external device, they are more trustworthy tools, such as running from a CD or write-protected USB drive. I like the SD card because of the write protection switch. These two programs can search for known rooktkit, backdoor, and local vulnerability exploitation programs, and discover limited suspicious activities. The reason we need to run these tools is that they can view/proc, ps and other important activities on the file system. Although they are not used for networks, they can quickly scan personal computers.

Versatile: Tripwire

Tripwire is an intrusion detection and data integrity product that allows users to build a basic server state that best represents the settings. It does not prevent the occurrence of a damage event, but it can compare the current state with the ideal state to determine whether any unexpected or intentional change has occurred. If any change is detected, it will be minimized.

If you need to control changes to Linux or UNIX servers, You can have three options: open-source Tripwire, server Tripwire, and enterprise Tripwire. Although these three products have something in common, they have many different aspects, so that they can meet the requirements of different IT environments.

For example, open-source Tripwire is suitable for monitoring a small number of servers, because this situation does not require centralized control and reporting; server version Tripwire is an ideal solution for IT organizations that require server monitoring and provide detailed reports and optimize centralized server management only on Linux/UNIX/Windows platforms; enterprise Tripwire is the best choice for IT organizations that need to securely review configurations between Linux/UNIX/Windows servers, databases, network devices, desktops, and directory servers.

1. Research on SQL injection attacks and Prevention and Detection Technology
2. Three major measures minimize the harm of SQL injection attacks
3. Types and Preventive Measures of SQL injection attacks