Host-based Intrusion Detection Systems (HIDS)
Host-based Intrusion Detection Systems (HIDS)
Intrusion detection can be divided into three broad categories: NIDS, HIDS, and vulnerability scans. In this post I will review several options for HIDS and OpenVAS (vulnerability scanner). If you are wanting information on NIDS, see the NIDS sticky
Most Windows users are familiar with HIDS. Examples include virus and spyware scanners. HIDS monitor system files and detect unauthorized changes and known threats / malware.
Many Linux users may feel these tools are of limited utility because:
1. These tools are notorious for quirks, hiccups, and the sky is falling. As with the boy who cried wolf, excessive warnings and false positives tend to get ignored.
2. These tools detect only known vulnerabilities and thus do not protect against "zero day exploits". Known vulnerabilities are generally patched rapidly in Linux. Thus many people are of the opinion keeping their systems up to date is sufficient and these tools are superfluous.
3. The majority of these tools are command line tools with limited, if any, graphical interface (web interfaces are more common). Some people tend to shy away from tools lacking a graphical interface.
4. Although every OS has potential security holes, many users find Ubuntu is "secure enough" such that additional measures are not warranted . For an overview of this mentality, see this discussion .
This post is for those who are interested in "learning the ropes" and will review HIDS tools. IMO it is best to try these tools out before you suspect your system is compromised.
Security is an advanced topic on any OS, requires knowledge of how the OS works, and comes with a steep learning curve (yes, you are expected to read). If you find these tools overwhelming, I suggest you start with the Security Sticky and come back to these tools when you are more comfortable with Linux, the command line, and/or have the time to work through the use of these tools.
Contents :
First steps
OSSEC
OpenVAS
Alternatives to OSSEC / OpenVAS
Tiger
chkrootkit
rkhunter
clamav
Etiquette: If you are going to run these HIDS/Vulnerability tools, please read the documentation (FAQ / README ) and perform a Google search on the results of alerts or warnings before posting on the Ubuntu forums. These tools have esoteric tendencies and support may be limited on the Ubuntu forums. Please see the various home pages / wiki and/or use the application specific forums / mailing lists for support.
Discussion Thread - The discussion thread is for comments / feedback. Please do not use the discussion tread for support questions, start a support thread in the security forums.
Re: Host-based Intrusion Detection Systems (HIDS)
First steps
There is a nice review of the issues with HIDS here. It was written in 2004, but the basic principles still apply.
IMO the foundation of HIDS is with understanding how your OS works and what types of activity are "normal". If you are new to Ubuntu or Linux security I suggest you start with the Security Sticky. In addition I suggest :
1. Keep your systems up to date, at least with security updates. Consider security only automatic updates (I set synaptic to do this).
2. Learn the following commands:
Code:
w
last
netstat -tulnp
ps aux # or variants
top
3. Familiarize yourself with the Log files. IMO the two most relevant to HIDS are /var/log/messages and /var/log/auth.log. You may view the logs with any number of tools including System -> Administration -> Log File Viewer or install Logwatch.
/var/log/messages -> apparmor logs here
/var/log/auth.log -> logins and sudo access.
Code:
grep sudo --color=always /var/log/auth.log
To track user commands use acct
Consider installing faillog (locks user accounts after failed log in attempts).
My blog post on faillog
Also watch the logs for your servers, particularly any error logs.
/var/log/apache2/error.log
Last, consider using logwatch. Logwatch will analyse your log files and generate a summary report. The report is a summary and you may need to manually review the logs for more specific information.
Logwatch - Written for Debian, but works with Ubuntu.
4. Know what services (servers) are running (hint see the netstat command above) and how to secure them (firewall, ssh keys, fail2ban, denyhosts, etc).
Keep in mind, the most common Ubuntu security breaches are due to ;
1. Installing servers - SSH and VNC (desktop sharing )in particular - with weak passwords and port forwarding (allowing connections from the internet).
2. Installing packages (software) or running commands / scripts from untrusted sources. This may include ppa, web sites such as gnome-look.org, and even Linux user forums.
3. Social engineering which then results in #2 ...
4. Phishing - evil twin of Social engineering.
5. Learn to use Apparmor. bodhi.zazen's Ubuntu 10.04 apparmor profiles. Although Apparmor is not a HIDS tool, I highly suggest you use apparmor to confine as many, if not all, network aware applications.
6. Highly recommended - Integrit / Tripwire / Aide (Advanced Intrusion Detection Environment) - These tools monitor system files for changes. These tools are fairly straight forward to configure, however they may need some customization (read the configuration file and documentation). Unless you want to review a long list of changes, consider not monitoring files expected to change ( /var/log/* , /tmp , /mnt , /media , /proc ). See This blog for tips.
Integrit - Integrit is very easy to both configure and run, IMO it works well.
Advantage - Very easy to install, customize, and configure (it gets the job done).
Disadvantage - The report may be too brief for some.
Tripwire -
How to tripwire
How to Centralwire (centralized server for tripwire)
Detailed how-to tripwire
Advantage - One can customize what directories are monitored.
Disadvantage - Many of the files will change over time, particularly logs, so you may need to fine tune what is monitored.
Tripwire needs some Ubuntu specific adjustments in the configuration file. For example, adding /etc/init and remove monitoring of some files in /root .
Aide - Debian / Ubuntu highly customize aide and I highly suggest you read the (Debian / Ubuntu) documentation. It is located at /usr/share/doc/aide-common/README.Debian.gz Online README.Debian.
Despite the guides below, aide is configured to:
1. Automatically generate a daily report. The report is mailed to root and is in /var/mail/root
2. It generates a lot of noise, you may wish to exclude a few directories - Delete the delete 99_aide_root, 70_aide_var, and 70_aide_tmp files.
3. Run with a wrapper script. Simply substitute "aide.wrapper" for "aide" in the commands in the guides below
ie -
aide.wrapper --init rather then aide --init
aide.wrapper --check rather then aide --check
AIDE: Advanced Intrusion Detection Environment
Ubuntu wiki AIDE
Ubutu 8.04
7. Optional - Ninja monitors your system for unauthorized root access.
8. "Don't panic" - Douglas Adams (The Hitchhiker's Guide to the Galaxy).
Back to top
Re: Host-based Intrusion Detection Systems (HIDS)
OSSEC
OSSEC
Advantages of OSSEC :
1. Open source (yea).
2. OSSEC monitors integrity of system and log files.
3. Root kit detection.
4. An active response system. This means OSSEC will not only monitor, but also respond to threats (black list naughty IP addresses).
5. Optional web based graphical (monitoring) interface.
6. Optional central server (consolidates monitoring multiple systems).
7. OSSEC is relatively easy to set up.
The potential disadvantage of ossec, you would need to install apache to use the web interface. If you are already running a headless or remote server with apache then adding the ossec-wui is not as drastic. If you are on a Desktop you can bind apache to localhost (127.0.0.1) and restrict external connections with iptables (see below).
Home page: http://www.ossec.net/
OSSEC manual
OSSEC FAQ
Download and install OSSEC
Install Dependencies (gcc)
Code:
apt-get install -y gcc
Download the latest version of OSSEC
Code:
wget http://www.ossec.net/files/ossec-hids-2.4.tar.gz
Extract the archive and install
Code:
tar xvf ossec-hids-2.4.tar.gz
cd ossec-hids-2.4
sudo ./install.sh
The installation is very easy, you simply answer a few questions or hit the enter key for the defaults. The only question you have to answer is "What kind of installation do you want (server, agent, local or help)?" , at that question type "local" and hit enter (see below).
Select your language
Select "local" as the type of installation
Quote:
What kind of installation do you want (server, agent, local or help)? local
The only default I personally change is the email report. Because I prefer the web interface I answer no to this question.
Quote:
Do you want e-mail notification? (y/n) [y]:n
Otherwise go with the defaults (hit enter).
Start ossec
Code:
sudo /etc/init.d/ossec start
Install and configure the web interface
Step 1: Install apache and php5
Code:
sudo apt-get -y install apache2 php5
Setp 2: Download and configure the wui (Web User Interface)
Code:
cd /var/www
sudo wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
sudo tar xvf ossec-wui-0.3.tar.gz
sudo rm ossec-wui-0.3.tar.gz
sudo mv ossec-wui-0.3 ossec
cd into the ossec directory and install ossec
Code:
cd /var/www/ossec
sudo ./setup.sh
As the wui is installed you will be asked a user name and password. Enter the user name and password of your choice.
Set the proper permissions of the ossec directory:
Code:
sudo chown -R www-data.www-data /var/www/ossec
Add www-data to the ossec group
Code:
sudo nano /etc/group
Find the ossec line (most likely at the bottom of the file) and add www-data to the ossec group
Quote:
ossec:x:1001:www-data
Save and exit nano
Set the permissions of /var/www/ossec/tmp
Code:
sudo chmod 770 /var/www/ossec/tmp
sudo chgrp www-data /var/www/ossec/tmp
Restart apache
Code:
sudo service apache2 restart
Open the page with firefox and go to the ossec directory
http://localhost/ossec
http://ip_address/ossec
As is typical of HIDS, be prepared to read up on any alerts you receive from OSSEC.
Restricting access to the ossec-wui
1. Using Apache.
Edit your Virtual Host. Unless you defined a virtual host for ossec, the default is /etc/apache2/sites-available/default
Under the section <Directory /var/www> edit the following lines :
From
Quote:
Order allow,deny
allow from all
To
Code:
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
Restart Apache
Code:
sudo service apache2 restart
2. With iptables
One line (assuming your default policy is ACCEPT):
Code:
sudo iptables -A INPUT -p tcp -m tcp --dport 80 ! -s 127.0.0.1 -j DROP
3. As an alternate to iptables, simply enable ufw
That will block incoming requests to apache (connections from localhost are allowed).
4. If you connect to the ossec wui, from an external client, especially over the internet, I highly advise you use ssl (https) and password protect the ossec directory.
There are several tutorials on the internet including the Ubuntu wiki is, IMO, a nice start.
Apache documentation Authentication, Authorization and Access Control
5. If you do NOT have access to the apache configuration file , use .htaccess :
Password protecting a directory with Apache and .htaccess
Apache Web Login Authentication
Apache Tutorial: .htaccess files
Quote:
In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.
Back to top
Re: Host-based Intrusion Detection Systems (HIDS)
OpenVAS
OpenVAS (Open Vulnerability Assessment System) is, as the name implies, is used for vulnerability testing rather then a method of monitoring your host for changes.
OpenVAS is feature rich and this post will get you started, see the online documentation for additional details.
Install the OpenVAS server and client
Openvas is in the Ubuntu 10.04 repositories.
Code:
sudo apt-get -y install openvas-server openvas-client nikto
The installation process will configure (server) certificates, but will not make an openvas user certificate.
wapiti and w3af were problems, you may have to run them manually.
The default icon is ugly, I downloaded and used this one.
Create a user
Code:
sudo openvas-adduser
Add a user and assign a password. You can either leave the roles blank or assign roles (see man openvas-adduser). Roles define which hosts a user is allowed to audit.
Syntax:
accept host_ip
accept host_name
accept netmask
default deny
For example, these rules restrict the audits to your LAN.
Code:
accept 192.168.0.0/24
default deny
In a nutshell, a Role == what host you are allowed to scan.
If you wish to use user certificates you will need to generate them yourself.
Update rules
Code:
sudo openvas-nvt-sync
The command failed for me, I downloaded the update from
http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
I extracted the contents (be warned, they are not packaged neatly, I suggest you extract them into a directory).
Copied the *.nasl to /var/lib/openvas/plugins/
(Re)Start openvas
Code:
service openvas-server start & #Yes, I needed the &
Scan the host (you can only scan a host that has openvas-server installed).
Openvas client
Command line:
The file hostname.txt must exist
Code:
echo openvas_server_ip_address > openvas_hostname.txt
Syntax :
Quote:
openvas-client -q hostname port user password hostname.txt results.html -T html
For example :
Code:
echo 127.0.0.1 > localhost.txt
openvas-client -q localhost 127.0.0.1 bodhi bodhi's_password localhost.txt results_localhost.html -T html
View the results with
Code:
firefox results_localhost.html
GUI tool
Open the client
Applications -> Internet -> OpenVAS client
Connect (use the connect icon) -> enter user name and password
Start a scan
File -> scan assistant
Back to top
Re: Host-based Intrusion Detection Systems (HIDS)
Alternates to OSSEC / OpenVAS
OSSEC / Openvas not your cup of tea ? You could consider one of these alternates:
Bastille - Ubuntu Wiki Bastille . Take care, bastille can lock you out of your own system and can be difficult to reverse changes. In addition it is somewhat dated and needs to be customized for Ubuntu.
Nagios - Nagios
Nessus - Nessus
Osiris - Osiris (last update 2007) .
Samhain - Samhain (Beltane is the web interface). The samhain client is in the Ubuntu repositories (and works fine), but if you wish to use the server (yule) and Beltane you have some serious reading to do.
Zenoss - Zenoss
Install / Download / Run the vulnerability tools manually.
Back to top
Re: Host-based Intrusion Detection Systems (HIDS)
Tiger
Tiger is my next favorite HIDS tool as it performs a security audit as well as several security checks including john the ripper (checks for weak passwords), scanning your system for listening "back door" ports, and chkrootkit. Output can be formatted in a HTML document, which you may then open with any browser.
Features:
1. Runs chkrootkit.
2. Gives options for hardening your installation.
3. The built in help / information for tiger alerts (tigexp) is, IMO, superior to some of the other options.
Home page: http://www.nongnu.org/tiger/
Please READ the "README" files !!!!
tiger README
tiger USING file
tiger README.hids
man tiger
Install tiger
Code:
sudo apt-get install tiger
Note: This will install john and ckrootkit as well.
Note: John does not work with the default Ubuntu password hashes (sha-512).
Run tiger
tiger takes some time and appears to hang at the (output) line:
Quote:
Performing system specific checks ...
Let it run ...
Tiger will generate a long list of suggestions for your investigation.
To view the output (it is a bit of an effort):
Code:
sudo bash -c "cp /var/log/tiger/security.report.* /home/bodhi
sudo chown bodhi.bodhi /home/bodhi/security.report.*
Change "bodhi" to your user name.
Then view with Firefox:
Code:
firefox security.report.<tab>
<tab> == Use the tab key for tab completion ^^
To see an explanation of a warning or alert, use tigexp. The syntax is tigexp alert_code
For example :
Quote:
bodhi@lucid:~$ tigexp pass014w
The listed login ID is disabled in some manner ('*' in passwd field, etc),
but the login shell for the login ID is a valid shell (from /etc/shells
or the system equivalent). A valid shell can potentially enable the
login ID to continue to be used. The login shell should be changed to
something that doesn't exist, or to something like /bin/false.
Etiquette: If you are going to run these tools, please read the documentation (FAQ / README ) and perform a google search on the results of alerts or warnings before posting on the forums.
You may review the security audit and decide for yourself if you wish to implement any of the suggestions (knock yourself out ... ).
Back to top
Re: Host-based Intrusion Detection Systems (HIDS)
Chkrootkit
chkrootkit is a HIDS tool that scans your computer for possible root kits. It is one of the most popular rootkit scanners on these forums.
Home page: http://www.chkrootkit.org/
chkrootkit FAQ
man chkrootkit
Install chkrootkit
Code:
sudo apt-get install chkrootkit
Run chkrootkit
The output should all read "not found" and / or "not infected"
As with all these tools false positives are common, use Google to search for suspicious results.
Etiquette: If you are going to run these tools, please read the documentation (FAQ / README ) and perform a google search on the results of alerts or warnings before posting on the forums.
Re: Host-based Intrusion Detection Systems (HIDS)
Rkhunter
rkhunter is the next most common HIDS tool. This tool is command line only and the output is to the terminal and a log file.
Home page : http://rkhunter.sourceforge.net/
rkhunter FAQ
man rkhunter
Run rkhunter
Interpreting the Output of rkhunter
You will see a number of tests, output of "[ OK ] " is good.
Warnings are exactly that, warnings and not necessarily problems. You should not either panic or ignore them, you should investigate to see if they are "normal" for your system.
Results of the scan are in /var/log/rkhunter.log
Code:
gksu gedit /var/log/rkhunter.log
Google search any warnings or alerts.
Etiquette: If you are going to run these tools, please read the documentation (FAQ / README ) and perform a google search on the results of alerts or warnings before posting on the forums.
Back to top
Re: Host-based Intrusion Detection Systems (HIDS)
Clamav
- A brief word about virus / spyware scanners -
In Linux there are no known active viruses and user cases for antivirus scanners include :
1. If you are running a file server (mail server, FTP, Samba, NFS, etc) and serve windows clients you might scan all uploaded files for viruses.
2. As a netizen you may wish to scan files you receive or give (mail, usb device, etc) windows users.
3. You wish to scan / clean a Windows partition of viruses.
Overview of Antivirus software on Ubuntu Keep in mind, IMO, the strongest proponents of many of these tools are either new to Linux or trying to sell you something.
I have never seen spyware on Linux nor have I seen a Linux spyware scanner/removal tool.
Clamav is one of the more popular and IMO easiest to use Linux virus scanner. In addition clamav has the ability to run in daemon mode. This is, IMO, particularly useful on servers. Clamav can also interface with dansguardian and scan web content for viruses.
While this last feature is beyond this long series of posts, see Squid Proxy Server On Ubuntu 9.04 Server With DansGuardian, ClamAV, And WPAD (Proxy Auto-Detection)
Clamav Home page
Clamav wiki
clamav FAQ
Ubuntu wiki ClamAV
Install clamav
Code:
sudo apt-get install clamav
Update virus definitions
Scan with clamav
Syntax : sudo clamscan -r directory_to_scan
You do NOT need sudo if you own the files to be scanned.
Scan home directories
Code:
sudo clamscan -r /home
Scan flash drive (change "/media/disk" to the mount point of the usb device
Code:
sudo clamscan -r /media/disk
Scan the entire system
Remove "infected files"
Code:
sudo clamscan -r /home --remove
Note: clamav deletes infected files IT DOES NOT REMOVE or CLEAN THE "virus" FROM THE FILE. Take care not to delete / remove files without researching if they are infected (same with any OS).
Running clamav as a daemon
clamav can be installed on mail / samba servers and run as a daemon.
Install clamav-daemon
Code:
sudo apt-get install clamav-daemon
Then run as a daemon
Code:
sudo clamav-daemon -r /home
You may also use the --remove option with clamav-daemon
Graphical front ends
You may scan your user directory or removable devices as a regular user. To scan system files or update virus definitions you will need to run these tools as root.
klamav - klamav is a KDE application but runs on gnome and xfce.
Installation:
Code:
sudo apt-get install -y klamav
klamav is in your menu under Applications -> System tools
If you wish to scan system files you will need to run klaav as root.
http://bodhizazen.net/img/clam/kav1_thumb.png
http://bodhizazen.net/img/clam/kav2_thumb.png
clamtk - a gtk application
Home page: http://clamtk.sourceforge.net/
http://downloads.sourceforge.net/pro...ror=hivelocity
Check the home page for more recent versions.
Install
Code:
wget http://downloads.sourceforge.net/project/clamtk/ClamTk/4.25/clamtk_4.25-1_all.deb?use_mirror=hivelocity
sudo dpkg -i clamtk_4.25-1_all.deb
sudo apt-get install -f
clamtk is in the menu under
Applications -Accessories -> Virus Scan
To run as root:
http://bodhizazen.net/img/clam/ctk1_thumb.png
http://bodhizazen.net/img/clam/ctk2_thumb.png
Clamav Test Files
If you wish to test clamav, install the test files and re-scan.
Code:
sudo apt-get install -y clamav-testfiles
Then run clamscan, or one of the graphical tools, and scan /
Note: If you run from the command line you will see you have 4 infected files, but the listing of the files is lost in the output.
Code:
sudo bash -c "clamscan -r / 2>/dev/null | grep -v OK | grep -v Empty | grep -v Excluded
Additional information
1. clamav is maintained in backports, so you may wish to enable the backports repository.
2. There is also a ppa for clamav . New versions of clamav are available in the ppa first -> then if stable backports. see MOTU - clamav
3. clamav has an apparmor profile. To enable it :
Back to top