Results 1 to 9 of 9

Thread: Host-based Intrusion Detection Systems (HIDS)

  1. #1
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Host-based Intrusion Detection Systems (HIDS)

    Host-based Intrusion Detection Systems (HIDS)

    Intrusion detection can be divided into three broad categories: NIDS, HIDS, and vulnerability scans. In this post I will review several options for HIDS and OpenVAS (vulnerability scanner). If you are wanting information on NIDS, see the NIDS sticky

    Most Windows users are familiar with HIDS. Examples include virus and spyware scanners. HIDS monitor system files and detect unauthorized changes and known threats / malware.

    Many Linux users may feel these tools are of limited utility because:

    1. These tools are notorious for quirks, hiccups, and the sky is falling. As with the boy who cried wolf, excessive warnings and false positives tend to get ignored.

    2. These tools detect only known vulnerabilities and thus do not protect against "zero day exploits". Known vulnerabilities are generally patched rapidly in Linux. Thus many people are of the opinion keeping their systems up to date is sufficient and these tools are superfluous.

    3. The majority of these tools are command line tools with limited, if any, graphical interface (web interfaces are more common). Some people tend to shy away from tools lacking a graphical interface.

    4. Although every OS has potential security holes, many users find Ubuntu is "secure enough" such that additional measures are not warranted . For an overview of this mentality, see this discussion .


    This post is for those who are interested in "learning the ropes" and will review HIDS tools. IMO it is best to try these tools out before you suspect your system is compromised.

    Security is an advanced topic on any OS, requires knowledge of how the OS works, and comes with a steep learning curve (yes, you are expected to read). If you find these tools overwhelming, I suggest you start with the Security Sticky and come back to these tools when you are more comfortable with Linux, the command line, and/or have the time to work through the use of these tools.


    Contents :

    First steps
    OSSEC
    OpenVAS
    Alternatives to OSSEC / OpenVAS
    Tiger
    chkrootkit
    rkhunter
    clamav


    Etiquette: If you are going to run these HIDS/Vulnerability tools, please read the documentation (FAQ / README ) and perform a Google search on the results of alerts or warnings before posting on the Ubuntu forums. These tools have esoteric tendencies and support may be limited on the Ubuntu forums. Please see the various home pages / wiki and/or use the application specific forums / mailing lists for support.

    Discussion Thread - The discussion thread is for comments / feedback. Please do not use the discussion tread for support questions, start a support thread in the security forums.
    Last edited by bodhi.zazen; May 9th, 2010 at 07:25 AM.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Host-based Intrusion Detection Systems (HIDS)

    First steps


    There is a nice review of the issues with HIDS here. It was written in 2004, but the basic principles still apply.

    IMO the foundation of HIDS is with understanding how your OS works and what types of activity are "normal". If you are new to Ubuntu or Linux security I suggest you start with the Security Sticky. In addition I suggest :


    1. Keep your systems up to date, at least with security updates. Consider security only automatic updates (I set synaptic to do this).

    2. Learn the following commands:

    Code:
    w
    last
    netstat -tulnp
    ps aux # or variants
    top

    3. Familiarize yourself with the Log files. IMO the two most relevant to HIDS are /var/log/messages and /var/log/auth.log. You may view the logs with any number of tools including System -> Administration -> Log File Viewer or install Logwatch.

    /var/log/messages -> apparmor logs here
    /var/log/auth.log -> logins and sudo access.

    Code:
    grep sudo --color=always /var/log/auth.log
    To track user commands use acct

    Consider installing faillog (locks user accounts after failed log in attempts).

    My blog post on faillog

    Also watch the logs for your servers, particularly any error logs.

    /var/log/apache2/error.log

    Last, consider using logwatch. Logwatch will analyse your log files and generate a summary report. The report is a summary and you may need to manually review the logs for more specific information.

    Logwatch - Written for Debian, but works with Ubuntu.


    4. Know what services (servers) are running (hint see the netstat command above) and how to secure them (firewall, ssh keys, fail2ban, denyhosts, etc).

    Keep in mind, the most common Ubuntu security breaches are due to ;

    1. Installing servers - SSH and VNC (desktop sharing )in particular - with weak passwords and port forwarding (allowing connections from the internet).

    2. Installing packages (software) or running commands / scripts from untrusted sources. This may include ppa, web sites such as gnome-look.org, and even Linux user forums.

    3. Social engineering which then results in #2 ...

    4. Phishing - evil twin of Social engineering.


    5. Learn to use Apparmor. bodhi.zazen's Ubuntu 10.04 apparmor profiles. Although Apparmor is not a HIDS tool, I highly suggest you use apparmor to confine as many, if not all, network aware applications.


    6. Highly recommended - Integrit / Tripwire / Aide (Advanced Intrusion Detection Environment) - These tools monitor system files for changes. These tools are fairly straight forward to configure, however they may need some customization (read the configuration file and documentation). Unless you want to review a long list of changes, consider not monitoring files expected to change ( /var/log/* , /tmp , /mnt , /media , /proc ). See This blog for tips.

    Integrit - Integrit is very easy to both configure and run, IMO it works well.

    Advantage - Very easy to install, customize, and configure (it gets the job done).
    Disadvantage - The report may be too brief for some.

    Tripwire -
    How to tripwire
    How to Centralwire (centralized server for tripwire)
    Detailed how-to tripwire

    Advantage - One can customize what directories are monitored.
    Disadvantage - Many of the files will change over time, particularly logs, so you may need to fine tune what is monitored.

    Tripwire needs some Ubuntu specific adjustments in the configuration file. For example, adding /etc/init and remove monitoring of some files in /root .


    Aide - Debian / Ubuntu highly customize aide and I highly suggest you read the (Debian / Ubuntu) documentation. It is located at /usr/share/doc/aide-common/README.Debian.gz Online README.Debian.

    Despite the guides below, aide is configured to:

    1. Automatically generate a daily report. The report is mailed to root and is in /var/mail/root
    2. It generates a lot of noise, you may wish to exclude a few directories - Delete the delete 99_aide_root, 70_aide_var, and 70_aide_tmp files.
    3. Run with a wrapper script. Simply substitute "aide.wrapper" for "aide" in the commands in the guides below

    ie -

    aide.wrapper --init rather then aide --init
    aide.wrapper --check rather then aide --check


    AIDE: Advanced Intrusion Detection Environment
    Ubuntu wiki AIDE
    Ubutu 8.04



    7. Optional - Ninja monitors your system for unauthorized root access.

    8. "Don't panic" - Douglas Adams (The Hitchhiker's Guide to the Galaxy).

    Back to top
    Last edited by bodhi.zazen; May 9th, 2010 at 05:57 AM.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #3
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Host-based Intrusion Detection Systems (HIDS)

    OSSEC

    OSSEC

    Advantages of OSSEC :

    1. Open source (yea).

    2. OSSEC monitors integrity of system and log files.

    3. Root kit detection.

    4. An active response system. This means OSSEC will not only monitor, but also respond to threats (black list naughty IP addresses).

    5. Optional web based graphical (monitoring) interface.

    6. Optional central server (consolidates monitoring multiple systems).

    7. OSSEC is relatively easy to set up.


    The potential disadvantage of ossec, you would need to install apache to use the web interface. If you are already running a headless or remote server with apache then adding the ossec-wui is not as drastic. If you are on a Desktop you can bind apache to localhost (127.0.0.1) and restrict external connections with iptables (see below).

    Home page: http://www.ossec.net/

    OSSEC manual
    OSSEC FAQ

    Download and install OSSEC

    Install Dependencies (gcc)

    Code:
    apt-get install -y gcc
    Download the latest version of OSSEC

    Code:
    wget http://www.ossec.net/files/ossec-hids-2.4.tar.gz
    Extract the archive and install

    Code:
    tar xvf ossec-hids-2.4.tar.gz
    cd ossec-hids-2.4
    sudo ./install.sh
    The installation is very easy, you simply answer a few questions or hit the enter key for the defaults. The only question you have to answer is "What kind of installation do you want (server, agent, local or help)?" , at that question type "local" and hit enter (see below).

    Select your language

    Select "local" as the type of installation

    What kind of installation do you want (server, agent, local or help)? local
    The only default I personally change is the email report. Because I prefer the web interface I answer no to this question.

    Do you want e-mail notification? (y/n) [y]:n
    Otherwise go with the defaults (hit enter).

    Start ossec

    Code:
    sudo /etc/init.d/ossec start
    Install and configure the web interface

    Step 1: Install apache and php5

    Code:
    sudo apt-get -y install apache2 php5
    Setp 2: Download and configure the wui (Web User Interface)

    Code:
    cd /var/www
    sudo wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
    sudo tar xvf ossec-wui-0.3.tar.gz
    sudo rm ossec-wui-0.3.tar.gz
    sudo mv ossec-wui-0.3 ossec
    cd into the ossec directory and install ossec

    Code:
    cd /var/www/ossec
    sudo ./setup.sh
    As the wui is installed you will be asked a user name and password. Enter the user name and password of your choice.

    Set the proper permissions of the ossec directory:

    Code:
    sudo chown -R www-data.www-data /var/www/ossec
    Add www-data to the ossec group

    Code:
    sudo nano /etc/group
    Find the ossec line (most likely at the bottom of the file) and add www-data to the ossec group

    ossec:x:1001:www-data
    Save and exit nano

    Set the permissions of /var/www/ossec/tmp

    Code:
    sudo chmod 770 /var/www/ossec/tmp
    sudo chgrp www-data /var/www/ossec/tmp
    Restart apache

    Code:
    sudo service apache2 restart
    Open the page with firefox and go to the ossec directory

    http://localhost/ossec
    http://ip_address/ossec

    As is typical of HIDS, be prepared to read up on any alerts you receive from OSSEC.

    Restricting access to the ossec-wui

    1. Using Apache.

    Edit your Virtual Host. Unless you defined a virtual host for ossec, the default is /etc/apache2/sites-available/default

    Under the section <Directory /var/www> edit the following lines :

    From
    Order allow,deny
    allow from all
    To

    Code:
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    Restart Apache

    Code:
    sudo service apache2 restart
    2. With iptables

    One line (assuming your default policy is ACCEPT):

    Code:
    sudo iptables -A INPUT -p tcp -m tcp --dport 80 ! -s 127.0.0.1 -j DROP
    3. As an alternate to iptables, simply enable ufw

    Code:
    sudo ufw enable
    That will block incoming requests to apache (connections from localhost are allowed).

    4. If you connect to the ossec wui, from an external client, especially over the internet, I highly advise you use ssl (https) and password protect the ossec directory.

    There are several tutorials on the internet including the Ubuntu wiki is, IMO, a nice start.

    Apache documentation Authentication, Authorization and Access Control

    5. If you do NOT have access to the apache configuration file , use .htaccess :

    Password protecting a directory with Apache and .htaccess

    Apache Web Login Authentication

    Apache Tutorial: .htaccess files

    In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.
    Back to top
    Last edited by bodhi.zazen; February 15th, 2011 at 11:06 PM.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  4. #4
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Host-based Intrusion Detection Systems (HIDS)

    OpenVAS

    OpenVAS (Open Vulnerability Assessment System) is, as the name implies, is used for vulnerability testing rather then a method of monitoring your host for changes.

    OpenVAS is feature rich and this post will get you started, see the online documentation for additional details.

    Install the OpenVAS server and client

    Openvas is in the Ubuntu 10.04 repositories.

    Code:
    sudo apt-get -y install openvas-server openvas-client nikto
    The installation process will configure (server) certificates, but will not make an openvas user certificate.

    wapiti and w3af were problems, you may have to run them manually.

    The default icon is ugly, I downloaded and used this one.

    Create a user

    Code:
    sudo openvas-adduser
    Add a user and assign a password. You can either leave the roles blank or assign roles (see man openvas-adduser). Roles define which hosts a user is allowed to audit.

    Syntax:
    accept host_ip
    accept host_name
    accept netmask
    default deny

    For example, these rules restrict the audits to your LAN.
    Code:
    accept 192.168.0.0/24
    default deny
    In a nutshell, a Role == what host you are allowed to scan.

    If you wish to use user certificates you will need to generate them yourself.

    Update rules

    Code:
    sudo openvas-nvt-sync
    The command failed for me, I downloaded the update from

    http://www.openvas.org/openvas-nvt-feed-current.tar.bz2

    I extracted the contents (be warned, they are not packaged neatly, I suggest you extract them into a directory).

    Copied the *.nasl to /var/lib/openvas/plugins/

    (Re)Start openvas

    Code:
    service openvas-server start & #Yes, I needed the &
    Scan the host (you can only scan a host that has openvas-server installed).

    Openvas client

    Command line:

    The file hostname.txt must exist

    Code:
    echo openvas_server_ip_address > openvas_hostname.txt
    Syntax :
    openvas-client -q hostname port user password hostname.txt results.html -T html
    For example :

    Code:
    echo 127.0.0.1 > localhost.txt
    openvas-client -q localhost 127.0.0.1 bodhi bodhi's_password localhost.txt results_localhost.html -T html
    View the results with

    Code:
    firefox results_localhost.html
    GUI tool

    Open the client

    Applications -> Internet -> OpenVAS client

    Connect (use the connect icon) -> enter user name and password

    Start a scan

    File -> scan assistant

    Back to top
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Host-based Intrusion Detection Systems (HIDS)

    Alternates to OSSEC / OpenVAS

    OSSEC / Openvas not your cup of tea ? You could consider one of these alternates:

    Bastille - Ubuntu Wiki Bastille . Take care, bastille can lock you out of your own system and can be difficult to reverse changes. In addition it is somewhat dated and needs to be customized for Ubuntu.

    Nagios - Nagios

    Nessus - Nessus

    Osiris - Osiris (last update 2007) .

    Samhain - Samhain (Beltane is the web interface). The samhain client is in the Ubuntu repositories (and works fine), but if you wish to use the server (yule) and Beltane you have some serious reading to do.

    Zenoss - Zenoss

    Install / Download / Run the vulnerability tools manually.

    Back to top
    Last edited by bodhi.zazen; May 9th, 2010 at 06:10 AM.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #6
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Host-based Intrusion Detection Systems (HIDS)

    Tiger

    Tiger is my next favorite HIDS tool as it performs a security audit as well as several security checks including john the ripper (checks for weak passwords), scanning your system for listening "back door" ports, and chkrootkit. Output can be formatted in a HTML document, which you may then open with any browser.

    Features:

    1. Runs chkrootkit.
    2. Gives options for hardening your installation.
    3. The built in help / information for tiger alerts (tigexp) is, IMO, superior to some of the other options.

    Home page: http://www.nongnu.org/tiger/

    Please READ the "README" files !!!!

    tiger README
    tiger USING file
    tiger README.hids

    man tiger

    Install tiger

    Code:
    sudo apt-get install tiger
    Note: This will install john and ckrootkit as well.
    Note: John does not work with the default Ubuntu password hashes (sha-512).

    Run tiger

    Code:
    sudo tiger -H
    tiger takes some time and appears to hang at the (output) line:

    Performing system specific checks ...
    Let it run ...

    Tiger will generate a long list of suggestions for your investigation.

    To view the output (it is a bit of an effort):

    Code:
    sudo bash -c "cp /var/log/tiger/security.report.* /home/bodhi
    sudo chown bodhi.bodhi /home/bodhi/security.report.*
    Change "bodhi" to your user name.

    Then view with Firefox:

    Code:
    firefox security.report.<tab>
    <tab> == Use the tab key for tab completion ^^

    To see an explanation of a warning or alert, use tigexp. The syntax is tigexp alert_code

    For example :

    bodhi@lucid:~$ tigexp pass014w

    The listed login ID is disabled in some manner ('*' in passwd field, etc),
    but the login shell for the login ID is a valid shell (from /etc/shells
    or the system equivalent). A valid shell can potentially enable the
    login ID to continue to be used. The login shell should be changed to
    something that doesn't exist, or to something like /bin/false.

    Etiquette: If you are going to run these tools, please read the documentation (FAQ / README ) and perform a google search on the results of alerts or warnings before posting on the forums.

    You may review the security audit and decide for yourself if you wish to implement any of the suggestions (knock yourself out ... ).

    Back to top
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  7. #7
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Host-based Intrusion Detection Systems (HIDS)

    Chkrootkit

    chkrootkit is a HIDS tool that scans your computer for possible root kits. It is one of the most popular rootkit scanners on these forums.

    Home page: http://www.chkrootkit.org/

    chkrootkit FAQ

    man chkrootkit

    Install chkrootkit

    Code:
    sudo apt-get install chkrootkit
    Run chkrootkit

    Code:
    sudo chkrootkit
    The output should all read "not found" and / or "not infected"

    As with all these tools false positives are common, use Google to search for suspicious results.

    Etiquette: If you are going to run these tools, please read the documentation (FAQ / README ) and perform a google search on the results of alerts or warnings before posting on the forums.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  8. #8
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Host-based Intrusion Detection Systems (HIDS)

    Rkhunter

    rkhunter is the next most common HIDS tool. This tool is command line only and the output is to the terminal and a log file.

    Home page : http://rkhunter.sourceforge.net/

    rkhunter FAQ

    man rkhunter

    Run rkhunter

    Code:
    sudo rkhunter -c
    Interpreting the Output of rkhunter

    You will see a number of tests, output of "[ OK ] " is good.

    Warnings are exactly that, warnings and not necessarily problems. You should not either panic or ignore them, you should investigate to see if they are "normal" for your system.

    Results of the scan are in /var/log/rkhunter.log

    Code:
    gksu gedit /var/log/rkhunter.log
    Google search any warnings or alerts.

    Etiquette: If you are going to run these tools, please read the documentation (FAQ / README ) and perform a google search on the results of alerts or warnings before posting on the forums.

    Back to top
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  9. #9
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Host-based Intrusion Detection Systems (HIDS)

    Clamav

    - A brief word about virus / spyware scanners -

    In Linux there are no known active viruses and user cases for antivirus scanners include :

    1. If you are running a file server (mail server, FTP, Samba, NFS, etc) and serve windows clients you might scan all uploaded files for viruses.

    2. As a netizen you may wish to scan files you receive or give (mail, usb device, etc) windows users.

    3. You wish to scan / clean a Windows partition of viruses.

    Overview of Antivirus software on Ubuntu Keep in mind, IMO, the strongest proponents of many of these tools are either new to Linux or trying to sell you something.

    I have never seen spyware on Linux nor have I seen a Linux spyware scanner/removal tool.

    Clamav is one of the more popular and IMO easiest to use Linux virus scanner. In addition clamav has the ability to run in daemon mode. This is, IMO, particularly useful on servers. Clamav can also interface with dansguardian and scan web content for viruses.

    While this last feature is beyond this long series of posts, see Squid Proxy Server On Ubuntu 9.04 Server With DansGuardian, ClamAV, And WPAD (Proxy Auto-Detection)

    Clamav Home page

    Clamav wiki

    clamav FAQ

    Ubuntu wiki ClamAV


    Install clamav

    Code:
    sudo apt-get install clamav
    Update virus definitions

    Code:
    sudo freshclam
    Scan with clamav

    Syntax : sudo clamscan -r directory_to_scan

    You do NOT need sudo if you own the files to be scanned.

    Scan home directories

    Code:
    sudo clamscan -r /home
    Scan flash drive (change "/media/disk" to the mount point of the usb device

    Code:
    sudo clamscan -r /media/disk
    Scan the entire system

    Code:
    sudo clamscan -r /
    Remove "infected files"

    Code:
    sudo clamscan -r /home --remove
    Note: clamav deletes infected files IT DOES NOT REMOVE or CLEAN THE "virus" FROM THE FILE. Take care not to delete / remove files without researching if they are infected (same with any OS).

    Running clamav as a daemon

    clamav can be installed on mail / samba servers and run as a daemon.

    Install clamav-daemon

    Code:
    sudo apt-get install clamav-daemon
    Then run as a daemon

    Code:
    sudo clamav-daemon -r /home
    You may also use the --remove option with clamav-daemon


    Graphical front ends

    You may scan your user directory or removable devices as a regular user. To scan system files or update virus definitions you will need to run these tools as root.

    klamav - klamav is a KDE application but runs on gnome and xfce.

    Installation:

    Code:
    sudo apt-get install -y klamav
    klamav is in your menu under Applications -> System tools

    If you wish to scan system files you will need to run klaav as root.

    Code:
    gksu klamav




    clamtk - a gtk application

    Home page: http://clamtk.sourceforge.net/

    http://downloads.sourceforge.net/pro...ror=hivelocity

    Check the home page for more recent versions.

    Install

    Code:
    wget http://downloads.sourceforge.net/project/clamtk/ClamTk/4.25/clamtk_4.25-1_all.deb?use_mirror=hivelocity
    sudo dpkg -i clamtk_4.25-1_all.deb
    sudo apt-get install -f
    clamtk is in the menu under

    Applications -Accessories -> Virus Scan

    To run as root:

    Code:
    gksu clamtk




    Clamav Test Files

    If you wish to test clamav, install the test files and re-scan.

    Code:
    sudo apt-get install -y clamav-testfiles
    Then run clamscan, or one of the graphical tools, and scan /

    Note: If you run from the command line you will see you have 4 infected files, but the listing of the files is lost in the output.

    Code:
    sudo bash -c "clamscan -r / 2>/dev/null | grep -v OK | grep -v Empty | grep -v Excluded
    Additional information

    1. clamav is maintained in backports, so you may wish to enable the backports repository.

    2. There is also a ppa for clamav . New versions of clamav are available in the ppa first -> then if stable backports. see MOTU - clamav

    3. clamav has an apparmor profile. To enable it :

    Back to top
    Last edited by bodhi.zazen; May 9th, 2010 at 06:24 AM.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •