Host-based Intrusion Detection Systems (HIDS)
Intrusion detection can be divided into three broad categories: NIDS, HIDS, and vulnerability scans. In this post I will review several options for HIDS and OpenVAS (a vulnerability scanner). If you want information on NIDS, see the NIDS sticky.
Most Windows users are familiar with HIDS; examples include virus and spyware scanners. A HIDS monitors system files and detects unauthorized changes and known threats / malware.
Many Linux users may feel these tools are of limited utility because:
1. These tools are notorious for quirks, hiccups, and "the sky is falling" alerts. As with the boy who cried wolf, excessive warnings and false positives tend to get ignored.
2. These tools detect only known vulnerabilities and thus do not protect against "zero day" exploits. Known vulnerabilities are generally patched rapidly in Linux, so many people are of the opinion that keeping their systems up to date is sufficient and that these tools are superfluous.
3. The majority of these tools are command line tools with limited, if any, graphical interface (web interfaces are more common). Some people tend to shy away from tools lacking a graphical interface.
4. Although every OS has potential security holes, many users find Ubuntu "secure enough" that additional measures are not warranted. For an overview of this mentality, see this discussion.
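To make the mechanism concrete (what "monitoring system files for unauthorized changes" means in practice, and how an ignore list keeps the false-positive noise from point 1 down), here is an added example; it is not code from this post or from any of the tools reviewed below, and the ignored directory list is an assumption.

```python
import hashlib
import os
import tempfile
# Added example (not from the post or any tool it reviews): a minimal
# file-integrity monitor of the kind a HIDS runs. It hashes every regular file
# under a root as a baseline; a later run reports files added, removed or
# modified. Trees in IGNORE (relative to root; an assumed list) are skipped
# so always-changing places such as logs do not bury real alerts in noise.
IGNORE = ("var/log", "var/cache", "tmp")

def sha256_of(path):  # hash in chunks so large files do not fill memory
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, ignore=IGNORE):
    # map each regular file under root (path relative to root) to its hash
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ignored = any(rel == p or rel.startswith(p + os.sep) for p in ignore)
            if ignored or not os.path.isfile(full):
                continue  # ignored tree, or not a plain file (socket, broken link)
            snapshot[rel] = sha256_of(full)
    return snapshot

def compare(baseline, current):
    # report which paths appeared, vanished, or changed content
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def write(root, rel, data, mode="wb"):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), mode) as f:
        f.write(data)

def demo():
    # constructed tree: a binary changes, a file appears, a log churns (ignored)
    root = tempfile.mkdtemp()
    write(root, "bin/ls", b"ls-v1")
    write(root, "var/log/syslog", b"boot")
    baseline = build_baseline(root)
    write(root, "bin/ls", b"ls-v2")                  # modified: should alert
    write(root, "bin/newtool", b"x")                 # added: should alert
    write(root, "var/log/syslog", b"\nmore", "ab")   # churn in an ignored tree
    return compare(baseline, build_baseline(root))
```

A real HIDS additionally stores the baseline somewhere the monitored host cannot silently rewrite it, since a baseline that lives beside the files it describes can be updated by whoever changed them.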
This post is for those who are interested in "learning the ropes" and will review HIDS tools. IMO it is best to try these tools out before you suspect your system is compromised.
Security is an advanced topic on any OS, requires knowledge of how the OS works, and comes with a steep learning curve (yes, you are expected to read). If you find these tools overwhelming, I suggest you start with the Security Sticky and come back to these tools when you are more comfortable with Linux, the command line, and/or have the time to work through the use of these tools.
Contents:
First steps
OSSEC
OpenVAS
Alternatives to OSSEC / OpenVAS
Tiger
chkrootkit
rkhunter
clamav
Etiquette: If you are going to run these HIDS/vulnerability tools, please read the documentation (FAQ / README) and perform a Google search on the results of alerts or warnings before posting on the Ubuntu forums. These tools have esoteric tendencies and support may be limited on the Ubuntu forums. Please see the various home pages / wikis and/or use the application-specific forums / mailing lists for support.
Discussion Thread - The discussion thread is for comments / feedback. Please do not use the discussion thread for support questions; start a support thread in the security forums instead.