# Proper procedure on intrusion-detection?



## bmildh (May 18, 2009)

Hi!

I was not sure where to put this, so I do apologize if this is a little off-topic.

I'm still new to FreeBSD but I'm already totally hooked. I love it. 

By chance, I happened to take a look at the file:

`/var/log/auth.log`

I noticed there were quite a few entries where sshd reported:


```
Invalid user foo from xx.xx.xx.xx
```

The list reports all kinds of usernames from different IP addresses. I did a "whois" lookup on some of these addresses and they're coming from all over. So, eh, anyway, I was wondering, what does one do in cases like this? Report it to the abuse department of the owner of the IP addresses? Something else? Nothing? Learn from it? Is there a "best practice" or something?

Sincerely


----------



## DutchDaemon (May 18, 2009)

You'll never see the end of it, there are tens of millions of compromised systems, controlled by dozens of botnet operators. Most abuse desks have no idea where to start or what to do.

Install a bruteforce-blocker and let it feed your firewall, or use the firewall to open up ports to selected IPs only.


----------
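What a brute-force blocker does with the `Invalid user ... from ...` lines quoted in the first post, reduced to its counting step. This is an added example, not part of any post in this thread and not the code of any particular blocker; the function names `offenders` and `sample_log`, the default threshold of 3 and the log lines (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# offenders [THRESHOLD] < auth.log
# Prints "count ip" for every source with at least THRESHOLD
# "Invalid user" lines from sshd, busiest source first.
offenders() {
    awk -v min="${1:-3}" '
        # Match only sshd lines of the form quoted in the thread.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Invalid" && $7 == "user" {
            # The username is chosen by the remote side and may contain
            # spaces or the word "from", so the address is located
            # relative to the END of the line, never the first "from".
            if ($(NF-1) == "port") { ip = $(NF-2); kw = $(NF-3) }
            else                   { ip = $NF;     kw = $(NF-1) }
            # Count only values that look like a dotted-quad address.
            if (kw == "from" && ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input. The fifth line carries a username that embeds
# a second address; it must be charged to the real source at the end.
sample_log() {
cat <<'EOF'
May 18 03:12:01 host sshd[1101]: Invalid user foo from 192.0.2.10
May 18 03:12:03 host sshd[1102]: Invalid user admin from 192.0.2.10
May 18 03:12:05 host sshd[1103]: Invalid user test from 192.0.2.10
May 18 03:15:40 host sshd[1110]: Invalid user oracle from 198.51.100.7
May 18 03:16:02 host sshd[1111]: Invalid user x from 203.0.113.99 from 192.0.2.10
May 18 04:00:00 host sshd[1120]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
May 18 04:10:00 host sshd[1130]: Invalid user guest from 198.51.100.7 port 40122
EOF
}

sample_log | offenders 3
```

On a real host the input would be `/var/log/auth.log`, and the resulting addresses are what gets fed to the firewall, for example into a pf table with `pfctl -t <table> -T add <ip>` (table name is a placeholder).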



## vivek (May 19, 2009)

Install software as suggested by above poster.

Configure firewall and grant limited access to ssh and other services.

Change SSH port.

Configure public keybased login for ssh.

Install host-based intrusion detection system such as AIDE.

Use jails for httpd, smtpd, mysqld services. 

Watch log files and read email. FreeBSD sends security audit reports via cron. You can also use software like logwatch to get detailed information.

Secure root account and only grant admin level access via sudo.

Run the kernel at the highest security level when everything is configured properly by setting kern.securelevel.

Put limits on disk usage, email usage, network sockets, open files etc. 

Read security man page for all basic info.
security()


----------



## Oko (May 19, 2009)

vivek said:

> Install software as suggested by above poster.
> 
> Configure firewall and grant limited access to ssh and other services.
> 
> ...



I like this list so let's make it more complete.

Carefully use flags (schg) on your server before you change the security level to two.

Be clever about fstab and partition in general. Most things can be mounted as read only noexec. 

Do not install compiler on your server. 

Make sure the time and history can not be reset on your server.

Map the directory hierarchy (mtree) onto a floppy disk which you will carry with you, and make sure you check the hierarchy on your server against the one on the floppy on a regular basis.

Make sure you do not have any unnecessary service running on your server (ntpd, inetd come to mind).

Encrypt at least the swap partition, possibly even more things.

Increase the minimum length of passwords.

Choose your ISP wisely. Make sure that its DNS servers are secure. You might want to look into OpenDNS as an alternative.

Learn how to use MAC control. 

Finally, make sure that nobody, absolutely nobody, has physical access to your hardware.


----------



## bmildh (May 19, 2009)

*Thanks for the feedback*

Hi!

Appreciate the feedback. There's a lot of good pointers there. I have much studying to do.


----------



## SirDice (May 19, 2009)

Oko said:

> Encrypt at least Swap partition possibly even more things.


Do realise this will only protect you from _physical_ theft. It does nothing to protect you against a network based attacker.


----------



## DutchDaemon (May 19, 2009)

Nice lists indeed. Would any one of you be inclined to turn the list into a nice itemised and linked (to man files, handbook articles, etc.) article in the HOWTO section?


----------



## vivek (May 19, 2009)

DutchDaemon said:

> Nice lists indeed. Would any one of you be inclined to turn the list into a nice itemised and linked (to man files, handbook articles, etc.) article in the HOWTO section?



http://forums.freebsd.org/showthread.php?p=24680


----------



## DutchDaemon (May 19, 2009)

Nice, good work.


----------



## SirDice (May 19, 2009)

Looks good, just a few notes. I'll drop 'm here as to not clutter the howto :e

For the port tag to work it must also include the directory. So it's security/sshguard etc..

You can use the man tag to point to man pages, i.e. man(1).


----------



## DutchDaemon (May 19, 2009)

And the 'pman' tag to point to port man pages.


----------



## Oko (May 19, 2009)

SirDice said:

> Do realise this will only protect you from _physical_ theft. It does nothing to protect you against a network based attacker.


Do you even read my posts before trying to flame me?

The last thing on my list was never, ever allow physical access to your hardware. Encryption was not there to protect you from physical theft. Read my list very carefully. Encrypting swap will help you against your own rogue users who can extract information from swap.

Oh by the way I just realized you said another stupid thing. *You think* that
encryption *will protect you* from physical theft. Please let me have a hold of
your encrypted HDD (with Geli or whatever crap you might be using) and you will see how it will protect you.


----------



## vivek (May 19, 2009)

I will update the howto later on. I wasn't aware of port tag and man tag issue.


----------



## SirDice (May 19, 2009)

Oko said:

> Do you even read my posts before trying to flame me?


Yes, and it wasn't a flame, just a side note. I've seen many people encrypting their drives thinking it protects them against malware. Which is silly if you think about it.

I've been told the Dutch can be quite direct and to the point. Sorry about that but I'm not going to change anytime soon 



> Oh by the way I just realized you said another stupid thing. You think that
> encryption will protect you from physical theft. Please let me have a hold of
> your encrypted HDD (with Geli or whatever crap you might be using) and you will see how it will protect you.


There once was a time when people thought DES was safe and more recently MD5 (not really an encryption but you get my point). Encryption schemes get broken all the time. Sure it'll be safe now, at least as far as we know (who knows what the NSA is capable of?), but in the long run it'll be broken just like everything else.


----------



## Oko (May 19, 2009)

SirDice said:

> I've been told the Dutch can be quite direct and to the point. Sorry about that but I'm not going to change anytime soon


Just like Serbian


----------



## SirDice (May 19, 2009)

Oko said:

> Just like Serbian



I don't know, up until now I've never met one :e


----------



## vivek (May 20, 2009)

I've fixed port and man page issue. Also, added list for Apache and BIND9 dns. 

HTH.


----------



## chaseepoch (Jan 16, 2012)

*Some fair time later...*

Even though it is years later, I would like to see Oko put his proverbial money in the rather loud hole in his face regarding decrypting a drive or getting around geli or whatever claim he would like to phrase he was there making.

I just had a chuckle.


----------



## SocialHaze (Jan 17, 2012)

To respond to the OP's question... it's not really a cause for concern but it is a reality that some people craft software to scan well known ports and attempt connections.

Every server process has ways to prevent unauthorized access, from IP-level access control, to shared secrets and multi-layer schemes implementing cryptographic certificates.  For instance, SSHd supports security certificates, username/password authentication and IP-level access control that can actually be combined to grant access only to jsmith from 192.168.10.123 if he possesses a security certificate that descends from the server's own certificate.  Apache has similar mechanisms as does MySQL and most other daemons.

These processes, in turn, run in varying levels of sandboxing on the host OS, from simple user/group access control to more complex jailing and multiplexing to prevent cross-contamination in case one process is indeed compromised.  Data channels are also often filtered and defended with encryption for drives and pipes, with routing information for network packets.

As someone else mentioned, you then need to physically protect your data... with encrypted filesystems and other physically-implemented security measures such as booting the OS from a read-only media.

Computer security is a science unto itself and every day new vulnerabilities are found, flaws in implemented and accepted concepts are exploited, trust chains are broken.

Should you report these people?  That's up to you.  Most attackers are unaware that they are, they simply use an infected device.  If you report them, it creates a load on the ISP or law enforcement's manpower and resources, it can create a financial and psychological burden for the unknowing perpetrator if they have to bring their machine to a shop to get it formatted... it can be a kid in the dark in his bedroom "trying to get in" and who can't really be prosecuted.

You must also ask yourself: Is your data worthwhile?  Does anyone really care about your downloaded music, your spam and your lack of a calendar, or does your system host dynamic web pages that are served to a lot of people and where an attacker could profit from access to your database or by tampering with your data or perhaps research and development data of a 10 year-old project that several of your competitors would love a peek into.

Paranoia should always be commensurate to the value of the data, unless you plan on making it your day job.  Computer security can go very far and prosecution can get very serious if you're a big enough player.

My direct advice is to ignore these attempts unless they seem to follow a pattern, such as always originating from the same ISP, being of the same nature, occurring at the same time or are very frequent and repetitive such as in a brute force attack.

Intrusion detection is another thing entirely.  You have to monitor data channels for certain patterns, you should also use quotas, to ensure no one actually unloads your hard drive without you knowing and resources should be monitored in case a trojan is present... you also usually should rely on a particular security device to monitor the other ones, such as a dedicated gateway for internet-based intrusion and remote logging and local sniffing to monitor your own local network.

For the common of mortals, a $30.00 router with a good WPA-2 key, a relatively decent security suite, keeping clean computer usage habits and letting the company ensure work-related security is sufficient security.  If you buy all your software and keep legit, technically you should never be infected, never be compromised and no one should actually care about your data anyway.  It can also be seen as a marketing ploy to hog computer resources with bloated security suites and scare people into purchasing software from marketplaces... but I digress.

Computer security has very deep ramifications and in today's society could very well be what really keeps the world from entering into chaos... but I digress again.

If you're comfortable enough to mess with openssl I suggest you generate certificates for yourself and your server, about 4096 bits long and valid until 2015, when you should likely upgrade to a 6KiB-long key.  After that a new technology will likely be implemented as the key will become too large to be really useful.  I think that certain military, paramilitary and rogue organization groups' clusters can break a 1KiB key in about 20 minutes these days.

But anyway cell phone cameras are so tiny and it'd just be easier for me to just film you type in your password at StarBucks or send you a hot date to drop some LSD in your drink before bed before asking you a few questions... yes, I do have a tinfoil hat, but I'm not wearing it right now.


----------



## chaseepoch (Jan 17, 2012)

Considering the profound design flaws in some operating systems, the record of people involved in computing security and their connections to some very "black hat" entities, the fact that purchased software is frequently detrimental to the system and a myriad of other factors, I would contend that "buy all your software legit" and having faith in the apparent product of a system with a vested interest in computers lacking security is no peace of mind and far from a data security strategy. Moreover, no data can be secure as long as the computer storing it is connected to others, can be connected to others, can be accessed by anyone who isn't the person who owns the data, or could be stolen. Insofar as we keep finding new ways to complexify data security, it is ultimately only a game of contended escalation. The idea that when soldiers bring guns, their opponents will turn to rockets is more than allegorical in a figurative sense. That would be a fallacy of logic if it were not historically referent in this case (see the history of DARPA and Soviet cryptographic espionage for an easy example and any other technological pissing contest you can think of in the last century or so).

All the cryptography in the world won't ultimately save you, but as it stands, breaking through 128-bit encryption or higher is exceedingly difficult. It becomes a question of how much exposure you are giving to those who would seek to access the data concerned and the best way to avoid that is to take basic security measures, keep your nose clean, maintain the system and to the degree possible stay off their radar. In all reality, the likelihood of someone taking interest in a private user who does not have something massive to lose is microscopic in scope and the paranoia around data security in personal computing has mostly been generated by the over-hyped horror stories of people who made obviously bad choices in interacting with the technology, when one gives their situation half a second's thought. Add Windows to the mix, encourage people to be helpless and excessively paranoid and we have the fine mess of profiteering opportunism and media shitstorms that we see today. 

Granted, there are majorly unaddressed areas of consumer data security, but I hardly think that computer security is what keeps the world from descending into chaos, considering throughout history we have found a way to adapt to our technologies, some far more radical, without losing governance or social cohesion. Recommending solidly common-sense measures and educating the population at large, without the theatrics is probably more productive, and perhaps it is time we retired terminologies like "infection" for systems that have been actively compromised by a user and not simply an embedded program or malicious user-installed software. The OP didn't seem too concerned with their system being endemically compromised, either, so the tone may be a bit overboard to use conditions with an internal locus of propagation to describe the problems with their system. It is fairly easy to keep people out of your system, if you are willing to learn a new trick or two (potentially) and take the necessary steps (which takes a couple of hours at best).


----------



## Migelo (Mar 13, 2014)

*Re:*



			
vivek said:

> DutchDaemon said:
> 
> 
> 
> ...



Reading this thread 5 years later and found out that this link isn't working. I would very much like to have a good read about security, where has it been moved?


----------



## SirDice (Mar 14, 2014)

The forum software was migrated a while back, that broke a lot of the old links. I think it's this one: viewtopic.php?f=39&t=4108


----------

