Open Source IDS

Scot L. Harris webid at cfl.rr.com
Tue Feb 22 01:24:01 UTC 2005


On Mon, 2005-02-21 at 19:58, Michael Leung wrote:
> Hi all,
>    I am trying to improve the security of my server. Does anyone know if
> Fedora Core 3 comes with any IDS? Or can you recommend to me any IDS
> which is easy to install and config?

There are a couple of different types of IDS tools available.  You can
get tripwire and chkrootkit or rkhunter.  These tools look for
indications that your system has been compromised.  Tripwire is very
good although a little configuration intensive when you first set it
up.  Tripwire monitors specified files for any kind of changes.  You can
configure a report in cron to run periodically that shows any changes
that have occurred on your system.  chkrootkit and rkhunter look for
actual signs of common rootkits, files, permissions, that sort of
thing.

Another is snort.  This tool looks at network traffic and can be
configured to look for suspicious packets and such.  Rules can be
written to auto block sites that suspicious activity originates from.
Another is portsentry.

It all depends on what you want to set up.  tripwire and its like will
detect stuff after it happens no matter if the user is at the console or
came in from the network.

Portsentry and snort look at it from the network side and can be a
little proactive as they can be configured to block connections as soon
as something odd is detected.  But be careful.  Such tools can be used
to DoS your own box if someone figures out what you are running and the
rules used to trigger it.


-- 
Scot L. Harris
webid at cfl.rr.com

I've run DOOM more in the last few days than I have the last few
months.  I just love debugging ;-)
(Linus Torvalds) 
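The tripwire-style workflow Scot describes (take a baseline of specified files, re-scan from cron, report what changed) in miniature. This is an added example, not Tripwire's own code or anything from the list post; the JSON baseline file, the choice of SHA-256, and the attribute set (hash, size, mode, uid, gid) are this example's assumptions, and the temp directory tree the demo tampers with is constructed here.

```python
"""Tripwire-style file integrity checker: baseline, re-scan, report changes.

Added example, not Tripwire's code. Baseline format, hash choice and the
tracked attributes are assumptions; the demo tree is constructed below.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots: List[str]) -> Dict[str, dict]:
    """Record hash and metadata for every regular file under the given roots."""
    snap: Dict[str, dict] = {}
    for root in roots:
        if os.path.isfile(root):
            candidates = [root]
        else:
            candidates = [os.path.join(d, n)
                          for d, _, names in os.walk(root) for n in names]
        for p in candidates:
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed
            snap[p] = {"sha256": sha256_of(p), "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode),
                       "uid": st.st_uid, "gid": st.st_gid}
    return snap


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> dict:
    """Diff two snapshots: added/removed paths, and which attributes changed."""
    report = {"added": [], "removed": [], "changed": []}
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            report["added"].append(p)
        elif p not in current:
            report["removed"].append(p)
        else:
            diffs = [k for k in baseline[p] if baseline[p][k] != current[p][k]]
            if diffs:
                report["changed"].append((p, diffs))
    return report


def save_baseline(snap: Dict[str, dict], dest: str) -> None:
    # Keep the real baseline off-host or on read-only media: whoever can
    # rewrite it can hide every change from the report.
    with open(dest, "w") as f:
        json.dump(snap, f, indent=1)


def load_baseline(src: str) -> Dict[str, dict]:
    with open(src) as f:
        return json.load(f)


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, report the diff."""
    top = tempfile.mkdtemp()
    try:
        etc = os.path.join(top, "etc")
        os.mkdir(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "shadow"), "w") as f:
            f.write("root:*:0:0:99999:7:::\n")
        os.chmod(os.path.join(etc, "shadow"), 0o600)

        baseline_path = os.path.join(top, "baseline.json")
        save_baseline(snapshot([etc]), baseline_path)  # done once, at install time

        # Simulated tampering between runs: line appended, file removed,
        # permissions loosened, and a file the baseline never saw.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("extra:x:0:0::/:/bin/bash\n")
        os.remove(os.path.join(etc, "hosts"))
        os.chmod(os.path.join(etc, "shadow"), 0o644)
        with open(os.path.join(etc, "newfile"), "w") as f:
            f.write("unexpected\n")

        # The periodic cron step: load stored baseline, re-scan, compare.
        report = compare(load_baseline(baseline_path), snapshot([etc]))
        rel = lambda p: os.path.relpath(p, top)
        return {"added": [rel(p) for p in report["added"]],
                "removed": [rel(p) for p in report["removed"]],
                "changed": [(rel(p), d) for p, d in report["changed"]]}
    finally:
        shutil.rmtree(top)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The report distinguishes a content change (hash and size moved) from a permissions-only change (only mode moved), which is the kind of detail a cron-mailed report needs so the admin can tell an edited config file from a chmod.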


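Scot's warning about snort/portsentry auto-blocking being turned against your own box is a design point worth showing in code. This is an added example, not snort's or portsentry's code; the threshold, sliding window, temporary expiry and the never_block list are this example's own choices, and the addresses are constructed from the RFC 5737 documentation ranges. The three safeguards it demonstrates are the ones a defender wants before enabling automatic blocking: a rate threshold rather than a single trigger, a list of addresses the host cannot function without that are never blocked no matter what traffic claims to come from them, and blocks that expire rather than accumulating forever.

```python
"""Auto-block with safeguards so the IDS cannot be used to DoS the box itself.

Added example, not snort's or portsentry's code. Threshold, window, expiry
and never_block are assumptions; demo addresses are constructed (RFC 5737).
"""
import ipaddress
from collections import defaultdict, deque
from typing import Dict, Iterable


class AutoBlocker:
    def __init__(self, threshold: int = 5, window: float = 60.0,
                 block_seconds: float = 600.0, never_block: Iterable[str] = ()):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        # Addresses the host cannot live without (gateway, DNS, admin net).
        # Source addresses are spoofable, so events carrying these as source
        # must never be able to lock them out.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.events: Dict[str, deque] = defaultdict(deque)
        self.blocked: Dict[str, float] = {}  # ip -> expiry time

    def _protected(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def observe(self, ip: str, now: float) -> bool:
        """Record one suspicious event from ip at time now; return whether ip is blocked."""
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) >= self.threshold and not self._protected(ip):
            # Temporary block: bounds the damage from a spoofed trigger or a
            # false positive, instead of a permanent entry in the firewall.
            self.blocked[ip] = now + self.block_seconds
        return self.is_blocked(ip, now)

    def is_blocked(self, ip: str, now: float) -> bool:
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]  # block has expired
            return False
        return True


def demo() -> dict:
    b = AutoBlocker(threshold=5, window=60, block_seconds=600,
                    never_block=["192.0.2.1/32", "192.0.2.8/29"])
    # 1) a noisy source trips the threshold and is blocked, but only for a while
    scanner = "203.0.113.7"
    for t in range(5):
        b.observe(scanner, now=float(t))
    # 2) the same burst claiming to come from the gateway: never blocked
    gateway = "192.0.2.1"
    for t in range(5):
        b.observe(gateway, now=float(t))
    # 3) events too spread out to reach the threshold inside the window
    slow = "198.51.100.9"
    for t in range(0, 400, 100):
        b.observe(slow, now=float(t))
    return {"scanner_blocked_now": b.is_blocked(scanner, 10.0),
            "scanner_blocked_later": b.is_blocked(scanner, 4.0 + 600.0),
            "gateway_blocked": b.is_blocked(gateway, 10.0),
            "slow_blocked": b.is_blocked(slow, 400.0)}


if __name__ == "__main__":
    print(demo())
```

The protected list is the important part: an auto-blocker that will happily firewall off your own default gateway or DNS server on the strength of a few packets whose source address anyone can forge is exactly the self-inflicted DoS the post cautions about.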