# intrusion detection

## farmer.ro

```
#aide #snort #chkrootkit #netstat #iftop #htop #ufw #sudo #common sense #physical contact #reading log files #no software from outside the Gentoo repository #staying up to date #least privileges #secure browser #no script #add block
```

the next two questions rush through my mind:

Question: what does one have to do to have a secure Linux system? 

Question: how does one check the Linux System for network intrusion?

----------

## szatox

 *Quote:*   

> Question: what does one have to do to have a secure Linux system? 

 

Unplugging wires and putting the PC into a strongbox did the trick for me. I can't even access it myself anymore, so it must be secure enough.

More seriously, the system itself is a pretty tough target. You want to make sure you don't expose any vulnerable services to the world though.

Say, if you run SSH, you better use public-key authentication and completely block password login. 

If you have a web server, run it as a user without access to any files but those it's supposed to serve.

Basically look at the way you're going to use this machine, and ask yourself what could make a possible security issue. In most cases the answer is going to be "the user".

 *Quote:*   

> Question: how does one check the Linux System for network intrusion?

I dare say it's impossible to do that automagically, at least when speaking of a single machine. Rumour says sophisticated security systems that analyse behaviour of the whole datacenter exist and are more effective than single-machine scanners.

It is possible to detect _some_ attempts and mitigate the numbers a bit. Stuff like fail2ban does that. Tripwire may help too, though running it inside the system it's supposed to protect would mean it can be easily dismantled.

----------
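The SSH advice above (public-key authentication on, password login off) is easy to get subtly wrong, because an unset keyword falls back to its sshd_config(5) default and a later `Match` block can re-enable what the global section turned off. The script below is an added example, not code from the thread or from any of its posters: it audits an sshd_config text for exactly those settings. The three config files are constructed samples; the keyword semantics it relies on (first value wins, `Match` must come last, `PasswordAuthentication`/`PubkeyAuthentication`/`KbdInteractiveAuthentication` default to yes, `ChallengeResponseAuthentication` is the older alias) are from sshd_config(5).

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the two settings
# szatox recommends, public-key auth on and password login off.
# The config files below are constructed samples, not taken from real systems.

# sshd_effective KEY FILE -> prints the effective global value of KEY in lower case.
# sshd_config(5): the first value obtained for a keyword wins, so stop at the first
# hit, and also at the first Match block (global settings must precede Match).
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }             # comments and blank lines
        { sub(/=/, " ") }                          # accept the "Keyword=value" form
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# sshd_match_password FILE -> prints each Match block that turns password login back
# on; returns 1 if any was found.
sshd_match_password() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { block = $0; next }
        block != "" && tolower($1) == "passwordauthentication" && tolower($2) == "yes" {
            print "WARN: password login re-enabled in \"" block "\""; found = 1
        }
        END { exit found + 0 }
    ' "$1"
}

# sshd_audit FILE -> reports findings; returns 0 only when every check passes.
sshd_audit() {
    rc=0
    pubkey=$(sshd_effective PubkeyAuthentication "$1")
    passwd=$(sshd_effective PasswordAuthentication "$1")
    kbd=$(sshd_effective KbdInteractiveAuthentication "$1")
    chal=$(sshd_effective ChallengeResponseAuthentication "$1")
    # Unset keywords take the sshd_config(5) defaults: all three default to yes.
    [ "${pubkey:-yes}" = yes ] || { echo "FAIL: PubkeyAuthentication=$pubkey, want yes"; rc=1; }
    [ "${passwd:-yes}" = no ]  || { echo "FAIL: PasswordAuthentication=${passwd:-yes}, want no"; rc=1; }
    # With UsePAM, keyboard-interactive auth can still prompt for a password even when
    # PasswordAuthentication is no; ChallengeResponseAuthentication is the older alias.
    kbd_eff=${kbd:-${chal:-yes}}
    [ "$kbd_eff" = no ] || { echo "FAIL: KbdInteractiveAuthentication=$kbd_eff, want no"; rc=1; }
    sshd_match_password "$1" || rc=1
    [ "$rc" -eq 0 ] && echo "OK: $1 permits public-key authentication only"
    return "$rc"
}

tmpdir=$(mktemp -d)

# Constructed sample 1: a distro default; the password line is commented out, so
# the default (yes) still applies.
cat > "$tmpdir/default" <<'EOF'
Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
UsePAM yes
EOF

# Constructed sample 2: the hardened form the post describes.
cat > "$tmpdir/hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF

# Constructed sample 3: hardened globally, but a Match block re-enables passwords.
cat > "$tmpdir/match" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

for sample in default hardened match; do
    echo "--- $sample"
    sshd_audit "$tmpdir/$sample" || echo "audit failed"
done
```

On a live host, `sshd -T` prints the effective configuration with every keyword expanded, which is a simpler input for `sshd_audit` than the raw file; the file-based parser above is what you need when checking a config that has not been deployed yet.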

## Syl20

 *farmer.ro wrote:*   

> Question: what does one have to do to have a secure Linux system? 

 

You can do lots of things. And the more you do, the safer your system is. For example (there is no priority order below):

- delete, disable, or uninstall all you don't need (but make backups first!);

- take the time to understand how to secure your apps (there are plenty of tutorials for each of them on the web), and, of course, do it;

- make them produce all the logs you'd need;

- read these logs, or make one or more softs (like logwatch) parse them;

- keep your system up-to-date;

- give your users (real or not) as few rights as possible;

- configure and maintain a decent firewall; only open the minimum required, and make it produce logs;

- harden your system;

- read GLSAs, and apply their recommendations;

- install and use dedicated softs, like lynis, and apply their recommendations.

 *Quote:*   

> Question: how does one check the Linux System for network intrusion?

 

Logs are a good start. But you can also look for unknown processes, files, users, groups, open TCP/UDP ports... If you disabled all you don't need, that's easier.

Last, but not least: think about the worst. Consider that your system is really compromised. Are you able to quickly isolate it from your network? Are you able to retrieve all the stored data? To reinstall your system from scratch?

----------
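Syl20's "look for unknown users, groups, open ports" only works if you know what was there before, so the practical form is a saved inventory and a diff against it. The script below is an added example, not code from the thread or from any poster: it builds that inventory from a passwd file, a group file and a `/proc/net/tcp`-format socket table (ports there are hex, state `0A` is LISTEN), and compares it with a baseline. All input files are constructed samples; on a live host you would pass `/etc/passwd`, `/etc/group` and `/proc/net/tcp`. The caveat from szatox's post applies to the baseline too: keep it off the host, or an intruder who can edit `/etc/passwd` can edit the baseline as well.

```shell
#!/bin/sh
# Added example (not from the thread): inventory users, group memberships and TCP
# listeners, then diff the inventory against a known-good baseline.
# All sample files below are constructed; nothing is read from the running system.
export LC_ALL=C   # sort(1) and comm(1) must agree on collation

# listeners FILE -> "tcp <port>" for every socket in LISTEN state (st == 0A) in a
# /proc/net/tcp-format table. Ports are hex there; convert by hand so it works in
# any POSIX awk (strtonum is gawk-only).
listeners() {
    awk '
        function hex2dec(h,   i, n) {
            n = 0
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            return n
        }
        NR > 1 && $4 == "0A" { split($2, a, ":"); print "tcp " hex2dec(a[2]) }
    ' "$1" | sort -u
}

# uid0_accounts PASSWD -> every UID 0 account that is not root; there should be none.
uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# snapshot PASSWD GROUP NETTCP OUT -> sorted inventory written to OUT.
# Groups are recorded with their member list, so a new wheel member shows up too.
snapshot() {
    {
        cut -d: -f1   "$1" | sed 's/^/user /'
        cut -d: -f1,4 "$2" | sed 's/^/group /'
        listeners "$3"
    } | sort > "$4"
}

# compare BASELINE CURRENT -> prints "+entry" for new and "-entry" for vanished items;
# returns 0 when the inventories match, 1 otherwise. comm -3 marks lines unique to
# the second file with a leading tab.
compare() {
    changes=$(comm -3 "$1" "$2" | awk '/^\t/ { print "+" substr($0, 2); next } { print "-" $0 }')
    if [ -n "$changes" ]; then printf '%s\n' "$changes"; fi
    [ -z "$changes" ]
}

tmpdir=$(mktemp -d)

# Constructed baseline, taken while the box was known-good: sshd on 22, httpd on 80,
# one established ssh session (state 01, not a listener).
printf 'root:x:0:0:root:/root:/bin/sh\nwww:x:80:80::/var/www:/sbin/nologin\n' > "$tmpdir/passwd.base"
printf 'root:x:0:\nwheel:x:10:root\nwww:x:80:\n' > "$tmpdir/group.base"
cat > "$tmpdir/tcp.base" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    80        0 1002 1 0 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
EOF

# Constructed "today" state: a second UID 0 account, a new wheel member, and an
# unexpected listener on port 4444 (0x115C).
printf 'root:x:0:0:root:/root:/bin/sh\nwww:x:80:80::/var/www:/sbin/nologin\nsupport:x:0:0::/:/bin/sh\n' > "$tmpdir/passwd.now"
printf 'root:x:0:\nwheel:x:10:root,support\nwww:x:80:\n' > "$tmpdir/group.now"
cat > "$tmpdir/tcp.now" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    80        0 1002 1 0 100 0 0 10 0
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 100 0 0 10 0
EOF

snapshot "$tmpdir/passwd.base" "$tmpdir/group.base" "$tmpdir/tcp.base" "$tmpdir/baseline"
snapshot "$tmpdir/passwd.now"  "$tmpdir/group.now"  "$tmpdir/tcp.now"  "$tmpdir/current"
echo "--- changes since baseline"
compare "$tmpdir/baseline" "$tmpdir/current" || echo "inventory drifted"
echo "--- non-root UID 0 accounts"
uid0_accounts "$tmpdir/passwd.now"
```

The inventory deliberately covers only what the post lists and what a text diff handles well; files are better left to aide or Tripwire, which hash contents rather than listing names, and UDP listeners would need the same treatment applied to `/proc/net/udp` (state `07` there).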

