# A good intrusion detection setup?

## InsaneHamster

What kind of intrusion detection setup does everyone have?

I run iptables, ip6tables, arpwatch, logger with logsentry, chkrootkit, rkhunter. But I still fear entry, as it has happened before. Can anyone recommend different tools and other security procedures for my box beyond a hardened system?

I heard setting up a chroot jail for the browser is a good idea. How efficient is that if I were to enter malicious sites designed specifically for my system?

Also I'm debating putting a Gentoo firewall box in front of it and running it strictly as firewall and router. What's a good way to go?

----------

## desultory

 *InsaneHamster wrote:*   

> I heard setting up a chroot jail for the browser is a good idea. How efficient is that if I were to enter malicious sites designed specifically for my system?

They are out to get you; you need better security.

A chrooted web browser can be, deliberately or not, configured so as to provide essentially no additional security. 

Why would anyone tailor a malicious site for your specific system? It is quite unlikely that it would be worth the trouble. Is your system really that important or valuable? If it is, it should not be used for browsing untrusted, or really any, websites.

----------

## InsaneHamster

 *desultory wrote:*   

>  *InsaneHamster wrote:*   I heard setting up a chroot jail for the browser is a good idea. How efficient is that if I were to enter malicious sites designed specifically for my system? They are out to get you; you need better security.
> 
> A chrooted web browser can be, deliberately or not, configured so as to provide essentially no additional security. 
> 
> Why would anyone tailor a malicious site for your specific system? It is quite unlikely that it would be worth the trouble. Is your system really that important or valuable? If it is, it should not be used for browsing untrusted, or really any, websites.

 

Yes, I do browse untrusted websites which know me and where I come from (proxies are too slow), and they are very proficient at gaining access. Remember this is a Gentoo system configured by one user; I may not be the best, I'm only learning. Now I'm not paranoid, but there is a person out there who for some reason enjoys always hacking my box and is very good at it. The site is usually the origin, which I keep returning to because I want to test what works and what doesn't.

I refuse to accept the fact that a Gentoo Linux box will always be hacked when visiting a website. Gentoo is the fastest underwater swimming penguin, the most efficient and in my case the most nominal operating system to date.

Obviously it's my error in the setup. And even if they did use VMware, that's still networked into your box that it's running on.

Last edited by InsaneHamster on Sun Dec 24, 2006 9:32 am; edited 1 time in total

----------

## desultory

 *InsaneHamster wrote:*   

> Obviously it's my error in the setup.

 What, you use software with no bugs or other security holes?

I suggest that you try bastille (app-admin/bastille) and shut off scripting and unnecessary plugins, including Java, then try again if you must.

----------

## InsaneHamster

 *desultory wrote:*   

>  *InsaneHamster wrote:*   Obviously it's my error in the setup. What, you use software with no bugs or other security holes?
> 
> I suggest that you try bastille (app-admin/bastille) and shut off scripting and unnecessary plugins, including Java, then try again if you must.

 

Never heard of it; already emerging it, thank you. As far as my software goes, I'm 100% thinking my configuration of iptables (all modules), following of the security guide, plus the scanning tools; they can still get in through my router. I'm pretty sure they reflashed the uClinux on my router and within that are able to work their way in, be it through my security holes or exploits.

I cannot use any BitTorrent clients or LimeWire clients safely without being penetrated.

Last edited by InsaneHamster on Sun Dec 24, 2006 9:36 am; edited 1 time in total

----------

## desultory

 *InsaneHamster wrote:*   

> And even if they did use VMware, that's still networked into your box that it's running on.

 True, but it requires much more prowess (user or software) to escape a virtual machine than it does a chroot.

 *InsaneHamster wrote:*   

> I'm pretty sure they reflashed the uClinux on my router and within that are able to work their way in, be it through my security holes or exploits.

 A game for multiple players.

----------

## InsaneHamster

 *desultory wrote:*   

>  *InsaneHamster wrote:*   And even if they did use VMware, that's still networked into your box that it's running on. True, but it requires much more prowess (user or software) to escape a virtual machine than it does a chroot.

 

I agree. I heard userland tools are also a good thing, but I'm a little sketchy as I already have a full system up and running.

I'm debating on encrypting my hard drive but see no point if network entry comes.

Logs are up and running and the kernel shows strange attempts from an IPv6 MAC address; I don't know how to trace it to an IP and verify.

----------

## InsaneHamster

 *Quote:*   

> A game for multiple players.

 

Which I enjoy, as it helps me learn security. I don't retaliate; I only fix, in trust that one day they will be held off. Once that is complete I would have won. Knowledge at a free price. Why would I waste my time attacking other people? Winston Churchill: V is for VICTORY, not peace.

----------

## desultory

 *InsaneHamster wrote:*   

> I heard userland tools are also a good thing, but I'm a little sketchy as I already have a full system up and running.

 As in running a browser in User-mode Linux? Interesting, though it could still provide a dynamic environment.

 *InsaneHamster wrote:*   

> I'm debating on encrypting my hard drive but see no point if network entry comes.

 Agreed, encrypting local storage is a physical security measure and of little or no use in this case.

 *InsaneHamster wrote:*   

> Logs are up and running and the kernel shows strange attempts from an IPv6 MAC address; I don't know how to trace it to an IP and verify.

 I do not know, perhaps http://ws.arin.net/whois/? would be of use. Other data of interest could be gathered from http://www.google.com/search?q=IPv6+whois.

 *InsaneHamster wrote:*   

>  *Quote:*   A game for multiple players.
> 
> Which I enjoy, as it helps me learn security. I don't retaliate; I only fix, in trust that one day they will be held off. Once that is complete I would have won. Knowledge at a free price. Why would I waste my time attacking other people? Winston Churchill: V is for VICTORY, not peace.

 Exactly the sense in which I meant that remark.

----------

## InsaneHamster

 *Quote:*   

> As in running a browser in User-mode Linux? Interesting, though it could still provide a dynamic environment.

 

From what I've researched, User-mode Linux has to reboot? into the new system, which makes it physically useless; then all I would be doing is running another Linux box on top of one. It still has potential to be compromised. I could be wrong on this.

 *Quote:*   

> Agreed, encrypting local storage is a physical security measure and of little or no use in this case.

 

Unfortunately that is the case. I will however do my swap. But my /tmp and /var/tmp are already on my hard drive, so I don't think a ramdisk is efficient or even worth using for encrypting, considering it will be stored in memory, bogging down my system.

 *Quote:*   

> http://ws.arin.net/whois/? would be of use. Other data of interest could be gathered from http://www.google.com/search?q=IPv6+whois.

Thank you, I will look into it. As I found some sneaky kernel messages about a flagged IPv6 MAC address that connected to my system and had packet transfer. It's a MAC address which I have, which makes it hard, not an IP address.

 *Quote:*   

> Exactly the sense in which I meant that remark.

I see it as a learning experience, as I am clueless. First I must learn to properly set up, run and hold the fort before I could even attempt at breaking someone else's.

Like my Churchill metaphor. I've been hacked more times within the past 2 months than I could even remember (generic home router).

I'm thinking of setting up a Gentoo firewall box, then into another switch / gateway before my computers. I'm still boggled at how someone would put time and effort into this and, if so, why they wouldn't blatantly contact me; that way I could work with them in unison.

----------

## desultory

 *InsaneHamster wrote:*   

>  *Quote:*   As in running a browser in User-mode Linux? Interesting, though it could still provide a dynamic environment.
> 
> From what I've researched, User-mode Linux has to reboot? into the new system, which makes it physically useless; then all I would be doing is running another Linux box on top of one. It still has potential to be compromised. I could be wrong on this.

 User-mode Linux is a way to run a modified Linux kernel as a process under another kernel.

 *InsaneHamster wrote:*   

>  *Quote:*   Exactly the sense in which I meant that remark.  I see it as a learning experience, as I am clueless. First I must learn to properly set up, run and hold the fort before I could even attempt at breaking someone else's.

Do not violate the security of a computer system you neither own nor have specific legal contract to use and abuse in such fashion; to do otherwise is both illegal and foolish.

 *InsaneHamster wrote:*   

> I'm thinking of setting up a Gentoo firewall box, then into another switch / gateway before my computers.

 Done properly that can be highly effective.

 *InsaneHamster wrote:*   

> I'm still boggled at how someone would put time and effort into this and, if so, why they wouldn't blatantly contact me; that way I could work with them in unison.

 It is probably a script kiddie.

----------

## InsaneHamster

 *Quote:*   

> User-mode Linux is a way to run a modified Linux kernel as a process under another kernel.

Yes, I read, but you have to boot into that; you can't run your normal system and then within that, let's say X server, boot up another Linux kernel?

 *Quote:*   

> Do not violate the security of a computer system you neither own nor have specific legal contract to use and abuse in such fashion; to do otherwise is both illegal and foolish.

I have absolutely no interest whatsoever in hacking; it is foolish unless it's done within governments for, well, state security. Home users and corporations are useless unless money is involved. Either way I'm only in to protect myself.

 *Quote:*   

> Done properly that can be highly effective.

However, if done inefficiently or poorly, it is a key to the door.

 *Quote:*   

> script kiddies

are not capable of changing uClinux firmware; they are incapable of reflashing your computer's hardware BIOS so interrupts would flag. Building their own rootkits, adapting to my changes and defeating my lines of defense may be a simple task to some, but it's a time consuming one.

I think a full-out network is the best way to go; might as well, good experience and excellent knowledge. But when building it, it easily gives them ample time to operate and build their rat's nest. It's more of a race.

----------

## InsaneHamster

In theory we say, if it is a script kiddie, where does he find this information so efficiently?

----------

## desultory

 *InsaneHamster wrote:*   

>  *Quote:*   User-mode Linux is a way to run a modified Linux kernel as a process under another kernel.  Yes, I read, but you have to boot into that; you can't run your normal system and then within that, let's say X server, boot up another Linux kernel?

 It is just a process, you can run anything else you want. With X, clients and servers do not need to be in the same logical system any more than they need to be in the same physical system.

 *InsaneHamster wrote:*   

>  *Quote:*   Done properly that can be highly effective.  However, if done inefficiently or poorly, it is a key to the door.

 Which is why I recommended bastille.

 *InsaneHamster wrote:*   

>  *Quote:*   script kiddies   are not capable of changing uClinux firmware; they are incapable of reflashing your computer's hardware BIOS so interrupts would flag. Building their own rootkits, adapting to my changes and defeating my lines of defense may be a simple task to some, but it's a time consuming one.

Script kiddies can do anything that their tools let them do; regardless, it is the mentality that matters here.

 *InsaneHamster wrote:*   

> I think a full-out network is the best way to go; might as well, good experience and excellent knowledge. But when building it, it easily gives them ample time to operate and build their rat's nest. It's more of a race.

 Start by making the network an unattractive target.

When configuring a new system, use a live CD with no network services exposed to the outside network. Secure it before booting the installed kernel.

 *InsaneHamster wrote:*   

> In theory we say, if it is a script kiddie, where does he find this information so efficiently?

Given known vulnerabilities it should not be terribly difficult to find exploits; again, it is primarily the mentality which matters here.

----------

## InsaneHamster

Much help in all areas. It's good to have reassurances sometimes when dealing with these things, and this Bastille program is genius: it's auditing my system by asking me questions and explaining functions to me. Most I've gone over, but some I should have known better.

Final question about Bastille. I fear that in its state and condition it will change options, either locking me out or changing what I custom configured.

Is there a backup / restore point after I run it, I mean after the batch file is created?

Can I strictly see what it plans to change in the script?

----------

## desultory

 *InsaneHamster wrote:*   

> Is there a backup / restore point after I run it, I mean after the batch file is created?

 Just run bastille -r and the configuration should be reverted.

 *InsaneHamster wrote:*   

> Can I strictly see what it plans to change in the script?

Proposed changes are described at each step; the present configuration is by default stored in /etc/Bastille/config under Linux.

----------

## InsaneHamster

 *desultory wrote:*   

>  *InsaneHamster wrote:*   Is there a backup / restore point after I run it, I mean after the batch file is created? As I recall bastille-restore is the reversion tool.
> 
>  *InsaneHamster wrote:*   Can I strictly see what it plans to change in the script? Proposed changes are described at each step; the present configuration is by default stored in /etc/Bastille/config under Linux.

 

OK, because I would like to see, for each file, what it's changing it to and what mine is currently set as. I would assume it would be an excellent comparison tool of how I'm doing.

----------

## desultory

 *InsaneHamster wrote:*   

> OK, because I would like to see, for each file, what it's changing it to and what mine is currently set as. I would assume it would be an excellent comparison tool of how I'm doing.

 I do not know quite how to view the exact text of all proposed changes.

----------

## InsaneHamster

 *desultory wrote:*   

>  *InsaneHamster wrote:*   OK, because I would like to see, for each file, what it's changing it to and what mine is currently set as. I would assume it would be an excellent comparison tool of how I'm doing. I do not know quite how to view the exact text of all proposed changes.

 

I'm sure I'll stumble upon it. If I don't, I wouldn't trust it; chances are I could be locked out even with my user account, or sudo/su disabled for some unknown reason.

But a good tool, I'm sure, as the first forensic program to run after a clean install, then continue on.

----------

## desultory

 *InsaneHamster wrote:*   

> I'm sure I'll stumble upon it. If I don't, I wouldn't trust it; chances are I could be locked out even with my user account, or sudo/su disabled for some unknown reason.

 Keep a live CD (or equivalent) available, and you will still be able to gain access.

 *InsaneHamster wrote:*   

> But a good tool, I'm sure, as the first forensic program to run after a clean install, then continue on.

 Quite so.

----------

## InsaneHamster

 *desultory wrote:*   

>  *InsaneHamster wrote:*   I'm sure I'll stumble upon it. If I don't, I wouldn't trust it; chances are I could be locked out even with my user account, or sudo/su disabled for some unknown reason. Keep a live CD (or equivalent) available, and you will still be able to gain access.
> 
>  *InsaneHamster wrote:*   But a good tool, I'm sure, as the first forensic program to run after a clean install, then continue on. Quite so.

 

I'm currently in the process of installing Gentoo on a test machine, basically hardening and securing it in order to have a firewall which I'll connect to this box (the one that keeps getting hacked) and see how it goes.

----------

## desultory

Please, post about it as work progresses.

----------

## InsaneHamster

 *desultory wrote:*   

> Please, post about it as work progresses.

 

Clearly that would allow any person following my progress to not only note but also gain advantage as to what I'm doing. It's a very stupid principle considering I just want to secure myself.

So basically I'm installing a stage 1 Gentoo on a G4 PowerBook, only starting on the bootstrap right now. I really don't mind documenting it and will actually enjoy it, in case people can spot sloppy methods of installation. And I'll keep track with netstat for connections and do as much of it offline as possible.

----------

## desultory

Security through obscurity is no security at all.

----------

## InsaneHamster

 *desultory wrote:*   

> Security through obscurity is no security at all.

 

I believe building security through obscurity is the best way to go. I mean, if you are given information about it and you hack it apart, this creates the need for fixing holes and proper assessment, which increases the security as it is built.

----------

## desultory

If you detail the requirements on the system and your preferences for the system to others willing to help secure the system, they might be able to find problems that you did not find and possibly even fix those problems, providing you with at least more information and at best better security.

----------

## halfgaar

InsaneHamster, you might wanna add denyhosts to your setup. My SSH daemon gets dozens of attempts every day, and denyhosts blocks hosts which are bruteforcing your SSH connection.

 *Quote:*   

> Yes, I do browse untrusted websites which know me and where I come from (proxies are too slow), and they are very proficient at gaining access.

 

Could you elaborate a bit more on why you think certain websites target you specifically? Is it just a hunch, or do you have concrete evidence?

 *Quote:*   

> I'm pretty sure they reflashed the uClinux on my router and within that are able to work their way in, be it through my security holes or exploits.

 

Again, is it a hunch that your router is flashed or do you have evidence?

 *Quote:*   

> But there is a person out there who for some reason enjoys always hacking my box and is very good at it. The site is usually the origin, which I keep returning to because I want to test what works and what doesn't.

 

How can you see that someone's gained control of your system? Also, could you give the site in question? I'm curious to check it out...

What you're describing is highly unusual (hence my questions): a non-Windows machine connected to the internet through a NAT router which keeps getting compromised. (With non-Windows I don't imply insecurity in Windows; I mean most attacks are tailored for Windows machines, as they are used the most.)

Edit: Before I forget; 

 *Quote:*   

> Logs are up and running and the kernel shows strange attempts from an IPv6 MAC address; I don't know how to trace it to an IP and verify.

 

You can't see the MAC address of an IP based connection. MAC addresses are hardware addresses, stored in the network card for example. They are used to allow your computer and other network hardware to communicate below the IP level. They are not transferred in IP packets. IPv6 addresses may look like MAC addresses, but they are not the same.
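As an added illustration of why an IPv6 address in a kernel log can look MAC-like (this is example code, not part of halfgaar's post): a link-local address formed by SLAAC embeds the interface's MAC in modified EUI-64 form, and a defender can recover that MAC and match it against the arpwatch table of the local segment. The sample addresses below are constructed for the demo; nothing here is taken from the thread's logs.

```python
import ipaddress


def mac_from_eui64(addr: str):
    """Return the MAC embedded in a modified-EUI-64 interface identifier, or None.

    SLAAC (RFC 4291, appendix A) forms the low 64 bits of an address as:
    first three MAC bytes, 0xff, 0xfe, last three MAC bytes, with the
    universal/local bit (0x02) of the first byte inverted.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]                      # low 64 bits: interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None                          # no ff:fe marker: not MAC-derived
    first = iid[0] ^ 0x02                    # undo the U/L bit inversion
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def describe(addr: str) -> dict:
    """Classify an IPv6 address seen in a log and report what can be learned from it."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        scope = "link-local"        # fe80::/10: the sender is on the same L2 segment
    elif ip in ipaddress.ip_network("fc00::/7"):
        scope = "unique-local"      # site-internal, not routed on the internet
    else:
        scope = "other"             # global or special-purpose; whois lookups apply
    mac = mac_from_eui64(addr)
    # Caveat: a random (privacy) interface id passes the ff:fe test once in 65536,
    # and a derived MAC only identifies a NIC you can check when the address is
    # link-local; for other scopes it is a claim inside the packet, not evidence.
    return {
        "address": str(ip),
        "scope": scope,
        "embedded_mac": mac,
        "locally_administered": bool(mac) and bool(int(mac[:2], 16) & 0x02),
    }


# Constructed sample addresses for the demo (not from the thread's logs).
SAMPLES = [
    "fe80::211:22ff:fe33:4455",   # SLAAC link-local built from MAC 00:11:22:33:44:55
    "2001:db8::1",                # manually assigned, nothing embedded
    "fe80::1234:5678:9abc:def0",  # random (privacy) identifier, no ff:fe marker
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(describe(sample))
```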

----------

## someguy

I don't know if it was mentioned yet, but snort is your friend.

----------

## madisonicus

 *halfgaar wrote:*   

> (good stuff)

 ++

Also, if you have discovered a website that can completely compromise your system simply by visiting it with currently supported software, it is incumbent upon you to report it to the web browser devs and others through bugzilla, etc.  What website is it?

WRT to your initial question, tripwire and aide are very good intrusion detection systems.  Basically they record checksum snapshots of files on your system, making it simple to discover what's changed in between scans.

If you're really interested in what's actually going on, I suggest you set up a honeypot machine.  See here for more information.

As a side note, there are in fact websites set up specifically for use as hack-targets: http://www.hackthissite.org/

-m
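The checksum-snapshot idea behind tripwire and aide, reduced to its core as an added example (this is not tripwire or aide code, nor from the thread): baseline a directory tree, store the baseline outside that tree, and later diff a fresh snapshot against it. The tree and the tampering are constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Record sha256, size and permission bits for every regular file under root.

    This is the 'database' an integrity checker keeps. Store it where an intruder
    cannot rewrite it (read-only media, or off the box) or the comparison proves
    nothing, since the same access that changes a file can change its record.
    """
    db = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        db[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into sorted added / removed / changed path lists."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_db(db: dict, dest: Path) -> None:
    dest.write_text(json.dumps(db, indent=1, sort_keys=True))


def load_db(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"original binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        db_file = Path(tmp) / "baseline.json"   # kept outside the watched tree
        save_db(snapshot(root), db_file)

        # Constructed tampering mirroring what the thread reports (files changed,
        # accounts added). The binary swap keeps the same size, so a size-only
        # check would miss it; the hash does not.
        (root / "bin" / "ls").write_bytes(b"trojaned binary")
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("extra:x:0:0::/:/bin/sh\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("# constructed sample entry\n")

        return compare(load_db(db_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Once every reported change has been reviewed and accepted as your own, refreshing the baseline is simply `save_db(snapshot(root), db_file)` again; that is the step tripwire calls a database update.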

----------

## InsaneHamster

 *desultory wrote:*   

> If you detail the requirements on the system and your preferences for the system to others willing to help secure the system, they might be able to find problems that you did not find and possibly even fix those problems, providing you with at least more information and at best better security.

 

Pretty much right from my cable modem I want it to be a first line of defence firewall; it will then route traffic into another small box which will be a switch, NAT and routing machine that has a WAP and DHCP server for my internal network.

My first line is just a first generation G4 PowerBook with its eth0 card and a PCMCIA eth0 card. This computer's job is to send the intrusion into the inner network gateway that will forward it to my main desktop or keep it on there.

So far I've got the new stable 2006.1 Gentoo PPC installed, no iptables yet; I only ran Bastille, no firewall, and followed the Gentoo security guide on it.

----------

## InsaneHamster

 *Quote:*   

> Could you elaborate a bit more on why you think certain websites target you specifically? Is it just a hunch, or do you have concrete evidence?

 

Well, I have problems; basically it's a forum site and certain moderators and owners enjoy playing games, plus I have other people who try to gain entry not associated with the site.

 *Quote:*   

> Again, is it a hunch that your router is flashed or do you have evidence?

 

This router is going to disappear, but basically attacks, after I tried analyzing the connection with Wireshark, ntop and other various tools, showed random pre-made network IP addresses not on the network doing scans and stuff on my already built and sort of secure Gentoo install.

 *Quote:*   

> How can you see that someone's gained control of your system? Also, could you give the site in question? I'm curious to check it out...

 

Yes, before, they have several times: files were changed and connections from proxies were established and MB of bandwidth used that I had no part in. I've had user accounts added and basically any host could have connected; Xorg was hijacked at one point, logs shut down and changed, and clean root access, basically, even the main root password changed.

 *Quote:*   

> What you're describing is highly unusual (hence my questions): a non-Windows machine connected to the internet through a NAT router which keeps getting compromised. (With non-Windows I don't imply insecurity in Windows; I mean most attacks are tailored for Windows machines, as they are used the most.)

 

I realise that, but this is personal on several points.

 *Quote:*   

> You can't see the MAC address of an IP based connection. MAC addresses are hardware addresses, stored in the network card for example. They are used to allow your computer and other network hardware to communicate below the IP level. They are not transferred in IP packets. IPv6 addresses may look like MAC addresses, but they are not the same.

 

I set up my system log to show connections and it reports traffic via MAC address, and even ntop reported my router was connecting via several MAC addresses instead of the domain name, in both IPv6 and 4. Especially after the firewall was pretty much closed to v4 (I forgot about 6), then they started showing up.

----------

## InsaneHamster

 *madisonicus wrote:*   

>  *halfgaar wrote:*   (good stuff) ++
> 
> Also, if you have discovered a website that can completely compromise your system simply by visiting it with currently supported software, it is incumbent upon you to report it to the web browser devs and others through bugzilla, etc.  What website is it?
> 
> WRT to your initial question, tripwire and aide are very good intrusion detection systems.  Basically they record checksum snapshots of files on your system, making it simple to discover what's changed in between scans.
> ...

 

It's not really a website that has standard automation of exploiting flaws, but admins and users on it that take advantage of the holes which are used against a lot of systems. They usually exploit Firefox flaws and work from there; this site has been and was used in some of these attacks. I'll configure tripwire and snort now and see. But usually logs are enough to see various things, and at certain times the browser crashes or in threads text would change; following that with various tools I was able to find certain situations.

----------

## madisonicus

 *InsaneHamster wrote:*   

> It's not really a website that has standard automation of exploiting flaws, but admins and users on it that take advantage of the holes which are used against a lot of systems. They usually exploit Firefox flaws and work from there; this site has been and was used in some of these attacks. I'll configure tripwire and snort now and see. But usually logs are enough to see various things, and at certain times the browser crashes or in threads text would change; following that with various tools I was able to find certain situations.

 Ok, seriously, even a single specific anything would be helpful.  Do you have a log or two?  Commands that were issued?  What security flaws in firefox are you talking about?  What "holes" in Linux are you referring to?  Etc...  

Also if your system has been compromised then there is nothing to be done but pull it off the net, save what you need, and re-install.  You should not ever trust a system that has been compromised because an intruder could have changed anything on the system.

I'd suggest you get a clean, fully-patched system up and running, closely following the gentoo security handbook. Then visit this mysterious forum.  If these unnamed super-hackers still manage to compromise your clean and secure system, then I think you may be misinterpreting some of the data you're seeing.  Perhaps if you posted some specifics we might help you figure out what's going on.

See here for some guidelines for dealing with intrusions.

-m

----------

## InsaneHamster

Well, I already formatted; I'm on a new system which I've seen has had various attempts, but how successful I don't know yet. And yes, I do have logs and data of what happened previously; I just want to prevent it for the future and am working on it currently.

Right now I'm setting up tripwire and it looks good to go as far as running (I purged commands that weren't on my system), and tripwire does mail me with a console command, but I still have yet to figure out how to update the database, because it complains about the date, which is always different than what it seeks, and reading / reporting into my syslog.

I'm just having problems figuring out how to read what has been changed with tripwire; currently it only reports 4 problems. Never mind, I think this is solved now: when I run the cron I get emails on various files that are changed depending on my configuration. I just have to figure out how to work with the databases still; the tripwire --update doesn't work.

----------

