10.3. 设置入侵检测

Debian GNU/Linux includes tools for intrusion detection, which is the practice of detecting inappropriate or malicious activity on your local system, or other systems in your private network. This kind of defense is important if the system is very critical or you are truly paranoid. The most common approaches to intrusion detection are statistical anomaly detection and pattern-matching detection.

谨记, 为了使用介绍的工具真正改善系统的安全性, 您需要到位的报警和响应机制. 如果没有报警, 入侵检测将会非常费时.

当检测到一次特殊的攻击时, 多数的入侵检测工具要么使用 syslogd 记录事件, 要么要么发送邮件到 root 用户(邮件接收者是可以配置的). 管理员必须正确的配置这些工具, 以便错误的信息不会触发报警. 报警也许还表明当一次持续的攻击, 也许一天以后已经没用了, 因为攻击可能已经成功了. 因此要确保正确的处理报警的策略以及相应的技术机制应当到位.

An interesting source of information is http://www.cert.org/tech_tips/intruder_detection_checklist.html

10.3.1. 基于网络的入侵检测

基于网络的入侵检测工具监测在网络上传送的数据段, 并将其作为数据源. 具体就是审查网上的数据包, 看是否与某些特征匹配.

snort is a flexible packet sniffer or logger that detects attacks using an attack signature dictionary. It detects a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. snort also has real-time alerting capability. You can use snort for a range of hosts on your network as well as for your own host. This is a tool which should be installed on every router to keep an eye on your network. Just install it with apt-get install snort, follow the questions, and watch it log. For a little broader security framework, see http://www.prelude-ids.org.

Debian’s snort package has many security checks enabled by default. However, you should customize the setup to take into account the particular services you run on your system. You may also want to seek additional checks specific to these services.

There are other, simpler tools that can be used to detect network attacks. portsentry is an interesting package that can tip you off to port scans against your hosts. Other tools like ippl or iplogger will also detect some IP (TCP and ICMP) attacks, even if they do not provide the kind of advanced techniques snort does.

You can test any of these tools with the Debian package idswakeup, a shell script which generates false alarms, and includes many common attack signatures.

10.3.2. 基于主机的入侵检测

基于主机的入侵检测包括在被检测的系统中加载软件, 其使用日志文件和/或系统的检测程序作为数据源. 它搜寻可疑的进程, 监视主机的访问, 也许甚至监控对重要文件的修改.

tiger is an older intrusion detection tool which has been ported to Debian since the Woody branch. tiger provides checks of common issues related to security break-ins, like password strength, file system problems, communicating processes, and other ways root might be compromised. This package includes new Debian-specific security checks including: MD5sums checks of installed files, locations of files not belonging to packages, and analysis of local listening processes. The default installation sets up tiger to run each day, generating a report that is sent to the superuser about possible compromises of the system.

Log analysis tools, such as logcheck can also be used to detect intrusion attempts. See 第 4.13.1 节 “使用和定制 logcheck.

另外,用于监测文件系统完整性的软件包(参见 第 4.17.3 节 “文件系统的完整性检查”)在检查一个安全系统的异常现象时也非常有用. 一个有效的侵入很可能会 修改一些本地文件系统中的文件以绕过本地安全策略, 安装木马, 或创建用户. 这些事件通常可以通过使用文件系统完整性检查工具检测到.