KBTAG: kben10000052
URL: http://www.securityportal.com/lskb/10000050/kben10000052.html
Date created: 09/07/2000
Date modified: 18/10/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Network monitoring / attack detection
Keywords: IntrusionDetection
There are several methods to monitor networks and detect attacks.
If the last section has you worried, you should be. There are, however, many defenses, active and passive, against those types of attacks. The best ways to combat network scans are to keep software up to date, run only what is needed, and heavily restrict the rest through firewalls and other mechanisms.
Luckily, on Linux these tools are free and easily available. Again, I will only cover open source tools, since the idea of a proprietary firewall or similar is rather worrying. The first line of defense should be a robust firewall, followed by packet filters on all Internet-accessible machines, liberal use of TCP_WRAPPERS, logging and, more importantly, automated software to examine the logs for you (it is unfeasible for an administrator to read log files by hand nowadays).
Arachnids
Arachnids is a set of IDS signatures for use in conjunction with snort (see Overview of packet sniffers for Linux), and is available at: http://whitehats.com/ids/ids.html.
Deception ToolKit (DTK)
The Deception ToolKit is a set of programs that emulate well-known services in order to present attackers with a false set of readings. The hope is to confuse and slow down attackers by leading them to false conclusions. You can download DTK from: http://all.net/dtk/.
Psionic PortSentry
The third component of the Abacus suite, PortSentry detects and logs port scans, including stealthy scans (basically anything nmap can do, it should be able to detect). Psionic PortSentry can be configured to block the offending machine, making completion of a port scan difficult (in my opinion a bad idea, as it could be used for a denial of service attack on legitimate hosts: a scan sent with a forged source address gets that address blocked). As this tool is in beta I would recommend against using it; however, with some age it should mature into a solid and useful tool. Psionic PortSentry is available at: http://www.psionic.com/abacus/portsentry/.
Psionic HostSentry
While this software is not yet ready for mass consumption, I thought I would mention it anyway as it is part of a larger project (the Abacus project, http://www.psionic.com/abacus/). Basically, Psionic HostSentry builds a profile of user accesses and then compares it to current activity in order to flag anything suspicious. Psionic HostSentry is available at: http://www.psionic.com/abacus/hostsentry/.
scanlogd
scanlogd monitors network packets and, if a threshold is exceeded, logs them. You can get it at: http://www.openwall.com/scanlogd/.
Firewall logging
Most firewalls support logging, and ipfwadm/ipchains are no exception: using the -l switch you get a syslog entry for each matching packet, and with automated filters (Perl is good for this) you can detect trends, hostile attempts and so on. Since most firewalls (UNIX-based, and Cisco in any case) log via the syslog facility, you can easily centralize all your firewall packet logging on a single host (with a lot of hard drive space, hopefully).
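The threshold detection that scanlogd performs on live packets can also be done after the fact on the firewall's syslog output, which is the kind of automated log filter the two paragraphs above recommend. The script below is an added example written for this page (in Python rather than the Perl suggested above; it is not scanlogd's or ipchains' own code). It assumes the ipchains -l line layout shown in its comment, a year for the year-less syslog timestamps, and a constructed sample log; the threshold and window values are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog line written by an ipchains rule that carries the -l switch, in the
# layout this example assumes (fields after the destination are ignored):
#   <date> <host> kernel: Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# scanlogd-style parameters (values chosen for this example): a source that
# touches this many distinct destination ports within the window is a scan.
PORT_THRESHOLD = 5
WINDOW_SECONDS = 3


def parse_line(line, year=2000):
    """Return a dict for an ipchains packet-log line, or None for any other syslog line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so the caller has to supply it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "chain": m["chain"], "target": m["target"],
            "proto": int(m["proto"]), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def detect_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Map each scanning source address to the sorted set of ports it hit within
    the first window that reached the threshold; quiet sources are omitted."""
    per_src = defaultdict(list)                  # src -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_src[rec["src"]].append((rec["ts"], rec["dport"]))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window` seconds
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= threshold:
                alerts[src] = sorted(ports)
                break
    return alerts


# Constructed sample log, not real traffic: 10.1.2.3 sweeps five ports in two
# seconds, 10.5.5.5 probes the same ports ten seconds apart, 10.9.9.9 is an
# ordinary web and DNS client, and the last line is not a packet-log entry.
SAMPLE_LOG = """\
Jul  9 10:15:01 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:40001 192.168.0.1:21 L=60 S=0x00 I=1001 F=0x4000 T=51 SYN (#3)
Jul  9 10:15:01 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:40002 192.168.0.1:22 L=60 S=0x00 I=1002 F=0x4000 T=51 SYN (#3)
Jul  9 10:15:02 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:40003 192.168.0.1:23 L=60 S=0x00 I=1003 F=0x4000 T=51 SYN (#3)
Jul  9 10:15:02 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:40004 192.168.0.1:25 L=60 S=0x00 I=1004 F=0x4000 T=51 SYN (#3)
Jul  9 10:15:03 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.1.2.3:40005 192.168.0.1:80 L=60 S=0x00 I=1005 F=0x4000 T=51 SYN (#1)
Jul  9 10:15:10 fw kernel: Packet log: input DENY eth0 PROTO=6 10.5.5.5:3001 192.168.0.1:21 L=60 S=0x00 I=3001 F=0x4000 T=48 SYN (#3)
Jul  9 10:15:20 fw kernel: Packet log: input DENY eth0 PROTO=6 10.5.5.5:3002 192.168.0.1:22 L=60 S=0x00 I=3002 F=0x4000 T=48 SYN (#3)
Jul  9 10:15:30 fw kernel: Packet log: input DENY eth0 PROTO=6 10.5.5.5:3003 192.168.0.1:23 L=60 S=0x00 I=3003 F=0x4000 T=48 SYN (#3)
Jul  9 10:15:40 fw kernel: Packet log: input DENY eth0 PROTO=6 10.5.5.5:3004 192.168.0.1:25 L=60 S=0x00 I=3004 F=0x4000 T=48 SYN (#3)
Jul  9 10:15:50 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.5.5.5:3005 192.168.0.1:80 L=60 S=0x00 I=3005 F=0x4000 T=48 SYN (#1)
Jul  9 10:15:05 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.9.9.9:2001 192.168.0.1:80 L=60 S=0x00 I=2001 F=0x4000 T=60 SYN (#1)
Jul  9 10:15:06 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.9.9.9:2002 192.168.0.1:80 L=60 S=0x00 I=2002 F=0x4000 T=60 SYN (#1)
Jul  9 10:15:06 fw kernel: Packet log: input DENY eth0 PROTO=17 10.9.9.9:2003 192.168.0.1:53 L=48 S=0x00 I=2003 F=0x0000 T=60 (#3)
Jul  9 10:15:07 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.9.9.9:2004 192.168.0.1:443 L=60 S=0x00 I=2004 F=0x4000 T=60 SYN (#1)
Jul  9 10:15:07 fw sshd[412]: Accepted password for alice from 10.9.9.9 port 2004
""".splitlines()

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"port scan from {src}: ports {ports}")
```

Run it over a saved messages file (for example `detect_scans(open("/var/log/messages"))`) rather than the constructed sample. Two things the sample is built to show: a scan appears across both DENY and ACCEPT entries, so log accepted packets on exposed ports as well as denials, and the slow probe from 10.5.5.5 stays under the threshold until the window is widened, which is the usual trade-off between catching slow scans and raising false alarms on ordinary clients that legitimately touch a few ports.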
TCP_WRAPPERS
Wietse's TCP_WRAPPERS allow you to restrict connections to various services based on IP address and so forth, but even more importantly they allow you to configure a response: you can have it email you, finger the offending machine, and so on (use with caution, however). TCP_WRAPPERS comes standard with most distributions and is available at: ftp://ftp.porcupine.org/pub/security/.
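A minimal configuration of the restrict-and-respond mechanism described above, as an added example and not a file from the TCP_WRAPPERS distribution: the networks and host addresses are constructed, and the spawned command records the refusal through syslog instead of fingering the remote machine, since a finger-back itself contacts a host whose address may have been forged.

```text
# /etc/hosts.allow -- consulted first; the first matching rule grants access.
# 192.168.1.0/24 and 192.168.1.10 are constructed values for this example.
sshd:       192.168.1.0/255.255.255.0
in.telnetd: 192.168.1.10
ALL:        127.0.0.1

# /etc/hosts.deny -- consulted only if nothing in hosts.allow matched; a match refuses.
# %d expands to the daemon name, %h to the client host name (or address if it
# has none), %a to the client address. The command after spawn runs in the
# background once the connection has been refused.
ALL: ALL: spawn (/usr/bin/logger -t tcpd -p auth.warning "refused %d from %h [%a]") &
```

The rules apply to services started by inetd through tcpd and to daemons built with libwrap. The spawn keyword belongs to the extended option language documented in hosts_options(5), which the Linux builds of tcp_wrappers enable. Before relying on the files, run tcpdchk to report syntax and configuration problems, and tcpdmatch (for example `tcpdmatch in.telnetd 10.1.2.3`) to see which rule a given client would hit.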
klaxon
While mostly obsoleted by TCP_WRAPPERS and firewall logging, klaxon can still be useful for detecting port scans and the like if you don't want to totally lock down the machine. Klaxon is available at: ftp://ftp.eng.auburn.edu/pub/doug/.
NFR
NFR (Network Flight Recorder) is much more than a packet sniffer: it logs data and detects attacks, scans and so on in real time. This is a very powerful tool and requires a significant investment of time, energy and machine power to run, but it is at the top of the food chain for detection. NFR is available at: http://www.nfr.com/.
FAQ: Network Intrusion Detection Systems, an excellent FAQ that covers all the major (and many minor) issues with intrusion detection systems. Available at: http://www.robertgraham.com/pubs/network-intrusion-detection.html.