Ten Practical Security Steps
8. Automatically audit systems for signs of intrusion.
Protecting your systems from break-in is only of limited value if
you have no way of knowing if you've been broken into. If that's
happened, you probably have permanent unwanted residents because
when an intruder succeeds in cracking one of your systems,
they will do what they can to ensure continued access.
Firewall logs as well as network intrusion detection systems can
tell you if someone is trying to get in. Unfortunately, today
someone is always trying to get in. Large sites may report
hundreds or even thousands of probes a day, and the smallest Internet-connected
networks typically get multiple probes a day. Individual
PC users who install personal firewall systems on single machines
report with surprise that even they get probed, sometimes several
times a day. By probes I mean port scans looking for open,
unprotected ports. The potential intruders typically move on
if all they find is blocked (firewalled) or closed (off) ports.
Open ports are likely to lead to additional investigation where
the intruder tries to determine if there is any vulnerable
software to exploit.
This is like people checking your doors to see if they are locked.
It happens so much now that there seems little point in being
notified about it unless it is especially intense or prolonged.
Host-based intrusion detection systems look for signs that someone has
gotten in. They tend to look for several things, including changes to
key system files and executable programs and scripts. Some of the key
files to look at are the system startup files (i.e., anything that
executes when the system starts), the system schedulers that start
things on a periodic basis, and the user (/etc/passwd) and group files,
to determine if anyone has become an administrator or equivalent.
They also look at executable programs and scripts that may have
changed or been added. Those that run at startup or from the system
scheduler are generally most important.
For an intrusion detection system to be of real value, it must be fully
automated. If an operator or administrator must check
something periodically, even daily, even if it takes less than a
minute, the system is of almost no use. Successful intrusions will be the
exception and by the time one occurs, whoever does the checking will
have stopped. To be useful, these systems must do nothing until
suspicious activity is detected, and then they must do something that
an administrator won't miss, such as dial a pager, put a message on
the terminal screen or send an e-mail.
Tripwire is the best known intrusion detection system of this
type. My reading suggests the commercial versions can be adequately
automated. What's needed can also be scripted in Perl with only
a moderate amount of work on UNIX systems.
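The automated file audit described above, as an added example that is not part of the original article or its author's scripts (the author suggests Perl; this is a Python equivalent). It fingerprints the startup, scheduler, user and group files, records a baseline on the first run, and on later runs returns a report only when something was added, removed or changed, staying silent otherwise so cron's mail of non-empty output becomes the alert. The watch list and baseline location are assumptions to adjust per system.

```python
import hashlib
import json
import os
import stat

# Assumed watch list: startup files, schedulers, user/group files. Adjust per system.
WATCH_PATHS = ["/etc/passwd", "/etc/group", "/etc/crontab", "/etc/cron.d",
               "/etc/rc.local", "/etc/init.d"]
BASELINE_FILE = "/var/lib/hids/baseline.json"  # assumed; keep a copy off-host or read-only

def fingerprint(path):
    """Content hash plus mode, owner and size, so permission/owner changes are caught too."""
    try:
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):      # skip symlinks, devices, directories
            return None
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return [h.hexdigest(), st.st_mode, st.st_uid, st.st_size]
    except OSError:
        return None

def snapshot(paths):
    """Fingerprint every regular file at the watched paths; directories are walked recursively."""
    found = {}
    for root in paths:
        files = [root]
        if os.path.isdir(root):
            files = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
        for p in files:
            fp = fingerprint(p)
            if fp is not None:
                found[p] = fp
    return found

def compare(baseline, current):
    """The three kinds of difference an auditor cares about: new, missing and altered files."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

def audit(paths=WATCH_PATHS, baseline_file=BASELINE_FILE):
    """One scheduled run: record a baseline if none exists, else report differences or None."""
    current = snapshot(paths)
    if not os.path.exists(baseline_file):
        os.makedirs(os.path.dirname(baseline_file) or ".", exist_ok=True)
        with open(baseline_file, "w") as f:
            json.dump(current, f)
        return None
    with open(baseline_file) as f:
        baseline = json.load(f)
    delta = compare(baseline, current)
    if not any(delta.values()):
        return None                            # nothing to say: stay silent
    return "\n".join(f"{k.upper()}: {p}" for k in ("added", "removed", "changed") for p in delta[k])

if __name__ == "__main__":
    report = audit()
    if report:                                 # cron mails non-empty output to the administrator
        print(report)
```

Run it from the system scheduler as root; a trusted copy of the baseline kept off the host lets you tell a tampered baseline from a clean one.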
Homegrown Intrusion Detection
describes a do-it-yourself host based intrusion detection system
that includes the automated file monitoring described here
and also process monitoring. Sample scripts are included.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is