Howto Setup a Basic IDS/IPS on a Linux Server

Posted by abefroman on May 29, 2012 5:10 PM EDT
Secure Hosting Directory; By Terry Newbury

As part of your overall hardening and the suite of security software you have installed, an IDS and/or IPS should not be left out. This is also a requirement for PCI compliance. An IDS/IPS is important for a number of reasons. First, when you are hacked, some sort of activity typically preceded the hack, such as a port scan, which an IDS could detect and an IPS could block. In addition, the logs from your IDS/IPS can serve as part of your audit trail when investigating a security breach.


PSAD will help you meet Payment Card Industry Data Security Standard requirement 11.4 and its related testing procedures. After installing PSAD, you will want to test it by running a port scan against the server to ensure PSAD is working and generating alerts. This will help you meet PCI DSS requirement 11.1's testing procedure 11.1.d. The log should also be part of your incident response policy, which is part of requirements 12.9.3 and 12.9.5.

Depending on what you want to scan for, this can take anywhere from minutes to weeks to set up and configure, and monitoring your Intrusion Detection System / Intrusion Prevention System can require anywhere from a few minutes a day to several full-time staff. We will be covering a simple IDS/IPS here, something you will be able to set up in minutes and maintain with only a few minutes per day. Specifically, we will be covering PSAD, made by CipherDyne. For a more robust IDS/IPS you could use something such as Snort, although PSAD contains a lot of the elements of Snort, as well as many of Snort's signatures.

To install PSAD, first download and unpack the software:

wget http://cipherdyne.org/psad/download/psad-2.1.7.tar.bz2
tar -jxvf psad-2.1.7.tar.bz2
cd psad-2.1.7

Now run the install script:

./install.pl

In our example we are going to use the default for most of the options.

[+] Would you like alerts sent to a different address ([y]/n)?

Hit enter for yes, then enter your email address, and then a single . on the next line to finish.

Would you like psad to only parse specific strings in iptables messages (y/[n])?

Choose the default, no.

First, is it ok to leave the HOME_NET setting as "any" ([y]/n)?

Choose yes. For added security you may want to set HOME_NET to your local, on-site IP addresses, but we won't be detailing that as this is a basic install.

Would you like to enable DShield alerts (y/[n])?

Choose no; this can be changed later in the config file (/etc/psad/psad.conf).

DShield is a company that keeps a feed of bad IPs, in addition to offering a number of other security-related tools, such as a base64 decoder and a database of reverse MD5 and SHA-1 hashes.

Would you like to install the latest signatures from http://www.cipherdyne.org/psad/signatures (y/n)?

This one doesn't have a default, so type y to get the latest signatures. CipherDyne is of course the maker of PSAD.

[+] Enable psad at boot time ([y]/n)?

Press enter for yes.

With this setup, PSAD will log activity such as port scans in /var/log/psad/ip/, with one directory for each source IP. In addition to the entries under /var/log, it will also email you once a certain danger level is reached, which we will configure next. The logged output from PSAD will be useful for PCI DSS requirement 10.6, which states that all logs must be reviewed daily.

Open the psad config file in your favorite text editor. By the way, we are using CentOS in our example, so your paths may vary if you're on a different distro. Also, this is a basic install, and we did not need to install any additional packages or libraries.

pico /etc/psad/psad.conf

Here you can set how aggressive you want psad to be.

Some good settings for it to be mildly aggressive would be the following changes. Change MIN_DANGER_LEVEL from 1 to 2:

MIN_DANGER_LEVEL 2;

Change EMAIL_ALERT_DANGER_LEVEL from 1 to 3:

EMAIL_ALERT_DANGER_LEVEL 3;

Those settings are a little loose, so go back up and change DANGER_LEVEL3 from 150 to 50:

DANGER_LEVEL3 50;

If you have alerts going to a smartphone or PDA, there can be a lot of them, so you might want to set a limit on the number of emails you get for each IP. For example, change EMAIL_LIMIT to 3:

EMAIL_LIMIT 3;
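To make the effect of those four settings concrete, here is a small Python model, added for this article and not psad's own code, that applies the danger-level thresholds to iptables LOG lines roughly the way psad does: it counts packets per source IP, maps the count to a danger level, ignores any source below MIN_DANGER_LEVEL, emails only at EMAIL_ALERT_DANGER_LEVEL or above, and stops emailing a source after EMAIL_LIMIT alerts. The log lines are constructed, and the DANGER_LEVEL1/2/4/5 packet counts are assumed; only DANGER_LEVEL3 50 is the value set above.

```python
import re
from collections import defaultdict

# Thresholds from the article's psad.conf edits. Only DANGER_LEVEL3 50 is the
# article's value; the other DANGER_LEVELn packet counts are assumed here.
CONFIG = {
    "MIN_DANGER_LEVEL": 2,
    "EMAIL_ALERT_DANGER_LEVEL": 3,
    "EMAIL_LIMIT": 3,
    "DANGER_LEVELS": {1: 5, 2: 15, 3: 50, 4: 1500, 5: 10000},
}

# Fields psad reads from an iptables LOG line; DPT is absent for ICMP.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

def parse_line(line):
    """Return src/dst/proto/dpt from one kernel log line, or None if it is not an iptables LOG entry."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def danger_level(packets, levels):
    """Highest danger level whose packet-count threshold the source has reached (0 = none)."""
    return max((lvl for lvl, need in levels.items() if packets >= need), default=0)

class ScanTracker:
    """Simplified model of psad's per-source state: packets seen, ports hit, emails already sent."""
    def __init__(self, config):
        self.cfg, self.packets = config, defaultdict(int)
        self.ports, self.emails = defaultdict(set), defaultdict(int)

    def ingest(self, log_text):
        """Consume one batch of log lines; return (src, level, distinct_ports, emailed) per reported source."""
        for line in log_text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue
            self.packets[rec["src"]] += 1
            if rec["dpt"]:
                self.ports[rec["src"]].add(int(rec["dpt"]))
        alerts = []
        for src, count in self.packets.items():
            lvl = danger_level(count, self.cfg["DANGER_LEVELS"])
            if lvl < self.cfg["MIN_DANGER_LEVEL"]:
                continue  # below MIN_DANGER_LEVEL: not reported at all
            emailed = lvl >= self.cfg["EMAIL_ALERT_DANGER_LEVEL"] and self.emails[src] < self.cfg["EMAIL_LIMIT"]
            self.emails[src] += emailed  # EMAIL_LIMIT caps alerts per source IP
            alerts.append((src, lvl, len(self.ports[src]), emailed))
        return alerts

def sample_batch(n_ports, first_port=1):
    """Constructed log lines: one SYN per port from a scanning host, plus one benign web request."""
    host = "May 29 17:01:00 web1 kernel: IN=eth0 OUT= "
    lines = [host + f"SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT={40000 + p} DPT={p} SYN"
             for p in range(first_port, first_port + n_ports)]
    lines.append(host + "SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80 SYN")
    return "\n".join(lines)
```

Feeding the scanner's packets in batches shows the thresholds in order: 10 packets is below MIN_DANGER_LEVEL and stays silent, 20 packets is reported at level 2 without email, and the 50th packet crosses DANGER_LEVEL3 and triggers email until EMAIL_LIMIT is reached.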
