What automated intrusion notification/detection setup is good for home desktop use?

software-recommendation security firewall logs
6,221

Solution 1

A simple and effective general solution is to use logcheck.

sudo apt-get install logcheck
[edit /etc/logcheck/logcheck.conf to your liking]

logcheck periodically scans all the logs efficiently (starting where it left off last time), filters what it sees to eliminate anything considered normal, and optionally emails alerts with anything that doesn't match the normal/routine patterns.

The main idea is to watch-out for appearance of any serious entries in your log files, all of them, all the time, so you don't have to.

logcheck is highly configurable (man logcheck). You may configure everything, including:

  • frequency of checks
  • which log files are checked
  • what is considered normal vs not
  • where to email the alerts (abnormal events) to

and more. Your ignore (normal/routine) patterns reside in multiple files under /etc/logcheck/ignore.d.* and you may customize them to your needs; mainly you may want to add your own patterns to ignore. The default Ubuntu package comes with an extensive set of files with ignore patterns for many services already, so there's not much to add unless your system is unusual in what it runs. There are 3 sets of pre-configured ignore file profiles: ignore.d.workstation, ignore.d.server, and ignore.d.paranoid which you can pick from.

The main idea behind logcheck is that the various services running on a system, already log abnormal events. E.g. sshd or pam already log authentication failures. So the main missing components are:

  • filtering what's normal
  • The alerting service

Both of which are provided by logcheck in a convenient package. You may combine logcheck with any other logging. For example iptables can be configured to syslog any network connection attempts that are not explicitly allowed by adding the rules:

 iptables -A input -j LOG
 iptables -A input -j DROP

immediately after all the allow rules.

I find logcheck to be much more helpful than logwatch (suggested in other answers) because it comes pre-packaged with a very large number of rules to ignore what's considered normal activity. The result is a much higher signal/noise ratio in the alerts it emails. YMMV.

Another advantage of logcheck is that it is orthogonal to any service that logs, so there's no duplication of function. Whenever you add a new service which uses syslog to log events, abnormal or not, into any file under /var/log you start getting alerts for it automatically.

HOWTO:

Since logcheck already comes preconfigured, two lines at the top of this answer essentially cover all you need to get started. Just install it, and go over the top configuration file: /etc/logcheck/logcheck.conf to change your email address so logcheck emails alerts to you.

Here's a friendly reference going over the second step in more detail. Since Ubuntu is based on Debian, these instructions should work on Ubuntu too. Here is another good reference.

Once you install, the continuous improvement process starts. Over time, you refine your rules to ignore anything that you already know about and feel shouldn't be of concern. This refinement process is as simple as adding text lines to a file in your favorite text editor.

Each line in an ignore file is an extended regular expression (see man 7 regex), but you may use simple strings as long as they match the log line you want to ignore. Just remember that characters like *, ?, '+', [], () are special in a regular expression, so if they actually appear in the log lines, you would have to escape them with a backslash \ in the ignore files.

In other words: if you get an alert you don't want to get, look at the log line that was emailed to you, and add a pattern that matches it, as one line to any ignore file of your choice. I suggest using /etc/logcheck/ignore.d.<yourloglevel>/my-ignores as your personal ignore file. Where <yourloglevel> is one of paranoid, server, or workstation (as you've already selected in the main config file: /etc/logcheck/logcheck.conf). Look at the examples in other ignore files to see how to account for text that changes all the time like process-IDs, or time-stamps. There are lots of existing examples to learn from.

One last tip: logcheck comes with a little useful utility called logcheck-test which is very handy for testing new rules. man logcheck-test for details.

Solution 2

If you don't have a lot of systems on your network, setting up an IDS like Snort is probably overkill (especially if you don't have any network services on your machine). I suggest starting by configuring logwatch to send yourself a report of what's going on on your system. Once you have that up, configure your syslog so that you get as much relevant information as possible.

Solution 3

Intrusion detection is needed for sure when you run services (ftp, web, nfs, ssh etc) in your network. This is because they are exposed on the internet and due to :

  • miss-configuration
  • software vulnerabilities

they need daily monitoring by an experienced network administrator. If you run this services, you probably have already the minimum knowledge how to avoid this problems.

If you don't run any of this services, then your internet router firewall, has already blocked any incoming connection on ports. To scan your networks router

If you are all green, then you are all good.

Last but not least, probably your router has built-in Intrusion detection system (because 99% of all routers run a striped down linux server). For this, you must check the manual of your routers manufacturer.

Share:
6,221

Related videos on Youtube

irenicus09
Author by

irenicus09

Updated on September 18, 2022

Comments

  • irenicus09
    irenicus09 over 1 year

    I've been using Linux for quite a while now and I always feel the need to have a passive software / script setup which can alert me of any suspicious network activities like scans, failed login attempts, etc. on the fly via email or by visual/audio notifications.

    I know how to look up through logs and stuff but for the most part it is a manual, time consuming process. I'm looking for something that is semi/fully automated with some good log parsing capabilities.

    I'm aware of IDS systems for monitoring networks like Snort, etc. but they are an overkill for the average home user and a painful process to get up and running.

    What is a good option for me as a home user?

    • Nanne
      Nanne almost 11 years
      How do you define 'passive'? As in, something you run once in a while yourself to see if something fishy was going on?
  • irenicus09
    irenicus09 about 11 years
    Hello, thanks for your answer. It is quite insightful and I'm aware of everything that you're talking about. But my point is let's say I'm running various services on my system, how exactly do I track activities from a security perspective. I need a simple, easy to use solution as a home user and I think you avoided that part :)
  • irenicus09
    irenicus09 about 11 years
    Hello, I like your answer...but could you please share a bit more details on how to do that. Messing up with configurations can be quite tricky, especially for an inexperienced user. But I'd appreciate if you could point me towards an in depth guide for that. Thanks.
  • AndrewX192
    AndrewX192 about 11 years
    @irenicus09 I think this should be sufficient: How to setup Logwatch on Ubuntu-based systems
  • irenicus09
    irenicus09 almost 11 years
    thanks for the guide, I've successfully setup logwatch & I like it. For port scan monitor I've also setup portsentry and I'll be trying other tools and stuff before I finalise which one's the best for me :)
  • irenicus09
    irenicus09 almost 11 years
    Hi, I like the idea behind logcheck...can you please point me to an in depth guide for that? Thanks :)
  • arielf
    arielf almost 11 years
    @irenicus09: Just added howto section with an optional link for reference.
  • irenicus09
    irenicus09 almost 11 years
    Congratz on winning the bounty, very well written answer man. Thanks :)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What Firewall, anti DDOS and anti Brute-Force managers exist in Ubuntu
Help! My server has been hacked - .IptabLes and .IptabLex in /boot
How to configure UFW for a basic desktop / laptop?
GUI program to shred or wipe files with options to make sure they are unrecoverable?
I can't use ufw on WSL-Ubuntu
Why UFW has to be (re)started at boot time if it's only iptables rule manager?
How to disable internet for a user on a system
What GUI firewall manager should I use to replace Firestarter?
What rules to use for UFW?
"Successful su for user by root" - suspicious entries in my /var/log/auth.log?