Hi there dear Debian Gurus,
As a newcomer to the community, I'd like to drop my question to admins of servers:
Does anyone have solid references or recommendations for a good/common host-based intrusion detection system for Linux servers (Debian)?
Couldn't find much useful on this topic, so I'm dedicating this to the admins among you.
Is there a recommendation from someone with experience who has ideally used such systems? It would be helpful to see what HIDS are being used. Both use on individual web servers and in a cluster of servers would be of interest.
Would appreciate any feedback on this.
Best regards,
nifty
[Software] Recommendations for Host-based Intrusion Detection please
- Emeritus
Re: [Software] Recommendations for Host-based Intrusion Detection please
ChatGPT says
There are several reliable host-based intrusion detection systems (HIDS) available for Linux servers, including those compatible with Debian-based distributions. Here are a few popular options:
1. **OSSEC**: OSSEC (Open Source Security) is a widely used HIDS that offers file integrity checking, log monitoring, rootkit detection, and active response capabilities. It has a robust ruleset and can send alerts via email or integrate with other security tools.
2. **Tripwire**: Tripwire is a well-established HIDS that focuses on file integrity monitoring. It creates a cryptographic database of file attributes and regularly checks for changes, alerting administrators if any unauthorized modifications are detected.
3. **Suricata**: Although primarily known as an Intrusion Detection and Prevention System (IDPS), Suricata can also function as a HIDS. It offers network traffic analysis and can be configured to monitor host-level events and detect anomalies or suspicious activities.
4. **AIDE**: AIDE (Advanced Intrusion Detection Environment) is a lightweight and flexible HIDS that performs file integrity checking. It generates a database of file attributes and can compare it against the current state to identify any unauthorized changes.
5. **Samhain**: Samhain is another HIDS that focuses on file integrity monitoring. It provides extensive logging capabilities, rootkit detection, and support for centralized logging and reporting.
When selecting a HIDS, consider factors such as ease of installation and configuration, resource usage, community support, and integration capabilities with your existing security infrastructure. It's also recommended to regularly update the HIDS software and its rules/signatures to stay protected against new threats.
Remember to review the official documentation and websites for each tool to ensure compatibility and obtain the most up-to-date information.
- df -h | grep > 20TiB
Re: [Software] Recommendations for Host-based Intrusion Detection please
Oh FFS.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
- None1975
Re: [Software] Recommendations for Host-based Intrusion Detection please
I would recommend fail2ban and tripwire. These programs are in Debian repos.
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github
- kent_dorfman766
Re: [Software] Recommendations for Host-based Intrusion Detection please
In the times when I've needed or cared about such things I used tripwire. You probably also want to install and use the chkrootkit package to compare system binaries and services against expected results. It sometimes produces false positives, but it's probably better to see those and investigate further.