[Software] Recommendations for Host-based Intrusion Detection please

niftyfifty
Posts: 1
Joined: 2023-05-22 08:41

[Software] Recommendations for Host-based Intrusion Detection please

#1 Post by niftyfifty »

Hi there dear Debian Gurus,

As a newcomer to the community, I'd like to drop my question to admins of servers:
Does anyone have solid references or recommendation for a good/common host-based intrusion detection system for Linux servers (Debian)?
Couldn't find much useful on this topic, so I'm dedicating this to the admins among you.
Is there a recommendation from someone with experience who has ideally used such systems? It would be helpful to see what HIDS are being used. Both use on individual web servers and in a cluster of servers would be of interest.
Would appreciate any feedback on this.

Best regards,
nifty

arochester
Emeritus
Posts: 2435
Joined: 2010-12-07 19:55
Has thanked: 14 times
Been thanked: 54 times

Re: [Software] Recommendations for Host-based Intrusion Detection please

#2 Post by arochester »

ChatGPT says
There are several reliable host-based intrusion detection systems (HIDS) available for Linux servers, including those compatible with Debian-based distributions. Here are a few popular options:

1. **OSSEC**: OSSEC (Open Source Security) is a widely used HIDS that offers file integrity checking, log monitoring, rootkit detection, and active response capabilities. It has a robust ruleset and can send alerts via email or integrate with other security tools.

2. **Tripwire**: Tripwire is a well-established HIDS that focuses on file integrity monitoring. It creates a cryptographic database of file attributes and regularly checks for changes, alerting administrators if any unauthorized modifications are detected.

3. **Suricata**: Although primarily known as an Intrusion Detection and Prevention System (IDPS), Suricata can also function as a HIDS. It offers network traffic analysis and can be configured to monitor host-level events and detect anomalies or suspicious activities.

4. **AIDE**: AIDE (Advanced Intrusion Detection Environment) is a lightweight and flexible HIDS that performs file integrity checking. It generates a database of file attributes and can compare it against the current state to identify any unauthorized changes.

5. **Samhain**: Samhain is another HIDS that focuses on file integrity monitoring. It provides extensive logging capabilities, rootkit detection, and support for centralized logging and reporting.

When selecting a HIDS, consider factors such as ease of installation and configuration, resource usage, community support, and integration capabilities with your existing security infrastructure. It's also recommended to regularly update the HIDS software and its rules/signatures to stay protected against new threats.

Remember to review the official documentation and websites for each tool to ensure compatibility and obtain the most up-to-date information.
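The file-integrity approach that Tripwire, AIDE and Samhain share in the list above (record each file's attributes and a cryptographic digest in a database, later rebuild it and compare) is easy to see in miniature. The following is an added example written for this thread, not code from any of those projects: it baselines a small constructed tree in a temporary directory, simulates the kinds of change an admin would want flagged, and reports what differed. The tree layout, file contents and the `baseline.json` path are all assumptions made up for the demonstration.

```python
"""Toy file-integrity checker in the style of AIDE/Tripwire (added example).

Two phases: build a baseline of per-path attributes plus SHA-256 digests,
later rebuild it and diff the two, reporting added, removed and modified
paths. Everything below runs against a constructed temporary tree.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes worth alerting on for one path (lstat, so symlinks are not followed)."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        rec["size"] = st.st_size
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a redirected symlink is a change too
    # Directory sizes are deliberately not recorded: they vary by filesystem.
    return rec


def build_baseline(root: Path) -> dict:
    """Walk root and record every directory, file and symlink below it."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            db[p.relative_to(root).as_posix()] = file_record(p)
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; modified paths map to the attributes that changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(db: dict, dest: Path) -> None:
    """Persist the baseline. A real deployment keeps this read-only or off-host,
    since anyone who can rewrite it can hide any later change."""
    dest.write_text(json.dumps(db, sort_keys=True, indent=1))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"  # constructed stand-in for a real filesystem
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        ls = root / "bin" / "ls"
        ls.write_bytes(b"#!/bin/sh\necho original\n")
        ls.chmod(0o755)
        passwd = root / "etc" / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        passwd.chmod(0o644)
        shadow = root / "etc" / "shadow"
        shadow.write_text("root:*:19000:0:99999:7:::\n")
        shadow.chmod(0o640)

        db_path = Path(tmp) / "baseline.json"  # assumed location, demo only
        save_baseline(build_baseline(root), db_path)

        # Simulated changes: same-size content edit (only the digest catches it),
        # a permission change, a new file and a deleted file.
        ls.write_bytes(b"#!/bin/sh\necho tampered\n")
        passwd.chmod(0o666)
        (root / "bin" / "ps").write_bytes(b"not the real ps\n")
        shadow.unlink()

        return compare(load_baseline(db_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it prints a report with `bin/ps` added, `etc/shadow` removed, `bin/ls` modified only in its `sha256` (the replacement script is the same length, so size alone would not have caught it) and `etc/passwd` modified in `mode`. The production tools add what this toy omits: inode, link count, mtime/ctime, a choice of digests, per-directory rules about which attributes matter, and a signed or off-host database.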

steve_v
df -h | grep > 20TiB
Posts: 1400
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 79 times
Been thanked: 175 times

Re: [Software] Recommendations for Host-based Intrusion Detection please

#3 Post by steve_v »

arochester wrote (2023-05-22 17:08): ChatGPT says
Oh FFS. :roll:
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

None1975
df -h | participant
Posts: 1389
Joined: 2015-11-29 18:23
Location: Russia, Kaliningrad
Has thanked: 45 times
Been thanked: 66 times

Re: [Software] Recommendations for Host-based Intrusion Detection please

#4 Post by None1975 »

I would recommend fail2ban and tripwire. These programs are in Debian repos.
OS: Debian 12.4 Bookworm / DE: Enlightenment
Debian Wiki | DontBreakDebian, My config files on github

kent_dorfman766
Posts: 535
Joined: 2022-12-16 06:34
Location: socialist states of america
Has thanked: 57 times
Been thanked: 70 times

Re: [Software] Recommendations for Host-based Intrusion Detection please

#5 Post by kent_dorfman766 »

In the times when I've needed or cared about such things I used tripwire. You probably also want to install and use the chkrootkit package to compare system binaries and services against expected results. It sometimes produces false positives but probably better to see those and investigate further.
