Debian GNU/Linux includes tools for intrusion detection, which is the practice of detecting inappropriate or malicious activity on your local system, or other systems in your private network. This kind of defense is important if the system is very critical or you are truly paranoid. The most common approaches to intrusion detection are statistical anomaly detection and pattern-matching detection.
これらの道具を導入することによってシステムのセキュリティを本当に 向上させるためには、警告と応答を組みあわせたしくみが必要であることにいつも 注意してください。よってだれにも警告する気がないなら侵入検知を使わないように しましょう (つまり、あとで使う予定のないものを設定するのに時間をむだに 使わないようにしましょう)。
When a particular attack has been detected, most intrusion detection tools will either log the event with syslogd
or send e-mail to the root user (the mail recipient is usually configurable). An administrator has to properly configure the tools so that false positives do not trigger alerts. Alerts may also indicate an ongoing attack and might not be useful, say, one day later, since the attack might have already succeeded. So be sure that there is a proper policy on handling alerts and that the technical mechanisms to implement this policy are in place.
Network based intrusion detection tools monitor the traffic on a network segment and use this information as a data source. Specifically, the packets on the network are examined, and they are checked to see if they match a certain signature.
snort is a flexible packet sniffer or logger that detects attacks using an attack signature dictionary. It detects a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more.
snort
also has real-time alerting capability. You can use
snort
for a range of hosts on your network as well as for your own host. This is a tool which should be installed on every router to keep an eye on your network. Just install it with
apt-get install snort
, follow the questions, and watch it log. For a little broader security framework, see
http://www.prelude-ids.org.
Debian の Snort は必要かもしれない多くのセキュリティチェックが有効になって います。しかし、あなたのシステムで動いている特定のサービスを考慮して 設定をカスタマイズするべきです。これらのサービスに特有の追加のチェックを 検索したいかもしれません。
There are other, simpler tools that can be used to detect network attacks. portsentry is an interesting package that can tip you off to port scans against your hosts. Other tools like ippl or iplogger will also detect some IP (TCP and ICMP) attacks, even if they do not provide the kind of advanced techniques snort
does.
You can test any of these tools with the Debian package idswakeup, a shell script which generates false alarms, and includes many common attack signatures.
Host based intrusion detection involves loading software on the system to be monitored which uses log files and/or the systems auditing programs as a data source. It looks for suspicious processes, monitors host access, and may even monitor changes to critical system files.
tiger is an older intrusion detection tool which has been ported to Debian since the Woody branch. tiger
provides checks of common issues related to security break-ins, like password strength, file system problems, communicating processes, and other ways root might be compromised. This package includes new Debian-specific security checks including: MD5sums checks of installed files, locations of files not belonging to packages, and analysis of local listening processes. The default installation sets up tiger
to run each day, generating a report that is sent to the superuser about possible compromises of the system.
ファイルシステムの完全性チェッカー (
第 4.17.3 節「ファイルシステムの完全性を確かめる」 をごらんください)の ようなサイト上の監査ツールも安全な環境での異常を検知するのにとても 便利でしょう。有効な侵入はローカルのセキュリティポリシーを出し抜く、トロイの 木馬をインストールする、ユーザを作るなどの目的でほぼ確実にローカルの ファイルシステム中のファイルを変更します。これらのできごとは完全性チェッカーで 検知できます。
logcheck、
portsentry や ファイルシステムの完全性チェッカー (
第 4.17.3 節「ファイルシステムの完全性を確かめる」 をごらんください)の ようなサイト上の監査ツールも安全な環境での異常を検知するのにとても 便利でしょう。