simon-dreher.de

This article is the result of some synergy effects: I had a lecture in university, where a fellow student and I had to hold a talk about 'Logging, Forensics & Honeypots'. For this we researched and tested many tools and now that I already learned about them, I thought to share it with everyone on the internet.

Basics

First of all there are the usual basics you always should check:

Logs

In articles on how to harden linux you can often read that you should read the logs. But to be honest: How often do you take the time to read all the thousands of log messages that pile up every day? Right, you never do. Therefore you should use some kind of log aggregator. Thats a little program that reads your logfiles, throws the unimportant messages out and summarizes the rest. For this I personally use logwatch, an often used alternative is logcheck. For logwatch there is an excellent german description on ubuntuusers or an english version by DigitalOcean. Usually you configure it to send you an email with the summary every day and then you just have to look that through every day, which is just a minute of work. logcheck works a bit differently: it doesn't summarize your logs but sends you the log lines which look unexpected or suspicious.

Additionally I find it useful to get an information as soon as someone logs in via ssh. Most simply you can use a little script in the bashrc or similar to send an email on every login, as shown here (german) by Charly Kühnast.

Also to this category belongs fail2ban. It looks into log files and bans users with too much authentication failures. It delivers filter for nearly every popular software out of the box and is pretty easy to configure. There are many tutorials available on the internet.

IDS/IPS

The biggest part in our talk was the use of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). In general they try to supervise the system or the network and try to detect attecks (IDS) or even react to them in order to mitigate them (IPS). The problem with them is that most are very complex to configure or they spam you with false positives. We tried a few of them, but for my use case (one up to maybe five machines) it is too much of a hassle.

If you have a whole network to protect, snort looks like the tool you want, but I personally have no experience with it, since I have just some servers in different places and no network.

An example for a more simple hostbased IDS is tripwire: It monitors the integrity of your files. For this you configure which files it should watch, it generates hashes of them, stores them cryptographically secure (for which you generate a password that you shouldn't forget...) and then it checks with every run if the hashes changed. It's pretty simple to use: just install, uncomment some directories, start the initial run and add a cronjob that informs you regularly. Only downside is, it doesn't know how logrotate works, so you can't let it check /var/log.

For bigger scenarios you might want to look at OSSEC, it also features rootkit detection and advanced monitoring. Additionally you can integrate it with splunk, but for my use case it would have been overkill.

Honeypots

Honeypots are a very interesting and funny thing. Basically they simulate a vulnerable host and protocol everything an attacker tries to do. If you like to see, what script kiddies try to do to your server you can for example run kippo, a very simple honeypot implemented in Python, or it's improved fork cowrie. I only used kippo, but based on my attackers the added sftp support of cowrie would have been very useful ;-)

But be warned: I wouldn't trust the honeypot to be 100% secure, so don't use it on your production machine or at least separate it in a virtual machine.

Final words

As always, but in this case especially, feedback is very much appreciated! Surely I missed some great tool and I'm always eagerly to know more of them, so just send me an email.

And last but not least: If you have, don't forget to secure the weakest link: your users ;-)