Re: Light weight IDSes and then some
George P Boutwell wrote:
> ...
>>> 1) What are some projects/software for light IDS, specifically file checksum/change control. I plan on doing the MD5 checksum floppy as described in the Securing How-To, but then I want software that does that and e-mails my admin user whenever checksums and permissions change.
>>
>> I'm using AIDE and am very happy with it.
>
> The Security Debian How-To mentions Tripwire. Looking at AIDE and Tripwire in the Debian package repositories it's hard to tell the difference. I'm sure they both do the job; can anyone with experience with both these packages describe some of the pros and cons of each?

My personal opinion is that they both suck in different ways: Tripwire for its extreme verbosity and difficulty to update, and AIDE for its lack of database signing and lack of granularity on database updates (you can't update part of the database without manually editing the whole thing). Someone please correct me if I'm missing something that might overcome these difficulties - they've been driving me to despair for quite some time...

--
Paul
http://paulgear.webhop.net
--
Did you know? Email viruses spread using addresses they find on the host computer. You can help to reduce the spread of these viruses by using Bcc: instead of To: on mass mailings, or using mailing list software such as mailman (http://www.list.org/) instead.
Re: Light weight IDSes and then some
On 2005-07-15 @ 11:58:26 (week 28) George P Boutwell wrote:
> The Security Debian How-To mentions Tripwire. Looking at AIDE and Tripwire in the Debian package repositories it's hard to tell the difference. I'm sure they both do the job; can anyone with experience with both these packages describe some of the pros and cons of each?

I am gonna make things even more difficult for you... `;-)

I chose samhain over both for my systems because it has some nice features I preferred to have, like signing of the config and database files and elaborate logging facilities. Here's a link to a comparison: http://www.la-samhna.de/library/scanners.html. This page was written by the author of samhain, but seems to be reasonably unbiased.

It is in the repository, so a simple apt-get install (or nowadays wajig install for me) will let you try it out.

Mind you, if you had to regularly check a lot of systems I might still choose commercial Tripwire because of its good central maintenance capabilities. The only drawback to that is that those administration tools were only available for that other OS the last time I set up a large environment with it (which was not too recently).

Grx HdV

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Light weight IDSes and then some
George P Boutwell wrote:
> 3) I'd like to provide some limited SFTP (SSH FTP) mechanisms for select individuals; for these I would really like to do away with the shell, but I haven't found a way. How can I provide a shell-less SFTP or severely restricted SFTP service for these people?

I would look into using scponly, http://www.sublimation.org/scponly/.

-thh
Re: Light weight IDSes and then some
On 7/15/05, Alec Berryman [EMAIL PROTECTED] wrote:
> OpenBSD places all of the user's public_html directories under the Apache chroot. I've found it no hassle to put a symlink in the user's directory, but then again I wasn't doing quotas.

Alec,

Thanks for the suggestion. I had thought of this, but I wondered if there might be a way to abuse the symlink to break out of the chroot jail. I understand that would be more so if the symlink were the other way (from the chroot back to the user's home dir), but I don't know about from the user's home dir to the chroot?

--
George
Re: Light weight IDSes and then some
George P Boutwell on 2005-07-15 10:56:48 -0500:
> On 7/15/05, Alec Berryman [EMAIL PROTECTED] wrote:
>> OpenBSD places all of the user's public_html directories under the Apache chroot. I've found it no hassle to put a symlink in the user's directory, but then again I wasn't doing quotas.
>
> Alec,
>
> Thanks for the suggestion. I had thought of this, but I wondered if there might be a way to abuse the symlink to break out of the chroot jail. I understand that would be more so if the symlink were the other way (from the chroot back to the user's home dir), but I don't know about from the user's home dir to the chroot?

Let me clarify what I said: the directory which holds the content accessible under http://www.example.com/~user/ is physically located under the chroot, and a symlink to that directory is placed in the user's home directory. Neither the user's home directory nor the symlink is under the chroot; you don't have to worry about your machine being compromised through that symlink.

Doing the setup the other way around (with the symlink under the chroot and the directory outside the chroot) would not work - the program in the chroot would follow the symlink relative to the chroot and end up somewhere other than the intended directory (most likely nowhere).
Re: Light weight IDSes and then some
On 7/15/05, Alec Berryman [EMAIL PROTECTED] wrote:
> Let me clarify what I said: the directory which holds the content accessible under http://www.example.com/~user/ is physically located under the chroot, and a symlink to that directory is placed in the user's home directory. Neither the user's home directory nor the

Yes, that is how I understood it.

> symlink is under the chroot; you don't have to worry about your machine being compromised through that symlink.

Hmm. Ok. The alternative is the mount --bind that someone mentioned earlier...

> Doing the setup the other way around (with the symlink under the chroot and the directory outside the chroot) would not work - the program in the chroot would follow the symlink relative to the chroot and end up somewhere other than the intended directory (most likely nowhere).

Never thought of it that way... Of course I don't deal a whole lot with symlinks directly if I can help it.

--
George
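The layout Alec describes, as an added example that is not part of the thread and not OpenBSD's or Debian's own scripts: the real public_html is created beneath the Apache chroot, the user's home gets only a symlink into it, and a check confirms the link really resolves inside the jail. The third function shows why the reverse arrangement fails: a symlink inside the jail with an absolute target is resolved beneath the jail root. The JAIL/home/USER/public_html path and the function names are assumptions for the example; adjust them to your own chroot layout.

```shell
#!/bin/sh
# Added example of the layout Alec describes: the real public_html lives
# under the Apache chroot, the user's home holds only a symlink to it.
# Not OpenBSD's or Debian's scripts; paths (JAIL/home/USER/public_html)
# are assumptions to adjust to your own chroot layout.

# make_userdir JAIL USER HOME
# Creates $JAIL/home/$USER/public_html and points $HOME/public_html at it.
make_userdir() {
    jail=$1; user=$2; home=$3
    real="$jail/home/$user/public_html"
    # adduser may already have created a real ~/public_html; refuse to
    # silently drop a link inside it.
    if [ -d "$home/public_html" ] && [ ! -L "$home/public_html" ]; then
        echo "$home/public_html is a directory; move its contents to $real first" >&2
        return 1
    fi
    mkdir -p "$real"
    # Ownership only matters (and only works) when run as root.
    if [ "$(id -u)" -eq 0 ]; then chown "$user" "$real"; fi
    # The link points from the home INTO the jail.  Apache, whose / is
    # $jail, never sees it; only the user's shell or SFTP session does.
    ln -sfn "$real" "$home/public_html"
}

# check_userdir JAIL HOME  -> 0 if $HOME/public_html is a symlink that
# resolves to somewhere beneath JAIL, 1 otherwise (missing, not a link,
# or pointing outside the jail).
check_userdir() {
    jail=$(readlink -f "$1") || return 1
    link="$2/public_html"
    [ -L "$link" ] || return 1
    target=$(readlink -f "$link") || return 1
    case "$target" in
        "$jail"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# resolve_in_chroot JAIL LINK  -> the path a process chrooted into JAIL
# reaches when it follows LINK (a symlink inside the jail).  An absolute
# target is looked up beneath JAIL, which is why a link placed inside the
# jail pointing at /home/user1/public_html ends up at
# $JAIL/home/user1/public_html, not at the real home directory.
resolve_in_chroot() {
    jail=$1; link=$2
    target=$(readlink "$link") || return 1
    case "$target" in
        /*) printf '%s\n' "$jail$target" ;;
        *)  printf '%s\n' "$(dirname "$link")/$target" ;;
    esac
}
```

Two practical notes. Inside the jail, Apache's UserDir directive has to name the path as seen from the jail, and the form with an asterisk (`UserDir /home/*/public_html`) substitutes the user name without a passwd lookup, which there is no /etc/passwd inside the jail to serve; that is my reading of mod_userdir, check it against your Apache version. If disk quotas on the home filesystem matter, the bind-mount route George mentions keeps the files in the real home instead: `mount --bind /home/user1/public_html /var/chroot/apache/home/user1/public_html`, with a matching `bind` entry in /etc/fstab so it survives a reboot.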
Re: Light weight IDSes and then some
On 7/14/05, DI Peter Burgstaller [EMAIL PROTECTED] wrote:
>> 1) What are some projects/software for light IDS, specifically file checksum/change control. I plan on doing the MD5 checksum floppy as described in the Securing How-To, but then I want software that does that and e-mails my admin user whenever checksums and permissions change.
>
> I'm using AIDE and am very happy with it.

The Security Debian How-To mentions Tripwire. Looking at AIDE and Tripwire in the Debian package repositories it's hard to tell the difference. I'm sure they both do the job; can anyone with experience with both these packages describe some of the pros and cons of each?

--
George
Re: Light weight IDSes and then some
On Fri, Jul 15, 2005 at 11:58:26AM -0500, George P Boutwell wrote:
> The Security Debian How-To mentions Tripwire. Looking at AIDE and Tripwire in the Debian package repositories it's hard to tell the difference. I'm sure they both do the job; can anyone with experience with both these packages describe some of the pros and cons of each?

Simple introduction to both aide and integrit: http://www.debian-administration.org/articles/49

It doesn't mention tripwire, which is a shame. But I'll try to update it later.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
Re: Light weight IDSes and then some
Quoting George P Boutwell ([EMAIL PROTECTED]):
> The Security Debian How-To mentions Tripwire. Looking at AIDE and Tripwire in the Debian package repositories it's hard to tell the difference. I'm sure they both do the job; can anyone with experience with both these packages describe some of the pros and cons of each?

I can offer: http://linuxgazette.net/issue98/moen.html
Light weight IDSes and then some
Hello,

I currently have a Woody NAT/Firewall machine that provides internet to my home LAN. In addition to that it provides Web proxy and Web serving (mainly for a few pages for my family and friends). It's been running nicely for several years now. Last year I had 2 cases where I had near misses on being compromised.

I've gotten a new box and I'm planning and preparing it to replace my existing Woody with Sarge on this new box. I'm trying to plan a somewhat hardened and more secure installation this time to better handle the possible compromises I nearly came to face last year. I have some questions and help that I need.

Goal: To provide an Internet Connection NAT/Firewall, with (Squid) Transparent Proxy, DNS Caching, Apache, and SSH (i.e. replace and maybe enhance a little the current box).

Questions:

I'm going to follow the Debian How-To on Securing Debian, which so far has been extremely helpful in seeing some things I can do when I get that 'oh my, I've been compromised' feeling, how do I verify it ain't so.

1) What are some projects/software for light IDS, specifically file checksum/change control. I plan on doing the MD5 checksum floppy as described in the Securing How-To, but then I want software that does that and e-mails my admin user whenever checksums and permissions change.

2) Apache or cgi-bins I use were the cause of my closest-to-being-compromised situations. If I set up Apache, PHP, CGIs, etc. in a chroot jail, how can I still provide a /~username/ type set-up, as I have at least 2 situations where I rely heavily on that? As near as I can tell this is not covered in any of the Apache chroot information I've read.

3) I'd like to provide some limited SFTP (SSH FTP) mechanisms for select individuals; for these I would really like to do away with the shell, but I haven't found a way. How can I provide a shell-less SFTP or severely restricted SFTP service for these people?

Any help or suggestions, especially software or packages that I should research during my planning, would be greatly appreciated.

Thanks,
--
George
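A minimal version of what question 1 asks for, added here as an example and not taken from the thread (it is not AIDE, Tripwire or samhain code): a snapshot of checksum, mode, owner and group for every regular file under a tree, a comparison against a stored baseline that reports added, removed and changed files, and a cron-friendly wrapper that mails the admin only when something differs. It assumes GNU coreutils (sha256sum, `stat -c`) and a working mail(1); the function names and the record format are made up for the example.

```shell
#!/bin/sh
# Added example: a minimal file-integrity monitor in the spirit of the
# question above.  Not AIDE/Tripwire/samhain code.  Assumes GNU coreutils
# (sha256sum, stat -c) and, for fic_report, a working mail(1).
# Record format, one regular file per line:
#   <path>TAB<octal mode> <owner> <group>TAB<sha256>
# Filenames containing tabs or newlines would corrupt the format; the real
# tools handle that, this sketch does not.

# fic_snapshot DIR  -> prints the snapshot of every regular file under DIR
fic_snapshot() {
    find "$1" -xdev -type f -exec sh -c '
        for f in "$@"; do
            printf "%s\t%s\t%s\n" "$f" \
                "$(stat -c "%a %U %G" "$f")" \
                "$(sha256sum < "$f" | cut -d" " -f1)"
        done' sh {} + | sort
}

# fic_check BASELINE DIR  -> prints ADDED/REMOVED/CHANGED lines and returns
# 1 if anything differs from the stored baseline, 0 if the tree is unchanged.
fic_check() {
    baseline=$1
    current=$(mktemp) || return 2
    fic_snapshot "$2" > "$current"
    changes=$(awk -v B="$baseline" '
        BEGIN { FS = "\t" }
        FILENAME == B { base[$1] = $2 "\t" $3; next }
        {
            cur = $2 "\t" $3
            if (!($1 in base)) { print "ADDED\t" $1; next }
            if (base[$1] != cur) print "CHANGED\t" $1 "\t(" base[$1] " -> " cur ")"
            delete base[$1]
        }
        END { for (p in base) print "REMOVED\t" p }
    ' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# fic_report BASELINE DIR RCPT  -> for cron: mail RCPT only when something
# changed.  The baseline (and ideally this script, sha256sum and stat) should
# live on read-only media such as the How-To's floppy: an intruder with root
# can otherwise regenerate the baseline to match the tampered tree.
fic_report() {
    if ! out=$(fic_check "$1" "$2"); then
        printf '%s\n' "$out" |
            mail -s "integrity changes on $(hostname): $2" "$3"
        return 1
    fi
}
```

Typical use is `fic_snapshot /usr /etc > /media/floppy/baseline` once after installation, then `fic_report /media/floppy/baseline /usr admin@localhost` from cron. The mode/owner/group field is what turns a plain checksum list into the permission monitor the question asks for; a chmod alone shows up as CHANGED even though the hash is identical.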
Re: Light weight IDSes and then some
On 7/14/05, DI Peter Burgstaller [EMAIL PROTECTED] wrote:
> I'm using AIDE and am very happy with it.

Thanks, I'll look into it.

>> 2) Apache or cgi-bins I use were the cause of my closest-to-being-compromised situations. If I set up Apache, PHP, CGIs, etc. in a chroot jail, how can I still provide a /~username/ type set-up, as I have at least 2 situations where I rely heavily on that? As near as I can tell this is not covered in any of the Apache chroot information I've read.
>
> I don't really see the problem with /~username/ in a chroot environment. You can loopback mount if you need those homes somewhere else as well.

Well.. Currently if I add a user, say user1... He gets a public_html directory added to his /home/user1 directory. If he sets up an index file of some kind in that directory the URL http://myserver/~user1/ gives him that index file... How could I still provide a ~/public_html directory in the user's 'home' and still have Apache serve it up from a chroot?

>> 3) I'd like to provide some limited SFTP (SSH FTP) mechanisms for select individuals; for these I would really like to do away with the shell, but I haven't found a way. How can I provide a shell-less SFTP or severely restricted SFTP service for these people?
>
> If you already have apache on that machine, why not run webdav on apache-ssl and you won't need shell accounts

Hmm... I'll have to think about that... However SSH is the main way that I admin my machine (it's basically headless - my woody one has been so reliable :) ) and it has some really nice FTP-like tools that support it (like FileZilla).

Thanks Peter for your comments, recommendations, etc.

--
George
Re: Light weight IDSes and then some
George P Boutwell wrote:
> ...

It looks as though you've gotten at least one other reply, but I've not seen it/them (yet).

> 3) I'd like to provide some limited SFTP (SSH FTP) mechanisms for select individuals; for these I would really like to do away with the shell, but I haven't found a way. How can I provide a shell-less SFTP or severely restricted SFTP service for these people?

To provide the type of access you're talking about above, I use scponly http://www.sublimation.org/scponly/ version 4.1 available on the site, 4.0.2 is in unstable. Chrootable, easily configured for multiple users, quite handy. The man pages and README are required if you want it set up right, though.

best,
.brian

--
Brian Bilbrey : http://www.orbdesigns.com/
Kirk to Enterprise -- beam down yeoman Rand and a six-pack.
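Once the SFTP-only accounts have been switched to scponly as Brian and thh suggest, the thing worth verifying is that they actually ended up shell-less. The following is an added example, not scponly's own tooling: it reads a passwd file and a shells file (pass /etc/passwd and /etc/shells on the box itself), confirms that the restricted shell is registered in /etc/shells as scponly's README asks, and reports any listed user who is missing or still has a real shell. The sample passwd in `demo_audit` is constructed for the example.

```shell
#!/bin/sh
# Added example, not scponly's own tooling: after moving accounts to a
# restricted shell, verify that they really have it and that the shell is
# registered in /etc/shells (scponly's README asks for that so tools such
# as chsh accept it).  Reads the passwd/shells files you hand it, so it can
# run against /etc/passwd and /etc/shells or against copies.

# audit_sftp_only PASSWD SHELLS RESTRICTED_SHELL USER...
# Prints one line per finding (SHELL_NOT_REGISTERED, HAS_SHELL, NO_ACCOUNT)
# and returns 1 if there was any, 0 if every listed user is shell-less.
audit_sftp_only() {
    passwd=$1; shells=$2; rshell=$3; shift 3
    rc=0
    if ! grep -qxF "$rshell" "$shells"; then
        echo "SHELL_NOT_REGISTERED $rshell not listed in $shells"
        rc=1
    fi
    for u in "$@"; do
        # passwd fields: name:passwd:uid:gid:gecos:home:shell
        shell=$(awk -F: -v u="$u" '$1 == u { print $7; found = 1 }
                                    END { if (!found) print "__MISSING__" }' "$passwd")
        case "$shell" in
            __MISSING__) echo "NO_ACCOUNT $u"; rc=1 ;;
            "$rshell")   ;;                     # as intended
            *)           echo "HAS_SHELL $u $shell"; rc=1 ;;
        esac
    done
    return $rc
}

# demo_audit  -> runs the audit over a constructed passwd/shells pair:
# alice is correctly restricted, bob still has bash, carol does not exist,
# and scponly is not yet in the shells file.  Returns the audit's status.
demo_audit() {
    d=$(mktemp -d) || return 2
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/bin/scponly
bob:x:1002:1002::/home/bob:/bin/bash
EOF
    printf '/bin/sh\n/bin/bash\n' > "$d/shells"
    audit_sftp_only "$d/passwd" "$d/shells" /usr/bin/scponly alice bob carol
    status=$?
    rm -rf "$d"
    return $status
}
```

Run `audit_sftp_only /etc/passwd /etc/shells /usr/bin/scponly user1 user2` after each account change; silence means every named user has exactly the restricted shell. The Debian package path for the binary is an assumption here, so check `which scponly` (or `scponlyc` if you use the chrooted variant Brian mentions) before wiring the path into the call.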
Re: Light weight IDSes and then some
George P Boutwell on 2005-07-14 18:02:40 -0500:
>>> 2) Apache or cgi-bins I use were the cause of my closest-to-being-compromised situations. If I set up Apache, PHP, CGIs, etc. in a chroot jail, how can I still provide a /~username/ type set-up, as I have at least 2 situations where I rely heavily on that? As near as I can tell this is not covered in any of the Apache chroot information I've read.
>>
>> I don't really see the problem with /~username/ in a chroot environment. You can loopback mount if you need those homes somewhere else as well.
>
> Well.. Currently if I add a user, say user1... He gets a public_html directory added to his /home/user1 directory. If he sets up an index file of some kind in that directory the URL http://myserver/~user1/ gives him that index file... How could I still provide a ~/public_html directory in the user's 'home' and still have Apache serve it up from a chroot?

OpenBSD places all of the user's public_html directories under the Apache chroot. I've found it no hassle to put a symlink in the user's directory, but then again I wasn't doing quotas.