Intrusion Detection and Prevention - HELP!!!

I’ve been running a 13.2 system with the OSS Firewall as my router. I am very satisfied, but I see that someone is trying to connect as ‘root’ from different IP addresses. So I thought an IDPS would be the perfect solution. Unfortunately, I’ve looked at both Snort and Suricata; I think I prefer Suricata, but there is no official package.

Reading further, I see references that AppArmor is an IPDS. But I can’t find any information on how to use AppArmor as such; I see profiles for programs on a server, but they appear to be all local. I need a network IPDS that will help prevent sneak attacks or attempts to login.

I may be misunderstanding how AppArmor works, if it is indeed a network IPDS. Can someone help explain please?

Also, if you are using OSS as your firewall/router, how are you handling IPDS?

Tas

On 11/15/2015 12:16 PM, 70tas wrote:
>
> I’ve been running a 13.2 system with the OSS Firewall as my router. I
> am very satisfied, but I see that someone is trying to connect as ‘root’
> from different IP addresses. So I thought an IDPS would be the perfect
> solution. Unfortunately, I’ve looked at both Snort and Suricata; I
> think I prefer Suricata, but there is no official package.

Before doing that, run nmap on your machine's IP and check the ports it
shows. If there are any services that are running on their default port
but can still work if you change them, change them! (ssh for example)

Also, while not a full IDS/IPS, iptables is very flexible and you can
use it to do a lot of fancy traffic management. This includes “port
knocking” as well as dropping packets from IPs after a certain amount of
bad traffic. Look into some fancy ssh iptables config files people have
posted online, they should give you a good start.

> Reading further, I see references that AppArmor is an IPDS. But I can’t
> find any information on how to use AppArmor as such; I see profiles
> for programs on a server, but they appear to be all local. I need a
> network IPDS that will help prevent sneak attacks or attempts to login.
>
> I may be misunderstanding how AppArmor works, if it is indeed a network
> IPDS. Can someone help explain please?

Apparmor blocks or allows programs access to resources (not just files);
it is basically a very granular control over permissions. To create an
apparmor profile for a program you run “aa-genprof /path/to/program”,
then once you finish with the generator, try to run the program. It will
likely fail because apparmor is blocking a lot of things it needs. At
this point run “aa-logprof” and follow the prompts. Then try to run the
program again and if it fails, repeat the logprof step.

The issue with making your own profiles is that it's hard to know what a
program actually needs access to.

> Also, if you are using OSS as your firewall/router, how are you handling
> IPDS?
>
> Tas

As I mentioned above, iptables is pretty good :)

Another program I encourage you to use is wireshark. It will show you
just what type of traffic you are receiving on an interface so you can
see how people are trying to access.


openSUSE Leap (42.1) 64 bit
Plasma 5

If those connections are to the ssh server:

  1. disable root login
  2. use (if possible) only authentication via ssh keys protected with a passphrase

Should you be forced to use traditional PAM authentication (username + password), consider using some additional protection. I had the same requirements and ended up coding my anti-bruteforce PAM module:
https://code.launchpad.net/~lorenzodes/pamhblist/development

AFAIK AppArmor isn’t likely what you’re looking for. It’s not really an IDS/IPS but is more a system hardening system, applying security configuration by policy.

What is the attack vector?
If they’re trying to login through SSH, you can implement Fail2Ban (there are others), which tracks failed login attempts and, when a threshold is reached, blacklists the source IP address.

If you’re trying to set up IDS/IPS on a bastion server, then a proxy server like Snort can do what you want… like Fail2Ban, there are scripts to blacklist source IP addresses when a number of failed logins are logged.

Whichever solution you choose, I recommend you take a look at the architecture: the lower on the application and networking stack you can block, the fewer resources your machine will use.

TSU
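The threshold-then-blacklist logic TSU describes for Fail2Ban (and the "drop packets from IPs after a certain amount of bad traffic" idea from the earlier iptables reply), as an added example that is not code from any post in this thread or from Fail2Ban itself: it scans sshd log lines for failed logins, counts them per source IP inside a sliding time window, and renders the iptables rule a ban action would add. The log lines, hostname and addresses are constructed; the `maxretry`/`findtime` names mirror Fail2Ban's jail options but the code is an independent illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (as openSUSE writes them to /var/log/messages).
# Addresses are from RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov 15 12:01:03 router sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Nov 15 12:01:05 router sshd[2103]: Failed password for root from 203.0.113.7 port 50130 ssh2
Nov 15 12:01:09 router sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 50141 ssh2
Nov 15 12:02:40 router sshd[2110]: Failed password for root from 198.51.100.9 port 41002 ssh2
Nov 15 12:03:11 router sshd[2112]: Accepted publickey for tas from 192.0.2.20 port 33010 ssh2
Nov 15 12:20:15 router sshd[2130]: Failed password for root from 198.51.100.9 port 41077 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional so unknown accounts count too.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2015):
    """Yield (timestamp, user, ip) for every failed-password line (syslog lines carry no year)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs that reached maxretry failures within any findtime-long sliding window."""
    window = defaultdict(deque)  # per-IP timestamps still inside the window
    banned = set()
    for ts, _user, ip in parse_failures(log_text):
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:  # expire attempts older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned


def ban_rules(ips, chain="INPUT"):
    """Render the iptables DROP rule (SSH only) that a ban action would insert for each offender."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(ips)]
```

With the defaults only 203.0.113.7 is banned; 198.51.100.9 fails twice but more than ten minutes apart, so its second attempt no longer sees the first inside the window.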

Thank you all for your answers. It does clear up the fact that Apparmor is not really an IDS/IPS.

So I think I may try my hand at Suricata, after I snap my router VM.

Thanks again.

Tas