How to set up Advanced Intrusion Detection Environment

Feb 9, 2007 15:05 GMT

There's no such thing as absolute security on a computer connected to the Internet, regardless of the operating system it's running. There will always be a way to break into a computer as long as it's connected to the Internet, and because unplugging the network cable isn't an option, taking every security measure we can and keeping an eye open for possible intruders is the next best thing for keeping outsiders out. So, after you've set up a strong firewall, updated all your software, stopped all unneeded services and set a long, complicated password, you can do one more thing: install an Intrusion Detection System (IDS). An IDS is a tool that helps prevent an intrusion from going unnoticed by reporting which files have been modified. You might ask yourself why this is useful. Well, once an intruder has penetrated your system, he will most likely try to make his presence as quiet as possible. One way to do this is by replacing common binaries like ls, netstat or ps with modified ones that won't list compromising files, won't show certain established connections and will hide various processes run by the intruder. There are a few IDS tools available, but this guide refers to AIDE (Advanced Intrusion Detection Environment).

Installing AIDE:

- First of all, you'll need to know that AIDE needs superuser privileges to run, so switch to root now so you won't have to prefix each command with 'sudo'. On a freshly installed Ubuntu or one of its variants, to be able to log in as root you'll have to open a terminal and type:

    $ sudo passwd

You will be asked for your own user's password and then to enter the new root password twice.

- Next, switch to user root by running the following command and typing in the newly set password:

    $ su -

- Install AIDE:

    # apt-get install aide

- Create a new database file and run AIDE for the first time in order to generate its database and configuration file:

    # touch /var/lib/aide/aide.db
    # /etc/cron.daily/aide

On this first run, you'll notice that AIDE complains about not finding the aide.conf.autogenerated file, but no worries: this file is going to be generated now. The email it sends will also contain the warning "Filedatabase must have one db_spec spesification", but we'll fix this later.

Configuring AIDE

- The first configuration file is /etc/default/aide. Open it with your favorite text editor and add a valid email address to the MAILTO line. Now look for the line COMMAND= and replace update with check. Save and exit.

- Now, open the file /etc/aide/aide.conf and take a look through it. You'll notice a list of directories which are subject to scanning. Remove the directories you don't want AIDE to look into and add any others you do. For instance, you can add the /etc directory, which holds the configuration files for all of your system's applications. To do this, add the following line at the end of the file:

    /etc ConfFiles
Every once in a while (weekly), it's recommended that you edit /etc/default/aide and change the COMMAND= line from check to update so the database is brought up to date and the emails won't be so long. The downside is that you'll then have to copy the newly generated database over the old one by running this command as root:

    # cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

After the database generation is complete, change the COMMAND directive back to check.

Moreover, for maximum security, aide.db should be kept in a read-only environment, such as a CD, so an eventual attacker won't be able to tamper with it. However, if you decide to do this, you'll need to modify the aide.conf file in the /etc/aide directory and update the database= directive with the new location of the database file (e.g. /media/cdrom/aide.db). The database in the read-only environment must also be overwritten each time the database is regenerated by changing COMMAND= to update.
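The update cycle described above (switch COMMAND= to update, run the daily job, copy aide.db.new over aide.db, switch COMMAND= back to check) is easy to get wrong by hand, so here is an added example that wraps it in shell functions. This is not code from the article or from the AIDE project; it assumes the Debian/Ubuntu paths named above and plain KEY=value lines in /etc/default/aide and /etc/aide/aide.conf, so the same set_directive helper can also rewrite the database= line for the read-only-media case. The checksum printed after installing the database is worth recording somewhere off the machine so that the snapshot itself can be verified later.

```shell
#!/bin/sh
# Added example (not from the original article, not AIDE's own code).
# Helpers for the AIDE database-update cycle. Paths default to the
# Debian/Ubuntu locations used in the article but can be overridden.
# Assumption: the files being edited use simple KEY=value lines.

# set_directive FILE KEY VALUE: rewrite "KEY=..." in FILE, or append it
# if the key is not present yet. VALUE must not contain '|' or '&'.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY: print the current value of KEY (last one wins).
get_directive() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# install_new_db NEW OLD: copy the freshly generated database over the
# old one, keeping a dated backup of the previous snapshot, then print
# the checksum of the installed database for off-host record keeping.
install_new_db() {
    new=$1; old=$2
    [ -f "$new" ] || { echo "no new database at $new" >&2; return 1; }
    if [ -f "$old" ]; then
        cp -p "$old" "$old.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp -p "$new" "$old"
    sha256sum "$old"
}

# update_cycle [DEFAULTS_FILE] [DB_DIR] [CRON_JOB]: the full procedure
# from the article. Must run as root, like the article's commands.
update_cycle() {
    conf=${1:-/etc/default/aide}
    dbdir=${2:-/var/lib/aide}
    job=${3:-/etc/cron.daily/aide}
    set_directive "$conf" COMMAND update
    "$job"                                  # generates $dbdir/aide.db.new
    install_new_db "$dbdir/aide.db.new" "$dbdir/aide.db"
    set_directive "$conf" COMMAND check     # back to daily comparisons
}
```

Run update_cycle with no arguments on a Debian/Ubuntu box to perform the whole procedure; when the database lives on read-only media, point install_new_db at that path instead and re-burn the medium afterwards.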

Every time AIDE runs, it will compare the files against the latest database snapshot and send you an email with a list of files that have been modified since the last snapshot was made.
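As an added illustration of the snapshot-and-compare model this paragraph describes (this is not code from the article and not AIDE's own implementation), the following shell functions take a baseline of a directory tree, recording a SHA-256 hash plus owner, group, mode and size for each file, and later report which entries were added, removed or changed. It assumes GNU coreutils (sha256sum and stat -c) and file names without spaces.

```shell
#!/bin/sh
# Added example (not from the original article, not AIDE's own code):
# a minimal file-integrity baseline and comparison, to show what an IDS
# like AIDE does when it checks the system against its database.
# Assumes GNU coreutils (sha256sum, stat -c) and paths without spaces.

# snapshot DIR OUTFILE: one line per regular file under DIR, sorted:
#   <path> <sha256> <uid:gid:mode:size>
snapshot() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%u:%g:%a:%s' "$f")
        printf '%s %s %s\n' "$f" "$h" "$meta"
    done | LC_ALL=C sort ) > "$2"
}

# in_snapshot PATH SNAPSHOT: true if PATH appears (with any hash) in SNAPSHOT.
in_snapshot() {
    awk -v f="$1" '$1 == f { found = 1 } END { exit !found }' "$2"
}

# report BASELINE CURRENT: print "removed:", "changed:" and "added:" lines.
# A line present only in the baseline is either a removed file or a file
# whose hash/metadata changed; a line present only in the current snapshot
# with a path unknown to the baseline is a new file (a replaced binary
# such as a trojaned ls shows up as "changed").
report() {
    base=$1; cur=$2
    LC_ALL=C comm -23 "$base" "$cur" | while read -r f rest; do
        if in_snapshot "$f" "$cur"; then echo "changed: $f"; else echo "removed: $f"; fi
    done
    LC_ALL=C comm -13 "$base" "$cur" | while read -r f rest; do
        in_snapshot "$f" "$base" || echo "added: $f"
    done
}

# check_tree DIR BASELINE: re-snapshot DIR and compare against BASELINE.
# Returns 0 and prints nothing when nothing differs; otherwise prints the
# report and returns 1, the way the cron job only mails you about changes.
check_tree() {
    tmp=$(mktemp)
    snapshot "$1" "$tmp"
    diffs=$(report "$2" "$tmp")
    rm -f "$tmp"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}
```

Keep the baseline file somewhere the machine's root user cannot silently rewrite (the article's read-only CD is one option); a comparison is only as trustworthy as the snapshot it is made against.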