There's no such thing as absolute security on a computer connected to the Internet, regardless of the operating system it's running. There will always be a way to break in to a computer as long as it's connected to the Internet. And because unplugging the network cable isn't an option, taking all the security measures we can and keeping an eye open for possible intruders is the next best thing to keep outsiders out. So, after you've set up a powerful firewall, updated all your software, stopped all unneeded services and set a long and complicated password, you can do one more thing: install an Intrusion Detection System (IDS). An IDS is a tool that helps keep an intruder from going unnoticed by reporting which files have been modified. You might ask yourself why this tool is useful. Well, once an intruder has penetrated your system, he will most likely try to make his presence as quiet as possible. One way to do this is by replacing common binaries like ls, netstat or ps with modified ones that won't list compromising files, won't show certain established connections and will hide various processes run by the intruder. There are a few IDS tools available, but this guide refers to AIDE (Advanced Intrusion Detection Environment).
Installing AIDE:
- First of all, you'll need to know that AIDE needs superuser privileges to run, so switch to root now so that you won't have to prefix each command with 'sudo'. On a freshly installed Ubuntu or one of its variants, to be able to log in as root, you'll have to open a terminal and type:
- Next, switch to user root by running the following command and typing in the newly set password:
# /etc/cron.daily/aide
Configuring AIDE
- The first configuration file is /etc/default/aide. Open it with your favorite text editor and add a valid email address to the MAILTO line. Now look for the line COMMAND= and replace update with check. Save and exit.
- Now, open the file /etc/aide/aide.conf and take a look through it. You'll notice a list of directories which are subject to scanning. Remove the directories you don't want AIDE to look into and add any others you need. For instance, you can add the /etc directory, which holds the configuration files for all your system's applications. To do this, add the following line at the end of the file:
Moreover, for maximum security, the aide.db file should be kept on read-only media, such as a CD, so that an attacker won't be able to tamper with it. However, if you decide to do this, you'll need to modify the aide.conf file (under /etc) and update the database= directive with the new location of the database file (e.g. /media/cdrom/aide.db). Also, whenever you regenerate the database by changing COMMAND= back to update, the copy on the read-only media must be replaced with the new one.
Every time AIDE runs, it will compare the files against the latest database snapshot and send you an email with a list of files that have been modified since the last snapshot was made.
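To show what that comparison actually involves, here is an added example (not AIDE's own code, and not part of the original guide) that implements the same idea in Python: take a baseline snapshot of a directory tree recording the attributes an AIDE rule would cover (permissions, owner, group, size, mtime, SHA-256), then compare a later snapshot against it and report added, removed and changed files. The directory layout and file contents in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes tracked per file, in the spirit of an AIDE rule like p+u+g+s+m+sha256."""
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}


def snapshot(root: Path) -> dict:
    """Build the baseline database: relative path -> attribute dict (regular files only)."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report what differs from the baseline, as a daily check would."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()),
              "changed": {}}
    for name in sorted(baseline.keys() & current.keys()):
        diff = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
        if diff:
            report["changed"][name] = diff
    return report


def demo() -> dict:
    """Constructed scenario: a replaced binary, a new hidden file, and a deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        for name in ("ls", "ps", "netstat"):
            (root / "bin" / name).write_bytes(b"original " + name.encode())
        baseline = snapshot(root)          # what the cron job would have stored earlier
        ls = root / "bin" / "ls"
        orig = ls.stat()
        ls.write_bytes(b"trojaned ls")     # same length as "original ls": size does not change
        os.utime(ls, (orig.st_atime, orig.st_mtime))  # mtime restored; only the hash gives it away
        (root / "bin" / "rootkit").write_bytes(b"hidden")
        (root / "bin" / "netstat").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The point of the demo is that a replaced binary whose size and timestamp have been restored is still caught, because the content hash is part of the baseline.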