
10.3. Setting up intrusion detection

Debian GNU/Linux includes tools for intrusion detection, which is the practice of detecting inappropriate or malicious activity on your local system, or other systems in your private network. This kind of defense is important if the system is very critical or you are truly paranoid. The most common approaches to intrusion detection are statistical anomaly detection and pattern-matching detection.
You should always be aware that in order to really improve the system's security with the introduction of any of these tools, you need to have an alert+response mechanism in place; do not use intrusion detection if you are not going to alert anyone (i.e. do not waste your time configuring things you will not use later on).
When a particular attack has been detected, most intrusion detection tools will either log the event with syslogd or send e-mail to the root user (the mail recipient is usually configurable). An administrator has to properly configure the tools so that false positives do not trigger alerts. Alerts may also indicate an ongoing attack and might not be useful, say, one day later, since the attack might have already succeeded. So be sure that there is a proper policy on handling alerts and that the technical mechanisms to implement this policy are in place.
An interesting source of information is http://www.cert.org/tech_tips/intruder_detection_checklist.html
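The pattern-matching approach and the false-positive handling described above can be shown in a few lines. The following is an added example, not code from the Securing Debian Manual or from any of the packages it mentions: a small signature dictionary is applied to constructed syslog lines, pairs of (rule, source) that the administrator has reviewed are suppressed so they never raise an alert, and the remaining alerts are routed to syslog or a mail hook. The signatures, the suppression entries and the log lines are all assumptions made up for the example.

```python
"""Minimal pattern-matching intrusion detector with false-positive suppression.

Added example, not part of the Securing Debian Manual. All log lines,
signatures and suppression entries below are constructed for illustration.
"""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "rule source line")

# Signature dictionary: rule name -> regex over one syslog line.  Each regex
# names the attacking/offending source with the group "src" so alerts can be
# keyed on it.  These patterns are assumptions, not a vendor rule set.
SIGNATURES = {
    "ssh-invalid-user": re.compile(
        r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"),
    "ssh-root-login": re.compile(
        r"sshd\[\d+\]: Accepted \w+ for root from (?P<src>\d+\.\d+\.\d+\.\d+)"),
    "su-failure": re.compile(
        r"su\[\d+\]: FAILED SU \(to (?P<target>\S+)\) (?P<src>\S+) on"),
}

# Known-benign (rule, source) pairs: tuning the tool so that false positives
# do not trigger alerts.  Here a monitoring host that legitimately logs in as
# root (constructed address) is suppressed for that one rule only.
SUPPRESS = {("ssh-root-login", "10.0.0.5")}

# Constructed sample log lines (not real logs).
SAMPLE_LOG = [
    "Mar  1 10:00:01 host sshd[1234]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2",
    "Mar  1 10:00:05 host sshd[1240]: Invalid user admin from 203.0.113.7 port 4000",
    "Mar  1 10:00:06 host sshd[1241]: Invalid user oracle from 203.0.113.7 port 4001",
    "Mar  1 10:01:00 host sshd[1250]: Accepted password for root from 10.0.0.5 port 3333 ssh2",
    "Mar  1 10:02:00 host su[1300]: FAILED SU (to root) bob on /dev/pts/1",
]


def detect(lines, signatures=SIGNATURES, suppress=SUPPRESS):
    """Return an Alert for every line matching a signature unless the
    (rule, source) pair is on the suppression list."""
    alerts = []
    for line in lines:
        for rule, pattern in signatures.items():
            match = pattern.search(line)
            if not match:
                continue
            src = match.group("src")
            if (rule, src) in suppress:
                continue  # reviewed false positive: do not alert
            alerts.append(Alert(rule, src, line))
    return alerts


def dispatch(alerts, to_syslog=False, mailer=None):
    """Route alerts to the configured channels (syslog and/or a mail hook).

    `mailer` is any callable taking the message text; plug in your own
    sendmail wrapper.  Returns the formatted messages that were sent, so the
    caller can verify that the alert path actually fires.
    """
    sent = []
    for alert in alerts:
        msg = f"IDS alert [{alert.rule}] source={alert.source}: {alert.line}"
        sent.append(msg)
        if to_syslog:
            import syslog  # Unix only; imported lazily so the rest runs anywhere
            syslog.syslog(syslog.LOG_ALERT, msg)
        if mailer is not None:
            mailer(msg)
    return sent


if __name__ == "__main__":
    for message in dispatch(detect(SAMPLE_LOG), mailer=print):
        pass
```

Note that suppression is scoped to one (rule, source) pair: the monitoring host's root logins are silenced, but an invalid-user probe from the same address would still alert. That is the granularity at which false positives should be tuned, rather than disabling a whole rule.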

10.3.1. Network based intrusion detection

Network based intrusion detection tools monitor the traffic on a network segment and use this information as a data source. Specifically, the packets on the network are examined, and they are checked to see if they match a certain signature.
snort is a flexible packet sniffer or logger that detects attacks using an attack signature dictionary. It detects a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. snort also has real-time alerting capability. You can use snort for a range of hosts on your network as well as for your own host. This is a tool which should be installed on every router to keep an eye on your network. Just install it with apt-get install snort, follow the questions, and watch it log. For a little broader security framework, see http://www.prelude-ids.org.
Snort in Debian is enabled with many security checks you might want; however, you should customize the setup to take into account the particular services you run on your system. You might also want to obtain additional checks specific to those services.
There are other, simpler tools that can be used to detect network attacks. portsentry is an interesting package that can tip you off to port scans against your hosts. Other tools like ippl or iplogger will also detect some IP (TCP and ICMP) attacks, even if they do not provide the kind of advanced techniques snort does.
You can test any of these tools with the Debian package idswakeup, a shell script which generates false alarms, and includes many common attack signatures.
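The simpler tools above (portsentry, ippl, iplogger) work from connection records rather than packet contents. The following added example, not code from any of those packages, shows the core of a port-scan detector: it parses constructed connection records of the form "<epoch> <source-ip> <destination-port>", keeps a sliding time window per source, and flags a source once it has touched more than a threshold of distinct ports inside that window. The record format, the threshold, the window and the addresses are all assumptions chosen for the example.

```python
"""Port-scan detection over connection records, in the style of the simpler
network monitors.  Added example, not the manual's or any package's code.
Record format and sample data are constructed for illustration."""
from collections import defaultdict, deque


def parse_record(line):
    """Parse a constructed record '<epoch> <src_ip> <dst_port>'."""
    ts, src, port = line.split()
    return float(ts), src, int(port)


def detect_port_scans(events, threshold=5, window=10.0):
    """Flag sources that hit at least `threshold` distinct ports within
    `window` seconds.

    events: iterable of (timestamp, src_ip, dst_port) tuples.
    Returns {src_ip: (window_start_ts, sorted_ports)} for the moment each
    source first crossed the threshold.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (ts, port) in window
    flagged = {}
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # expire old entries
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in flagged:
            flagged[src] = (q[0][0], sorted(ports))
    return flagged


# Constructed sample records (not captured traffic):
#   198.51.100.9  sweeps six ports in 2.5 seconds
#   192.168.1.20  is a normal client using ssh and https
#   203.0.113.44  touches one port every 30 seconds
SAMPLE_RECORDS = [
    "0.0 198.51.100.9 21", "0.5 198.51.100.9 22", "1.0 198.51.100.9 23",
    "1.5 198.51.100.9 25", "2.0 198.51.100.9 80", "2.5 198.51.100.9 110",
    "0.2 192.168.1.20 22", "3.0 192.168.1.20 443", "7.0 192.168.1.20 22",
    "0.0 203.0.113.44 22", "30.0 203.0.113.44 80", "60.0 203.0.113.44 443",
    "90.0 203.0.113.44 25", "120.0 203.0.113.44 21",
]
SAMPLE_EVENTS = [parse_record(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for src, (start, ports) in detect_port_scans(SAMPLE_EVENTS).items():
        print(f"possible port scan from {src} starting at t={start}: ports {ports}")
```

With the default 10-second window only the fast sweep is reported; the source probing one port every 30 seconds is only caught when the window is widened (for example to 300 seconds). The window and threshold therefore need tuning against the traffic you actually see, and a wider window costs memory per source, which is exactly the trade-off the packaged tools expose through their configuration.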

10.3.2. Host based intrusion detection

Host based intrusion detection involves loading software on the system to be monitored, which uses log files and/or the system's auditing programs as a data source. It looks for suspicious processes, monitors host access, and may even monitor changes to critical system files.
tiger is an older intrusion detection tool which has been ported to Debian since the Woody branch. tiger provides checks of common issues related to security break-ins, like password strength, file system problems, communicating processes, and other ways root might be compromised. This package includes new Debian-specific security checks, including MD5sum checks of installed files, locations of files not belonging to packages, and analysis of local listening processes. The default installation sets up tiger to run each day, generating a report that is sent to the superuser about possible compromises of the system.
Log analysis tools, such as logcheck, can also be used to detect intrusion attempts. See Section 4.13.1, "Using and customizing logcheck".
In addition, packages which monitor file system integrity (see Section 4.17.3, "Checking your file system integrity") can be quite useful in detecting anomalies in a secured environment. It is most likely that an effective intrusion will modify some files in the local file system in order to circumvent local security policy, install Trojans, or create users. Such events can be detected with file system integrity checkers.
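The mechanism behind a file system integrity checker is a stored baseline compared against the current state. The following added example (not tiger's or any Debian package's code) builds a baseline of SHA-256 digests, permission bits and sizes for every regular file under a root, then compares a later snapshot and reports added, removed and modified paths. The demo creates a constructed directory tree in a temporary location and applies the three kinds of change named above: a replaced binary, an appended account line, and a newly dropped file; it also changes only the mode of an otherwise untouched file to show that permission changes are caught even when the content hash is unchanged. All paths and contents are made up for the example.

```python
"""Baseline-and-verify file system integrity checker.

Added example, not the code of tiger, logcheck or any Debian package.
The directory tree built in demo() is constructed in a temporary directory."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mode, size} for each regular file under root.
    Symlinks are skipped (lstat would be needed to track their targets)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": hash_file(full),
                "mode": st.st_mode & 0o7777,   # permission + setuid/setgid/sticky bits
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Report paths that appeared, disappeared, or whose hash/mode/size changed."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def _write(path, data, mode=0o644):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)   # fix the mode so the result does not depend on umask


def demo():
    """Baseline a constructed tree, tamper with it, and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        _write(os.path.join(root, "bin", "ls"), b"original ls binary")
        _write(os.path.join(root, "bin", "cat"), b"original cat binary")
        _write(os.path.join(root, "etc", "passwd"),
               b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root)

        # Changes of the kinds an integrity checker exists to catch:
        _write(os.path.join(root, "bin", "ls"), b"replaced ls binary")        # content
        with open(os.path.join(root, "etc", "passwd"), "ab") as fh:            # new account
            fh.write(b"extra:x:0:0::/:/bin/sh\n")
        _write(os.path.join(root, "bin", "newtool"), b"dropped file")          # new file
        os.chmod(os.path.join(root, "bin", "cat"), 0o755)                      # mode only

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline somewhere the monitored system cannot silently rewrite it (read-only or off-host storage); an attacker who can update the baseline along with the files defeats the comparison.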