Part 1: Concepts
Chapter 1: Concepts of Linux and Computer Security
What are the basic concepts of computer security? What makes for a secure network? How does intrusion detection tie into all of this? Chapter 1 explores these questions including the three aspects of security (Confidentiality, Integrity, Authenticity) as well as leading the reader through the reasoning behind the basic tenets of computer security.
Chapter 2: Concepts of Intrusion Detection
This chapter explores the basic concepts of networking and intrusion detection. The chapter goes into detail to lay a solid foundation for the reader so that they can understand and apply more advanced concepts later in the book. The chapter also outlines several means of intrusion detection, including packet sniffing, intrusion signatures, searching for backdoors, analyzing firewall logs, analyzing computers for intruders, and other means. The chapter also covers some limitations of intrusion detection including attacks that come from places the administrator trusts within the network.
Part 2: System Security
Chapter 3: How to Chroot for fun and profit
Chapter 3 looks at the chroot command, what it does, and how it is commonly used. Specific examples are used to create chroot environments for Apache, BIND, and MySQL. The makejail command is examined to simplify the process of creating chroot environments.
Chapter 4: Checking system integrity
This chapter looks at AIDE, a free clone of the popular Tripwire file signature system. The chapter begins with an overview of AIDE installation and configuration as well as how to use it in a secure manner. This information is given both for a single host and for many hosts in an automated manner. The chapter discusses how to read the report and how to investigate any anomalies that may turn up. This chapter also goes into more detail on the chkrootkit tool, which scans a server for known hacker backdoors at the filesystem level.
Chapter 5: Working with Bastille Linux and iptables
The chapter looks at the popular Bastille Linux security hardening tool. Bastille Linux enables even a novice administrator to perform many of the mundane tasks necessary to make a Linux system more secure. The chapter covers installation on Red Hat, Debian, and Mandrake Linux, and then goes over each of the screens (with screenshots). While Bastille's screens contain explanations, the chapter expounds upon the sorts of attacks that Bastille's various options help to prevent. With the help of Bastille, the chapter configures an iptables firewall. Outside of the Bastille system, the chapter explains the iptables firewall and how it can log its output to a centralized syslog server. The chapter also shows how to run logsnorter on the logs so that the logs can be viewed with ACID.
Chapter 6: GrSecurity and Building a Custom kernel
The GrSecurity kernel patch can greatly enhance security of chroot environments and the Linux host in general. This chapter examines GrSecurity and shows how to implement the GrSec kernel patch to build your own customized kernel.
Part 3: Detecting network intrusions
Chapter 7: Detecting attacks on your network
This chapter explains some of the basics of detecting when a network probe or network attack is underway. The chapter details the use of arpwatch to see when new hosts appear on the network, as well as iptables (covered in more depth in chapter 5). The chapter explains that intrusion detection systems should see all traffic on the network, and describes the methods for achieving this: switches that can be configured to mirror all traffic to a monitoring port, hubs, and network taps. The relative safety of switched versus shared networks is explained, as are the possible attacks on switched networks.
Chapter 8: Working with TCPDump
Building on the foundation laid in the previous chapter, this chapter shows the use of TCPDump as an important tool for the intrusion analyst and security administrator. A chapter on TCPDump is useful at this point in the book because packet traces captured with TCPDump lead naturally into more advanced concepts such as building rulesets. TCPDump is simple to use for basic packet traces but powerful enough to be used on a live network for real-world packet tracing and intrusion detection.
Chapter 9: Learning Snort
Snort is a powerful intrusion detection system that is both scalable and robust. This chapter examines the basics of Snort, including the preprocessors and signatures. The chapter covers how to install and configure Snort as well as how to read the Snort logs. The chapter goes into depth on Snort by covering some of the more important attacks and how they are detected, using illustrations and example traffic. This portion of the chapter segues into a basic introduction to writing your own Snort rules. Customizing Snort is important for any intrusion detection implementation, so writing signatures for the analyst's own network is covered in this chapter as well. Further, many of the frequently asked questions and issues that arise when people install Snort are addressed.
Chapter 10: Using MySQL, ACID, and other tools with Snort
Much of the power of Snort comes from the ability of an administrator to use it in an enterprise environment. This chapter examines how to use Snort to log to a MySQL database as well as using ACID to look at the data. Items such as using multiple sensors to log to a central database are covered. Further, other tools that can be helpful for an intrusion detection system built on Snort are examined.
Chapter 11: Testing the System
Hackers often install backdoors when they have compromised a system. nmap is one tool that enables an administrator to search hosts for these backdoors. nmap also enables the administrator to see what legitimate services are running on a server. This chapter looks at using nmap and what its major functions are used for. The chapter discusses running nmap on a frequent basis and comparing the results. Example code to compare nmap scans is provided. Another area examined within this chapter is tools such as hping2 and Nessus. These tools can be used to test your intrusion detection system to ensure that packets are being logged or "tripping the alarm," if you will.
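As an added illustration of the scan-comparison idea described for this chapter (example code written here, not the book's own), the script below parses two nmap greppable-format (-oG) outputs, constructed inline as sample data, and reports per host which open ports appeared or disappeared between the baseline and the follow-up scan:

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample scans in nmap -oG format (not real scan data).
BASELINE = """\
# Baseline scan of a lab network (constructed)
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.0.2.11 ()  Ports: 25/open/tcp//smtp///, 143/closed/tcp//imap///
"""
LATEST = """\
# Follow-up scan a week later (constructed)
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//Elite///
Host: 192.0.2.11 ()  Ports: 25/open/tcp//smtp///
Host: 192.0.2.12 ()  Ports: 3306/open/tcp//mysql///
"""

# Each port entry in the Ports: field looks like  port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")

def parse_greppable(text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Return {host: {(port, proto), ...}} containing only ports reported open."""
    hosts: Dict[str, Set[Tuple[int, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comment lines and Status-only lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        open_ports = hosts.setdefault(host, set())
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                open_ports.add((int(port), proto))
    return hosts

def diff_scans(old: str, new: str) -> Dict[str, Dict[str, Set[Tuple[int, str]]]]:
    """Per host, the open ports that appeared or disappeared between two scans."""
    before, after = parse_greppable(old), parse_greppable(new)
    changes = {}
    for host in sorted(set(before) | set(after)):
        opened = after.get(host, set()) - before.get(host, set())
        closed = before.get(host, set()) - after.get(host, set())
        if opened or closed:
            changes[host] = {"opened": opened, "closed": closed}
    return changes

if __name__ == "__main__":
    for host, change in diff_scans(BASELINE, LATEST).items():
        for port, proto in sorted(change["opened"]):
            print(f"{host}: newly open {port}/{proto} - verify it is authorized")
        for port, proto in sorted(change["closed"]):
            print(f"{host}: no longer open {port}/{proto}")
```

A newly open port on a host whose service inventory has not changed is exactly the kind of anomaly the chapter suggests investigating; on a real network, keep the baseline under version control so the comparison point is itself auditable.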
Chapter 12: Using Application Scanning Tools
An important aspect of intrusion detection, and of security in general, is application vulnerability scanning. The chapter begins with a discussion of the theory behind application scanning, including defining the need for application vulnerability scanning. The chapter includes a look at Nikto, a tool used to examine a web server, and Nessus, a remote security scanner.
Chapter 13: Sorting through all the data!
Getting overwhelmed with data is possible with just one intrusion detection sensor. The problem grows exponentially as additional sensors are installed. This chapter examines methods of generating alerts when there is a major problem, either via syslog to a special file on a syslog server or via email. The chapter discusses using and configuring the swatch tool to watch logs for critical events and to alert the administrator to those events.
Part 4: Incident Response
Chapter 14: You found a compromised host, now what?
The chapter examines incident response, the importance of preserving evidence, and the need to figure out what other hosts, systems, and networks were in the web of trust of the compromised server. The chapter talks about backing up the compromised server as well as how to dig through it for evidence. The possible ramifications for reporting versus not reporting the event to the local law enforcement or CERT are also discussed.
Chapter 15: How to not become compromised
This chapter formulates a checklist of industry best practices for network and host security. In addition to methods learned from experience, many different sources will be cited whenever possible including