GeodSoft logo   GeodSoft

Ten Practical Security Steps
Intrusion Detection

8. Automatically audit systems for signs of intrusion.

Protecting your systems from break-in is only of limited value if you have no way of knowing if you've been broken into. If that's happened, you probably have permanent unwanted residents because when an intruder succeeds in cracking one of your systems, they will do what they can to ensure continued access.

Firewall logs as well as network intrusion detection systems can tell you if someone is trying to get in. Unfortunately today, someone is always trying to get in. Large sites may report hundreds or even thousands of probes a day and the smallest Internet connected networks typically get multiple probes a day. Individual PC users who install personal firewall systems on single machines, report with surprise that even they get probed, sometimes several times a day. By probes I mean port scans looking for open, unprotected ports. The potential intruders typically move on if all they find is blocked (firewalled) or closed (off) ports. Open ports are likely to lead to additional investigation where the intruder tries to determine if there is any vulnerable software to exploit.

This is like people checking your doors to see if they are locked. It happens so much now that there seems little point in being notified about it unless it is especially intense or prolonged.

Host based intrusion detection systems look for signs that someone has gotten in. They tend to look for several things including changes to key system files and executable programs and scripts. Some of the key files to look at are the system startup files, i.e. anything that executes when the system starts, the system schedulers that start things on a periodic basis and the user (/etc/passwd) and group files to determine if anyone has become an administrator or equivalent. They also look at executable programs and scripts that may have changed or been added. Those that run at startup or from the system scheduler are generally most important.

For an intrusion detection system to be of real value, it must be fully automated. If an operator or administrator must check something periodically, even daily, even if it takes less than a minute, they are of almost no use. Successful intrusions will be the exception and by the time one occurs, whoever does the checking will have stopped. To be useful, these systems must do nothing until suspicious activity is detected, and then they must do something that an administrator won't miss, such as dial a pager, put a message on the terminal screen or send an e-mail.

Tripwire is the best known intrusion detection system of this type. My reading suggests the commercial versions can be adequately automated. What's needed, can also be scripted in Perl with only a moderate amount of work on UNIX systems. Homegrown Intrusion Detection describes a do-it-yourself host based intrusion detection system that includes the automated file monitoring described here and also process monitoring. Sample scripts are included.

transparent spacer

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in (or These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of (or cgi-bin/ from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

Home >
How-To >
10 Security Steps >

What's New
Email address

Copyright © 2000-2014, George Shaffer. Terms and Conditions of Use.