Topic: Intrusion Detection Tools

[morpheus]

I have perused the contribs, but can't find any intrusion detection tools available like Snort/Suricata/Tripwire etc. Arpwatch is fine for alerting me, but I need a better tool to monitor changes.

Any ideas/pointers gladly welcomed.

[Jean-Philippe Pialasse]

For what it is worth you have https://wiki.contribs.org/Rkhunter


Long time ago there was a snort contrib, but it fails to have a maintainer. It could be nice to see someone porting it or suricat/ tripwire to sme9

[morpheus]

Is there a guide for making a contrib somewhere? I am a beginner with sme server, but have extensive programming experience, and writing documentation

[ReetP]

Is there a guide for making a contrib somewhere? I am a beginner with sme server, but have extensive programming experience, and writing documentation

As a wiki and Docs 'maintainer' you should know where to look

https://wiki.contribs.org/Category:Howto

Developer section

You really want a dedicated build box.

Either use SME:
https://wiki.contribs.org/Simple_Package_Modification

or CentOS 6:
https://wiki.contribs.org/Setting_up_RPM_Building_for_SME_Server

After that you can use anonymous CVS to pull contribs and have a look at what goes on inside.

They are basically standard RPMS, but with a kinky bit called createlinks to add all the SME related wizardry

If you need a hand then ask here in the Development forum, or the devinfo mailing list.

If you want a play on my build box then let me know and I can give you access to mess about (note I am no coder - just learned a bit by doing a lot of reading and asking questions)

B. Rgds
John

[morpheus]

thanks for pointers. I do have a test box at home to test out stuff before applying to the production server I maintain for ngo

[ReetP]

thanks for pointers. I do have a test box at home to test out stuff before applying to the production server I maintain for ngo

Cool. If you want a hand please ask - I am happy to help with stuff like this. I am no genius coder, but I can patch, and build an RPM etc.

There are a few gotchas that I can possibly help you with and save you a bit  of time Just shout. You can pick up my address off bugzilla and email me if required.

B. Rgds
John

[Jean-Philippe Pialasse]

or CentOS 6:
https://wiki.contribs.org/Setting_up_RPM_Building_for_SME_Server

only thing to add to John intervention , prefer CentOS 7 if you opt for this way (which I did).
You will be bale to build both for sme9 and sme10, and your buidl system will be supported much more longer !


I will also be happy to give a hand if you need, both for the production of the contrib or the configuration of the build system.

also you should use your test box with virtualisation, this way you will have both test VMs and build environment on the same hardware.

[morpheus]

At present I have 9.* running on my server. I will do a rebuild to 10 when I get a chance, add developer tools. I have experience with Debian not Centos. Will add all the required developer tools.

Thanks for the offers of help, appreciated.

[ReetP]

You can mock build for v10 on a v9 box (my build box is plain CentOS 6)

[Jean-Philippe Pialasse]

You can mock build for v10 on a v9 box (my build box is plain CentOS 6)

remains the 4 years more of tranquility if you install CentOs7 now

[ReetP]

remains the 4 years more of tranquility if you install CentOs7 now

systemd goodness ? No thanks..... I'd rather play Russian roulette with 6 bullets

[Jean-Philippe Pialasse]

systemd goodness ? No thanks..... I'd rather play Russian roulette with 6 bullets

forgot this one your allergy to systemd

well it does not itch taht bad for a buildsystem, and while you want to keep 3 more years without systemd, which I could understand, some other might prefer not to have to install a new buildsystem in 3 years if they can wait 7 years to have to do it.

[ReetP]

Yup, I understand. I need to undergo aversion therapy or something.

Or copy SME to Devuan or BSD

[Jean-Philippe Pialasse]

Or copy SME to Devuan or BSD

sound like a plan, speaking of therapy, how many are you in your head ?  This should be a whole team for this job

[CharlieBrady]

For what it is worth you have https://wiki.contribs.org/Rkhunter

Not a good idea...

http://www.openwall.com/lists/oss-security/2017/06/29/2

[Jean-Philippe Pialasse]

Not a good idea...

http://www.openwall.com/lists/oss-security/2017/06/29/2

indeed,

I have added a warning on the contribs, and I just build a new version with update disabled as default.

[CharlieBrady]

systemd goodness ?

e.g. running services which say:

User=7up

with root privileges?

http://www.openwall.com/lists/oss-security/2017/07/06/17

[CharlieBrady]

I have added a warning on the contribs, and I just build a new version with update disabled as default.

Good plan!

[ReetP]

e.g. running services which say:
User=7up
with root privileges?

Didn't want to mention that one

ROFLMAO

Never assume, and sanitise your inputs

Obligatory xkcd for Mr Poettering

https://www.xkcd.com/327/

[brianr]

https://www.xkcd.com/327/