What automated intrusion notification/detection setup is good for home desktop use?
A simple and effective general solution is to use logcheck.
sudo apt-get install logcheck
[edit /etc/logcheck/logcheck.conf to your liking]
logcheck periodically scans all the logs efficiently (starting where it left off last time), filters what it sees to eliminate anything considered normal, and optionally emails alerts with anything that doesn't match the normal/routine patterns.
The main idea is to watch out for the appearance of any serious entries in your log files, all of them, all the time, so you don't have to.
logcheck is highly configurable (man logcheck). You may configure everything, including:
- frequency of checks
- which log files are checked
- what is considered normal vs not
- where to email the alerts (abnormal events) to
and more. Your ignore (normal/routine) patterns reside in multiple files under /etc/logcheck/ignore.d.* and you may customize them to your needs; mainly you may want to add your own patterns to ignore. The default Ubuntu package comes with an extensive set of files with ignore patterns for many services already, so there's not much to add unless your system is unusual in what it runs. There are 3 sets of pre-configured ignore file profiles: ignore.d.workstation, ignore.d.server, and ignore.d.paranoid which you can pick from.
The main idea behind logcheck is that the various services running on a system already log abnormal events, e.g. sshd or pam already log authentication failures. So the main missing components are:
- filtering what's normal
- The alerting service
Both of which are provided by logcheck in a convenient package. You may combine logcheck with any other logging. For example iptables can be configured to syslog any network connection attempts that are not explicitly allowed by adding the rules:
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
immediately after all the allow rules.
I find logcheck to be much more helpful than logwatch (suggested in other answers) because it comes pre-packaged with a very large number of rules to ignore what's considered normal activity. The result is a much higher signal/noise ratio in the alerts it emails. YMMV.
Another advantage of logcheck is that it is orthogonal to any service that logs, so there's no duplication of function. Whenever you add a new service which uses syslog to log events, abnormal or not, into any file under /var/log, you start getting alerts for it automatically.
HOWTO:
Since logcheck already comes preconfigured, the two lines at the top of this answer essentially cover all you need to get started. Just install it, and go over the top configuration file: /etc/logcheck/logcheck.conf to change your email address so logcheck emails alerts to you. Here's a friendly reference going over the second step in more detail. Since Ubuntu is based on Debian, these instructions should work on Ubuntu too. Here is another good reference.
Once you install, the continuous improvement process starts. Over time, you refine your rules to ignore anything that you already know about and feel shouldn't be of concern. This refinement process is as simple as adding text lines to a file in your favorite text editor.
Each line in an ignore file is an extended regular expression (see man 7 regex), but you may use simple strings as long as they match the log line you want to ignore. Just remember that characters like *, ?, +, [], () are special in a regular expression, so if they actually appear in the log lines, you would have to escape them with a backslash \ in the ignore files. In other words: if you get an alert you don't want to get, look at the log line that was emailed to you, and add a pattern that matches it, as one line to any ignore file of your choice. I suggest using /etc/logcheck/ignore.d.<yourloglevel>/my-ignores as your personal ignore file, where <yourloglevel> is one of paranoid, server, or workstation (as you've already selected in the main config file: /etc/logcheck/logcheck.conf). Look at the examples in other ignore files to see how to account for text that changes all the time like process-IDs, or time-stamps. There are lots of existing examples to learn from.
One last tip: logcheck comes with a little useful utility called logcheck-test which is very handy for testing new rules. See man logcheck-test for details.
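The answer above describes the two things an ignore file must get right: escape regex metacharacters that appear literally in the log line, and replace the parts that change (PID, port, timestamp) with patterns. The script below is an added example, not code from the answer or from the logcheck package. It reproduces logcheck's filtering step (logcheck runs egrep -v -f over the ignore files; this uses grep -E with the same semantics) on a handful of constructed syslog-style lines, including one kernel line of the kind an iptables LOG rule produces, and contrasts a correctly escaped personal ignore file with a naive one pasted straight from the log. Everything it reads and writes lives in a temporary directory; the file names, hostnames and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the answer above or from the logcheck package):
# a miniature of logcheck's filtering step. logcheck itself runs egrep -v -f
# over the ignore files; this script does the same with grep -E so you can see
# which constructed log lines survive a given ignore file and which do not.
# Everything under $WORK is constructed for this demo; nothing here touches
# /var/log or /etc/logcheck.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed syslog-style lines: a routine sshd login, a routine cron session,
# an sshd failure, a kernel line as produced by an iptables LOG rule (the
# firewall drop), and a routine systemd line.
cat > "$WORK/sample.log" <<'EOF'
Jan  5 10:01:02 desk sshd[1234]: Accepted publickey for alice from 192.168.1.20 port 51022 ssh2
Jan  5 10:01:09 desk CRON[1250]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan  5 10:02:11 desk sshd[1301]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan  5 10:02:15 desk kernel: [  123.456] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=23
Jan  5 10:03:00 desk systemd[1]: Started Daily apt download activities.
EOF

# A personal ignore file in the style of /etc/logcheck/ignore.d.*/: one
# extended regex per line. Metacharacters that occur literally in the log
# ([ ] ( ) .) are backslash-escaped, [0-9]+ stands in for the parts that
# change every time (PID, port), and [ :0-9]{11} covers the timestamp.
cat > "$WORK/my-ignores" <<'EOF'
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for [[:alnum:]]+ from [.0-9]+ port [0-9]+ ssh2$
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_unix\(cron:session\): session (opened|closed) for user root by \(uid=0\)$
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[1\]: Started Daily apt download activities\.$
EOF

# The same CRON line pasted verbatim, unescaped. Read as a regex, [1250] is a
# bracket expression and (cron:session) is a group, so it matches nothing and
# the line keeps being reported.
cat > "$WORK/naive-ignores" <<'EOF'
CRON[1250]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Print the lines of log file $1 that match no pattern in ignore file $2,
# i.e. what logcheck would mail. grep exits 1 when every line was filtered,
# which here means "nothing to report", so that status is not an error.
filter_log() {
    grep -E -v -f "$2" "$1" || true
}

# Number of lines that would be reported for log $1 with ignore file $2.
report_count() {
    filter_log "$1" "$2" | grep -c . || true
}

echo "== reported with my-ignores (the sshd failure and the firewall drop) =="
filter_log "$WORK/sample.log" "$WORK/my-ignores"
echo "== reported with naive-ignores (nothing is filtered, all 5 lines) =="
filter_log "$WORK/sample.log" "$WORK/naive-ignores"
```

Run it as plain sh; the first section should show only the failed login and the dropped connection, the second all five lines. To test a pattern against the real logs before adding it under /etc/logcheck/ignore.d.<yourloglevel>/, logcheck-test does the same job against the installed rule set.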
If you don't have a lot of systems on your network, setting up an IDS like Snort is probably overkill (especially if you don't have any network services on your machine). I suggest starting by configuring logwatch to send yourself a report of what's going on on your system. Once you have that up, configure your syslog so that you get as much relevant information as possible.