Installing and Configuring Portsentry: IDS for the Uninitiated
So perhaps you have been following all those defacement mirrors and are worried about whether your machine is going to be the next entry in the archives? This article is intended to act as a health supplement for your existing security needs and policies.
Now, like I just said, this article is like a health supplement, but you have to consume it along with your basic food intake. In other words, have a basic security policy in place, otherwise you'll be wasting your time here.
In this article (and the one that will follow), we will discuss what an intrusion detection system actually is, what software you can use to detect intrusions, and how to install not one protection package, but a couple of them.
What is an IDS?
An IDS is expected to detect attacks (like someone port scanning you), log the
attacker's traffic, help trace the origin of the attack and possibly even stop
the attack midstream.
To achieve this an IDS has to do a lot of things like analyzing the captured
packets for an attack, comparing them with a database of attack signatures,
performing integrity checks on the file system (e.g. detecting whether somebody
has tampered with your /etc/shadow file), watching processes, etc.
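To make the "detect a port scan and log it" part concrete, here is a small added example (not Portsentry's own code, and the log format is constructed): it reads connection attempts and flags any source that touches several distinct ports within a short window, which is essentially what a simple host IDS like Portsentry watches for.

```python
"""Minimal port-scan detector illustrating what a simple IDS does: watch
connection attempts, flag a source hitting many distinct ports in a short
window, and report it. Example code, not Portsentry's implementation;
the log format (unix time, source IP, destination port) is constructed."""
from collections import defaultdict

# Constructed sample: one source sweeping ports, two sources behaving normally.
SAMPLE_LOG = """\
1700000000 192.0.2.10 22
1700000001 192.0.2.10 23
1700000001 192.0.2.10 25
1700000002 192.0.2.10 80
1700000002 192.0.2.10 110
1700000003 192.0.2.10 143
1700000005 198.51.100.7 80
1700000030 198.51.100.7 80
1700000400 203.0.113.5 443
"""


def parse_log(text):
    """Turn log lines into (time, src, port) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            events.append((int(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return events


def detect_scans(events, window=60, threshold=5):
    """Return {src: sorted ports} for every source that reaches `threshold`
    distinct ports within any `window` seconds (events processed in time order)."""
    hits = defaultdict(list)  # src -> [(time, port)] still inside the window
    flagged = {}
    for t, src, port in sorted(events):
        recent = [(ts, p) for ts, p in hits[src] if t - ts <= window]
        recent.append((t, port))
        hits[src] = recent
        ports = {p for _, p in recent}
        if len(ports) >= threshold:
            flagged[src] = sorted(ports)
    return flagged


if __name__ == "__main__":
    for src, ports in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: ports {ports}")
```

A real IDS would also record the attacker's traffic and could react (Portsentry's configuration, covered later, decides what happens on a hit); this block only does the detection step.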
There are vendor-defined IDS models like network IDS, host IDS and
procedure-based IDS. Basically, enough options to confuse us!
In this article we will leave all that junk aside and focus on the
principles: installation, configuration and a bit about bypassing IDSs.
We will learn about all this in a series on IDSs comprising two
articles/parts/whatevers:
Part 1: Installing and Configuring Portsentry (a simple an' sweet IDS)
Part 2: Installing and Configuring Snort (a relatively advanced IDS
with more functionality)