Poor Man’s IDS… part 1 – setup

This is what I’ve cobbled together as a poor man’s IDS. I got the concept and original code (and name) from an article in a linux magazine (I think) many years ago. It probably did a lot more to introduce me to linux than it did to actually safeguard my systems, but it’s got some needed concepts for beginner sysadmin’s….

For real intrusion detection, there are several open source IDS packages available, including Snort, all of which will do a better job than this, but this does give you a sense of how things are going with your systems, particularly after a few weeks of learning the patterns. AND the backup works very well for me.

I’ll walk through the different programs and comment some of the finer points in the following posts.

You’ll need to create the user “backup” on the linux system, with a home directory of /home/backup, which is where a lot of the files get placed.  You’ll also need the /data directory.  One new note – the files in the data directory should be 664 so that cron and collector.pl can write to them appropriately.

Log: /home/backup/backup-ids.log

ErrorLog: /home/backup/backup-ids.err

NOTE:  I leverage several great utilities found on this website: https://www.rfxn.com/ to help secure my server.

NEEDS: Blat, OpenSSH, WinSCP

——————————————–
crontab
0    1    *   *   *    /usr/local/sbin/bfd
0   */2   *   *   *    /usr/local/sbin/collector.pl
20 */2   *   *   *    /usr/local/sbin/ids.sh

——————————————–
backup.sh – this script tars & gzips the /home/backup directory when called from the external data collector (below)

#!/bin/bash

## zip & send

tar -czvf /home/hostname.tar.gz /home/backup/*

ls -alR /home/backup > /home/dirlist.txt

## switched from email or scp deliver to scp pickup using ssh keys
## to revert, uncomment one of the delivery mechanisms below

#mail -s “hostname Backup Configs” -r backups@hostname.com -a /home/hostname.tar.gz admin@hostname.com < /home/dirlist.txt

#scp -i /home/user/.ssh/username /home/hostname.tar.gz admin@hostname.com:/share/Backups/files/configs

——————————————–
Windows based command script to execute backup.sh (above) and then pull the data.  I use OpenSSH and WinSCP as utilties.  ssh keys tied to backup user.

@echo off
set CYGWIN=binmode tty
set TERM=ansi
set USERNAME=backup
set HOME=c:\programs
set RSYNC_RSH=ssh.exe

set LOG=b:\backup-configs-hostname.log
set DATA=configs/hostname
set DRIVE1=
set MAP1=
set DRIVE2=
set MAP2=
set COMMAND1=ssh -i b:\scripts\backup -t backup@hostname.com sudo /usr/local/sbin/backup.sh
set COMMAND2=winscp /console /privatekey=b:\scripts\backup.ppk /script=b:\scripts\hostname.scp

rem net use %MAP1%
rem net use %MAP2%

echo Beginning backup of: %DATA% on %date% @ %time% > %LOG%
echo with command: %COMMAND1% >> %LOG%
echo – >> %LOG%
%COMMAND1% >> %LOG%
echo – >> %LOG%
echo with command: %COMMAND2% >> %LOG%
%COMMAND2% >> %LOG%
echo – >> %LOG%
echo Backup Complete >> %LOG%

blat %LOG% -t administrator@hostname.com -subject “backup: %DATA%” -f backup@hostname.com -server smtp.server.com -port 587 -u user@hostname.com -pw password

rem net use %DRIVE1% /delete
rem net use %DRIVE2% /delete

——————————————–
hostname.scp – winscp command file called from the windows based script above.

option batch abort
option confirm off
open scp://backup@hostname.com -hostkey=”SHA-2: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx”
option transfer binary
cd /home
lcd b:\files\hostnameconfigs
get hostname.tar.gz
close
exit

Leave a Reply

Your email address will not be published. Required fields are marked *