Create a Distributed Stealth Sensor Network
Keep your IDS sensors safe from attack, while still giving yourself access to their data.
Your IDS sensors are the early warning system that can both alert you to an attack and provide needed evidence for investigating a break-in after one has occurred. You should take extra care to protect them and the data that they collect. One way to do this is to run your IDS sensors in stealth mode.
To do this, simply don’t configure an IP address for the interface that your IDS software will be collecting data from. Putting the interface up, but without specifying an IP address, can do this.
For example:
#tcpdump -i eth1
tcpdump: bind: Network is down #ifconfig eth1 up promisc
#ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:DE:AD:BE:EF:00 UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Interrupt:11 Base address:0x1c80 #/usr/sbin/tcpdump -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned tcpdump: listening on eth1
After you’ve put the interface up, just start your IDS [Hack #82] . Your IDS will run as normal, but since there is no way to directly access the machine, it is very difficult to attack it.
However, just like potential attackers, you will be unable to access the machine remotely. Therefore, if you want to manage the sensor remotely, you’ll need to put in a second ...
Get Network Security Hacks now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.