Effective Server Intrusion Detection: Tools and Techniques for Small-Scale Operations


3 views

Every sysadmin knows server logs are goldmines for intrusion detection, but manual parsing is inefficient. Here's a Python script using regex to flag suspicious SSH attempts:

import re
from collections import defaultdict

def analyze_auth_log(log_path):
    failed_attempts = defaultdict(int)
    ip_pattern = re.compile(r'Failed password for .* from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})')
    
    with open(log_path) as f:
        for line in f:
            match = ip_pattern.search(line)
            if match:
                ip = match.group(1)
                failed_attempts[ip] += 1
    
    return {ip:count for ip, count in failed_attempts.items() if count > 5}

The FAT table manipulation case highlights why file monitoring is crucial. AIDE (Advanced Intrusion Detection Environment) is perfect for this:

# Sample AIDE configuration
/etc/aide.conf

# Basic directories to monitor
/etc p+i+l+u+g+s+b+acl+xattrs+sha512
/bin p+i+l+u+g+s+b+acl+xattrs+sha512
/sbin p+i+l+u+g+s+b+acl+xattrs+sha512
/usr/bin p+i+l+u+g+s+b+acl+xattrs+sha512

Unexpected network traffic often precedes breaches. This Bash one-liner identifies unusual outbound connections:

netstat -tulnp | grep -vE '(127.0.0.1|::1)' | awk '{print $4,$5,$7}' | sort | uniq -c | sort -n

Osquery provides SQL-powered introspection. This query detects processes with hidden TCP connections:

SELECT DISTINCT 
    processes.pid, 
    processes.name, 
    listening_ports.port, 
    processes.cmdline
FROM processes
JOIN listening_ports ON processes.pid = listening_ports.pid
WHERE listening_ports.address NOT LIKE '127.%'
AND listening_ports.address NOT LIKE '::1'
AND processes.name NOT IN ('sshd','nginx','mysql');

For real-time protection, Fail2Ban can block repeated intrusion attempts. Example jail.local configuration:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400

To uncover FAT table manipulations like in your case, use low-level tools:

# Find hidden files by inode allocation
find / -type f -inum $(ls -i / | awk '{print $1}') 2>/dev/null

# Alternative method using debugfs (ext filesystems)
debugfs -R 'stat ' /dev/sdXN

While manually reviewing server logs is better than nothing, it's incredibly inefficient for detecting sophisticated intrusions. That FAT table manipulation case you mentioned perfectly illustrates how attackers can bypass traditional monitoring methods. Let's explore more systematic approaches.

For small teams, implement these overlapping detection methods:

# Example of setting up fail2ban basic protection
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit config to protect SSH
sudo nano /etc/fail2ban/jail.local
[sshd]
enabled = true
maxretry = 3
bantime = 86400

Tools like AIDE or OSSEC can detect unauthorized file changes:

# AIDE quick setup example
sudo apt install aide
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Run daily checks via cron
0 0 * * * /usr/bin/aide --check

Machine learning tools like Wazuh or Elastic Security can establish baselines and alert on deviations:

# Wazuh agent installation
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
sudo apt install wazuh-agent

Suricata or Zeek can detect C2 communications and data exfiltration:

# Suricata quick rules example
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Malware CnC"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; threshold:type limit, track by_src, count 1, seconds 60; sid:2019381; rev:2;)

For AWS/GCP/Azure environments, leverage native tools:

# AWS GuardDuty CloudWatch event rule example
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": ["8", "8.0"]
  }
}

Combine detection with automated containment:

# Example AWS Lambda response function
import boto3
def lambda_handler(event, context):
    ec2 = boto3.client('ec2')
    instance_id = event['detail']['resource']['instanceDetails']['instanceId']
    ec2.create_tags(Resources=[instance_id], Tags=[{'Key':'Compromised', 'Value':'True'}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=['sg-isolation'])

Integrate IOCs from sources like AlienVault OTX or MISP:

# Python script to check IPs against OTX
import OTXv2
otx = OTXv2.OTXv2("YOUR_API_KEY")
indicators = otx.get_indicator_details_by_section(ip="malicious_ip", section="general")
print(indicators['pulse_info']['pulses'])