How to protect CentOS servers from unauthorized access using an intrusion detection system (IDS)

How to use an intrusion detection system (IDS) to protect CentOS servers from unauthorized access

Introduction: As a server administrator, protecting the server from unauthorized access is a very important task. The Intrusion Detection System (IDS) can help us achieve this goal. This article will introduce how to install and configure Snort, a commonly used IDS tool, on a CentOS server to protect the server from unauthorized access.

1. Install Snort

1. Update server software package

Run the following command in the terminal to update the software package:

sudo yum update

2. Installing dependencies

Installing Snort requires some dependencies. Run the following command in the terminal to install these dependencies:

sudo yum install libpcap-devel pcre-devel libdnet-devel

3. Download and compile Snort

Download the latest Snort source code, and unzip the downloaded file:

wget https://www.snort.org/downloads/snort/snort-2.9.17.tar.gz
tar -xzf snort-2.9.17.tar.gz

Enter the decompressed directory, compile and install Snort:

cd snort-2.9.17
./configure --enable-sourcefire
make
sudo make install

2. Configure Snort

1. Create Snort configuration file

Run the following command in the terminal to create the Snort configuration file:

sudo cp /usr/local/src/snort-2.9.17/etc/*.conf* /usr/local/etc/
sudo cp /usr/local/src/snort-2.9.17/etc/*.map /usr/local/etc/

2. Edit the Snort configuration file

Use a text editor to open the Snort configuration file for editing:

sudo nano /usr/local/etc/snort.conf

In the configuration file, you can set the network interface you want to monitor, the location of the rule file, etc.

For example, you can edit the following to monitor all traffic on the eth0 interface:

# 配置监控的网络接口
config interface: eth0

# 配置规则文件的位置
include $RULE_PATH/rules/*.rules

In addition, other configurations of Snort can be adjusted according to actual needs.

3. Configuration Rule File

Snort uses rule files to detect and block potential intrusions. You can download the latest rule file from the Snort official website and place it in the rule file directory.

By default, the Snort rule file directory is /usr/local/etc/rules. You can view and modify the location of this directory in the Snort configuration file.

For example, you can edit the following to specify the rules file directory as /usr/local/etc/rules:

# 配置规则文件的位置
RULE_PATH /usr/local/etc/rules

4. Start Snort

In Run the following command in the terminal to start Snort:

sudo snort -A console -c /usr/local/etc/snort.conf -i eth0

This will start Snort in console mode and monitor traffic on the eth0 interface.

3. Use Snort to detect and prevent unauthorized access

1. Monitoring log

Snort will record what it detects in the Snort log file Any potential intrusion. You can view and modify the location of this log file in the Snort configuration file.

For example, you can edit the following to specify the log file location as /var/log/snort/alert.log:

# 配置日志文件的位置
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: alert
output alert_full: alert.log

# 配置日志文件的位置
config detection: search-method ac-split
config detection: ac-logdir /var/log/snort

2. Blocked IP

If you find that an IP address is undergoing unauthorized access, you can use Snort's blocking function to block further access to the IP address.

Run the following command in the terminal to block a certain IP address:

sudo snort -A console -c /usr/local/etc/snort.conf -i eth0 --block -O

3. Write a custom rule

If you have specific needs, you can Write custom Snort rules to detect and block specific intrusions.

For example, the following is a simple custom rule for detecting unauthorized access via SSH:

# 检测通过SSH进行的未经授权访问
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"Unauthorized SSH Access"; flow:to_server,established; content:"SSH"; classtype:suspicious-login; sid:100001; rev:1;)

Open the rules file using a text editor and add the custom rule to the end of the file.

4. Rule update

Snort’s rule base is actively updated. Regularly updating rules ensures that your Snort always has the latest intrusion detection capabilities.

You can download the latest rule file from the Snort official website and place it in the rule file directory.

5. Conclusion

By using an intrusion detection system (IDS) such as Snort, we can protect CentOS servers from unauthorized access. This article takes the installation and configuration of Snort as an example to introduce in detail how to use IDS to monitor and prevent potential intrusions. By following the above steps and configuring it appropriately based on actual needs, we can enhance the security of the server and reduce potential risks.

Note: This article only briefly introduces how to use Snort as an intrusion detection system, rather than explaining its principles and all configuration options in detail. For a deeper understanding and further exploration, it is recommended to refer to Snort official documentation or other relevant materials.

I hope this article is helpful to you, and I wish your server is safe and worry-free!

The above is the detailed content of How to protect CentOS servers from unauthorized access using an intrusion detection system (IDS). For more information, please follow other related articles on the PHP Chinese website!