Detecting intruders with a Raspberry Pi IDS
False Alerts?
Not every attack has to be dangerous. The orange message ALERT: ET DNS Query to a *.pw domain – Likely Hostile warns users against accessing a web page with the pw top-level domain. A quick search shows that someone updated a Buttercup password manager via the buttercup.pw website (Figure 7). There is no immediate danger from this.
No machines running, but the IDS still reports something? No panic: How many smartphones, laptops, and smart home devices use your Fritz!Box? Every device on the network has an IP address, and every Suricata message contains that device's source and destination addresses. A quick look at the Fritz!Box subscriber list reveals which terminal this address belongs to. Granted: Once Suricata has annoyed you with the same message for about the hundredth time, you might want to remove this signature.
Security
An IDS does add a little more security, but the installation shown in this article is the beginning of any serious intrusion detection project. Some additions would still be required for robust enterprise use. The EveBox and M/Monit websites require HTTPS access with alert-free certificates. And you would need authentication, unless you want everyone to be able to view the logs.
Fritzdump expects the Fritz!Box password, but you would definitely not want this to be visible in the process list. It is better to store security-relevant information in variables or files with restrictive rights. And running Suricata with root privileges is questionable practice. You can change this in the run-as: section of the configuration file and use a dedicated IDS account instead.
A Raspberry Pi running Linux is not completely unprotected, but you would still want to enable a local firewall. Raspberry Pi OS offers the usual suspects: iptables, nftables, and firewalld. A firewall lets you restrict access to the required applications (SSH and HTTPS) and keep things within the boundaries of the local network. Finally, integration with an existing alerting system can be useful. If you lose sight of critical messages in the mass of files on the Rasp Pi, the IDS is not going to be a big help. Messages need to be displayed in good time on the admin's smartphone.
Conclusions
No IDS is capable of solving every imaginable security problem, but a good IDS is an important component for securing your network. Even on a low budget, a Raspberry Pi and the free Suricata software can handle intrusion detection, in conjunction with a compatible router like Fritz!Box.
Infos
- Suricata: https://suricata.io
- EveBox: https://evebox.org
- Fritzdump: https://github.com/ntop/ntopng/blob/dev/tools/fritzdump.sh
- M/Monit: https://mmonit.com
- M/Monit configuration for monitoring Suricata, EveBox, and Fritzdump: https://linuxnewmedia.thegood.cloud/s/5Rzx9tQW2FJ6N3Z
- Fail2Ban: https://www.fail2ban.org/wiki/index.php/Main_Page
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Kubuntu Focus Goes Ultra
The Kubuntu Focus team has upped the performance ante of its M2 and Zr laptops with the latest, greatest CPUs from Intel.
-
Linux Gamers May Soon See Less Mouse Lag in KDE Plasma
Gamers using KDE’s Plasma desktop have been suffering from a slight input delay in mouse movement that could lead to getting fragged.
-
Three Lines of Code Improve Linux Storage Performance
A developer changed three lines of code, giving Linux storage performance a 5% bump.
-
AUR Hit Again with Malicious Packages
Once again the Arch User Repository is plagued by a high volume of malicious packages.
-
Alpine Linux 3.24 Features Fresh Desktops and a Newer Kernel
If you're a fan of Alpine Linux, it's time to upgrade because the latest version has been released with KDE Plasma 6.6, Gnome 50, and Linux kernel 6.18 LTS.
-
EU Open Source Strategy Plays Key Role in Tech Sovereignty Package
Comprehensive measures adopted by the European Commission aim to reduce dependency on non-EU countries.
-
Linux Foundation Report Indicates AI Driving Tech Hiring
Within growing security and skills gaps, AI has been found to be a positive driving force behind tech hiring trends in Europe.
-
United Nations Open Source Portal Goes Live
A new open source portal seeks to coordinate and scale open source efforts across the United Nations system.
-
KDE Linux Drops AUR
KDE Linux developers have dropped the Arch User Repository from the build pipeline due to security concerns; other distributions should consider doing the same.
-
California May Exempt Linux from Its Age-Verification Law
After backlash from the Linux community, California may be backing off on its promise to force all operating systems to verify age, but one platform may still have to comply.
