Secure Your Linux Server with an Intrusion Detection SystemsteemCreated with Sketch.

in cybersecurity •  2 years ago

So you got your server up, the SSH secure, the firewall on, and some monitoring filters for certain services in case someone tries to gain access through one of them.

What else can be done to secure your system?


This is a continuation from 4 previous parts:

Security Tangent - Disable Unused Services

One thing is to reduce the amount of running services to only be those services you need running.

Login to your server via SSH, and type:

sudo netstat -tulpn

Now, if you have a minimal installation with only the base server components, and you followed my previous "Securing Your Linux Server" guides, you will not have any more to do here, as you will see something like:


If you see that, then everything is good. Nothing to be done.

If you have more programs, you will need to look into securing them individually. But all unused services should be disabled.

To uninstall a service that is no longer needed in Ubuntu, do:

sudo apt-get purge package_name

Then do sudo netstat -tulpn again. The service name you removed, is no longer there.

Please go do more research into removing specific applications if you are unsure about them.

Intrusion Detection

With a server setup, there are still ways for intruders to get in, despite the feature already installed. Vulnerabilities exist and unauthorized access can allow someone to make changes to your system or take it down. They could even hijack your system, and use it to launch attacks on others, such as DDoS attacks.

Linux can secure your system in away that ensures you can detect and track all changes. One popular tool is AIDE, Advanced Intrusion Detection Environment. This is what we are going to install for some base IDS security. There are other more complex and comprehensive tools, like Tripwire and OSSEC.

* Note: use root login to install. I tried with sudo and don't have access to certain areas to create the DB. Don't waste your time, use root from the start.

1. Installation

apt-get install -y aide

2. Verify

aide -v

3. Create the AIDE database

Newer versions of Ubuntu after 14.04 use a newer manager for AIDE, called aide-common.

If you're not sure, try the old way:

aide --init

and if you get the error:

Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/ for writing

then that means you are on the newer version.

Configuration files are in different places, and we need to use the executables from "aide-common" instead:


AIDE files are located at:

/etc/default/aide - The AIDE general configuration file.
/etc/aide/aide.conf - The AIDE rules configuration file.
/etc/cron.daily/aide - Daily AIDE cron scripts.

Init Command

Instead of aide --init, use:


This takes some time to run.

If you get asked:

Overwrite existing /var/lib/aide/ [Yn]?

Type y and hit enter.


However, if inputing the aideinit cmd gives you an error about not being installed or not a recognized command, then you need to install aide-common:

apt-get install -y aide-common

Now try aideinit and it will work. But again, it takes time.


When it completes, you should see:

Start timestamp: 2016-12-13 12:38:21 -0500
Verbose level: 6

Number of entries:      208403

The attributes of the (uncompressed) database(s):

  RMD160   : uyyN564Fdf446HHFHfh24Q/z6/4=
  TIGER    : 8G/Frmndfg76jhyN564Fdf4kRNQyqbB
  SHA256   : fgf564Fdf4fg5gfg4dfeDDGDG3sffGH5+D7q
  SHA512   : aRnSogD8PFdf4fg5Nysgs9oVf4yeuPaAMxHL
  CRC32    : 564Fdf==
  HAVAL    : LRdNysgs9oVf48PFdf4fg57/RJDFHRe
  GOST     : zF8JRIaCyQ577UcUzF8JRIyVVIz

End timestamp: 2016-12-13 12:44:52 -0500 (run time: 6m 31s)
Overwrite /var/lib/aide/aide.db [yN]?

The last line may not be there for you. If it is, type y and hit enter.

Jut check to make sure the db was created:

cd /var/lib/aide
ls -lt

and you should see:

aide.conf.autogenerated aide.db


4. Check aide

This is how to check the DB with the new "aide-common" package and command:

aide.wrapper --check

You can also do longer form as aide --config /var/lib/aide/aide.conf.autogenerated --check, or sudo /usr/bin/aide.wrapper -c /etc/aide/aide.conf --check, in case you have issues at some point these are alternatives.

It should give you the similar output from earlier with aideinit.

5. Create test file for AIDE to pick up

Just to make sure AIDE is working, create a dummy file:

touch /tmp/mytestfile.txt

Then check for changes:

aide.wrapper --check

You could see a lot of stuff after it finishes.

If you want to better manage what is displayed, instead of a limited scroll window, use aide.wrapper --check > /root/aidecheck.txt. Then open it with nano /root/aidecheck.txt.

If you are satisfied witht he results, then you can update the DB and forget about these changes:


6. Automate a schedule with a cron job

Create a file anywhere, for example:

nano /root/

Add the following, and change the email at least, and the "tmp" file locations and names if you wish:

#! /bin/sh
MYDATE=`date +%Y-%m-%d`
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/bin/aide.wrapper --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
/usr/bin/mail -s"$MYFILENAME `date`" < /tmp/$MYFILENAME

Make it executable:

chmod +x /root/

Edit crontab:

crontab -e

Add at the bottom:

00 01 * * * /root/

Then ctrl+x and save.

This shell script will run each day of the week (*), every month (*), each day of the month (*), at 1am. You can change any of the parameters for the interval. Please consult additional help to know how to modify each parameter.

Well that's all folks! You now have a basic intrusion detection system setup.

See you next time for more on securing a Linux server!

Thank you for your time and attention! I appreciate the knowledge reaching more people. Take care. Peace.


If you appreciate and value the content, please consider:

Upvoting, Sharing, and Resteeming below.

Follow me for more content to come!

2016-12-13, 7:36pm

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

This is on the agenda for The Kraken tonight. TY for posting previous posts. Boom Bip!


You're welcome, what's the Kraken other than the mythical monster?


My new refurbished workstation. It is where I'm learning Linux (Ubuntu) with VirtualBox VMs. Eventually I should get up to containers. A great way to learn a new OS and learn Blockchain

Great post! Thanks for sharing this!

This post has been ranked within the top 25 most undervalued posts in the first half of Dec 14. We estimate that this post is undervalued by $12.76 as compared to a scenario in which every voter had an equal say.

See the full rankings and details in The Daily Tribune: Dec 14 - Part I. You can also read about some of our methodology, data analysis and technical details in our initial post.

If you are the author and would prefer not to receive these comments, simply reply "Stop" to this comment.