> you'd mostly care about exfiltration of data, so watching/actively managing exactly what network connections your computer/network can do, would give you upfront notification when it happens
If you have a list of good CLI utilities, you could run them in a bash script (e.g., network-monitor.sh), which would run in the background, and then redirect the output data to another file (e.g., network-monitor.txt). The key concept here is "baseline" -- you need to know what normal baseline network activity looks like, so that you can identify anomalous behavior. The way to establish a baseline is to gather a lot of data from the system.
The following are a few useful command line utilities to use for a host intrusion detection system (HIDS) using a simple network monitoring bash script. However, I am not sure exactly how to tweak the options. I also need to find a way to check for data exfiltration:
- list open ports and the processes that own them: netstat -lnp
- show open network ports: lsof -i; netstat -an | grep -i listen; netstat -nap
Then it would be relatively easy to write a python script with regex tools to parse the network-monitor.txt file, establish a baseline, analyze the data for patterns and search for anomalous behavior.
Besides network monitoring, there are other command line utilities you can use to check the system for possible intrusion, which you could run in a separate bash script as part of your Host Intrusion Detection System (e.g., hids-users.sh):
- show members of the root group: cat /etc/group | grep root
- show users logged in: w  # if you are the only user, you should not see more than one account logged in
- search for all accounts with a UID of 0: grep :0: /etc/passwd  # ideally there should be only one UID of 0 on the system, but an attacker can create more
- check that daemons which never log in have * or !, meaning no password: cat /etc/shadow
- look for orphaned files, a possible sign of an attacker's temp account being deleted: find / -nouser -print
- search for new user accounts that are not part of the regular build: sort -nk3 -t: /etc/passwd  # sort numerically on the third column (UID), colon delimited (-t:)
EDITS: several small changes for clarity and also in response to the comment below
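As an added illustration of the "baseline" idea described in the post above (this is example code, not something from the original thread), the script below parses `netstat -nap`-style lines, reduces each socket to the features that should stay stable over time, and reports sockets that never appeared during the baseline period. It also applies the same idea to /etc/passwd: it lists every UID 0 account and any account that was not present in a baseline copy. All input here is constructed sample text embedded inline; in practice you would read network-monitor.txt and a saved copy of /etc/passwd instead. The file layout, program names, addresses and the `unknownsvc`/`toor` entries are invented for the demonstration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of `netstat -nap` output, standing in for
# lines a background script appended to network-monitor.txt over a quiet day.
BASELINE_CAPTURE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1044/cupsd
tcp        0      0 192.168.1.10:51234      93.184.216.34:443       ESTABLISHED 2210/firefox
tcp        0      0 192.168.1.10:51240      93.184.216.34:443       ESTABLISHED 2210/firefox
udp        0      0 0.0.0.0:68              0.0.0.0:*                           690/dhclient
"""

# Constructed later capture: one new listener and one process talking to a
# remote host that never appeared during the baseline period.
LATER_CAPTURE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      3120/unknownsvc
tcp        0      0 192.168.1.10:51300      93.184.216.34:443       ESTABLISHED 2210/firefox
tcp        0      0 192.168.1.10:51301      198.51.100.7:8443       ESTABLISHED 3118/python3
"""

# One netstat line: proto, recv-q, send-q, local, foreign, optional state, pid/program.
# UDP sockets have no state column; a "-" appears when the PID is not visible.
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+|-)(?:/(?P<prog>\S+))?\s*$"
)


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Return one dict per parseable socket line; headers and noise are skipped."""
    return [m.groupdict() for m in map(NETSTAT_LINE.match, text.splitlines()) if m]


def connection_key(rec: Dict[str, str]) -> Tuple[str, ...]:
    """Collapse a socket into the features that should stay stable over time.

    Listeners are keyed by protocol, local port and program. Outbound
    connections are keyed by program and remote endpoint, because the local
    ephemeral port changes on every connection and would make each line look new.
    """
    prog = rec["prog"] or "?"
    local_port = rec["local"].rsplit(":", 1)[1]
    if rec["state"] == "LISTEN" or rec["proto"].startswith("udp"):
        return ("listen", rec["proto"], local_port, prog)
    return ("out", prog, rec["remote"])


def build_baseline(text: str) -> Set[Tuple[str, ...]]:
    """The set of socket features observed during the baseline period."""
    return {connection_key(r) for r in parse_netstat(text)}


def find_anomalies(baseline: Set[Tuple[str, ...]], text: str) -> List[Tuple[str, ...]]:
    """Socket features in a later capture that never appeared in the baseline."""
    seen: Set[Tuple[str, ...]] = set()
    anomalies = []
    for rec in parse_netstat(text):
        key = connection_key(rec)
        if key not in baseline and key not in seen:
            seen.add(key)
            anomalies.append(key)
    return anomalies


# Constructed /etc/passwd contents: a baseline copy and a later copy with an
# extra UID 0 account, the case the post above warns about.
PASSWD_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
PASSWD_LATER = PASSWD_BASELINE + "toor:x:0:0::/root:/bin/bash\n"


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name to numeric UID, ignoring malformed lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            accounts[fields[0]] = int(fields[2])
    return accounts


def uid0_accounts(text: str) -> List[str]:
    """Every account with UID 0; anything beyond 'root' deserves a look."""
    return sorted(name for name, uid in parse_passwd(text).items() if uid == 0)


def new_accounts(baseline_text: str, current_text: str) -> List[str]:
    """Accounts present now that were absent from the baseline copy."""
    return sorted(set(parse_passwd(current_text)) - set(parse_passwd(baseline_text)))


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_CAPTURE)
    for key in find_anomalies(baseline, LATER_CAPTURE):
        print("new socket feature:", key)
    print("UID 0 accounts:", uid0_accounts(PASSWD_LATER))
    print("accounts not in baseline:", new_accounts(PASSWD_BASELINE, PASSWD_LATER))
```

The baseline should be built from captures spanning enough time to cover your normal activity (updates, backups, the browsers and mail clients you actually use); a baseline taken from one quiet hour will flag ordinary traffic as new. Keying outbound connections on program plus remote endpoint also means a familiar program talking to an unfamiliar host is reported, which is the pattern a data exfiltration check is mostly after.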
> tail your network-monitor.txt file to watch for anomalies in the network connections and check for any strange outflows of data
Don't do that; you can't rely on "watch for anomalies" with your human eyes.
Either you set up something that notifies you after the fact, or you outright block all incoming/outgoing connections until you approve them. As mentioned elsewhere in the thread, I think OpenSnitch, Little Snitch and PiHole can all help you with these things.
But don't assume you can "watch for anomalies"; automation and/or gated access is probably the way to go.
Indeed, OpenSnitch helps; PiHole I'm not so sure (maybe if the c2c servers are in a blocklist...):
https://www.reddit.com/r/linux_gaming/comments/1u34pe3/comme...
I thought PiHole could act as a "whitelist-only" DNS server, but maybe I'm wrong; that could be an additional layer.
> you can't rely on "watch for anomalies" with your human eyes
Yes, I agree, that's a good call. I would not try to check for anomalies manually with meatware. I would parse the data with python regex tools to establish a baseline and search for anomalous patterns.
I edited my post to reflect the change you suggested.