What automated intrusion notification/detection setup is good for home desktop use?

I've been using Linux for quite a while now and I always feel the need to have a passive software / script setup which can alert me of any suspicious network activities like scans, failed login attempts, etc. on the fly via email or by visual/audio notifications.

I know how to look up through logs and stuff but for the most part it is a manual, time consuming process. I'm looking for something that is semi/fully automated with some good log parsing capabilities.

I'm aware of IDS systems for monitoring networks like Snort, etc. but they are overkill for the average home user and a painful process to get up and running.

What is a good option for me as a home user?


A simple and effective general solution is to use logcheck.

sudo apt-get install logcheck
[edit /etc/logcheck/logcheck.conf to your liking]

logcheck periodically scans all the logs efficiently (starting where it left off last time), filters what it sees to eliminate anything considered normal, and optionally emails alerts with anything that doesn't match the normal/routine patterns.

The main idea is to watch out for the appearance of any serious entries in your log files, all of them, all the time, so you don't have to.

logcheck is highly configurable (man logcheck). You may configure everything, including:

  • frequency of checks
  • which log files are checked
  • what is considered normal vs not
  • where to email the alerts (abnormal events) to

and more. Your ignore (normal/routine) patterns reside in multiple files under /etc/logcheck/ignore.d.* and you may customize them to your needs; mainly you may want to add your own patterns to ignore. The default Ubuntu package comes with an extensive set of files with ignore patterns for many services already, so there's not much to add unless your system is unusual in what it runs. There are 3 sets of pre-configured ignore file profiles: ignore.d.workstation, ignore.d.server, and ignore.d.paranoid which you can pick from.

The main idea behind logcheck is that the various services running on a system already log abnormal events. E.g. sshd or pam already log authentication failures. So the main missing components are:

  • filtering what's normal
  • the alerting service

Both of which are provided by logcheck in a convenient package. You may combine logcheck with any other logging. For example iptables can be configured to syslog any network connection attempts that are not explicitly allowed by adding the rules:

 iptables -A INPUT -j LOG --log-prefix "iptables-drop: "
 iptables -A INPUT -j DROP

immediately after all the allow rules.

I find logcheck to be much more helpful than logwatch (suggested in other answers) because it comes pre-packaged with a very large number of rules to ignore what's considered normal activity. The result is a much higher signal/noise ratio in the alerts it emails. YMMV.

Another advantage of logcheck is that it is orthogonal to any service that logs, so there's no duplication of function. Whenever you add a new service which uses syslog to log events, abnormal or not, into any file under /var/log you start getting alerts for it automatically.

HOWTO:

Since logcheck already comes preconfigured, two lines at the top of this answer essentially cover all you need to get started. Just install it, and go over the top configuration file: /etc/logcheck/logcheck.conf to change your email address so logcheck emails alerts to you.

Here's a friendly reference going over the second step in more detail. Since Ubuntu is based on Debian, these instructions should work on Ubuntu too. Here is another good reference.

Once you install, the continuous improvement process starts. Over time, you refine your rules to ignore anything that you already know about and feel shouldn't be of concern. This refinement process is as simple as adding text lines to a file in your favorite text editor.

Each line in an ignore file is an extended regular expression (see man 7 regex), but you may use simple strings as long as they match the log line you want to ignore. Just remember that characters like *, ?, +, [], and () are special in a regular expression, so if they actually appear in the log lines, you would have to escape them with a backslash \ in the ignore files.

In other words: if you get an alert you don't want to get, look at the log line that was emailed to you, and add a pattern that matches it, as one line to any ignore file of your choice. I suggest using /etc/logcheck/ignore.d.<yourloglevel>/my-ignores as your personal ignore file, where <yourloglevel> is one of paranoid, server, or workstation (as you've already selected in the main config file: /etc/logcheck/logcheck.conf). Look at the examples in other ignore files to see how to account for text that changes all the time, like process IDs or timestamps. There are lots of existing examples to learn from.

One last tip: logcheck comes with a useful little utility called logcheck-test which is very handy for testing new rules. See man logcheck-test for details.
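The ignore-pattern mechanism described in this answer boils down to running the new log lines through `grep -E -v -f <ignore-file>`. The script below is an added example, not part of the answer or the logcheck package: it builds a constructed sample log and a constructed ignore file in the style of /etc/logcheck/ignore.d.workstation/*, then prints the lines that would survive the filter and be mailed as alerts. The `iptables-drop:` prefix and all host names, PIDs and addresses are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the answer above): emulate logcheck's core step,
# which is essentially `grep -E -v -f <ignore-file>` over new log lines.

# Constructed sample log, mimicking /var/log/auth.log and /var/log/kern.log.
SAMPLE_LOG='Mar  3 10:15:01 box CRON[2231]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:15:01 box CRON[2231]: pam_unix(cron:session): session closed for user root
Mar  3 10:16:42 box sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51922 ssh2
Mar  3 10:17:05 box kernel: [ 1234.5678] iptables-drop: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=23
Mar  3 10:17:20 box sshd[2310]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2'

# Constructed ignore file. One extended regex per line: the syslog timestamp
# is matched with [[:alpha:]]{3} [ :[:digit:]]{11} (the Debian rules use \w{3}),
# the changing PID with [0-9]+, and the special characters ( ) [ ] are escaped.
IGNORE_PATTERNS='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_unix\(cron:session\): session (opened|closed) for user [[:alnum:]_-]+( by \(uid=[0-9]+\))?$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for [[:alnum:]_-]+ from [0-9.]+ port [0-9]+ ssh2$'

# filter_log LOG_TEXT PATTERNS: print every log line that matches no
# ignore pattern. This is the set logcheck would put in its alert mail.
filter_log() {
    ignore_file=$(mktemp)
    printf '%s\n' "$2" > "$ignore_file"
    printf '%s\n' "$1" | grep -E -v -f "$ignore_file"
    rm -f "$ignore_file"
}

# count_alerts LOG_TEXT PATTERNS: number of lines that survive the filter.
count_alerts() {
    filter_log "$1" "$2" | grep -c .
}

# Demo: the CRON and accepted-login lines are dropped; the failed password
# and the firewall DROP (from the iptables LOG rule) remain as alerts.
filter_log "$SAMPLE_LOG" "$IGNORE_PATTERNS"
```

When a reported line is routine, copy it into a new pattern in your my-ignores file, replacing the PID, timestamp and address fields with character classes as above, and re-run until only the genuinely unexpected lines remain.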


If you don't have a lot of systems on your network, setting up an IDS like Snort is probably overkill (especially if you don't have any network services on your machine). I suggest starting by configuring logwatch to send yourself a report of what's going on on your system. Once you have that up, configure your syslog so that you get as much relevant information as possible.


Intrusion detection is needed for sure when you run services (ftp, web, nfs, ssh, etc.) on your network. This is because they are exposed on the internet and, due to:

  • misconfiguration
  • software vulnerabilities

they need daily monitoring by an experienced network administrator. If you run these services, you probably already have the minimum knowledge of how to avoid these problems.

If you don't run any of these services, then your internet router's firewall has already blocked any incoming connections on those ports. To scan your network's router:

  • just visit https://www.grc.com/x/ne.dll?bh0bkyd2
  • click "proceed"
  • select "All ports" to check for any open ports

If you are all green, then you are all good.

Last but not least, your router probably has a built-in intrusion detection system (because 99% of all routers run a stripped-down Linux server). For this, you must check the manual from your router's manufacturer.