How do you monitor your system for intrusion attempts?

In light of the recent bugs (PolicyKit) and many others, how should intermediate level users monitor their systems so at least they could issue a report or be aware something's fishy in their network?


There are a couple of related earlier topics: Search results for 'intrusion' - Qubes OS Forum. Perhaps they might be useful.

Was gonna use Kibana and Elasticsearch + Wazuh

Suricata

It is good to use a mitm proxy (they may use exploits on your firefox and use https to establish a connection) and sniff the traffic with another machine for forensic examination.
You must “trust” your mitmproxy fake-cert 🙂

But if you have lots of traffic it is only usable for post-mortem to find the exploits they used. (But… see at the bottom)

For plain network sniffing you can use openwrt and an old router with a gbit VLAN switch set to “monitor mode” (e.g. WR1043ND v1.x, 2.x - TESTED; Archer C2?),
so the ingress and the egress ethernet traffic gets directed to a separate network interface.
Here you attach a gbit ethernet interface (one for each direction) of your “monitoring computer” which is just an old PC with two gbit eth nics, enough RAM and a big enough SSD or better a fast spinning disc (wear!) to run tcpdump on both nics.
Then if there is an incident, you can dive into the traffic logs.
And then you see some strange https …

I used this setup to find strange problems with ipsec at line speed.

And you can install (new thing learned here, thanks!)
https://suricata.io/
on the sniffing PC with the two nics so it can monitor your LAN (at least the VLAN switch you are sniffing) and alert you on some strange things going on. And you also get the logs for later guru meditation on the strange things.

https://suricata.readthedocs.io/en/latest/install.html


So I would suggest running suricata on the net-vm, with enough RAM and CPU cores.
And on the sniffer PC.

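Once Suricata is running on the net-vm or the sniffer PC, the thing you actually sit down with after an incident is its eve.json log. The script below is an added example (mine, not code from this thread or from the Suricata project) of the first-pass triage a practitioner does on that log: count alerts by signature, find the loudest source/destination pairs, pull out severity-1 alerts, and list alerts whose destination is not in a baseline of peers the LAN is expected to talk to. The eve.json lines, the signature names and the KNOWN_GOOD_DESTS baseline are all constructed for the example; the field names (event_type, src_ip, dest_ip, dest_port, alert.signature, alert.severity) follow Suricata's real EVE layout, and Suricata's severity scale puts 1 as the most severe.

```python
#!/usr/bin/env python3
"""Offline first-pass triage of Suricata EVE JSON (eve.json).

Added example: not part of the forum thread and not Suricata's own tooling.
Reads eve.json lines, keeps the 'alert' events and builds a short report.
"""
import json
from collections import Counter

# Constructed sample eve.json lines in Suricata's field layout; not a real capture.
# One JSON object per line, plus one deliberately broken line to show skipping.
SAMPLE_EVE = r"""
{"timestamp":"2022-01-30T10:15:01.123456+0100","event_type":"alert","src_ip":"10.137.0.21","src_port":49812,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000001,"rev":1,"signature":"SAMPLE Outbound TLS to rare destination","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2022-01-30T10:15:03.000000+0100","event_type":"dns","src_ip":"10.137.0.21","dest_ip":"10.139.1.1","dns":{"type":"query","rrname":"example.org","rrtype":"A"}}
{"timestamp":"2022-01-30T10:15:09.500000+0100","event_type":"alert","src_ip":"10.137.0.21","src_port":49813,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000001,"rev":1,"signature":"SAMPLE Outbound TLS to rare destination","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2022-01-30T10:16:00.000000+0100","event_type":"alert","src_ip":"198.51.100.7","src_port":51000,"dest_ip":"10.137.0.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000002,"rev":1,"signature":"SAMPLE Inbound SSH scan","category":"Attempted Information Leak","severity":1}}
{"timestamp":"2022-01-30T10:16:02.000000+0100","event_type":"flow","src_ip":"10.137.0.21","dest_ip":"203.0.113.10","proto":"TCP"}
this line is not json and must be skipped, not crash the triage
"""

# Constructed baseline: destinations this LAN is expected to talk to (assumption).
KNOWN_GOOD_DESTS = {"10.139.1.1", "10.137.0.5"}


def parse_eve(text):
    """Yield one dict per valid JSON line; malformed lines are skipped, not fatal.

    A half-written line at the end of a live eve.json is normal, so the parser
    must tolerate it instead of aborting the whole report.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_alerts(records, known_good=KNOWN_GOOD_DESTS):
    """Reduce EVE records to the few views worth looking at first."""
    alerts = [r for r in records if r.get("event_type") == "alert"]
    by_sig = Counter(r["alert"]["signature"] for r in alerts)
    by_pair = Counter((r["src_ip"], r["dest_ip"], r.get("dest_port")) for r in alerts)
    # Suricata severity: 1 is the most severe; missing severity is treated as low.
    severity_1 = [r for r in alerts if r["alert"].get("severity", 3) == 1]
    # Alerts to a destination outside the baseline: the "strange https" to chase.
    unknown_dest = [r for r in alerts if r["dest_ip"] not in known_good]
    return {
        "total_alerts": len(alerts),
        "by_signature": dict(by_sig),
        "top_pairs": by_pair.most_common(3),
        "severity_1": severity_1,
        "unknown_dest": unknown_dest,
    }


def format_report(summary):
    """Render the summary as plain text for the terminal or a ticket."""
    lines = [f"alerts: {summary['total_alerts']}"]
    for sig, n in sorted(summary["by_signature"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {n:4d}  {sig}")
    lines.append("loudest pairs (src -> dst:dport):")
    for (src, dst, port), n in summary["top_pairs"]:
        lines.append(f"  {n:4d}  {src} -> {dst}:{port}")
    lines.append(f"severity-1 alerts: {len(summary['severity_1'])}")
    lines.append(f"alerts to destinations outside baseline: {len(summary['unknown_dest'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real box: summarize_alerts(parse_eve(open('/var/log/suricata/eve.json').read()))
    print(format_report(summarize_alerts(parse_eve(SAMPLE_EVE))))
```

On a real system you would feed it the eve.json from /var/log/suricata (the default path in Suricata's packaged config) rather than the embedded sample, and seed KNOWN_GOOD_DESTS from a quiet day's flow records so that the "outside baseline" list stays short enough to read.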

This is my post related to monitoring traffic coming out of Qubes. As you will see from the discussion, it’s anything but straightforward.


One would want to monitor all traffic, because evil code could exfiltrate your “secrets” to the internet or Their machines.
And on the other hand, your favorite government could inject some fake data into your internet connection (they might own the CA) and exploit your computer’s 0days. You will not notice the 0day if they are clever and invest much time, but you can help to burn the 0day for good.


Doesn’t it make sense to have one of those ad blocking filters which block any IP known to spam?

The real evil people use google, crimosoft, amazon etc. address space,
as they rent servers to host their hacking infrastructure on.