Symbient™ IDS - Intrusion Detection System and Log File Watcher


Every day, companies (and individuals) around the world become victims of cyber attacks. The majority of attacks that take place are completely automated. Hackers find and share exploits that can be sought out by bots that scour the Internet looking for unpatched and vulnerable systems. In many cases, attacks are simply bots attempting brute-force attacks, which involve repeatedly trying a list of possible username & password combinations until a pair works. This attack can be easily mitigated by using strong passwords. Other attacks can be prevented by keeping your systems up to date: hackers also learn of newly discovered vulnerabilities and write bots that seek out systems that have yet to be updated. So, make sure you apply all security patches as soon as they become available.

But, even if you keep your systems up to date, hackers can still wreak havoc on your systems and your business. They do so by eating up your systems' resources. When done to an excessive point, this can lead to systems & services becoming unavailable. For example, attackers can send millions of requests to your web server at once, which causes your CPU & memory to spike. If this happens for long periods of time, other vital system services fail to perform their duties and eventually stop working. This is known as a Distributed Denial of Service (DDoS) attack, and it can be easily mitigated by detecting a high number of simultaneous requests/connections coming from the same IP address over a short period of time.

To help reduce the number of small businesses falling prey to hackers, and as part of our Pay-It-Forward program, we have decided to release a Lite version of our Symbient™ IDS (Intrusion Detection System) product. Symbient™ IDS is a utility that runs in the background and monitors your system for attempted hacks. The Lite version of Symbient™ IDS does this by monitoring log files and taking actions whenever suspicious activity is detected. As an example, Symbient™ IDS comes prepackaged with a rule that monitors the log file for your email server. On Linux (Ubuntu), this file is located at /var/log/maillog. Once Symbient™ IDS has detected multiple failed login attempts coming from the same IP address over a predefined amount of time, it will add that IP address to your firewall (via iptables if on Linux), blocking further incoming connections from it for a period of time. After the ban-time period has expired, the IP address will be removed from the firewall and connections can recommence. If you want to block connections from that IP address indefinitely, you can set the ban-time to zero. Since the IP address is added to your firewall, not only will it prevent the hacker from attempting to penetrate your email server, but it will also prevent them from gaining access to any other services running on your system (such as HTTP, FTP, SSH, etc.).

Another example rule that comes prepackaged with Symbient™ IDS runs on web servers and detects requests for files that don't exist or shouldn't be accessed from the web. Hackers like to sniff out files that weren't meant to be web accessible because they can contain lots of valuable information. These files can include spreadsheets that contain sensitive customer information, product pricing, and even lists of usernames & passwords. In some cases the files are meant to be there but are supposed to be password protected and aren't. So, you can see why files like these are of interest to the bad guys. Just like with the email log rule above, this rule will add the IP address of the attacker (or bot) to your firewall, therefore blocking it from continuing to search for files it shouldn't have access to.
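The detection logic behind both prepackaged rules (the mail-log rule above and this web-server rule) is the same: a regex filter pulls a source IP out of each matching log line, matches are counted per IP over a sliding time window, and crossing the threshold fires a ban that lapses after the ban-time (or never, when ban-time is zero). The following is an added example written for this page, not Symbient™ IDS's own code or configuration format; the rule definitions, the `LogWatcher` class, the `run` helper and the log lines are all constructed for illustration, and the ban/unban tuples stand in for the external action (such as an iptables call) that the real product would execute.

```python
import re
from collections import defaultdict, deque
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Hypothetical rules modelled on the page's two prepackaged ones (not Symbient's format):
# name -> (regex with an <ip> group, failures tolerated, window in seconds)
RULES = {
    "mail-auth-failure": (re.compile(r"authentication failed .* from \[" + IP + r"\]"), 3, 60),
    "web-404-probe": (re.compile(r"^" + IP + r' .* "[A-Z]+ [^"]*" 404 '), 3, 60),
}
class LogWatcher:
    """Counts rule matches per source IP in a sliding window; bans lapse after ban_time."""
    def __init__(self, rules, ban_time):
        self.rules, self.ban_time = rules, ban_time  # ban_time 0 = ban indefinitely
        self.hits = defaultdict(deque)   # (rule, ip) -> timestamps of recent matches
        self.banned = {}                 # ip -> expiry time, or None for indefinite
        self.actions = []                # what would be handed to the action (e.g. iptables)
    def feed(self, now, line):
        for ip, until in list(self.banned.items()):   # lift bans whose time has passed
            if until is not None and now >= until:
                del self.banned[ip]
                self.actions.append(("unban", ip))
        for name, (pattern, max_hits, window) in self.rules.items():
            m = pattern.search(line)
            if not m or m.group("ip") in self.banned:
                continue
            ip = m.group("ip")
            q = self.hits[(name, ip)]
            q.append(now)
            while now - q[0] > window:   # forget matches that fell out of the window
                q.popleft()
            if len(q) >= max_hits:
                self.banned[ip] = None if self.ban_time == 0 else now + self.ban_time
                self.actions.append(("ban", ip, name))
                q.clear()

# Constructed sample events (seconds since start, log line); not real log data.
SAMPLE_EVENTS = [
    (0, "mx dovecot: imap-login: authentication failed for user=bob from [203.0.113.5]"),
    (5, "mx dovecot: imap-login: authentication failed for user=bob from [203.0.113.5]"),
    (9, "mx dovecot: imap-login: authentication failed for user=alice from [203.0.113.5]"),
    (12, '198.51.100.7 - - [10/Jan/2024:10:00:12 +0000] "GET /customers.xlsx HTTP/1.1" 404 162'),
    (13, '198.51.100.7 - - [10/Jan/2024:10:00:13 +0000] "GET /pricing.xlsx HTTP/1.1" 404 162'),
    (90, '198.51.100.7 - - [10/Jan/2024:10:01:30 +0000] "GET /staff.xlsx HTTP/1.1" 404 162'),
    (700, "mx dovecot: imap-login: authentication failed for user=bob from [203.0.113.5]"),
]
def run(events, ban_time=600):
    w = LogWatcher(RULES, ban_time)   # replay time-ordered events, return fired actions
    for t, line in events:
        w.feed(t, line)
    return w.actions
```

With the sample events, the mail client is banned on its third failure at t=9 and unbanned once the 600-second ban-time has passed, while the web client's third 404 at t=90 falls outside the 60-second window of its first two and never triggers a ban.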

Symbient™ IDS can also be used for more than just preventing hackers from banging on your system's door. You can easily add your own rules that monitor other log files for whatever you so desire, and execute actions as necessary. For example, I have a rule that watches the log file of an application that connects to my home automation system. If something happens within that app that I need to know about, Symbient™ IDS detects it and publishes a message to a local instance of Symbient™ Spine™ (see here) where another app reads that message and triggers another device to respond. This is necessary because this particular app doesn't provide any way to directly notify other systems whenever it does something. It's a bit of a hack, but it does the job. It's also yet another way to utilize the Lite versions of our Symbient™ products for personal usage, even though they're developed & intended for small, medium, and large businesses.

Symbient™ IDS is extremely flexible, and is easy to configure & expand. You can create new filters and actions by copying those that come prepackaged with the app and modifying them to meet your own needs. Filters and rules are defined using regex (regular expressions), which are flexible enough to account for any type of use case. Actions specify external applications that are called whenever a filter/rule's criteria are met. This provides you with endless possibilities of what you can do with Symbient™ IDS.

To get started, simply click the link below that matches your environment to download a compressed file that contains the runtime executable, a sample configuration file, and sample filters & actions (including those mentioned above). Once downloaded, extract the files to your filesystem and edit your filters & actions to suit your needs. Then, all you have left to do is run the included executable ("SymbientIDS"). As the files listed in your filters are modified, Symbient™ IDS will detect those changes and will perform the actions you've specified.

Downloads:
Symbient™ IDS for Windows
Symbient™ IDS for Linux

If you have any questions or comments regarding Symbient™ IDS, feel free to shoot us a message on our contact page. We love hearing from you!

DISCLAIMER: THE SOFTWARE PROVIDED HEREIN IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED. TO THE MAXIMUM EXTENT PERMITTED BY LAW, UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY (WHETHER BASED IN EQUITY, CONTRACT, NEGLIGENCE, OTHER TORTIOUS ACTION, STRICT LIABILITY, OR ANY OTHER THEORY OF LIABILITY) SHALL LUCUS LABS, ITS OFFICERS, DIRECTORS, EMPLOYEES, SUBSIDIARIES, OR AFFILIATED COMPANIES BE LIABLE FOR ANY LOSS OR DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, SPECIAL CONSEQUENTIAL, PUNITIVE, LOSS OF REVENUE, LOSS OF ANTICIPATED PROFITS, GOODWILL, DIMINUTION OF VALUE, BUSINESS INTERRUPTION COSTS, OR ANY OTHER INTANGIBLE LOSSES ARISING OUT OF, RELATED TO, OR IN CONNECTION WITH YOUR USE OF, OR RELIANCE UPON, THE SOFTWARE PROVIDED HEREIN (EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITIES OF SUCH DAMAGES). BY DOWNLOADING AND USING THE SOFTWARE PROVIDED HEREIN, YOU ASSUME ANY AND ALL RISK AND RESPONSIBILITY.