Software ↑     Config Download Install Modules Procmon Scriptlets Security Usage


As of version 2.0 the security policy of nabou has completely changed. Nabou uses RSA public key crypto for data entry signing.

A step-by-step description follows, which describes in detail how to protect a nabou database:

1. Create the keys

The very first thing you need to do, is to create a new key pair for your nabou installation. What does "key pair" actually mean?

The PRIVATE key, which is encrypted and only accessible for authorized users, since a passphrase is required to unlock it, will be used to cryptographically sign the database entries. The signature can later be verified using the PUBLIC key, which is not encrypted and thus nabou is able to run as cronjob without user interaction.

While a potential attacker is still able to access (and even modify) your IDS database, he is not able to create a new valid signature for the modified database entry, therefore you will notice that change.

So, you need to create a public and a private key. Use the following commandline:

 nabou --genkey 

it will ask you some questions, in most cases it is a good idea to accept the suggested defaults.

If everything goes well and no errors occur, then nabou will print out the BASE64 formatted keys to STDOUT. The output is ready for pasting into a nabou configfile. Just copy the output, open your nabou config using your favorite editor (I prefer emacs, but you might consider to use a more archaic one), and paste it into your configuration.

2. Initialize the database

Configure nabou as usual (see nabourc), turn on database protection, i.e: .. sign 1

and issue the following command:

 nabou --init [--config nabourc] 

which will ask you for the RSA passphrase for the private key. Enter the passphrase then. That's for database security.

3. Install a cronjob for your IDS

An example crontab entry for nabou would be:

 00 * * * * /usr/sbin/nabou --config /etc/nabourc > /dev/null 2>&1 
4. Maintenance

There might be some cases where you consider to update your nabou database. This can be after a software update you did or after some system administration tasks you did. Just issue the following command to update your database:

 nabou --update 

nabou will ask you for the passphrase for the encrypted public RSA key!

Beside RSA there are several ways for protecting files from being written. You can use a read-only mounted medium, or you can protect the files using chattr(1). The very best and most secure way is to use LIDS (http://www.lids.org). You can secure the complete nabou database directory and you might protect nabou and you config-file(s) as well:

 lidsadm -A -o /root/db -j READ
 lidsadm -A -o /root/bin/nabou -j READ
 lidsadm -A -o /etc/nabourc -j READ 

If LIDS is well configured, then only root logged in from a local console is able to turn off LIDS and thus to perform a nabou update. Remote users, and even root, are not able to turn it off, and because of this - not able to perform an update of nabou.

If you use such a setup, then you can be sure you will be informed, if someone nasty got root and installed a trojan horse or added a new UID 0 user account or something else.

However this all cannot protect you from malicious attackers who simply remove the database. Of course you will notice that something weird has happened on your system, but you will not know what. So you are strongly advised to protect the databases in a physical way. You could burn them on a cdrom or you could copy them to a remote server (which might be protected by a firewall).