Understanding Intrusion Detection System - Samhain

By Angsuman Chakraborty, Gaea News Network
Thursday, January 10, 2008

You never worry about your site security until after your site has been hacked for the first time. It is always a moment of truth when you first realize how vulnerable you (your site and your data) truly are. You probably have dozens of scripts running on your server, ranging from weblog software and comment forms to perhaps a CMS like Mambo or Joomla, not to mention your home-grown scripts. Have you ever had them audited? Do you update them whenever a new release is available? Do you run all your applications and scripts in a chroot jail? Do you regularly check for rootkits? The answer to most of the above is probably no. The truth is that any of them can lead to your site and data being compromised. In this context an intrusion detection system can give you early warning when something goes wrong, so you can fight it. Let’s look at Samhain, a popular intrusion detection system.

Samhain is multiplatform, open source software (GPL) for centralized file integrity checking and host-based intrusion detection on POSIX systems (Unix, Linux, Cygwin/Windows…). It has been designed to monitor multiple hosts with potentially different operating systems from a central location, although it can also be used as a standalone application on a single host.

Samhain can be used standalone on a single host, but its particular strength is centralized monitoring and management. Samhain can be extended by writing modules. The client (or standalone) part is called samhain, while the server is referred to as yule. Both can run as daemon processes.

The bottom line is that intrusion detection systems (Samhain or otherwise) are as much a necessity for web servers as virus checkers are for individual PCs.
