Folks, I did a quick search on ossec, iotseeker and openvas... nothing comes up, so I don't think this topic is old.
I came across a decent article on how to secure home IoT. In the article, it mentions existing tools that we could use to monitor which devices still have default passwords, what's installed on your machine, etc., and to receive email alerts.
I haven't tried openvas, a vulnerability testing tool, but that looks promising as well.
ossec is pretty cool. Installation is straightforward. It can monitor all machines, not just Linux, including routers. Here are some sample emails I've got so far. Please note you will need to modify your own rules to ignore certain email alerts, as they're not issues, but it is still straightforward. Depending on which alert you want to ignore, just find the rule number and tell it not to send an email alert.
OSSEC HIDS Notification.
2019 Jul 24 07:34:02
Received From: f***->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: '/etc/apt/apt.conf.d/01autoremove-kernels'
Size changed from '4629' to '3921'
Old md5sum was: 'd20ee7e6301fc83ad3d087b162a5659a'
New md5sum is : '04fcea2931463c9b9461eed3d35f4784'
Old sha1sum was: 'c9e2f9bd760406ac0fa41bb5e0396ebcdeeb4621'
New sha1sum is : 'd3c49ed29505995197dfdeb9775c0ab6225b0747'
It also monitors Windows machines.
OSSEC HIDS Notification.
2019 Jul 23 19:12:17
Received From: (windows) 192.x->WinEvtLog
Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
Portion of the log(s):
2019 Jul 23 19:12:13 WinEvtLog: Security: AUDIT_SUCCESS(4907): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-S: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-S$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\winsxs\Temp\PendingRenames\2c89a271b441d501d120000018173c34.install.ins Handle ID: 0x161c Process Information: Process ID: 0x1718 Process Name: C:\Windows\servicing\TrustedInstaller.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI
The other day I received an email that ossec found a trojan in an email. Luckily, ClamAV/Amavis took care of that.
Here’s the link to the article. https://www.giac.org/paper/gsec/39860/securing-home-iot-network/139835
Happy securing!!!
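Here is what the "find the rule number and tell it not to email" step can look like in OSSEC's local_rules.xml. This is an added example, not from the post, the GIAC article, or the OSSEC project itself; the rule IDs 100550 and 100552 are arbitrary choices from the range OSSEC reserves for local rules, and the file path and process name are taken from the two alerts quoted above.

```xml
<!-- /var/ossec/rules/local_rules.xml
     Added example, not from the post or the OSSEC project. Rule IDs 100001-119999 are
     reserved for local rules; 100550 and 100552 are arbitrary picks in that range.
     The path and process name below come from the two alerts quoted in the post. -->
<group name="local,syscheck,windows,">

  <!-- Child of syscheck rule 550 ("Integrity checksum changed"). OSSEC checks the
       parent first; when this child matches, its level replaces the parent's. Level 0
       means the event is dropped entirely: no entry in alerts.log and no email.
       <match> is a plain substring match on the event text, which for syscheck is
       "Integrity checksum changed for: '<path>'". -->
  <rule id="100550" level="0">
    <if_sid>550</if_sid>
    <match>/etc/apt/apt.conf.d/01autoremove-kernels</match>
    <description>Ignore checksum changes to apt's autoremove-kernels file (rewritten by apt on kernel updates).</description>
  </rule>

  <!-- Child of Windows rule 18113 ("Windows Audit Policy changed"). Here the alert is
       kept at level 8 in alerts.log, and only the email is suppressed, because the
       change was made by the Windows servicing stack. Any other process changing
       audit settings still triggers the normal level-8 email from rule 18113.
       The match deliberately avoids backslashes and dots, since both are special
       characters in OSSEC's match syntax. -->
  <rule id="100552" level="8">
    <if_sid>18113</if_sid>
    <match>TrustedInstaller</match>
    <options>no_email_alert</options>
    <description>Windows audit settings changed by TrustedInstaller (servicing); logged but not emailed.</description>
  </rule>

</group>
```

Before restarting, paste one of the log lines from the email into /var/ossec/bin/ossec-logtest and confirm that the new rule ID is reported instead of 550 or 18113; then apply it with /var/ossec/bin/ossec-control restart. For files that churn constantly, an alternative to a level-0 rule is a syscheck <ignore> entry for the path in ossec.conf, which stops OSSEC from tracking the file at all rather than suppressing the alert after the fact.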