Re: Detecting break-ins

To: debian-security@lists.debian.org
Subject: Re: Detecting break-ins
From: "Noah L. Meyerhans" <frodo@morgul.net>
Date: Tue, 15 Jan 2002 15:34:19 -0500
Message-id: <[🔎] 20020115153419.N1098@morgul.net>
In-reply-to: <[🔎] 20020115200407.GC1815@zhadum.bjavor.d2g.com>; from jb3@freemail.hu on Tue, Jan 15, 2002 at 09:04:07PM +0100
References: <[🔎] 20020115200407.GC1815@zhadum.bjavor.d2g.com>

On Tue, Jan 15, 2002 at 09:04:07PM +0100, Balazs Javor wrote:
> Then there are more exotic stuff. High port UDP attampts,
> connection to port 113 etc.

High port UDP stuff is often just traceroutes.  113 is normal, as many
servers will attempt an auth lookup when you access them.

> Now the logs provided by the above packages often say something
> like 'connection attempt to ..' whichever port/service.
> The question is whether there is a way to know whether any of those
> attempts succeded. Or to put it more simply, how could one
> distinguish a failed attempt and a successful break-in?

Well, the first thing to as is "is there anything even listening on that
port?"  You can feel pretty safe about (for example) connection attempts
to your telnet daemon if you're not actually running a telling daemon to
begin with.

You should already have a pretty good idea about what services are
listening on various ports on your machine.  But just to be sure, try
running 'netstat -ulp' and 'netstat -tlp' as root to show which PIDs are
listening on which UDP and TCP ports, respectively.  Turn off what you
don't need by removing its entry from inetd.conf or by prevending init
from starting it from /etc/rc?.d

> (I know this is probably a very complex topic, but I would
> greatly appreciate some advise!)

Most of stuff that you see, really, is harmless.  A lot of it, as I said
above, isn't even necessarily a breakin attempt.  Assuming you're up to
date on the fixes from security.debian.org, you're safe from the worms
and script kiddies, which are the only things stupid enough to do
something that will show up in your logs.  

It's always good to set up a host based intrusion detection system like
tripwire (preferably the version in sid, rather than the ancient slow
version from potato).  And look in to something like LIDS or something
else that can verify the integrity of the in-memory kernel image.
Kernel based rootkits are very hard to detect.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html

Attachment: pgpq7JsIOE_ik.pgp
Description: PGP signature

Reply to:

References:
- Detecting break-ins
  - From: Balazs Javor <jb3@freemail.hu>

Prev by Date: Detecting break-ins
Next by Date: [Deb-SEC]oddball ssh remote passwd question
Previous by thread: Detecting break-ins
Next by thread: Re: Detecting break-ins
Index(es):
- Date
- Thread