Re: Detecting break-ins
hi balaz
how much time and energy do you want to spend ???
- 1st pass..
	- update your box regularly per debians security patches
	- read debians security howto
	http://www.debian.org/doc/manuals/securing-debian-howto
- 2nd pass...
	- you're doing w/ snort/ippl/logcheck
	- logcheck already tells you whether it was successful
	attempts or not and how they tried it...
- 3rd pass...
	- add host and network IDS
	( tripwire, aide, etc... )
	- if you wanna watch for network activity randomly...
	- run tcpdump, showtraf, trafshow, ncat, etc..etc..
- 4th pass... ( aka should be 1st pass )
	- clean up permissions and remove unused services
	etc..etc.. ( things might break..but then you know to fix it )
	- lots of time can be spent here...
- 5th pass... 
	- if you find hackers in your box.. do you want to chase
	them down ???
		- you need to have logs saved everywhere...
		- you have to be prepared to interact live with them
- read your log files religiously...and understand what it says...
- backup your system
	- make a cd image of your whole system if you're paranoid
	BEFORE you go online
-- if a hacker gets in.... it's too too late... ????
-- i try to spend my time at the prevention end...
   not trying to detect them... but there is only so much to do
   before somebody else ( another boss ) wants you to do something else
   instead
	- if you only use tripwire ... it typically runs
	once a day.... a [cr/h]acker can do miracles to your
	machine until tripwire runs
	- i want to know that the [cr/h]acker got into my
	systems within a few seconds....
	- and similarly... in a few seconds... i want a program
	to tell me what was changed ...
	- don't count on the eyes to tell you something is awry
	- then decide what to do with the box... watch them
	play with the box... or unplug it... and report it...
http://www.Linux-Sec.net
	- see the IDS section...
have fun
alvin
On Tue, 15 Jan 2002, Balazs Javor wrote:
> Hi,
> 
> Recently I've installed some IP logging daemons
> (snort, ippl along with logcheck) and I was amazed
> how many break-in attempts there are each day on my
> simple home box which isn't even advertised anywhere,
> as I only run a few services intended for friends and
> family (apache, wu-ftpd, exim).
> 
> I can see a lot of IIS related attempts, which obviously
> do not work, as well as some refused anonymous FTP connection
> attempts. For these I don't worry too much as they have failed.
> (I hope. I'm no expert, though.)
> Then there is more exotic stuff. High port UDP attempts,
> connection to port 113 etc.
> 
> Now the logs provided by the above packages often say something
> like 'connection attempt to ..' whichever port/service.
> The question is whether there is a way to know whether any of those
> attempts succeeded. Or to put it more simply, how could one
> distinguish a failed attempt and a successful break-in?
> 
> (I know this is probably a very complex topic, but I would
> greatly appreciate some advice!)
> 
> Many thanks for your help in advance!
> best regards,
> Balazs
> 
> 
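The host-IDS step alvin describes (tripwire/aide, but re-run every few seconds rather than once a day, and telling you exactly what changed) can be illustrated with a small file-integrity checker. This is an added example, not code from the thread or from tripwire/aide: it baselines hash, permission bits, owner and size of every regular file under a directory, then diffs a fresh snapshot against the saved baseline. The directory tree, file names and tampering in `demo()` are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Attributes recorded per file. mtime is deliberately left out: it is trivially
# reset with touch(1), whereas the content hash plus mode/owner are what has to
# change to plant a replaced binary or a setuid file.
FIELDS = ("sha256", "mode", "uid", "gid", "size")


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record hash, permission bits, owner and size of every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": sha256_of(path),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "size": st.st_size,
        }
    return baseline


def compare(old, new):
    """Diff two snapshots: added paths, removed paths, and changed paths together
    with the attributes that differ. Everything reported is what you investigate."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for rel in sorted(set(old) & set(new)):
        diff = [k for k in FIELDS if old[rel][k] != new[rel][k]]
        if diff:
            changed[rel] = diff
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a small tree, tamper with it in the ways the
    thread worries about, and report what a frequent re-check would catch."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        for sub in ("bin", "etc", "tmp", "var/log"):
            (r / sub).mkdir(parents=True)
        (r / "bin/ls").write_bytes(b"original ls binary\n")
        (r / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (r / "etc/motd").write_text("hello\n")
        (r / "var/log/auth.log").write_text("Jan 15 10:00:00 box login: ROOT LOGIN on tty1\n")
        for p in r.rglob("*"):
            if p.is_file():
                os.chmod(p, 0o644)          # fixed modes so the demo is deterministic
        os.chmod(r / "bin/ls", 0o755)

        baseline = snapshot(root)
        saved = json.dumps(baseline)        # keep this copy off the box or on read-only media

        # Changes a once-a-day tripwire run would leave unreported for hours:
        (r / "bin/ls").write_bytes(b"trojaned ls binary\n")   # same size, different content
        with open(r / "etc/passwd", "a") as fh:                 # extra uid-0 entry appended
            fh.write("x:x:0:0::/:/bin/sh\n")
        os.chmod(r / "etc/motd", 0o4755)                        # setuid bit set
        (r / "tmp/.hidden").write_text("dropped file\n")        # new file appears
        (r / "var/log/auth.log").unlink()                       # a log file disappears

        return compare(json.loads(saved), snapshot(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    for rel, fields in changed.items():
        print(f"changed: {rel} ({', '.join(fields)})")
```

Note that `bin/ls` is flagged even though its size did not change, which is why a content hash and not `ls -l` output is the basis of the check, and that the baseline only means something if the copy you compare against was stored somewhere the box itself cannot rewrite.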