Re: Detecting break-ins
hi balaz
how much time and energy do you want to spend ???
- 1st pass..
- update your box regularly per debians security patches
- read debians security howto
http://www.debian.org/doc/manuals/securing-debian-howto
- 2nd pass...
- you're doing w/ snort/ippl/logcheck
- logcheck already tells you whether it was successful
attempts or not and how they tried it...
- 3rd pass...
- add host and network IDS
( tripwire, aide, etc...
- if you wanna watch for network activity randomly...
- run tcpdump, showtraf, trafshow, ncat, etc..etc..
- 4th pass... ( aka should be 1st pass )
- clean up permissions and remove unused services
etc..etc.. ( things might break..but then you know to fix it )
- lots of time can be spent here...
- 5th pass...
- if you find hackers in your box.. do you want to chase
them down ???
- you need to have logs saves everywhere...
- you have to be prepared to interact live with them
- read your log files religiously...and understand what it says...
- backup your system
- make a cd image of your whole system if you're paranoid
BEFORE you go online
-- if a hacker gets in.... it's too too late... ????
-- i try to spend my time at the prevention end...
not trying to detect them... but there is only so much to do
before somebody else ( another boss ) wants you to do something else
instead
- if you only use tripwire ... it typically runs
once a day.... a [cr/h]acker can do miracles to your
machine until tripwire runs
- i want to know that the [cr/h]acker got into my
systems within a few seconds....
- and similarly... in a few seconds... i want a program
to tell me what was changed ...
- dont count on the eyes to tell you something is awry
- then decide what to do with the box... watch them
play with the box... or unplug it... and report it...
http://www.Linux-Sec.net
- see the IDS section...
have fun
alvin
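The point above about tripwire-style checks (they only catch what they compare, and only when they run) can be shown with a tiny integrity checker. This is an added example, not code from the post or from tripwire/aide; the file tree, its contents and the snapshot/compare/demo names are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Record every regular file under root: content digest plus the metadata a chmod/chown would change."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are skipped in this minimal version
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            state[os.path.relpath(path, root)] = {
                "sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            }
    return state

def compare(baseline, current):
    """Diff two snapshots; a file counts as modified if content OR ownership/permissions changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, 0o644)  # fixed mode so the demo does not depend on the umask

def demo():
    """Constructed sample tree standing in for a real filesystem; returns what the check reports."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/inetd.conf", "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n")
        _write(root, "bin/ls", "#!/bin/sh\nexec /bin/true\n")
        baseline = snapshot(root)  # would be saved off-box right after install
        # Later check: one binary replaced, one config removed, a new file dropped, a chmod on passwd.
        _write(root, "bin/ls", "#!/bin/sh\nexec /bin/false\n")
        os.remove(os.path.join(root, "etc/inetd.conf"))
        _write(root, "etc/newfile", "x\n")
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        return compare(baseline, snapshot(root))
```

Saving the baseline with json.dump and keeping it on read-only media, then running compare from cron every few minutes, gives the "tell me what changed within seconds" behaviour the reply asks for.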
On Tue, 15 Jan 2002, Balazs Javor wrote:
> Hi,
>
> Recently I've installed some IP logging daemons
> (snort, ippl along with logcheck) and I was amazed
> how many break-in attempts there are each day on my
> simple home box which isn't even advertised anywhere,
> as I only run a few services intended for friends and
> family (apache, wu-ftpd, exim).
>
> I can see a lot of IIS related attempts, which obviously
> do not work, as well as some refused anonymous FTP connection
> attempts. For these I don't worry too much as they have failed.
> (I hope. I'm no expert, though.)
> Then there is more exotic stuff. High port UDP attempts,
> connection to port 113 etc.
>
> Now the logs provided by the above packages often say something
> like 'connection attempt to ..' whichever port/service.
> The question is whether there is a way to know whether any of those
> attempts succeeded. Or to put it more simply, how could one
> distinguish a failed attempt and a successful break-in?
>
> (I know this is probably a very complex topic, but I would
> greatly appreciate some advice!)
>
> Many thanks for your help in advance!
> best regards,
> Balazs