
Re: Detecting break-ins

Hi Balazs,

How much time and energy do you want to spend?

- 1st pass...
	- update your box regularly with Debian's security patches

	- read Debian's security HOWTO

- 2nd pass...
	- you're doing that with snort/ippl/logcheck

	- logcheck already tells you whether the attempts were
	successful or not and how they tried it...

- 3rd pass...
	- add host and network IDS
	(tripwire, aide, etc.)

	- if you want to watch network activity randomly...
	- run tcpdump, showtraf, trafshow, ncat, etc., etc.

- 4th pass... (aka should be 1st pass)
	- clean up permissions and remove unused services
	etc., etc. (things might break, but then you know what to fix)

	- lots of time can be spent here...

- 5th pass... 
	- if you find hackers in your box... do you want to chase
	them down?
		- you need to have logs saved everywhere...
		- you have to be prepared to interact live with them

- read your log files religiously... and understand what they say...

- back up your system
	- make a CD image of your whole system if you're paranoid,
	BEFORE you go online

-- if a hacker gets in... it's too late... ???

-- I try to spend my time at the prevention end...
   not trying to detect them... but there is only so much to do
   before somebody else (another boss) wants you to do something else

	- if you only use tripwire... it typically runs
	once a day.... a [cr/h]acker can do miracles to your
	machine until tripwire runs

	- I want to know that the [cr/h]acker got into my
	systems within a few seconds....

	- and similarly... in a few seconds... I want a program
	to tell me what was changed...

	- don't count on your eyes to tell you something is awry

	- then decide what to do with the box... watch them
	play with the box... or unplug it... and report it...

	- see the IDS section...

have fun
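The "I want a program to tell me what was changed, within seconds" point above is what tripwire and aide do once a day from cron. As an added example (not from the original post and not tripwire's or aide's own code), here is a minimal baseline-and-diff in Python that is cheap enough to run every few minutes: it records content hashes, permission bits and ownership rather than mtimes, because an intruder resets mtime with touch(1) but cannot keep the hash or a new setuid bit from showing up. The directory tree, the "system" files and the intruder's changes in `demo()` are all constructed inside a temporary directory for the sake of the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record every entry under root: file type, permission bits, owner and,
    for regular files, a content hash (for symlinks, the target).
    mtime is deliberately left out: touch(1) restores it, the hash does not lie."""
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinks are not followed
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = os.lstat(p)
            rec = {
                "type": stat.S_IFMT(st.st_mode),
                "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
            if stat.S_ISREG(st.st_mode):
                rec["sha256"] = _digest(p)
                rec["size"] = st.st_size
            elif stat.S_ISLNK(st.st_mode):
                rec["target"] = os.readlink(p)
            entries[p.relative_to(root).as_posix()] = rec
    return entries


def compare(baseline, current):
    """Report paths that appeared, vanished or changed, and for the changed
    ones exactly which attributes moved (e.g. ['sha256', 'size'] or ['mode'])."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        moved = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if moved:
            changed[path] = moved
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: a fake system tree, a baseline, then the sort of
    changes a rootkit install makes. Returns the compare() report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        ls = root / "bin" / "ls"
        ls.write_bytes(b"#!/bin/sh\nexec /bin/real-ls \"$@\"\n")
        os.chmod(ls, 0o755)
        (root / "etc" / "inetd.conf").write_text("ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        baseline = snapshot(root)

        # Intruder: trojan ls and put its timestamps back (mtime lies, the hash does not),
        # drop a hidden setuid shell, add a uid-0 account, remove the inetd config.
        before = os.lstat(ls)
        ls.write_bytes(b"#!/bin/sh\n/bin/real-ls \"$@\" | grep -v rootkit\n")
        os.utime(ls, ns=(before.st_atime_ns, before.st_mtime_ns))
        backdoor = root / "bin" / ".sh"
        backdoor.write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(backdoor, 0o4755)
        with open(root / "etc" / "passwd", "a") as fh:
            fh.write("toor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "inetd.conf").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for path in report["added"]:
        print("ADDED   ", path)
    for path in report["removed"]:
        print("REMOVED ", path)
    for path, attrs in report["changed"].items():
        print("CHANGED ", path, ",".join(attrs))
```

In real use, `snapshot()` would be run over `/bin`, `/sbin`, `/etc`, `/lib` and so on, the baseline stored off the box (the CD image mentioned above, or a read-only medium), and the comparison run from cron against that stored copy; a baseline kept on the same disk is the first thing a competent intruder edits.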

On Tue, 15 Jan 2002, Balazs Javor wrote:

> Hi,
> Recently I've installed some IP logging daemons
> (snort, ippl along with logcheck) and I was amazed
> how many break-in attempts there are each day on my
> simple home box which isn't even advertised anywhere,
> as I only run a few services intended for friends and
> family (apache, wu-ftpd, exim).
> I can see a lot of IIS related attempts, which obviously
> do not work, as well as some refused anonymous FTP connection
> attempts. For these I don't worry too much as they have failed.
> (I hope. I'm no expert, though.)
> Then there is more exotic stuff. High port UDP attempts,
> connections to port 113 etc.
> Now the logs provided by the above packages often say something
> like 'connection attempt to ..' whichever port/service.
> The question is whether there is a way to know whether any of those
> attempts succeeded. Or to put it more simply, how could one
> distinguish a failed attempt and a successful break-in?
> (I know this is probably a very complex topic, but I would
> greatly appreciate some advice!)
> Many thanks for your help in advance!
> best regards,
> Balazs
