Re: preparing for case of emergency
If you are physically present when an attack is happening and doing the following won't adversely affect any business transactions, simply unplug the NIC until you can figure out what he did and secure the box. Disabling the network at layer 1 is the only true way to keep the attacker out of the compromised box.
Phil
-----Original Message-----
From: Klaus Koch <kkoch@kxsu.de>
To: debian-security@lists.debian.org
Date: Mon, 11 Feb 2002 11:26:57 +0100
Subject: preparing for case of emergency
hello!
I have done my best to make my firewall/router secure according to
several security howtos (in this place, many thanks to the authors of
the debian security howto). I think I am really getting into this
"security stuff" :)
I am running a not very busy website and ftp-server, so I can afford to
receive snort alarms in realtime via email to my internal account,
because there aren't many. Due to work, I spend a lot of time at this
account, so chances are high that I am present when an attack is done.
My question now is, what can I really do in realtime against an ongoing
attack? Are there any interesting reads, I wasn't able to find?
Many thanks for your help!
Klaus
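The two messages above describe a first response for a lightly loaded Debian firewall/router: capture what the intruder is doing, then cut the network. Below is an added example script (not posted by either author; written here to illustrate the procedure) that snapshots the volatile state that vanishes once the link is down, then drops all traffic and takes the interface down as a software stopgap. Assumptions, all hypothetical: the outside interface is `eth0`, evidence goes under `/var/tmp/ir-<timestamp>`, the host has iproute2 and iptables, and `DRY_RUN=1` prints the commands instead of running them. As Phil's reply says, taking the link down in software is weaker than pulling the cable, since an attacker with root can bring it back up; this buys time while you walk to the machine.

```shell
#!/bin/sh
# Added example for the debian-security thread "preparing for case of emergency".
# Not from the original posts. Assumed names: IFACE (default eth0), EVIDENCE
# directory under /var/tmp, DRY_RUN=1 to print instead of execute.

IFACE="${IFACE:-eth0}"
EVIDENCE="${EVIDENCE:-/var/tmp/ir-$(date -u +%Y%m%d-%H%M%S)}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# snapshot_cmd FILE CMD...: save a command's output under $EVIDENCE.
# In dry-run mode only the command line and target file are printed.
snapshot_cmd() {
    out="$EVIDENCE/$1"
    shift
    if [ "$DRY_RUN" = "1" ]; then
        echo "$* > $out"
    else
        "$@" > "$out" 2>&1
    fi
}

# collect_volatile: record logins, processes, sockets, routing, ARP, firewall
# rules and loaded modules BEFORE the link goes down. These are exactly the
# things you need to "figure out what he did" and they do not survive the
# attacker's cleanup or a reboot. (On 2002-era Debian, "ss -tunap" would be
# "netstat -tunap".)
collect_volatile() {
    run mkdir -p "$EVIDENCE" || return 1
    snapshot_cmd date.txt     date -u
    snapshot_cmd who.txt      who -a
    snapshot_cmd ps.txt       ps auxwww
    snapshot_cmd sockets.txt  ss -tunap
    snapshot_cmd routes.txt   ip route show
    snapshot_cmd arp.txt      ip neigh show
    snapshot_cmd iptables.txt iptables -L -n -v
    snapshot_cmd modules.txt  cat /proc/modules
}

# isolate_host: software equivalent of unplugging the NIC. Default-drop every
# chain first (so nothing slips out while the link is still up), then take the
# interface down. An attacker with root can reverse both steps, so this is a
# stopgap until the cable is physically pulled.
isolate_host() {
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run ip link set dev "$IFACE" down
}

# plan_isolation: print, one per line, the commands isolate_host would run,
# without touching the system. Useful to review before an incident.
plan_isolation() {
    ( DRY_RUN=1; isolate_host )
}

# respond: the full first-response sequence, evidence first, then isolation.
respond() {
    collect_volatile && isolate_host
}

# Only act when explicitly asked, e.g.:  IR_RUN=1 sh first_response.sh
if [ "${IR_RUN:-0}" = "1" ]; then
    respond
fi
```

Run `sh first_response.sh` with `DRY_RUN=1 IR_RUN=1` first to see the exact command sequence, and keep the script and a copy of the evidence directory off the suspect box (a USB stick or a serial console log) so the attacker cannot alter them.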