Re: hacked, then intrusion detection system
On Sat, Feb 03, 2001 at 07:02:08PM -0300, mgriffa@fibertel.com.ar wrote:
> Hi.
> I just realized that someone entered my debian box with
> cablemodem. I couldn't find anything in the logs, but the pump package was
> deleted.
> I replaced inetd for xinetd. took off services I didnt't use (It
> was left all default, as I installed in a rush), and now I'd like a good
> intrusion detection system.
> I'd like to hear about any advices about not security (too wide)
> but tools to run in cron and which may be usefull for this kind of
> situations.
Most of what I have read recommends a compete reinstall on a system that has
been breached. There may be back-doors you don't find. Take a look at -
http://www.cert.org/nav/recovering.html
Also set up a firewall to help prevent this in the future. There is a
book at -
http://www.openna.com/resources/articles/v1.3-xml/index.htm
that might be helpful to you. It is redhat based but many good tips.
You might want to start with the Security-HOWTO at -
www.linuxdoc.org
There are many programs like "tripwire", "snort" "portsentry" you might
want to take a look at.
You might want to think about getting an older box, 486, P100, along
those lines and set up a dedicated firewall for your other box(s).
hth,
kent
--
I'd really love ta wana help ya Flanders but... Homer Simpson
Reply to: