
Re: hacked, then intrusion detection system

Quoth mgriffa@fibertel.com.ar, 
> 	I just realized that someone entered my debian box with
> cablemodem. I couldn't find anything in the logs, but the pump package was
> deleted.
> 	I replaced inetd with xinetd, took off services I didn't use (It
> was left all default, as I installed in a rush), and now I'd like a good
> intrusion detection system.
> 	I'd like to hear any advice, not about security (too wide)
> but about tools to run in cron which may be useful for this kind of
> situation.

The other advice I have seen you get on the list, to reinstall completely
if you have been compromised, is worth listening to.

As for an intrusion detection system, one that is simple but effective
is AIDE. I'm not sure if debian packages are available, but it's easy to
compile yourself. It takes a snapshot of your system and will allow you
to determine if any files were changed. Just make sure you do something
like put its database on a floppy so the intruder can't change it.

Less effective (because the md5 sums are kept on your own system and can
be changed by a particularly cluey and patient intruder) is debsums.



Damon Muller              | Did a large procession wave their torches
Criminologist/Linux Geek  | As my head fell in the basket,
http://killfilter.com     | And was everybody dancing on the casket...
PGP (GnuPG): A136E829     |                      - TBMG, "Dead"
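To make the snapshot-and-compare idea concrete, here is an added example written for this thread; it is not AIDE's code, nor Damon's or the original poster's. It takes a hash of every regular file under a directory, stores that as a baseline, and on a later run reports what was added, removed or modified, with a non-zero exit so cron can mail the result. It assumes a POSIX sh with find, awk, sort, mktemp and sha256sum available; the mount point /mnt/floppy in the usage comment is illustrative only. It also warns when the baseline file is writable, which is the point made above about keeping the database where the intruder cannot touch it.

```shell
#!/bin/sh
# Added example: a minimal file-integrity snapshot/check in the spirit of AIDE,
# written for this post; it is not AIDE's code or the original author's.
# Assumptions: POSIX sh with find(1), awk(1), sha256sum(1), sort(1), mktemp(1).
#
# Typical use (paths are illustrative placeholders):
#   integrity_init  /usr/bin /mnt/floppy/baseline.db   # then remount read-only
#   integrity_check /usr/bin /mnt/floppy/baseline.db   # e.g. nightly from cron

# Emit "hash  path" for every regular file under $1, sorted by path so that
# two snapshots of the same tree always line up.
integrity_snapshot() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

# Write the baseline database for a directory tree ($1) to a file ($2).
integrity_init() {
    integrity_snapshot "$1" > "$2"
}

# Compare the current state of tree $1 against baseline file $2.
# Prints one line per difference (ADDED / REMOVED / MODIFIED <path>);
# returns 0 when nothing changed, 1 when something did, 2 on internal error.
integrity_check() {
    dir=$1
    baseline=$2
    # A baseline the intruder can rewrite proves nothing; say so loudly.
    if [ -w "$baseline" ]; then
        echo "warning: $baseline is writable; keep it on read-only media" >&2
    fi
    current=$(mktemp) || return 2
    integrity_snapshot "$dir" > "$current"
    # sha256sum prints 64 hex chars, two spaces, then the path, so the path is
    # substr($0, 67); this keeps file names containing spaces intact.
    report=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67); cur[p] = $1
            if (!(p in base))        print "ADDED " p
            else if (base[p] != $1)  print "MODIFIED " p
        }
        END { for (p in base) if (!(p in cur)) print "REMOVED " p }
    ' "$baseline" "$current")
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Run integrity_init once from a known-clean install, copy the baseline to media you then mount read-only, and let cron run integrity_check against it; cron mails any output, so a silent run means nothing changed. Hashing alone does not cover ownership, permissions or timestamps, which AIDE does record, so treat this as the idea rather than a replacement.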
