
Re: chkrootkit infected ports 2881 - conundrum



Osamu Aoki on 25/08/08 16:41, wrote:
> Hi,
> 
> On Thu, Aug 14, 2008 at 10:51:56PM +0100, Adam Hardy wrote:
> > Adam Hardy on 13/08/08 10:27, wrote:
> > > Martin on 12/08/08 16:34, wrote:
> > > > On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy <adam.ant@cyberspaceroad.com>
> > > > wrote:
> > > > > The question is, what do I replace chkrootkit with, especially if stuff
> > > > > like rkhunter's not much better?
> > > > tripwire maybe?
> > > 
> > > apt-cache show tripwire
> > > Description: file and directory integrity checker
> > >  Tripwire is a tool that aids system administrators and users
> > >  in monitoring a designated set of files for any changes.  Used with
> > >  system files on a regular (e.g., daily) basis, Tripwire can notify
> > >  system administrators of corrupted or tampered files, so damage
> > >  control measures can be taken in a timely manner.
> > > I don't have access to a floppy or cdrom drive - the server is hosted
> > > somewhere at an ISP. I think any cracker would just re-run tripwire
> > > if they found it installed.
> > The only suggestion so far is that I script a solution (or adapt existing ones).
> 
> Have you looked at harden-doc and its friends in the archive?  (Many are
> virtual packages to lead you to the good tools.) tripwire is just one of
> the tools.
> I do not think you need to have a CDROM to be sure, and your quick
> scripting may not come close to tripwire, which protects itself with
> cryptography.
> 
> Even for a simple hash you do not need a home made hash.  Have you looked
> at debsums?  If a package is tampered with, debsums gets updated and it is detectable.
> 
> > Surely there's a package available that's made for people with 1 or 2 hosted servers that need a foolproof cracker alarm?
> 
> Are you saying the packages available are not good enough?
> 
> > Looking through apt-cache search, there seem to be loads of nasty
> > packages available for people who might want to attack my server, but
> > not much that I can use to check whether I've been rooted.
> 
> I do not understand what is "nasty".
> 
> Anyway, all your answers are in harden-doc.
> 
> Also available on the web as:
>  http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

After reading up on this and thinking about the situation, I believe that it's not actually solvable for me.

As stated previously, I saw what was possibly a false alarm from chkrootkit recently on my webserver, hosted somewhere where I only have ssh access and definitely no physical access to provide a CD or any read-only media.

After the attack, I quickly realized that I have no definitive way of deciding if my system was rooted or not, and so I installed rkhunter. This provides a simple hash-based mechanism to create an image of the clean system (although I can't actually do that with the Etch version).

However even if I had been able to create the hashes on my system for rkhunter, they would have to be on read-write media, i.e. the system's local hard drive, and therefore could also be 'rooted' by the hacker, preventing rkhunter from identifying the attack.

I am not aware of an actual Debian package or indeed any program that can get around this simple conundrum.

After-the-attack identification of a rootkit attack, it seems, can always be compromised if there is no safe read-only hash or encryption of the known-good system binaries.

Regards
Adam
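An added example, not code from this thread and not rkhunter's, tripwire's or debsums' own: one way around the read-write-media problem described above is to keep the baseline hashes off the server entirely. The server only computes hashes on demand over ssh; the baseline, the comparison and the alarm live on a trusted machine. The host name, directory and file names below are placeholders, and it assumes POSIX sh with GNU coreutils/findutils (sha256sum, sort -z, xargs -0) on both ends and paths without whitespace.

```shell
#!/bin/sh
# Added example (not from the thread, not from rkhunter/tripwire/debsums).
# The monitored host never stores the hash list; it only produces one when
# asked. Baseline and comparison stay on the trusted machine that runs this.
# Assumptions: POSIX sh; GNU sha256sum, sort -z, xargs -0 on both sides;
# no whitespace in file paths; host and directory names are placeholders.

# Sorted "sha256  ./relative/path" manifest of every regular file under $1.
# -xdev keeps it on one filesystem, so /proc, /sys and mounts are skipped.
make_manifest() {
    (cd "$1" && find . -xdev -type f -print0 | sort -z | xargs -0 sha256sum)
}

# Same manifest, computed on the remote host. Nothing is written there;
# the output comes back over the ssh session and is kept locally.
fetch_remote_manifest() {
    # $1 = user@host (placeholder), $2 = directory on that host, e.g. /usr/bin
    ssh "$1" "cd '$2' && find . -xdev -type f -print0 | sort -z | xargs -0 sha256sum"
}

# Diff two manifests by path: ADDED / REMOVED / CHANGED lines, sorted.
# Fields are split on whitespace, hence the "no spaces in paths" assumption.
compare_manifests() {
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
                            { cur[$2]  = $1 }
        END {
            for (p in cur)  if (!(p in base))                    print "ADDED   " p
            for (p in base) if (!(p in cur))                     print "REMOVED " p
            for (p in base) if ((p in cur) && cur[p] != base[p]) print "CHANGED " p
        }' "$1" "$2" | sort
}

# Returns 0 when the current manifest matches the baseline; otherwise prints
# the differences and returns 1. Suitable for a cron job on the trusted side.
verify_against_baseline() {
    report=$(compare_manifests "$1" "$2")
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Typical use (placeholders; run on the trusted machine, never on the server):
#   fetch_remote_manifest admin@www.example.org /usr/bin > baseline.usr-bin  # once, while the host is known clean
#   fetch_remote_manifest admin@www.example.org /usr/bin > current.usr-bin   # later, from cron
#   verify_against_baseline baseline.usr-bin current.usr-bin
# Caveat: a kernel-level rootkit on the server can still present a clean view
# to the remote find/sha256sum, so this raises the bar rather than closing the
# conundrum; what it does remove is the "attacker rewrites the hash database"
# hole, because there is no hash database on the server to rewrite.
```

Compared with the debsums suggestion in the thread: `debsums -c` reports package files whose contents no longer match, but it reads the md5sums lists from /var/lib/dpkg/info on the same disk, so whoever can replace /bin/ls can also regenerate that list. Taking the baseline before the server is exposed, and using key-based ssh from the trusted side only, is what makes the comparison above worth anything.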

