Devdas Bhagat dodobh@[EMAIL-PROTECTED]
Mon Jun 25 22:06:22 IST 2001

On Sat, 23 Jun 2001, Philip S Tellis spewed into the ether:
> Sometime on Jun 22, Benoy George assembled some asciibets to say:
> > how can I find more details, like who this sniffer is and when he
> > got into our m/c?
> Well, for one, you need to install tripwire.  That will fingerprint all
> your binaries and store it in a database.  Then, back up that database
> on a separate machine/removable disk.  Tripwire will check all binaries
Ideally a WORM device like a CDROM.

> every night and mail you if there are any discrepancies, reporting what
Note that this is a cron job, and not a tripwire daemon.

> they are.  That way you will know if someone has tampered with your
> system, and what exactly has been changed.
> You should also stop all not-required services, and instead redirect all
> requests on those ports to a logger that will log the entry and send a
> mail to you reporting.
Or just log connection attempts to syslog. man ipchains (or get
Bastille/another firewall script).

> That way, if anyone tries to scan your machine, you will get immediate
> notice of it.
Also check out portsentry.

> You also need to check your log files regularly to see if anything
> unexpected is happening.  Typically, you'd do this every morning, but a
> better solution may be to get a log analyser that will provide your log
> files in an easy to read format, possibly over the web.  That way, you
I suggest email for reporting. Easier to handle. You might also check
out snort itself.

> can have one browser window always open to monitor what's happening.

> A good system administrator needs to know how a cracker works, but not
> necessarily a hacker.  A good programmer should aspire to be a hacker.
Every good sysadmin is a programmer, and every good programmer is a
sysadmin, to some extent. Actually, even sysadmins should try to be
good hackers; that is a useful skill, and vice versa.

Devdas Bhagat
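The tripwire procedure described in the thread (fingerprint the binaries, store the database somewhere the intruder cannot reach, compare every night and report the discrepancies) is small enough to show in full. The script below is an added example written for this page; it is not Tripwire's own code or database format. It builds a fake bin/ tree in a temporary directory, baselines it, tampers with it the way a rootkit would, and runs the check. The file names, the tampering steps and the use of SHA-256 are all assumptions of the example.

```python
"""Tripwire-style integrity check: fingerprint every file under a tree,
keep the database off the machine, and each night report what changed.
Added example written for this page, not Tripwire's own code or format;
the tree it checks is constructed in a temporary directory so the script
runs offline."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def fingerprint(path):
    """Content hash plus the metadata an intruder would also have to forge.
    Hash and size catch a replaced binary; mode and uid catch a quietly
    added setuid bit or a chown."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by path relative to
    root with '/' separators so the database stays portable."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                db[rel] = fingerprint(full)
    return db


def save_baseline(db, dbfile):
    """Write the database as JSON.  Copy it to read-only media (the WORM
    device recommended above) before relying on it: a database left on the
    same disk is the first thing a rootkit would update."""
    with open(dbfile, "w") as f:
        json.dump(db, f, sort_keys=True, indent=1)


def load_baseline(dbfile):
    with open(dbfile) as f:
        return json.load(f)


def check(root, baseline):
    """Compare the live tree against the baseline.  Returns the relative
    paths that were added, removed or modified, each list sorted."""
    current = build_baseline(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a fake bin/, then tamper with it the
    way a rootkit would and run the nightly check."""
    root = tempfile.mkdtemp()
    dbdir = tempfile.mkdtemp()      # stands in for the separate machine
    try:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho real " + name.encode() + b"\n")
            os.chmod(os.path.join(bindir, name), 0o755)
        dbfile = os.path.join(dbdir, "tripwire.db")
        save_baseline(build_baseline(root), dbfile)

        with open(os.path.join(bindir, "ls"), "wb") as f:  # trojaned binary
            f.write(b"#!/bin/sh\necho trojaned ls\n")
        os.chmod(os.path.join(bindir, "ps"), 0o4755)        # setuid added
        os.remove(os.path.join(bindir, "netstat"))          # tool deleted
        with open(os.path.join(bindir, "sniffer"), "wb") as f:  # new file
            f.write(b"\x7fELF sniffer")
        return check(root, load_baseline(dbfile))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(dbdir)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind + ":", ", ".join(paths) or "-"))
```

Run from cron, the real job would call build_baseline once on a known-clean system, write the result to the removable medium, and every night run check against a copy read back from that medium, mailing the three lists. Note that the check itself runs with the system's own tools, so a kernel-level rootkit that lies to stat() and read() can still hide from it; the database being on separate media protects the baseline, not the comparison.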

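The other half of the advice above is to log denied connection attempts to syslog and review them every morning, preferably as a mailed report. Here is an added example of such a review script, written for this page rather than taken from the thread or from ipchains, portsentry or snort. The sample log lines are constructed and modelled on the ipchains kernel "Packet log:" format; the exact field layout is an assumption of the example, so adjust LOG_RE to whatever your firewall actually writes. It also shows why the time window matters: a slow scan that is invisible at a 60-second window shows up at 600 seconds.

```python
"""Morning log review for a firewall that logs denied connections to
syslog.  Added example, not from the thread or from any tool it names.
The sample lines are constructed and modelled on ipchains kernel
"Packet log:" output; treat the field layout as an assumption."""
import re
from collections import defaultdict
from datetime import datetime

# One denied packet per line: syslog timestamp, host, then the ipchains
# fields we care about (chain, target, interface, protocol, src, dst).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: a fast scanner (10.1.1.9), a slow scanner (10.1.1.30),
# a rejected but harmless telnet user (10.1.1.20) and one unrelated line.
SAMPLE_LOG = """\
Jun 25 22:01:01 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:40001 192.168.0.2:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Jun 25 22:01:02 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:40002 192.168.0.2:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Jun 25 22:01:03 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:40003 192.168.0.2:23 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#3)
Jun 25 22:01:04 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:40004 192.168.0.2:25 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#3)
Jun 25 22:01:05 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:40005 192.168.0.2:79 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#3)
Jun 25 22:01:06 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:40006 192.168.0.2:110 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#3)
Jun 25 22:01:07 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:40007 192.168.0.2:111 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#3)
Jun 25 22:01:08 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.9:40008 192.168.0.2:143 L=60 S=0x00 I=8 F=0x4000 T=64 SYN (#3)
Jun 25 22:03:15 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.20:1023 192.168.0.2:23 L=60 S=0x00 I=9 F=0x4000 T=64 SYN (#3)
Jun 25 22:03:40 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.20:1024 192.168.0.2:23 L=60 S=0x00 I=10 F=0x4000 T=64 SYN (#3)
Jun 25 22:05:00 host sshd[412]: Accepted password for devdas from 10.1.1.20 port 1022
Jun 25 22:10:00 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.30:50001 192.168.0.2:21 L=60 S=0x00 I=11 F=0x4000 T=64 SYN (#3)
Jun 25 22:12:00 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.30:50002 192.168.0.2:22 L=60 S=0x00 I=12 F=0x4000 T=64 SYN (#3)
Jun 25 22:14:00 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.30:50003 192.168.0.2:23 L=60 S=0x00 I=13 F=0x4000 T=64 SYN (#3)
Jun 25 22:16:00 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.30:50004 192.168.0.2:25 L=60 S=0x00 I=14 F=0x4000 T=64 SYN (#3)
Jun 25 22:18:00 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.30:50005 192.168.0.2:80 L=60 S=0x00 I=15 F=0x4000 T=64 SYN (#3)
"""


def parse_line(line):
    """Parsed fields of one denied-packet line, or None for any other syslog
    line.  Syslog carries no year, so times only compare correctly within
    one log file, which is all a nightly report needs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scans(lines, threshold=5, window=60):
    """Flag any source that probes at least `threshold` distinct destination
    ports inside some `window`-second span.  Returns {src: sorted ports}."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[ev["src"]].append((ev["time"], ev["dport"]))
    scans = {}
    for src, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # dport -> hits inside current window
        j = 0
        for i, (t_i, p_i) in enumerate(evs):
            while j < len(evs) and (evs[j][0] - t_i).total_seconds() <= window:
                in_window[evs[j][1]] += 1
                j += 1
            if len(in_window) >= threshold:
                scans[src] = sorted({p for _t, p in evs})
                break
            in_window[p_i] -= 1       # slide the window past event i
            if in_window[p_i] == 0:
                del in_window[p_i]
    return scans


def format_report(scans):
    """Plain-text body suitable for piping to mail(1) from the cron job."""
    if not scans:
        return "No port scans detected.\n"
    out = ["Possible port scans (source -> destination ports probed):"]
    for src in sorted(scans):
        out.append("  %-15s %s" % (src, ", ".join(str(p) for p in scans[src])))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(format_report(detect_scans(SAMPLE_LOG.splitlines())))
```

With the defaults only 10.1.1.9 is reported; 10.1.1.30 touches just as many ports but two minutes apart, so it only appears when the window is widened to 600 seconds. The repeated telnet attempts from 10.1.1.20 are one port and never trip the threshold, which is the point of counting distinct ports rather than raw denied packets.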