[ILUG-BOM] Linsniffer !
Mon Jun 25 22:06:22 IST 2001
On Sat, 23 Jun 2001, Philip S Tellis spewed into the ether:
> Sometime on Jun 22, Benoy George assembled some asciibets to say:
> > how can I find more details like who is this sniffer and when he
> > entered into our m/c?
> Well, for one, you need to install tripwire. That will fingerprint all
> your binaries and store it in a database. Then, back up that database
> on a separate machine/removable disk. Tripwire will check all binaries
Ideally a WORM device like a CDROM.
> every night and mail you if there are any discrepancies, reporting what
Note that this is a cron job, and not a tripwire daemon.
> they are. That way you will know if someone has tampered with your
> system, and what exactly has been changed.
> You should also stop all not-required services, and instead redirect all
> requests on those ports to a logger that will log the entry and send a
> mail to you reporting.
Or just log connection attempts to syslog. man ipchains (or get
Bastille/another firewall script)
> That way, if anyone tries to scan your machine, you will get immediate
> notice of it.
Also check out portsentry.
> You also need to check your log files regularly to see if anything
> unexpected is happening. Typically, you'd do this every morning, but a
> better solution may be to get a log analyser that will provide your log
> files in an easy to read format, possibly over the web. That way, you
I suggest email for reporting. Easier to handle. You might also check
out snort itself.
> can have one browser window always open to monitor what's happening.
> A good system administrator needs to know how a cracker works, but not
> necessarily a hacker. A good programmer should aspire to be a hacker.
Every good sysadmin is a programmer, and every good programmer is a
sysadmin, to some extent. Actually, even sysadmins should try to be
good hackers, that is a useful skill, and vice versa.
Do you like "TENDER VITTLES"?
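A minimal tripwire-style integrity check, added here as an example and not code from the thread or from tripwire itself: it fingerprints the files under a directory, stores the baseline, and on a later run (the nightly cron job mentioned above) reports modified, missing and added files, returning non-zero so the job's mail carries the discrepancies. The directory and baseline paths are assumed; the hashing uses sha256sum in place of tripwire's own database.

```shell
#!/bin/sh
# Added example, not code from the thread or from tripwire: a minimal
# tripwire-style integrity check. All paths here are assumptions.
set -u

# make_baseline DIR BASELINE
#   Fingerprint every regular file under DIR into BASELINE ("hash  path" lines).
#   Copy BASELINE to read-only media afterwards: a baseline the intruder can
#   rewrite proves nothing.
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# check_baseline DIR BASELINE
#   Prints one line per discrepancy (MODIFIED / MISSING / ADDED) and returns 1
#   if there were any, so "check_baseline /usr/bin /mnt/cdrom/baseline | mail root"
#   from a nightly cron job delivers the report described above.
check_baseline() {
    dir=$1; baseline=$2; rc=0
    current=$(mktemp) || return 2
    known=$(mktemp) || return 2
    make_baseline "$dir" "$current"
    cut -c67- "$baseline" > "$known"   # sha256 hex is 64 chars + two spaces
    # Files that vanished or whose hash no longer matches the baseline
    while read -r hash path; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif ! grep -Fqx -e "$hash  $path" "$current"; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$baseline"
    # Files present now that were never fingerprinted (e.g. a planted sniffer)
    while read -r hash path; do
        grep -Fqx -e "$path" "$known" || { echo "ADDED    $path"; rc=1; }
    done < "$current"
    rm -f "$current" "$known"
    return $rc
}
```

Because the comparison is only as trustworthy as the baseline, the baseline file belongs on media the machine cannot write to, as the thread says.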