On Sat, 23 Jun 2001, Philip S Tellis spewed into the ether:
> Sometime on Jun 22, Benoy George assembled some asciibets to say:
> > How can I find more details, like who this sniffer is and when he
> > entered our m/c?
>
> Well, for one, you need to install tripwire. That will fingerprint all
> your binaries and store it in a database. Then, back up that database
> on a separate machine/removable disk.

Ideally a WORM device like a CDROM.

> Tripwire will check all binaries every night

Note that this is a cron job, and not a tripwire daemon.

> and mail you if there are any discrepancies, reporting what they are.
> That way you will know if someone has tampered with your system, and
> what exactly has been changed.
>
> You should also stop all not-required services, and instead redirect
> all requests on those ports to a logger that will log the entry and
> send a mail to you reporting it.

Or just log connection attempts to syslog. man ipchains (or get
Bastille/another firewall script).

> That way, if anyone tries to scan your machine, you will get immediate
> notice of it.

Also check out portsentry.

> You also need to check your log files regularly to see if anything
> unexpected is happening. Typically, you'd do this every morning, but a
> better solution may be to get a log analyser that will provide your log
> files in an easy to read format, possibly over the web.

I suggest email for reporting. Easier to handle. You might also check
out snort itself.

> That way, you can have one browser window always open to monitor
> what's happening.
<snip>
> A good system administrator needs to know how a cracker works, but not
> necessarily a hacker. A good programmer should aspire to be a hacker.

Every good sysadmin is a programmer, and every good programmer is a
sysadmin, to some extent. Actually, even sysadmins should try to be good
hackers, that is a useful skill, and vice versa.
Devdas Bhagat -- Do you like "TENDER VITTLES"?
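The baseline-then-verify routine the thread describes (fingerprint the binaries, keep the database somewhere the host cannot rewrite, compare every night from cron and mail the discrepancies), shown as an added Python example. This is not tripwire's own code or any code from the thread; the function names, the JSON database format and the scratch directory tree built in demo() are all constructed for illustration.

```python
"""Baseline-and-verify file integrity check, in the spirit of the tripwire
advice in the thread above.  Added example, not tripwire's own code: it
records a SHA-256 digest, size and permission bits for every regular file
under a directory, stores them as JSON, and later reports files that were
added, removed or modified.  The tree built in demo() is constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Hash the file contents and record size and permission bits."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root) -> dict:
    """Map each regular file (relative POSIX path) to its fingerprint.
    Symlinks are skipped so the walk cannot be redirected elsewhere."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def save_baseline(baseline: dict, dest) -> None:
    """Write the database; in practice keep this copy off the monitored host."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def verify(root, baseline: dict) -> dict:
    """Compare the live tree against the stored baseline."""
    current = build_baseline(root)
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(k for k in known & seen if current[k] != baseline[k]),
    }


def format_report(report: dict) -> str:
    """Plain-text summary suitable for the body of a cron mail."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            lines.append(f"{kind.upper():9s} {path}")
    return "\n".join(lines) if lines else "no discrepancies"


def demo() -> dict:
    """Constructed scenario: baseline a scratch tree, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        db = Path(tmp) / "integrity.json"  # would live on WORM media in practice
        save_baseline(build_baseline(root), db)

        # Simulated tampering: ps replaced, ls removed, an unexpected file added.
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary")
        (root / "bin" / "ls").unlink()
        (root / "bin" / "extra").write_bytes(b"unexpected file")

        return verify(root, load_baseline(db))


if __name__ == "__main__":
    print(format_report(demo()))
```

Run from cron with the database on read-only media, as the thread suggests, and pipe the report into mail; the check is only as trustworthy as the copy of the baseline the intruder could not alter, which is why the database is kept off the host rather than beside the files it describes.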