[techtalk] getting ports scanned...

curious curious at curious.org
Sun Oct 8 20:43:22 EST 2000


You might consider putting up an Intrusion Detection System.
www.snort.org is probably the best free one out there..
if you feel like torturing yourself, Shadow is also nice (esp. for
distributed sensors).. however Shadow only looks at headers unless you
massively alter the scripts..
http://www.nswc.navy.mil/ISSEC/CID/
consider setting the IDS to watch for content that doesn't belong on a given
port.. (i.e. /bin/sh should NEVER show up on port 53)

Also host-based intrusion detection systems can be very useful in finding
out what was actually done to a compromised box..

http://sites.netscape.net/fcheck/
http://www.tripwiresecurity.com/

beyond file checks there is LIDS
http://www.lids.org/
it puts in a layer of security that even root can't get past

note.. a lot of these things take quite a while to get working right.. so be
ready to invest some time.. though after it's done.. you'll have learned
A LOT about what is actually going on (both the good and the bad)

best wishes,
Chris


 /"\  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
 \ /   ASCII Ribbon Campaign      curious at curious.org
  X   - NO HTML/RTF in e-mail     http://www.curious.org/
 / \  - NO Word docs in e-mail    "This quote is false." -anon
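The "content that doesn't belong on a port" idea above, as an added example that is not code from the original post and not Snort itself: a tiny matcher that reads Snort's content syntax (literal text with |hex| runs), then runs three assumed rules for port 53 over a handful of constructed packets. The rule names, the sample traffic and the NOP-sled rule are my own assumptions for illustration; Chris only names the /bin/sh-on-53 case.

```python
"""Minimal Snort-style payload check: flag content that has no business
being on a given port.  Added illustration, not code from the original
post or from Snort."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str        # what to print in the alert
    dport: int       # destination port the rule is scoped to
    content: bytes   # byte pattern that should never appear there


def parse_content(spec: str) -> bytes:
    """Turn Snort content syntax into bytes: '|2f|bin|2f|sh' -> b'/bin/sh'.

    Text between a pair of '|' is hex (spaces allowed); everything else is
    taken literally.  An odd number of bars means an unterminated hex run.
    """
    if spec.count("|") % 2:
        raise ValueError("unterminated |hex| segment in %r" % spec)
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        # chunks alternate literal, hex, literal, hex, ...
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


# Assumed rules (rule names are mine, not Snort's stock ruleset).
RULES = [
    Rule("shell path in DNS traffic", 53, parse_content("|2f|bin|2f|sh")),
    Rule("ELF header in DNS traffic", 53, parse_content("|7f|ELF")),
    Rule("NOP sled to named", 53, parse_content("|90 90 90 90 90 90 90 90|")),
]

# Constructed sample traffic, not a capture: (src, dst, dport, payload).
SAMPLE_PACKETS = [
    # ordinary A query for www.example.com: nothing to see
    ("10.0.0.7", "10.0.0.1", 53,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
     b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
    # sled + stub shellcode + shell path aimed at the DNS port
    ("203.0.113.9", "10.0.0.1", 53, b"\x90" * 64 + b"\x31\xc0" + b"/bin/sh\x00"),
    # same string on port 80: out of scope for these rules
    ("203.0.113.9", "10.0.0.1", 80, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n\r\n"),
    # an ELF image being pushed at the DNS port
    ("203.0.113.9", "10.0.0.1", 53, b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8),
]


def scan(packets, rules):
    """Return (rule name, src, dst) for every rule that fires on a packet."""
    alerts = []
    for src, dst, dport, payload in packets:
        for rule in rules:
            if rule.dport == dport and rule.content in payload:
                alerts.append((rule.name, src, dst))
    return alerts


if __name__ == "__main__":
    for name, src, dst in scan(SAMPLE_PACKETS, RULES):
        print("ALERT %-28s %s -> %s" % (name, src, dst))
```

Two things a real sensor does that this toy does not: it reassembles TCP streams and IP fragments before matching, so a pattern split across packets is still seen, and it scopes matches with depth/offset so a rule is not paying for a full-payload search on every packet. The port-80 packet above is the point of the exercise: the same string on a port where it can be legitimate is not an alert, which is what keeps a content rule usable.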

On Sun, 8 Oct 2000, K. Ziel wrote:

> Hi--
> 
> Now that I'm freshly over my DNS angst, I am logging everything that I deny in
> my firewall so that I know what's going on...
> 
> So, I've been scanned a lot the last few days, and while I think that I built a
> pretty good firewall, I want to know if someone has managed to infiltrate.
> 
> What should I look for in my process list to tell me if I've got friends in my
> home box?
> 
> I thought that perhaps I should log EVERYTHING, that way I know if someone
> got in on a port that I've allowed for say...web access.  That of course, leads
> to TOO much logging..
> 
> then, I thought perhaps a cron, checking if my /var/log/messages has been updated,
> and not quite sure how to do that....getting only the latest update to messages.
> 
> arg.
> 
> Kristin
> 
> _______________________________________________
> techtalk mailing list
> techtalk at linuxchix.org
> http://www.linux.org.uk/mailman/listinfo/techtalk
> 
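The host-based file checks Chris points to (fcheck, Tripwire), as an added example that is not code from the original post, from fcheck or from Tripwire: take a baseline of digest plus the stat() fields a rootkit disturbs, store it, and diff a later snapshot against it. The directory tree, file names and the "rootkit" edits in demo() are constructed for illustration.

```python
"""Tripwire/fcheck-style file integrity check in miniature.  Added
illustration, not code from the original post, fcheck or Tripwire.
A baseline maps each file to a SHA-256 digest and the permission/owner/size
fields; a later snapshot is compared against it to find what changed."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Digest plus the metadata a trojaned binary or a chmod would change."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def snapshot(root: Path) -> dict:
    """Map every file under root (path relative to root) to its fingerprint.
    Symlinks are recorded by target rather than followed."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.is_symlink():
                result[rel] = {"symlink": os.readlink(p)}
            elif p.is_file():
                result[rel] = fingerprint(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Added/removed paths, and for modified paths which fields differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        keys = set(baseline[rel]) | set(current[rel])
        changed = sorted(k for k in keys if baseline[rel].get(k) != current[rel].get(k))
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed tree: baseline it, 'rootkit' it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        for d in ("bin", "etc", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"\x7fELF genuine ls")
        (root / "bin" / "ps").write_bytes(b"\x7fELF genuine ps")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "var" / "log" / "messages").write_text("Oct  8 20:43:22 box kernel: up\n")
        os.chmod(root / "bin" / "ls", 0o755)
        os.chmod(root / "bin" / "ps", 0o755)
        os.chmod(root / "etc" / "passwd", 0o644)

        db = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), db)

        # Simulated compromise: ps replaced by a same-size trojan (size alone
        # would miss it), ls made setuid, a backdoor shell added, passwd
        # gains an account, and the log that recorded it all is deleted.
        (root / "bin" / "ps").write_bytes(b"\x7fELF trojan! ps")
        os.chmod(root / "bin" / "ls", 0o4755)
        (root / "bin" / "sh-backdoor").write_bytes(b"\x7fELF backdoor")
        with (root / "etc" / "passwd").open("a") as f:
            f.write("toor:x:0:0::/:/bin/sh\n")
        (root / "var" / "log" / "messages").unlink()

        return compare(load_baseline(db), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report only means something if the baseline was taken on a known-clean system and is stored where the intruder cannot rewrite it (read-only media, or another host) and the checker itself is not run from a binary on the box being checked; otherwise a rootkit that replaces ps can just as well replace the checker and its database. That is the gap LIDS-style kernel restrictions are meant to close.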