Bruce is definitely right. Stop 'em before they get in. Hostsentry, portsentry and logcheck are three excellent programs for keeping track of what is going on. They are available free at http://psionic.com. I also added a script in syslog.conf to have /var/log/messages printed out on /dev/tty12. That makes keeping an eye on things very easy.
--
mark wilson
visit this site and help someone who needs you today. http://www.thehungersite.com
this message sent using S.u.S.E. Linux

Bruce wrote:
This approach is very dangerous. Yes, tripwire etc., but prevention first. DON'T RELY ON THESE TOOLS. Most sites I have seen have not nailed down their firewalls (IPCHAINS etc.). Lock everything out by default first. THEN allow each service in one by one. If you don't want logins directly, lock off telnet, SSH etc. and allow specific users in only when they register their IP address with you. We do this using a browser and a perl script. Known users have known machines, otherwise no way.
On the other side of the coin, we have several hundreds of intrusion attempts on our machines each day, mostly smb/samba and sunrpc - everyone is logged - and specific hack users are simply DENYed from accessing anything at all!!
So playing an MP3 sound for each intrusion is going to be very noisy!!!
Bruce.
zentara wrote:
Can anyone suggest me a good and free software for detecting an intrusion on my server? I was thinking of something that can be configured to send a sound when the attempt of intrusion is made and give a report of all logins and attempts of logins on my server.
I just saw this package on freshmeat. It's a perl package that reads logs and plays an mp3 when an event is discovered. Good timing eh?
As I'm sure you're aware, failed root login attempts are logged in /var/log/messages, but I'm not sure about normal user logins.
Portscans can be detected with scanlogd, while general intrusion detection can be performed by tripwire (monitors files and checks to see if their contents have changed).
Hope that helps, Chris
Chris Reeves
ICQ# 22219005
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq
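The default-deny ordering Bruce describes (lock everything out, then open services one by one, with logins only from registered addresses), as an added example that is not part of the original thread or anyone's actual script. The registration list format, the public ports, and the function names `valid_ipv4` and `build_rules` are assumptions; the ipchains commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example: emit a default-deny ipchains rule set in which SSH is
# reachable only from registered addresses. Commands are printed, not run.

# Constructed sample registrations, "user ip" per line (documentation addresses).
REGISTERED='alice 192.0.2.10
bob 198.51.100.7
mallory 10.0.0.1;reboot
carol 203.0.113.300'

PUBLIC_TCP_PORTS="25 80"   # assumed services open to everyone
SSH_PORT=22

# Accept only a strict dotted quad with every octet in 0..255, so nothing
# from the registration list can smuggle shell or rule syntax into a command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

build_rules() {
    echo "ipchains -P input DENY"                 # lock everything out first
    echo "ipchains -F input"
    echo "ipchains -A input -i lo -j ACCEPT"
    for port in $PUBLIC_TCP_PORTS; do             # then open services one by one
        echo "ipchains -A input -p tcp -d 0/0 $port -j ACCEPT"
    done
    printf '%s\n' "$REGISTERED" | while read -r user ip; do
        if valid_ipv4 "$ip"; then                 # known users, known machines
            echo "ipchains -A input -p tcp -s $ip -d 0/0 $SSH_PORT -j ACCEPT"
        else
            echo "skipping invalid registration for $user" >&2
        fi
    done
    echo "ipchains -A input -l -j DENY"           # log and drop whatever is left
}

build_rules
```

The two malformed registrations are rejected on stderr and never reach a rule, which is the check a web-facing registration script needs before its input is turned into firewall commands.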