I have a security concern to enquire about.
1. How can I find out if someone is 'trying to break' or has 'already broken' into my system, whether it is to do harm or just to use my resources without my permission?
Nice question. Here's the answer: You need to know exactly how your system works, what processes should run and which shouldn't. Make sure to monitor these settings with the appropriate tools and keep up to date about security concerns that are related to your hardware and software. If you don't know how to start, it will take you a few years to reach that state. If you suspect that someone might have already broken into your system, check the hints that made you think so and reinstall the system. Once an intruder has gotten root access it is extremely difficult to make sure that no backdoor is left to give access to the intruder. Sandy
What a useless answer. How about pointing this person in the right direction? For security concerns, start by installing tripwire, http://www.tripwire.org/ You can also check to see who is connected to your computer by typing "users" at your shell. See more than one root user logged in (unless you expect more) and you have problems. If you think your system has already been broken into, start by disconnecting the computer from the rest of the network. Check your logs under /var/logs/. No logs, then you may have been hacked. This, by no means, is an all-conclusive list, however it is a good start. Good luck, ~James
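As an added example (not code from the thread or from any poster), a small POSIX sh script that automates two of the checks James lists: counting root sessions in the output of `users`, and checking whether the log directory is missing or empty. The function names and the sample `users` line are my own; the standard log directory on Linux is /var/log.

```shell
#!/bin/sh
# Added example: defender-side sanity checks built from the advice above.
# Everything here is constructed for illustration; function names are mine.

# Count how many sessions belong to root in a `users`-style line,
# e.g. "root bob root" -> 2.
root_session_count() {
    count=0
    for u in $1; do
        [ "$u" = "root" ] && count=$((count + 1))
    done
    echo "$count"
}

# Warn when root is logged in more often than expected (default: once).
# Returns 1 on a warning so callers can act on it.
check_root_sessions() {
    n=$(root_session_count "$1")
    expected="${2:-1}"
    if [ "$n" -gt "$expected" ]; then
        echo "WARNING: $n root sessions logged in (expected at most $expected)"
        return 1
    fi
    return 0
}

# Report the state of a log directory: "present" if it holds at least one
# regular file, "empty" if it exists but holds none, "missing" otherwise.
log_dir_state() {
    dir="$1"
    [ -d "$dir" ] || { echo missing; return 1; }
    if [ -n "$(find "$dir" -maxdepth 1 -type f 2>/dev/null | head -n 1)" ]; then
        echo present
        return 0
    fi
    echo empty
    return 2
}

# Run against the live system with: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
    check_root_sessions "$(users)"
    echo "/var/log: $(log_dir_state /var/log)"
fi
```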
James D. Parra wrote:
Nice question. Here's the answer: You need to know exactly how your system works, what processes should run and which shouldn't. Make sure to monitor these settings with the appropriate tools and keep up to date about security concerns that are related to your hardware and software.
What a useless answer. How about pointing this person in the right direction?
Let's just assume my crystal ball is spitting out the answer he is looking for. Will you then please explain to him what all the megabytes worth of logfiles actually mean? He would probably look right at the answer and not recognize it. You need to have at least a working knowledge of how your system is set up and what to look for in the logs. I tried not to be too snide, but it was difficult! Though I have to admit I could have given him at least some links to documentation sites where he could find further info. The question was just a bit too general to give a specific answer. Sandy
On Wednesday 20 April 2005 07:48 pm, Sandy Drobic wrote:
Let's just assume my crystal ball is spitting out the answer he is looking for. Will you then please explain to him what all the megabytes worth of logfiles actually mean? He would probably look right at the answer and not recognize it. You need to have at least a working knowledge of how your system is set up and what to look for in the logs.
Is there a very detailed and explicit guide to reading log files for the complete beginner somewhere? It would be a great thing for me.
-- Bob Rea mailto:gapetard@stsams.org http://www.petard.us http://www.petard.us/blog http://www.petard.us/gallery Time is the best teacher. Unfortunately it kills all its students.
On Thursday 21 April 2005 10:32 am, Bob Rea wrote:
On Wednesday 20 April 2005 07:48 pm, Sandy Drobic wrote:
Let's just assume my crystal ball is spitting out the answer he is looking for. Will you then please explain to him what all the megabytes worth of logfiles actually mean? He would probably look right at the answer and not recognize it. You need to have at least a working knowledge of how your system is set up and what to look for in the logs.
Is there a very detailed and explicit guide to reading log files for the complete beginner somewhere? It would be a great thing for me.
The Linux Documentation Project at http://www.tldp.org is a good place to start. Specifically sections: http://www.tldp.org/HOWTO/HOWTO-INDEX/admin.html#ADMSECURITY http://www.tldp.org/HOWTO/HOWTO-INDEX/networking.html#NETSECURITY
Sandy may have seemed a bit harsh, but his answer was the correct one. Some of the required knowledge must be built on a foundation of prior knowledge. The above site has a lot of information. I would also read through all of the SuSE documentation first. Their manuals are some of the better ones. Someone else mentioned Snort. I love this program, especially with the SnortSam plugin. Again, however, a good base knowledge is needed to get the most out of it. <Mild Rant directed_to="NOT OP"> Such questions are common in the computer industry, but quite rare in most others. Most would understand that their doctor could not easily explain many of the intricacies of his job to a layman unless that person had spent a similar number of years gaining the needed base knowledge. Many new users to the Linux world tend to try things they would not have attempted in Windows. This leads to frustration and unfair comparisons between the two systems. Sorry ... I don't usually do that. I was just asked by a client to explain part of a program's inner workings. It was quite frustrating. -- Louis Richards
On Thursday 21 April 2005 4:19 pm, Louis Richards wrote:
The Linux Documentation Project at http://www.tldp.org is a good place to start. Specifically sections: http://www.tldp.org/HOWTO/HOWTO-INDEX/admin.html#ADMSECURITY http://www.tldp.org/HOWTO/HOWTO-INDEX/networking.html#NETSECURITY <snip> Someone else mentioned Snort. I love this program, especially with the SnortSam plugin. Again, however, a good base knowledge is needed to get the most out of it.
Louis Richards
Another security related package that is good for locking down a system is Bastille. Doesn't detect a break-in/crack but it could help prevent one. I loaded version 3.0.2-1.0 from the site http://www.bastille-linux.org/. Generic RPM for SUSE, RedHat, Mandrake, etc. Loaded fine, stepped through a few screens before cancelling out. Version 2.1.1 is on 9.2 and apparently is the same version on 9.3. I thought it was dropped for a couple of releases like 9.0 and 9.1 maybe? Bastille steps you through a security check on your machine with explanations of each step. Learning what it all means in relation to everything else is the fun part! Leave the defaults alone if you are new to Linux and learn what each step means before making changes. You could lock yourself out of your machine if you don't know what you are doing. Nothing a quick re-install couldn't cure though. Once you are thoroughly confused then of course ask for help here or at suse-security list. Stan
On Thu, 2005-04-21 at 01:18, James D. Parra wrote:
I have a security concern to enquire about.
1. How can I find out if someone is 'trying to break' or has 'already broken' into my system, whether it is to do harm or just to use my resources without my permission?
As always, google is your friend ...
Security is something with many, many aspects to address. I could say there's a plethora of books on this subject, but while true, one can spend a fortune on
Some pointers: A three-part story from IBM on linux-security http://www-128.ibm.com/developerworks/linux/library/l-seclnx1.html
A well written book from Gerhard Mourani on securing and optimising Red Hat, but many aspects are Linux generally. The PDFs of version 1.0 and 2.0 are free for download. (think twice before you say "print" ;-) http://www.openna.com/products/books.php
Hans
On Thu, Apr 21, 2005 at 01:12:14PM +0200, Hans Witvliet wrote:
On Thu, 2005-04-21 at 01:18, James D. Parra wrote:
I have a security concern to enquire about.
1. How can I find out if someone is 'trying to break' or has 'already broken' into my system, whether it is to do harm or just to use my resources without my permission?
I would say first off, grab the admin book that SUSE comes with and read the section on security. And read the section on YAST2. Next up, security is never a program, it's a policy. Like not downloading everything and installing it, only download from trusted sources, like SUSE. Next up, what type of configuration do you have? What daemons do you have running? You should shut down any daemons you aren't needing (PLEASE ask us on the list before you shut them down, some of those are needed by the system, you can shut off SSH, Apache / HTTPD, and FTP if you aren't using it, but again, ask us before you do because I'm taking it that you're a newbie in Unix security). Next, the SUSE firewall should be running, check what you have it set up to do. What type of internet connection do you have? You may want to do something with chkrootkit which I believe Patrick has already linked you to before my reply. He is a fairly trustable source of information. So after you have some of these steps answered here, I'm sure you can find the problems. Make sure you always update SUSE with YAST when there are security flaws, set up the SUSE firewall, and in YAST go and edit the run levels options to shut off the daemons you don't need running (AGAIN I CAN'T TELL YOU ENOUGH TIMES TO ASK BEFORE YOU SHUT THEM DOWN, SOME CAN DESTROY YOUR SYSTEM.)
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
participants (7)
- Allen
- Bob Rea
- Hans Witvliet
- James D. Parra
- Louis Richards
- Sandy Drobic
- Stan Glasoe