Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am wanting to beef up my security. I already do regular who and w checks, but something tells me this really isn't much. I was wondering if there is even any way to check to see if you're being compromised. I don't know how a person would hide from them; I think they'd have to log in as SOMEBODY at some point... but I really am ignorant on security.
If someone has compromised your machine, they could replace the who command with their own version, which would report on everyone EXCEPT them.
So, yes, they could hide from you in that regard. Of course, you'd still find them if you kept a close eye on /etc/passwd and /etc/shadow.
Security is a journey, not a destination. There are many things you can do, and (depending on what your machine is used for) there are many things you need to do, and pretty much all of it is covered in this forum in one place or another. Look around, google a lot, and generally learn. When you have specific questions feel free to ask; someone'll answer.
It's also very common to see the files (/var/log/wtmp and /var/log/utmp) that last and who use to display login info get wiped/replaced as well. Chkrootkit and I believe rkhunter both do checks for wtmp/utmp modification, so I would highly recommend one of those as well. Last time I used Mandriva it was still called Mandrake :-P but I found the msec tool was fairly effective at tightening system security, especially at higher security levels. Though it could be a bit of a pain at times, and for some reason the great documentation they had disappeared as well.
Lastly, there is no real perfect all-in-one security solution. It's really a process that requires multiple levels (application hardening, system hardening, pro-active measures, consistent updating, vigilance). If you are interested in improving these areas, one of the best places to get started is unSpawn's security references thread at the top of the forum. Start at the more general hardening guides and work your way out from there.
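The two replies above make the same point from different angles: a trojaned who/w, a zeroed wtmp, or a second UID-0 account in /etc/passwd can all hide a logged-in intruder from the checks the OP is running. The script below is an added example (not posted by anyone in this thread) of how to check for each of those conditions without trusting the binaries themselves. It runs against constructed sample files in a temp directory so it is self-contained; the file contents, the 16-byte record size used for the fake wtmp and the hypothetical trojaned `who` are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that do not rely on `who`/`w`
# output, run against constructed sample files so the script is self-contained.
# Paths, record size and file contents below are assumptions for the demo.

# 1. Any account with UID 0 other than root (a classic backdoor in /etc/passwd).
find_extra_uid0() {            # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. Lines added to or removed from /etc/passwd (or /etc/shadow) relative to a
#    baseline copy saved while the box was known-good. Keep the baseline off
#    the machine or on read-only media; an intruder with root can edit it.
passwd_changes() {             # $1 = baseline file, $2 = live file
    diff "$1" "$2" | grep '^[<>]' || true
}

# 3. Integrity of the login-auditing binaries. A trojaned `who` prints every
#    session except the intruder's, so compare the files against checksums
#    recorded on a clean system, not against the output of the binaries.
verify_sums() {                # $1 = directory, $2 = sha256sum-format list
    ( cd "$1" && sha256sum -c --quiet "$2" >/dev/null 2>&1 ) \
        && echo ok || echo TAMPERED
}

# 4. wtmp is an array of fixed-size records (384 bytes for glibc on x86_64;
#    pass the size for your platform). Log cleaners usually overwrite the
#    intruder's records with NUL bytes rather than deleting them, so count
#    records that contain nothing but NULs. One dd per record is slow on a
#    large wtmp but keeps the logic obvious.
count_zeroed_records() {       # $1 = wtmp file, $2 = record size in bytes
    total=$(wc -c < "$1" | tr -d ' ')
    nrec=$((total / $2)); i=0; zeroed=0
    while [ "$i" -lt "$nrec" ]; do
        if [ -z "$(dd if="$1" bs="$2" skip="$i" count=1 2>/dev/null | tr -d '\000')" ]; then
            zeroed=$((zeroed + 1))
        fi
        i=$((i + 1))
    done
    echo "$zeroed"
}

# ---- constructed sample data (stand-ins for the real files) ----
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'alice:x:1000:1000:Alice:/home/alice:/bin/bash' > "$TMP/passwd.baseline"
# the live file gained a second UID-0 account
{ cat "$TMP/passwd.baseline"; echo 'toor:x:0:0::/root:/bin/sh'; } > "$TMP/passwd"

mkdir "$TMP/bin"
printf 'original who\n' > "$TMP/bin/who"
printf 'original w\n'   > "$TMP/bin/w"
( cd "$TMP/bin" && sha256sum who w > "$TMP/bin.sha256" )
printf 'trojaned who\n' > "$TMP/bin/who"      # simulate the replacement

# three 16-byte records; the middle one has been wiped
{ printf 'alice\000pts/0\000\000\000\000\000'
  dd if=/dev/zero bs=16 count=1 2>/dev/null
  printf 'bob\000pts/1\000\000\000\000\000\000\000'
} > "$TMP/wtmp"

echo "extra UID 0 accounts: $(find_extra_uid0 "$TMP/passwd")"
echo "passwd changes:"; passwd_changes "$TMP/passwd.baseline" "$TMP/passwd"
echo "binary check: $(verify_sums "$TMP/bin" "$TMP/bin.sha256")"
echo "zeroed wtmp records: $(count_zeroed_records "$TMP/wtmp" 16)"
```

On a real Mandriva box the checksum list would be generated from /usr/bin/who, /usr/bin/w and /usr/bin/last right after install and kept off the machine; `rpm -Vf /usr/bin/who` is a quicker check against the package database, but rpm itself is just another binary an intruder with root can replace, which is why the off-box list (or chkrootkit/rkhunter, as suggested above) is the stronger reference.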
Those were some really good tips, thanks guys. I'm thirsty for more. My friend tells me there is a book at the book store about intrusion detection which I plan on buying. I am willing to learn as much as possible.