Old 05-26-2007, 12:18 PM   #16
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1


I'd highly recommend AIDE. Basically AIDE creates a snapshot of your current files (and yes you can tailor what directories it looks at) and then compares the files to that snapshot. It will notify you of what files have changed. This won't prevent an attack, but it will give you a way to figure out what has been modified should you be compromised. Samhain is another program that does something similar.

I think these sorts of integrity checkers are as important as the rootkit detectors since a very significant number of compromises are through weak applications. PHP programs seem to be particularly vulnerable, so if you're serving PHP apps from a web server, you do need to keep an eye on them.

Last edited by Hangdog42; 05-26-2007 at 12:21 PM.
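The snapshot-and-compare idea described above, as an added example that is not part of the original post and not AIDE's own code: a minimal file-integrity checker that fingerprints regular files and reports what was added, removed or changed since the last snapshot. The function and field names are my own choices.

```python
import hashlib
import os
import stat

# Added example (not AIDE's code): a minimal AIDE-style integrity checker.
# A snapshot maps each regular file to its hash plus the attributes tampering
# usually disturbs. Keep the saved snapshot where an intruder on the host
# cannot rewrite it (read-only media or another machine), or it proves nothing.

def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed here
            db[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "mtime": int(st.st_mtime),
            }
    return db

def compare(old, new):
    """Report files added, removed, or changed (and which attributes changed)."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": {}}
    for path in sorted(set(old) & set(new)):
        diffs = [k for k in old[path] if old[path][k] != new[path][k]]
        if diffs:
            report["changed"][path] = diffs
    return report
```

Persist the snapshot with `json.dump` and diff it against a fresh `snapshot()` on each run; a file whose only difference is `mtime` was touched but not rewritten, which is why the attributes are recorded alongside the hash.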
 
Old 05-26-2007, 12:34 PM   #17
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

I'd say the thing you have to worry about most are not worms or viruses or malware. Those were designed for Window$ and just won't run on Linux, much like a '.exe' won't run on Linux (with a few exceptions ... yes a few, not many).

What you have to worry about more are hackers (or crackers or whatever (black hats)). Many have tried to get into my system. In fact, I have lots of logs of hacking attempts on my systems. And yes, there are many hack attempts on my system here. Not sure why. What do they want with my system? At my other house, I haven't gotten a single hack attempt in years, but here, every day I get a new one. And, unfortunately, nobody cares. You can report it to whomever you want, nobody will do anything about it. And that, I think, is the biggest problem of all.

I think a good firewall is the best thing you can do for your system.
 
Old 05-26-2007, 12:44 PM   #18
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Originally Posted by H_TeXMeX_H
Not sure why. What do they want with my system?
They want it to make it part of their botnet, which would allow them to spam, DOS, host files and all sorts of other nefarious activities. By turning your computer into a zombie they control, they can carry out their illegal activities and minimize the risk that they will be discovered. The idea that they want any of the information on your computer is a very outdated one.

In my opinion, a firewall is nice, but if you leave the system connected to the net, it is nowhere near enough.
 
Old 05-26-2007, 01:42 PM   #19
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Void, Debian, Slackware
Posts: 7,342

Thank you, Hangdog42 and H_TeXMeX_H,

I appreciate your replies; I like to learn more about security:-)
 
Old 05-26-2007, 02:25 PM   #20
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Quote:
Originally Posted by Hangdog42
They want it to make it part of their botnet, which would allow them to spam, DOS, host files and all sorts of other nefarious activities. By turning your computer into a zombie they control, they can carry out their illegal activities and minimize the risk that they will be discovered. The idea that they want any of the information on your computer is a very outdated one.

In my opinion, a firewall is nice, but if you leave the system connected to the net, it is nowhere near enough.
Alright then, that makes sense. Thanks for the info. I'm always open to more suggestions and good programs to have around.
 
Old 05-26-2007, 06:42 PM   #21
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Quote:
Originally Posted by hitest
I currently use rkhunter and chkrootkit to scan for hacking attempts. Does anyone have another security utility that they employ? Just curious:-)
I use netstat, lsof, and socklist, primarily, but also use denyhosts, tcpwrappers, iptables (and ipf for my BSD boxes), modsecurity (for my public web server) and snort (deployed internally, externally, and on my public web server).

I'm really big on layered security but that's mainly because I'm employed as an IT security engineer.

I'm about to start experimenting with tarpits also.

Last edited by unixfool; 05-26-2007 at 06:53 PM.
 
Old 05-26-2007, 06:50 PM   #22
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Quote:
Originally Posted by Hangdog42
I'd highly recommend AIDE. Basically AIDE creates a snapshot of your current files (and yes you can tailor what directories it looks at) and then compares the files to that snapshot. It will notify you of what files have changed. This won't prevent an attack, but it will give you a way to figure out what has been modified should you be compromised. Samhain is another program that does something similar.

I think these sorts of integrity checkers are as important as the rootkit detectors since a very significant number of compromises are through weak applications. PHP programs seem to be particularly vulnerable, so if you're serving PHP apps from a web server, you do need to keep an eye on them.
Those tools (AIDE and Samhain) are HIDS, or host intrusion detection systems. And you're right, they won't prevent attacks, but only make them observable. NIDS, or network intrusion detection systems, sniff network traffic and alarm when certain patterns are observed. You can link NIDS with firewalls and have the firewall block alarmed traffic.

I rely on NIDS because HIDS are only installed on individual systems and will not be able to monitor other hosts. I've 10 hosts in my home and don't want to monitor 10 HIDS. NIDS can monitor network segments that contain 1 or 1,000,000 hosts. HIDS are best used on high-value targets (for instance, medical data or financial records). You can also use both in the same environment.
 
Old 05-26-2007, 08:27 PM   #23
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Void, Debian, Slackware
Posts: 7,342


Quote:
Originally Posted by unixfool
I use netstat, lsof, and socklist, primarily, but also use denyhosts, tcpwrappers, iptables (and ipf for my BSD boxes), modsecurity (for my public web server) and snort (deployed internally, externally, and on my public web server).

I'm really big on layered security but that's mainly because I'm employed as an IT security engineer.

I'm about to start experimenting with tarpits also.
Thank you, unixfool! I appreciate the tips, and the link:-) I'm going to go application hunting now. Cool.
 
Old 05-26-2007, 09:15 PM   #24
arcanex
Member
 
Registered: Mar 2007
Posts: 41

Quote:
Originally Posted by shadowdancer
Thank you..thank you..

especially for arcanex. I learn new important command here:
'ps -e -u' I usually just do ps -A | grep something
'netstat -ap' I usually do netstat -an
'find -uid 555 /' this is completely new to me. Is that 555 the same as 'chmod 755'?
And can I find files using the name of the user 'test' instead of the number?

thank you very much...

Try 'ps -eH u' too. It sorts it by parent process, ala 'pstree' . 'ps' has so many options, but after learning a few I don't even use 'top' anymore, plus it's greppable.

'netstat -anp' is nice too, and is probably more useful at first. If you see IP addresses that you want to look up more, then you do 'netstat -ap' to get their DNS names.

The 555 in 'find -uid 555 /' is different from 'chmod 755'. Honestly, I never figured out how the 755 numbers work, but the 555 is just the user id. You can do 'find -user [name] /' too, I believe, but in my example I had to do the uid since I did it _after_ I deleted the user, so there's no more record of their username, just the uid.
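The distinction made in this reply, as an added example that is not part of the original post: a uid names an owner, while 755 is a permission mode. The block below decodes a mode into its rwx triplets, walks a tree by owner uid or by username (what `find -uid` and `find -user` do; with GNU find the path goes before the test, as in `find / -uid 555`), and lists entries whose owner has no passwd entry, which is the situation left behind after a user is deleted. Function names are my own.

```python
import os
import pwd

# Added example (not from the thread): uid versus permission mode, and the
# "deleted user's leftovers" check. Constructed for illustration; the function
# names are assumptions, not any tool's API.

def mode_string(mode):
    """Decode an octal mode such as 0o755 into rwx triplets: owner, group, other."""
    out = ""
    for shift in (6, 3, 0):
        triplet = (mode >> shift) & 0o7
        out += "".join(ch if triplet & bit else "-"
                       for ch, bit in zip("rwx", (4, 2, 1)))
    return out

def walk_stat(root):
    """Yield (path, lstat) for every entry under root, skipping unreadable ones."""
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)
            except OSError:
                continue

def files_owned_by(root, uid):
    """Same idea as `find ROOT -uid UID`: match on the numeric owner."""
    return sorted(p for p, st in walk_stat(root) if st.st_uid == uid)

def files_owned_by_name(root, username):
    """Same idea as `find ROOT -user NAME`: resolve the name, then match the uid."""
    return files_owned_by(root, pwd.getpwnam(username).pw_uid)

def orphaned_files(root):
    """Entries whose owner uid has no passwd entry (a deleted account's leftovers)."""
    known = {entry.pw_uid for entry in pwd.getpwall()}
    return sorted((p, st.st_uid) for p, st in walk_stat(root)
                  if st.st_uid not in known)
```

`mode_string(0o755)` gives `rwxr-xr-x` and `mode_string(0o555)` gives `r-xr-xr-x`, so the 555 in the `find` command and a 555 mode are unrelated numbers that happen to look alike.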
 
Old 05-26-2007, 09:23 PM   #25
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Quote:
Originally Posted by unixfool
I'm about to start experimenting with tarpits also.
Now, that is very interesting. Thanks for the link
 
Old 05-27-2007, 07:41 AM   #26
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Originally Posted by unixfool
I rely on NIDS because HIDS are only installed on individual systems and will not be able to monitor other hosts. I've 10 hosts in my home and don't want to monitor 10 HIDS.
Unless I'm missing something (always a real possibility), I think your situation is covered by Samhain. I've never used it, but my understanding is that it can be set up to work in a client-server mode, where one centralized Samhain server can monitor multiple remote clients.

I'd also like to point people to the sticky in the Security forum. unSpawn has a very nice collection of security links.

Last edited by Hangdog42; 05-27-2007 at 07:44 AM.
 
Old 05-28-2007, 09:01 AM   #27
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Quote:
Originally Posted by Hangdog42
Unless I'm missing something (always a real possibility), I think your situation is covered by Samhain. I've never used it, but my understanding is that it can be set up to work in a client-server mode, where one centralized Samhain server can monitor multiple remote clients.

I'd also like to point people to the sticky in the Security forum. unSpawn has a very nice collection of security links.
Yeah, sorta like a syslog server or SEM. I'd thought about this. We have several setups of this nature in our enterprise environment. I didn't know that Samhain actually had native capability for this...it's a good thing to know.

Still, I'm more reliant on NIDS, as I'm more comfortable with them. HIDS are entirely different beasts.
 