I'd highly recommend AIDE. Basically AIDE creates a snapshot of your current files (and yes you can tailor what directories it looks at) and then compares the files to that snapshot. It will notify you of what files have changed. This won't prevent an attack, but it will give you a way to figure out what has been modified should you be compromised. Samhain is another program that does something similar.
I think these sorts of integrity checkers are as important as the rootkit detectors since a very significant number of compromises are through weak applications. PHP programs seem to be particularly vulnerable, so if you're serving PHP apps from a web server, you do need to keep an eye on them.
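The snapshot-then-compare idea behind AIDE, as an added example that is not code from the thread or from the AIDE project: a small POSIX sh script that records a baseline of SHA-256 hashes for a tree, later takes a fresh snapshot, and reports files that were added, removed or modified. It assumes GNU coreutils (sha256sum, mktemp) and that paths under the watched tree contain no whitespace; the web-root file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AIDE project: a minimal
# file-integrity baseline in the spirit of AIDE. Record a snapshot of file
# hashes, later compare a fresh snapshot against it and report what changed.
# Assumes GNU coreutils (sha256sum, mktemp) and no whitespace in file paths.

# snapshot DIR OUT : write "<sha256>  <relative path>" for every regular file under DIR
snapshot() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$out"
}

# compare OLD NEW : print "added|removed|modified <path>" for each difference
compare() {
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }      # baseline: path -> hash
        {                                               # current snapshot
            if (!($2 in old))        print "added " $2
            else if (old[$2] != $1)  print "modified " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "removed " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# check DIR BASELINE : snapshot DIR now and diff it against BASELINE.
# Returns 1 when anything changed, so a cron job can mail the report on failure.
check() {
    cur=$(mktemp)
    snapshot "$1" "$cur"
    report=$(compare "$2" "$cur")
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed web root: take a baseline, then simulate a compromise.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/www"
    echo '<?php echo "hi"; ?>' > "$tmp/www/index.php"
    echo 'db=localhost'         > "$tmp/www/config.php"
    snapshot "$tmp/www" "$tmp/baseline.txt"
    echo '/* injected */' >> "$tmp/www/index.php"    # modified
    echo 'x'              >  "$tmp/www/upload.php"   # added
    rm "$tmp/www/config.php"                         # removed
    check "$tmp/www" "$tmp/baseline.txt" || echo "integrity check FAILED"
    rm -rf "$tmp"
}
demo
```

The baseline file is the weak point of any such scheme: if an intruder can rewrite it, the check is silent, which is why AIDE's documentation recommends keeping the database on read-only or off-host storage. The same applies to this script's baseline.txt.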
I'd say the thing you have to worry about most are not worms or viruses or malware. Those were designed for Window$ and just won't run on Linux, much like a '.exe' won't run on Linux (with a few exceptions ... yes a few, not many).
What you have to worry about more are hackers (or crackers or whatever (black hats)). Many have tried to get into my system. In fact, I have lots of logs of hacking attempts on my systems. And yes, there are many hack attempts on my system here. Not sure why. What do they want with my system? At my other house, I haven't gotten a single hack attempt in years, but here, every day I get a new one. And, unfortunately, nobody cares. You can report it to whomever you want, nobody will do anything about it. And that, I think, is the biggest problem of all.
I think a good firewall is the best thing you can do for your system.
They want it to make it part of their botnet, which would allow them to spam, DOS, host files and all sorts of other nefarious activities. By turning your computer into a zombie they control, they can carry out their illegal activities and minimize the risk that they will be discovered. The idea that they want any of the information on your computer is a very outdated one.
In my opinion, a firewall is nice, but if you leave the system connected to the net, it is nowhere near enough.
Alright then, that makes sense. Thanks for the info. I'm always open to more suggestions and good programs to have around.
I currently use rkhunter and chkrootkit to scan for hacking attempts. Does anyone have another security utility that they employ? Just curious:-)
I use netstat, lsof, and socklist, primarily, but also use denyhosts, tcpwrappers, iptables (and ipf for my BSD boxes), modsecurity (for my public web server) and snort (deployed internally, externally, and on my public web server).
I'm really big on layered security but that's mainly because I'm employed as an IT security engineer.
I'm about to start experimenting with tarpits also.
Those tools (AIDE and Samhain) are HIDS, or host intrusion detection systems. And you're right, they won't prevent attacks, but only make them observable. NIDS, or network intrusion detection systems, sniff network traffic and alarm when certain patterns are observed. You can link NIDS with firewalls and have the firewall block alarmed traffic.
I rely on NIDS because HIDS are only installed on individual systems and will not be able to monitor other hosts. I've 10 hosts in my home and don't want to monitor 10 HIDS. NIDS can monitor network segments that contain 1 or 1,000,000 hosts. HIDS are best used on high-value targets (for instance, medical data or financial records). You can also use both in the same environment.
Thank you, unixfool! I appreciate the tips, and the link:-) I'm going to go application hunting now. Cool.
Especially for arcanex. I learned some new important commands here:
'ps -e -u' I usually just do ps -A | grep something
'netstat -ap' I usually do netstat -an
'find -uid 555 /' this is completely new to me. Is that 555 the same as in 'chmod 755'?
And can I find files using the name of the user 'test' instead of the number?
Thank you very much...
Try 'ps -eH u' too. It sorts it by parent process, à la 'pstree'. 'ps' has so many options, but after learning a few I don't even use 'top' anymore, plus it's greppable.
'netstat -anp' is nice too, and is probably more useful at first. If you see IP addresses that you want to look up more, then you do 'netstat -ap' to get their DNS names.
The 555 in 'find -uid 555 /' is different from 'chmod 755'. Honestly, I never figured out how the 755 numbers work, but the 555 is just the user id. You can do 'find -user [name] /' too, I believe, but in my example I had to do the uid since I did it _after_ I deleted the user, so there's no more record of their username, just the uid.
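Finding files by owner versus by permission bits, as an added example that is not code from the thread: with GNU find the starting path comes first and the tests follow it, -uid takes the numeric id, -user takes a name that find resolves through /etc/passwd, and -nouser finds files whose owner no longer has a passwd entry (what is left behind once an account has been deleted). The -perm test is shown for contrast, because the 755 in chmod is a mode (rwxr-xr-x), not a user id. The uid 555 and the user name 'test' from the thread are only placeholders; the demo uses the current user and a constructed temporary tree.

```shell
#!/bin/sh
# Added example, not from the thread: locating files by owner with find, and
# the difference between an owner test (-uid/-user) and a permission test
# (-perm). Assumes GNU findutils and coreutils. Syntax is: find PATH [tests].

# files_owned_by_uid ROOT UID : regular files under ROOT owned by numeric UID
files_owned_by_uid() { find "$1" -xdev -type f -uid "$2" 2>/dev/null; }

# files_owned_by_user ROOT NAME : same, by user name (resolved via /etc/passwd)
files_owned_by_user() { find "$1" -xdev -type f -user "$2" 2>/dev/null; }

# uid_of NAME : the name-to-uid lookup that find performs internally for -user
uid_of() { id -u "$1"; }

# orphaned_files ROOT : files whose owner uid has no passwd entry any more,
# e.g. left behind by a deleted account; -uid N still finds them by number
orphaned_files() { find "$1" -xdev -nouser 2>/dev/null; }

# mode_755_files ROOT : a permission test for contrast; 755 is rwxr-xr-x
mode_755_files() { find "$1" -xdev -type f -perm 755 2>/dev/null; }

# Demo on a constructed temporary tree owned by the current user.
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)
    echo data > "$tmp/notes.txt"; chmod 644 "$tmp/notes.txt"
    echo '#!/bin/sh' > "$tmp/run.sh"; chmod 755 "$tmp/run.sh"
    echo "uid of $me is $(uid_of "$me")"
    echo "owned by uid $(uid_of "$me"):"; files_owned_by_uid "$tmp" "$(uid_of "$me")"
    echo "owned by user $me:";            files_owned_by_user "$tmp" "$me"
    echo "mode 755 files:";                mode_755_files "$tmp"
    echo "orphaned files:";                orphaned_files "$tmp"
    rm -rf "$tmp"
}
demo
```

After removing a suspect account, running orphaned_files against / (as root, which the functions do not require for a temporary tree) gives the same list the thread's 'find -uid 555' was after, without having to remember the number.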
I rely on NIDS because HIDS are only installed on individual systems and will not be able to monitor other hosts. I've 10 hosts in my home and don't want to monitor 10 HIDS.
Unless I'm missing something (always a real possibility), I think your situation is covered by Samhain. I've never used it, but my understanding is that it can be set up to work in a client-server mode, where one centralized Samhain server can monitor multiple remote clients.
I'd also like to point people to the sticky in the Security forum. unSpawn has a very nice collection of security links.
Yeah, sorta like a syslog server or SEM. I'd thought about this. We have several setups of this nature in our enterprise environment. I didn't know that Samhain actually had native capability for this...it's a good thing to know.
Still, I'm more reliant on NIDS, as I'm more comfortable with them. HIDS are entirely different beasts.