LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   How to tell if you need firewall or not? (https://www.linuxquestions.org/questions/linux-security-4/how-to-tell-if-you-need-firewall-or-not-15538/)

nutshell 03-04-2002 03:22 AM

How to tell if you need firewall or not?
 
Hi,

How do you tell if you have been attacked or someone has attempted to attack my machine? Like reading logs and similar things? How do you do that? Any software that has this function? I want to know if someone has attempted to hack my machine, because I don't really want to install a firewall for no reason. Yes, I know some of you will say that you will be hacked 9 times out of 10, but still, I want to know how you know if you've been scanned or attacked or similar things.


thnx

acid_kewpie 03-04-2002 05:36 AM

you shouldn't wait until you get attacked before you put up a firewall. generally it should be part of a general secure system.

nutshell 03-04-2002 05:44 AM

But how do u tell if you've been attacked or not?

acid_kewpie 03-04-2002 05:47 AM

well, yeah, check logs. unless you've put in place a general port logger, you won't be able to tell other than people attempting to connect to specific services such as samba or apache, in which case it'd be in their logs, as you'd expect, like /var/log/samba/"hostname"

BillRice 03-07-2002 04:51 PM

How to tell if you've been compromised...
 
Quote:

Originally posted by nutshell
But how do u tell if you've been attacked or not?
The security faq at comp.os.linux.security has some good info on this. Section 5 of that document covers intrusion detection.

trickykid 03-07-2002 05:40 PM

another good place for info is at http://www.linuxsecurity.com/

-trickykid

JimKyle 03-07-2002 10:34 PM

Re: How to tell if you need firewall or not?
 
Quote:

Originally posted by nutshell
Hi,

How do you tell if you have been attacked or someone has attempted to attack my machine? ... I don't really want to install a firewall for no reason. Yes, I know some of you will say that you will be hacked 9 times out of 10, but still, I want to know how you know if you've been scanned or attacked or similar things.

You don't say what distribution you're running; use Google to search for "linux portsentry" and download the appropriate binary package for it. That will tell you all the port scans that come into your system. Many distributions already have the portsentry files on their CDs; it was there on my Mandrake 8.1 for example.

My rule of thumb is quite simple: if you connect to the Internet, you need a firewall. In order to use portsentry, I have to leave a couple of openings in my firewall so that the scanners can get through as far as portsentry, but it then locks them out so they don't get any further. After you run it for a month or so I think you'll agree on the need. I get about 3 hits a day, on average, and I'm locked down pretty tightly!

unSpawn 03-08-2002 01:32 AM

People better install Snort instead of Portsentry if they want IDS capabilities.

The reason is simple, and I've posted this before: Portsentry will only tell you that someone tried to connect in some way to a port, while Snort will report that too and can examine the packets for known malicious payloads as well, so if known exploits are used you'll see it in the logging/reports.

Portsentry has got its own blocking capabilities by route, by adding the IP to the fw script, or by using some custom script. Snort relies on 3rd party apps to do blocking (compile --with-flexresp).

The real difference is Portsentry may be misguided by sending custom "offending" packets to known blocked ports, using spoofed IP addresses; it will block those addresses off. Snort will only initiate blocking action if the packet's payload matches criteria for malicious content.

Just my 2 cents
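
The "port logger" approach JimKyle and unSpawn discuss (Portsentry seeing connection attempts, then blocking the source) can be sketched in a few lines. The following is an added example, not code from the thread or from Portsentry or Snort: it parses constructed syslog-style lines (the log format, the `portlog` tag, the addresses and the `NEVER_BLOCK` set are all made up for this demo), flags a source that touches many distinct ports inside a short window, and, following unSpawn's spoofing caveat, refuses to auto-block addresses you can't afford to lose (gateway, resolver), downgrading those to alert-only.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread). The wording imitates a
# syslog-style connection logger; real tools have their own formats.
SAMPLE_LOG = """\
Mar  8 01:32:10 gw portlog: connection attempt from 203.0.113.7 to port 21/tcp
Mar  8 01:32:10 gw portlog: connection attempt from 203.0.113.7 to port 22/tcp
Mar  8 01:32:11 gw portlog: connection attempt from 203.0.113.7 to port 23/tcp
Mar  8 01:32:11 gw portlog: connection attempt from 203.0.113.7 to port 25/tcp
Mar  8 01:32:12 gw portlog: connection attempt from 203.0.113.7 to port 80/tcp
Mar  8 01:32:12 gw portlog: connection attempt from 203.0.113.7 to port 111/tcp
Mar  8 01:35:40 gw portlog: connection attempt from 198.51.100.2 to port 80/tcp
Mar  8 01:36:02 gw portlog: connection attempt from 198.51.100.2 to port 80/tcp
Mar  8 01:40:00 gw portlog: connection attempt from 192.0.2.1 to port 22/tcp
Mar  8 01:40:00 gw portlog: connection attempt from 192.0.2.1 to port 53/tcp
Mar  8 01:40:01 gw portlog: connection attempt from 192.0.2.1 to port 80/tcp
Mar  8 01:40:01 gw portlog: connection attempt from 192.0.2.1 to port 443/tcp
Mar  8 01:40:02 gw portlog: connection attempt from 192.0.2.1 to port 3306/tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ portlog: "
    r"connection attempt from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to port (?P<port>\d+)/(?P<proto>tcp|udp)$"
)

# Addresses that must never be blocked automatically, whatever the log says.
# A handful of packets with a forged source address would otherwise let a
# stranger make the auto-blocker cut you off from your own router or resolver.
NEVER_BLOCK = {"192.0.2.1"}  # constructed: pretend this is the upstream gateway


def parse_events(text, year=2002):
    """Turn matching log lines into (timestamp, src, port, proto) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # some other daemon's line; ignore it
        # syslog pads single-digit days with a space; collapse it before parsing
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["port"]), m["proto"]))
    return events


def detect_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Flag sources that hit >= min_ports distinct ports within any window.

    Returns {src: {"ports": [...], "action": "block" | "alert-only"}}.
    """
    by_src = defaultdict(list)
    for ts, src, port, _proto in events:
        by_src[src].append((ts, port))

    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        lo, best = 0, set()
        for hi in range(len(hits)):            # sliding window over sorted hits
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            ports = {p for _, p in hits[lo:hi + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            action = "alert-only" if src in NEVER_BLOCK else "block"
            findings[src] = {"ports": sorted(best), "action": action}
    return findings


if __name__ == "__main__":
    for src, info in detect_scans(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {len(info['ports'])} ports in window -> {info['action']}")
```

With the sample above, 203.0.113.7 probes six ports in two seconds and is marked for blocking, 198.51.100.2 retries a single web port and is left alone, and 192.0.2.1 trips the threshold but is only reported, because it is on the never-block list. Note that an attempt-counting detector still knows nothing about packet contents; that is exactly the gap unSpawn describes Snort filling.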

JimKyle 03-08-2002 06:58 AM

unSpawn has a good point; however, I suspect that any intrusion detection system is better than none at all. I've also heard very good things about AIDE, but since it's based on the same strategy that portsentry uses it would be subject to the same objections...

unSpawn 03-08-2002 10:42 AM

Snort you could call something like a host- or network-based intrusion detection system (IDS); you would use it to detect anomalies in network traffic by filtering it against signatures taken from known (malicious) code or plain text.

Aide is, like Samhain or Tripwire, a system integrity checker; you would use it to detect anomalies in the files on your disks, by "diffing" signatures from the database against the current checksum. Aide luckily enough has nothing in common with Portsentry :-]

Hope this clears it up a bit.
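
To make the distinction concrete, here is the integrity-checker idea unSpawn describes, reduced to its core. This is an added example, not code from the thread nor from AIDE, Samhain or Tripwire: it builds a baseline of SHA-256 digests, sizes and modes for every regular file under a directory, then re-walks the tree and reports what was added, removed or changed. The sample tree (a fake `bin/ls` and `passwd`) is constructed inside a temporary directory purely for the demo.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries don't have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink targets are checked where they really live
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline, current):
    """Diff two snapshots; any attribute change marks the file as changed."""
    report = {"added": [], "removed": [], "changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["changed"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"original ls binary (constructed)\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")

        # The baseline is the "database". In the AIDE/Tripwire model it is
        # kept off the monitored host or on read-only media; here it is just
        # serialised to a string to show it round-trips.
        saved = json.dumps(build_baseline(root))

        # Simulate a replaced binary, a dropped extra file and a deleted file.
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"replaced ls binary (constructed)\n")
        with open(os.path.join(bin_dir, "sh.bak"), "wb") as f:
            f.write(b"x")
        os.remove(os.path.join(root, "passwd"))

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Nothing here looks at network traffic, which is the point: a checker like this answers "has anything on my disk been altered since I last looked?", while a port logger or Snort answers "who is knocking, and with what?". The two are complementary, and the baseline is only as trustworthy as the place you keep it.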
