Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
How do you tell if you have been attacked or someone has attempted to attack my machine? Like reading logs and similar things? How do you do that? Any software that has this function? I want to know if someone has attempted to hack my machine, because I don't really want to install a firewall for no reason. Yes, I know some of you will say that you will be hacked 9 times out of 10, but still, I want to know how you know if you've been scanned or attacked or similar things.
Well, yeah, check logs. Unless you've put in place a general port logger, you won't be able to tell other than people attempting to connect to specific services such as Samba or Apache, in which case it'd be in their logs, as you'd expect, like /var/log/samba/"hostname".
How do you tell if you have been attacked or someone has attempted to attack my machine? ... I don't really want to install a firewall for no reason. Yes, I know some of you will say that you will be hacked 9 times out of 10, but still, I want to know how you know if you've been scanned or attacked or similar things.
You don't say what distribution you're running; use Google to search for "linux portsentry" and download the appropriate binary package for it. That will tell you all the port scans that come into your system. Many distributions already have the portsentry files on their CDs; it was there on my Mandrake 8.1 for example.
My rule of thumb is quite simple: if you connect to the Internet, you need a firewall. In order to use portsentry, I have to leave a couple of openings in my firewall so that the scanners can get through as far as portsentry, but it then locks them out so they don't get any further. After you run it for a month or so I think you'll agree on the need. I get about 3 hits a day, on average, and I'm locked down pretty tightly!
Ppl better install Snort instead of Portsentry if they want IDS capabilities.
The reason is simple, and I've posted this before, Portsentry only will tell you someone tries to connect in some way to a port, while Snort will report that too and it can examine the packets for known malicious payload as well, so if there are known exploits used you'll see it in the logging/reports.
Portsentry has got its own blocking capabilities by route, by adding the IP to the fw script, or by using some custom script. Snort relies on 3rd party apps to do blocking (compile --with-flexresp).
The real difference is Portsentry may be misguided by sending custom "offending" packets to known blocked ports, using spoofed IP addresses; it will block those addresses off. Snort will only initiate blocking action if the packet's payload matches criteria for malicious content.
unSpawn has a good point; however I suspect that any intrusion detection system is better than none at all. I've also heard very good things about AIDE, but since it's based on the same strategy that portsentry uses it would be subject to the same objections...
Snort you could call something like a host or network based intrusion detection system (IDS); you would use it to detect anomalies in network traffic by filtering it against signatures taken from known (malicious) code or plain text.
Aide is, like Samhain or Tripwire, a system integrity checker, you would use it to detect anomalies in the files on your disks, by "diffing" signatures from the database against the current checksum. Aide luckily enuff has nothing in common with Portsentry :-]
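The "diffing" of stored signatures against current checksums that unSpawn describes for AIDE, Samhain and Tripwire, as an added example (not AIDE's or any of those projects' code): a minimal Python integrity checker that records a baseline of SHA-256 digests for a directory tree and, on later runs, reports files that were added, removed or modified. The tree to watch and the database file are whatever you pass on the command line.

```python
"""Minimal AIDE-style file-integrity checker (added example, not AIDE's code).
First run: store a baseline of SHA-256 digests. Later runs: diff the
current tree against that baseline and report what differs."""
import hashlib
import json
import os
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Digest a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_db(root: str) -> Dict[str, str]:
    """Map every regular file under `root` (path relative to root) to its
    SHA-256. Symlinks are skipped so a link is never mistaken for the
    content of whatever it points at."""
    db: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            db[os.path.relpath(full, root)] = sha256_file(full)
    return db


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a fresh scan against the baseline. Every path listed is a file
    whose presence or content changed since the baseline was taken."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    # Usage: integrity.py <root> <db.json>; the first run writes the baseline.
    import sys
    root, dbfile = sys.argv[1], sys.argv[2]
    if not os.path.exists(dbfile):
        json.dump(build_db(root), open(dbfile, "w"), indent=1, sort_keys=True)
    else:
        print(json.dumps(compare(json.load(open(dbfile)), build_db(root)), indent=1))
```

As with AIDE, the baseline has to live somewhere the monitored host cannot quietly rewrite it (read-only media or another machine); otherwise whatever altered the files can alter the database to match.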