LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 05-26-2007, 01:18 PM   #16
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416Reputation: 416Reputation: 416Reputation: 416Reputation: 416

I'd highly recommend AIDE. Basically AIDE creates a snapshot of your current files (and yes you can tailor what directories is looks at) and then compares the files to that shapshot. It will notify you of what files have changed. This won't prevent an attack, but it will give you a way to figure out what has been modified should you be compromised. Samhain is another program that does something similar.

I think these sorts of integrity checkers are as important as the rootkit detectors since a very significant number of compromises are through weak applications. PHP programs seem to be particularly vulnerable, so if you're serving PHP apps from a web server, you do need to keep an eye on them.

Last edited by Hangdog42; 05-26-2007 at 01:21 PM.
 
Old 05-26-2007, 01:34 PM   #17
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
I'd say the thing you have to worry about most are not worms or viruses or malware. Those were designed for Window$ and just won't run on Linux, much like a '.exe' won't run on Linux (with a few exceptions ... yes a few, not many).

What you have to worry about more are hackers (or crackers or whatever (black hats)). Many have tried to get into my system. In fact, I have lots of logs of hacking attempts on my systems. And yes, there are many hack attempts on my system here. Not sure why. What do they want with my system. At my other house, I haven't gotten a single hack attempt in years, but here, every day I get a new one. And, unfortunately, nobody cares. You can report it to whomever you want, nobody will do anything about it. And that, I think, is the biggest problem of all.

I think, a good firewall is the best thing you can do for your system.
 
Old 05-26-2007, 01:44 PM   #18
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416Reputation: 416Reputation: 416Reputation: 416Reputation: 416
Quote:
Originally Posted by H_TeXMeX_H
Not sure why. What do they want with my system.
They want it to make it part of their botnet, which would allow them to spam, DOS, host files and all sorts of other nefarious activities. By turning your computer into a zombie they control, they can carry out their illegal activities and minimize the risk that they will be discovered. The idea that they want any of the information on your computer is a very outdated one.

In my opinion, a firewall is nice, but if you leave the system connected to the net, it is nowhere near enough.
 
Old 05-26-2007, 02:42 PM   #19
hitest
LQ Guru
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, Debian, BSDs
Posts: 5,245

Rep: Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242
Thank you, Hangdog42 and H_TeXMeX_H,

I appreciate your replies; I like to learn more about security:-)
 
Old 05-26-2007, 03:25 PM   #20
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
Quote:
Originally Posted by Hangdog42
They want it to make it part of their botnet, which would allow them to spam, DOS, host files and all sorts of other nefarious activities. By turning your computer into a zombie they control, they can carry out their illegal activities and minimize the risk that they will be discovered. The idea that they want any of the information on your computer is a very outdated one.

In my opinion, a firewall is nice, but if you leave the system connected to the net, it is nowhere near enough.
Alright then, that makes sense. Thanks for the info. I'm always open to more suggestions and good programs to have around.
 
Old 05-26-2007, 07:42 PM   #21
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by hitest
I currently use rkhunter and chkrootkit to scan for hacking attempts. Does anyone have another security utility that they employ? Just curious:-)
I use netstat, lsof, and socklist, primarily, but also use denyhosts, tcpwrappers, iptables (and ipf for my BSD boxes), modsecurity (for my public web server) and snort (deployed internally, externally, and on my public web server).

I'm really big on layered security but that's mainly because I'm employed as an IT security engineer.

I'm about to start experimenting with tarpits also.

Last edited by unixfool; 05-26-2007 at 07:53 PM.
 
Old 05-26-2007, 07:50 PM   #22
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by Hangdog42
I'd highly recommend AIDE. Basically AIDE creates a snapshot of your current files (and yes you can tailor what directories is looks at) and then compares the files to that shapshot. It will notify you of what files have changed. This won't prevent an attack, but it will give you a way to figure out what has been modified should you be compromised. Samhain is another program that does something similar.

I think these sorts of integrity checkers are as important as the rootkit detectors since a very significant number of compromises are through weak applications. PHP programs seem to be particularly vulnerable, so if you're serving PHP apps from a web server, you do need to keep an eye on them.
Those tools (AIDE and Samhain) are HIDS, or host intrusion detection systems. And you're right, they won't prevent attacks, but only make them observable. NIDS, or network intrusion detection systems, sniff network traffic and alarm when certain patterns are observed. You can link NIDS with firewalls and have the firewall block alarmed traffic.

I rely on NIDS because HIDS are only installed on individual systems and will not be able to monitor other hosts. I've 10 hosts in my home and don't want to monitor 10 HIDS. NIDS can monitor network segments that contain 1 or 1,000,000 hosts. HIDS are best used on high-value targets (for instance, medical data or financial records). You can also use both in the same environment.
 
Old 05-26-2007, 09:27 PM   #23
hitest
LQ Guru
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, Debian, BSDs
Posts: 5,245

Rep: Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242Reputation: 1242
Smile

Quote:
Originally Posted by unixfool
I use netstat, lsof, and socklist, primarily, but also use denyhosts, tcpwrappers, iptables (and ipf for my BSD boxes), modsecurity (for my public web server) and snort (deployed internally, externally, and on my public web server).

I'm really big on layered security but that's mainly because I'm employed as an IT security engineer.

I'm about to start experimenting with tarpits also.
Thank you, unixfool! I appreciate the tips, and the link:-) I'm going to go application hunting now. Cool.
 
Old 05-26-2007, 10:15 PM   #24
arcanex
Member
 
Registered: Mar 2007
Posts: 41

Rep: Reputation: 15
Quote:
Originally Posted by shadowdancer
Thank you..thank you..

especially for arcanex. I learn new important command here:
'ps -e -u' I usually just do ps -A | grep something
'netstat -ap' I usually do netstat -an
'find -uid 555 /' this is completely new to me. is that 555 is same with 'chmod 755'?
and can i find files using the name of the user 'test' instead of number?

thank you very much...

Try 'ps -eH u' too. It sorts it by parent process, ala 'pstree' . 'ps' has so many options, but after learning a few I don't even use 'top' anymore, plus it's greppable.

'netstat -anp' is nice too, and is probably more useful at first. If you see IP addresses that you want to look up more, then you do 'netstat -ap' to get their DNS names.

The 555 in 'find -uid 555 /' is different from 'chmod 755'. Honestly, I never figured out how the 755 numbers work, but the 555 is just the user id. You can do 'find -user [name] /' too, I believe, but in my example I had to do the uid since I did it _after_ I deleted the user, so there's no more record of their username, just the uid.
 
Old 05-26-2007, 10:23 PM   #25
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
Quote:
Originally Posted by unixfool
I'm about to start experimenting with tarpits also.
Now, that is very interesting. Thanks for the link
 
Old 05-27-2007, 08:41 AM   #26
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416Reputation: 416Reputation: 416Reputation: 416Reputation: 416
Quote:
Originally Posted by unixfool
I rely on NIDS because HIDS are only installed on individual systems and will not be able to monitor other hosts. I've 10 hosts in my home and don't want to monitor 10 HIDS.
Unless I'm missing something (always a real possibility), I think your situation is covered by Samhain. I've never used it, but my understanding is that it can be set up to work in a client-server mode, where one centralized Samhain server can monitor multiple remote clients.

I'd also like to point people to the sticky in the Security forum. unSpawn has a very nice collection of security links.

Last edited by Hangdog42; 05-27-2007 at 08:44 AM.
 
Old 05-28-2007, 10:01 AM   #27
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by Hangdog42
Unless I'm missing something (always a real possibility), I think your situation is covered by Samhain. I've never used it, but my understanding is that it can be set up to work in a client-server mode, where one centralized Samhain server can monitor multiple remote clients.

I'd also like to point people to the sticky in the Security forum. unSpawn has a very nice collection of security links.
Yeah, sorta like a syslog server or SEM. I'd thought about this. We have several setups of this nature in our enterprise environment. I didn't know that Samhain actually had native capability for this...it's a good thing to know.

Still, I'm more reliant on NIDS, as I'm more comfortable with them. HIDS are entirely different beasts.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
crossover office and virus / slackware cooljed Linux - Software 2 10-26-2005 07:19 PM
Virus spyware software with Slackware. dcc Linux - Security 1 03-03-2005 02:51 PM
Boot virus or Anti-Virus? AVG Free Anti-Virus Software problems SparceMatrix Linux - Security 9 08-02-2004 03:35 PM
Can slackware router get a virus? lord_emperor Linux - Software 7 06-30-2004 04:35 AM
slackware install/virus problem greenareyou Slackware 8 06-24-2003 08:30 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 09:09 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration