ajt (2546)

http://www.iredale.net/

UK based. Perl, XML/HTTP, SAP, Debian hacker.

  • CPAN: ATRICKETT [cpan.org]
  • PerlMonks: ajt [perlmonks.org]
  • Local LUG: AdamTrickett [lug.org.uk]
  • Debian Administration: ajt [debian-adm...ration.org]
  • LinkedIn: drajt [linkedin.com]

Journal of ajt (2546)

Wednesday January 26, 2005
08:35 AM

Tripwire, Snort et al...?

[ #22893 ]

Later this month we are going to replace a Windows NT AdvancedServer box with a Red Hat Linux Enterprise ES box. The machine is in our DMZ with an exposed port 80 to the Internet.

When the change takes place the Linux box will be my responsibility, I don't look after the current NT box. At the same time we'll also be exposing the box to the Internet with an inbound FTP enabled as well.

Officially I'm the web/Perl person, but I'm also the only really knowledgeable Linux admin here. I have passed from the "knowing a little but not how little", to the "knowing a little more but now knowing how little that is" stage. My paranoia is starting to kick in.

What kind of tools are there for knowing if a machine has been got at? Which ones are worth installing... Where to start?

  • Hello ajt,
    Snort as an Intrusion Detection System is very powerful; it scans your DMZ in real time and produces pretty HTML (with SnortSnarf, for example), but if you want to sniff all your network DMZ/LANs you do a better job with two or more IDSs (NIDS), one in the DMZ and another in your LAN, and join the results for a better analysis.
    In this area of IDSs you have another very good choice too, the AIDE.

    Tripwire is very nice too, but for static content; it takes a snapshot of your filesystem while out o
    • AIDE [cs.tut.fi] is what we've started using here. I've no experience with it because I'm no longer the sysadmin (hurrah!). But it seems to work ok for our (simple) needs. I suspect we're using it more to prevent mistakes than as an actual intrusion detection system though.

      -Dom

      • I spotted that when I was looking round the Debian site. Though the work box is RHEL-ES3, I run Debian at home, and I have the same paranoid worries there too...

        I know there are lots of tools to choose from, it's knowing where to start that is the problem. Thanks for the suggestion, I'll investigate that too.

        --
        -- "It's not magic, it's work..."
    • Most helpful, and your English is fine.

      Will do some investigating...

      --
      -- "It's not magic, it's work..."
  • chkrootkit is rather handy.

    In theory, chkrootkit and tripwire can only really be trusted once you've booted from known-good media, and tripwire's database likewise should be on media you trust, such as a CD. This is because an attacker could manipulate the kernel to lie about what's on the disk, and hence tripwire et al would not be giving you a true picture of what's going on. Also an attacker could change tripwire's database if that's stored on the machine that's been compromised. In practice this is

    • Will check out chkrootkit. It was easy to install on my Debian box at home, I'll have to try it at work tomorrow. I'm quite happy to build the tripwire or AIDE database and then burn it and the binary to CD, and run the application from CD. For home I just want to be safe; it's my money at stake. At work it's a lot more money, but also my job.

      Running Apache via a proxy is a good idea, the Apache use on the work system is light and very basic so it could be very easy to do.

      --
      -- "It's not magic, it's work..."
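The baseline-and-verify idea behind Tripwire and AIDE that the chkrootkit comment above describes, as an added Python example (not from this thread, and not AIDE's or Tripwire's own code): it records a hash plus mode, owner and size for each file, compares a later snapshot with the stored baseline, and refuses a baseline whose digest no longer matches the copy kept off the machine. All file names and contents in the demo are constructed.

```python
import hashlib, json, stat, tempfile
from pathlib import Path

def snapshot(root: Path) -> dict:
    """Hash and metadata for every regular file under root, keyed by relative path."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        entries[str(p.relative_to(root))] = {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size}
    return entries

def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed, or whose content, permissions, owner or size changed."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(k for k in both if baseline[k] != current[k])}

def load_baseline(db: Path, trusted_digest: str) -> dict:
    """Refuse a baseline that no longer matches the digest kept on read-only media."""
    data = db.read_bytes()
    if hashlib.sha256(data).hexdigest() != trusted_digest:
        raise ValueError("baseline database has been altered")
    return json.loads(data)

def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, then verify."""
    root = Path(tempfile.mkdtemp())
    db = Path(tempfile.mkdtemp()) / "baseline.json"  # stored outside the tree
    for d in ("bin", "etc"):
        (root / d).mkdir()
    (root / "bin" / "ls").write_bytes(b"original ls binary")
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    db.write_text(json.dumps(snapshot(root), sort_keys=True))
    digest = hashlib.sha256(db.read_bytes()).hexdigest()  # this copy lives off the box
    # Constructed changes: replaced setuid binary, extra account, unexpected new file
    (root / "bin" / "ls").write_bytes(b"replaced ls binary")
    (root / "bin" / "ls").chmod(0o4755)
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nx:x:0:0::/:/bin/sh\n")
    (root / "bin" / "sh").write_bytes(b"unexpected file")
    report = compare(load_baseline(db, digest), snapshot(root))
    db.write_text(db.read_text() + " ")  # the on-disk database is itself edited
    try:
        load_baseline(db, digest)
    except ValueError:
        return {"report": report, "tampered_db_rejected": True}
    return {"report": report, "tampered_db_rejected": False}
```

The demo only shows the logic; the point of the comment above stands, since a kernel that lies about file contents defeats any check run from the compromised system itself.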