
| Subject: | Re: Intrusion Detection |
|---|---|
| Date: | Mon, 10 Jul 2006 22:50:23 -0300 (ART) |
Hi David,

There are many things you can do to "try" to detect intrusions on your systems. I say "try", because if the attacker succeeded, he can do a lot of tricks to hide himself. In my opinion, the three most important things you need to do at a host level are:

- Watch your logs and send them as close to real time as possible to an external system for analysis. I think that most admins do not care about their logs and they miss a lot of useful information. Having the logs on an external system makes them harder to be deleted or altered. *And yes, I mean httpd logs, mail logs, syslogs, IDS logs, etc.
- Monitor your system and kernel for anomalies. If you see similar system calls having different results, or strange files, or anything else "weird", you may need to check for rootkits.
- Monitor your binaries and configuration files for changes and store the baseline outside of each system.

Besides host-based detection, you may need to watch your network traffic for weird ports (I like the bottom 20 concept -- the least accessed ports) and run an NIDS to detect any known attacks.

*Ok, now some propaganda. I think ossec is the only system that does all three aspects I mentioned about host-based intrusion detection. It analyses your logs in real time (very close to it at least), it does rootkit detection and file integrity checking. All this information is stored on an outside box, and the communication between the server and the "agents" (which you install on every box you want to monitor) is done with compression and encryption.

You can check it out here: http://www.ossec.net

Latest version: http://www.ossec.net/files/ossec-hids-0.8-6.tar.gz

Paper I wrote about log analysis and intrusion detection. Maybe helpful too: http://www.ossec.net/en/loganalysis.html

Thanks,

-- Daniel B. Cid dcid ( at ) ossec.net

--- David Robert <david31900@rogers.com> wrote:
> Hello all,
>
> I've been reading this list for some time and I can't help but notice that there is a lot of information and discussion about securing systems, but very little about how to detect if you *are* compromised. This is one of my major concerns. I can advocate all kinds of practices and procedures, but eventually someone will get through. So how can I tell? Especially if they are trying not to leave traces? Are there a few very simple, dumb things that everyone should do in this regard? If so, then I haven't heard them. If you could list them, or point me to some good resources, it would be much appreciated.
>
> Thanks,
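The third item in Daniel's list, checking binaries and configuration files against a baseline kept off the monitored host, as an added example that is not OSSEC's code or anything posted in this thread. The `build_baseline` and `compare_baseline` helpers are hypothetical, and the sample files under a temporary directory are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def build_baseline(roots):
    """Return {path: sha256} for every regular file under the given root directories."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue  # symlinks are skipped; their targets are hashed on their own path
                with open(path, "rb") as fh:
                    baseline[path] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def compare_baseline(old, new):
    """Report files added, removed or modified relative to the stored baseline."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: snapshot a fake etc/ tree, tamper with it, then re-check."""
    etc = os.path.join(tempfile.mkdtemp(), "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(etc, "sshd_config"), "w") as fh:
        fh.write("PermitRootLogin no\n")
    baseline = build_baseline([etc])
    # The baseline belongs on the external analysis box, not on the host it describes;
    # serialising it to JSON is the form in which it would be shipped there and reloaded.
    stored = json.loads(json.dumps(baseline))
    # Simulate three kinds of change an intruder might cause.
    with open(os.path.join(etc, "sshd_config"), "w") as fh:
        fh.write("PermitRootLogin yes\n")          # modified config
    with open(os.path.join(etc, "new.conf"), "w") as fh:
        fh.write("unexpected\n")                   # dropped-in file
    os.remove(os.path.join(etc, "passwd"))         # deleted file
    report = compare_baseline(stored, build_baseline([etc]))
    return {k: [os.path.relpath(p, etc) for p in v] for k, v in report.items()}
```

Run `demo()` to see the three findings; in practice the comparison runs on the external box against a baseline it already holds, so a compromised host cannot simply rewrite both sides.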