intrusion detected
Brian Walker
bfwalker at gmail.com
Mon Aug 8 02:28:34 UTC 2005
Greetings all,
I have been delving into computer security after realising how criminally
negligent I had been in relying on the safety of linux rather than true
security measures, I began to take the issue seriously:
most /var/log/auth.log
showed numerous (recent) intrusion attempts from a few would-be crackers
using ssh which was still open. I would like to do a number of things, some
of which may be less than pristinely legal, but I wanted some ideas of
reasonable action. I am using "Hardening Linux" which is aimed at RH and
Suse users, as well as 2nd edition of "Anti-Hacker Toolkit" and a few other
reference books.
1. What is the Ubuntu equivalent of rpm -Va (as in the command rpm -Va >
/tmp/rpmVa.log) when I seek to find out what/if any changes have been made?
I am fairly certain no intrusion has occurred, but want to check.
2. What tools would you recommend for hardening a Ubuntu box?
3. Can these tools be automated to produce a regular report of intrusion
attempts?
Getting to the less legal side, what I really want to do is identify the
intruders, and EITHER report them to the admin (or alert the sysadmin as I
suspect from looking at the results of scanning that they have hijacked
another net) OR/AND hit them back. I see from nessus and nmap that they have
left considerable ports open, and are running vulnerable services.
Any thoughts?
Brian
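
Added example, not part of the original post: one way to approach question 3, turning sshd lines from /var/log/auth.log into a per-source report and flagging any accepted login that follows repeated failures from the same address. The sample lines are constructed, the function names and the threshold are assumptions, and the regular expression assumes the common OpenSSH "Failed/Accepted ... for USER from IP port N" wording, which other sshd versions may phrase differently.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the common OpenSSH syslog wording (not from the post).
SAMPLE_LOG = """\
Aug  7 03:11:02 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Aug  7 03:11:05 host sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Aug  7 03:11:09 host sshd[4105]: Failed password for root from 203.0.113.7 port 40133 ssh2
Aug  7 04:02:44 host sshd[4220]: Failed password for brian from 198.51.100.23 port 51514 ssh2
Aug  7 04:02:51 host sshd[4220]: Failed password for brian from 198.51.100.23 port 51514 ssh2
Aug  7 04:03:02 host sshd[4222]: Accepted password for brian from 198.51.100.23 port 51520 ssh2
Aug  7 09:15:30 host sshd[5001]: Accepted publickey for brian from 192.0.2.10 port 60022 ssh2
"""

# One authentication result per line: outcome, method, optional "invalid user", user, source.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(lines, threshold=2):
    """Return (failures per IP, users tried per IP, accepted logins after >= threshold failures)."""
    failures = Counter()
    users = defaultdict(set)
    suspicious = []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # not an sshd authentication result
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(m["user"])
        elif failures[ip] >= threshold:
            # A success after repeated failures from the same source deserves a manual look.
            suspicious.append((ip, m["user"], failures[ip]))
    return failures, users, suspicious

def report(lines, threshold=2):
    failures, users, suspicious = summarize(lines, threshold)
    out = ["Failed SSH logins by source:"]
    for ip, n in failures.most_common():
        out.append(f"  {ip:<15} {n:>4}  users tried: {', '.join(sorted(users[ip]))}")
    out.append("Accepted logins preceded by failures from the same source:")
    for ip, user, n in suspicious:
        out.append(f"  {ip:<15} user {user} after {n} failures")
    if not suspicious:
        out.append("  none")
    return "\n".join(out)
```

Calling `report(open("/var/log/auth.log"))` from a daily cron job and mailing the result gives the regular report asked about; an entry in the second section is the one to investigate first.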