intrusion detected

Matt Patterson matt at v8zman.com
Mon Aug 8 03:18:50 UTC 2005


Hey Brian,

I don't know a whole lot about the hardening stuff; I simply run minimal 
services, mostly on incorrect ports, maintain good passwords, and keep 
up to date. For the majority of us I think that is good for the 5 nines 
(99.999%) of hackers.

As for your plans of hitting them back, don't bother; you would just be 
hitting some poor unsuspecting sap who already has the problem of a 
computer that is operating way too slowly with three million pop-up ads. 
Most of the break-in attempts you receive will be from zombie machines 
doing automated scans of IP space.

Your best approach is to locate the root domain or ISP and send a quick 
email with logs reporting that the computer has been compromised. The 
ISP will pull them from the net, and the owner will be notified.

Matt



Brian Walker wrote:

> Greetings all,
>
> I have been delving into computer security after realising how 
> criminally negligent I had been in relying on the safety of Linux 
> rather than true security measures. I began to take the issue seriously:
>
> most /var/log/auth.log
>
> showed numerous (recent) intrusion attempts from a few would-be 
> crackers using ssh which was still open. I would like to do a number 
> of things, some of which may be less than pristinely legal, but I 
> wanted some ideas of reasonable action. I am using "Hardening Linux" 
> which is aimed at RH and Suse users, as well as 2nd edition of 
> "Anti-Hacker Toolkit" and a few other reference books.
>
> 1. What is the Ubuntu equivalent of rpm -Va (as in the command rpm -Va 
> > /tmp/rpmVa.log) when I seek to find out what/if any changes have 
> been made? I am fairly certain no intrusion has occurred, but want to 
> check.
> 2. What tools would you recommend for hardening a Ubuntu box?
> 3. Can these tools be automated to produce a regular report of 
> intrusion attempts?
>
> Getting to the less legal side, what I really want to do is identify 
> the intruders, and EITHER report them to the admin (or alert the 
> sysadmin as I suspect from looking at the results of scanning that 
> they have hijacked another net) OR/AND hit them back. I see from 
> nessus and nmap that they have left considerable ports open, and are 
> running vulnerable services.
>
> Any thoughts?
>
> Brian
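
[Editor's added example, not part of either message above.] Brian's third 
question asks for a regular report of intrusion attempts, and Matt's advice 
is to send the relevant log lines to the owning ISP. The script below does 
both over auth.log-style input: it counts failed sshd password attempts per 
source address and prints the raw lines for the most active address so they 
can be attached to an abuse report. The log lines, the host name "box", the 
PIDs and the addresses are constructed for the example (documentation 
ranges); on a real system you would feed it /var/log/auth.log instead of 
sample_log. The function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins from an auth.log-style file.
# Everything below is constructed for illustration; nothing is taken from
# the original thread's logs.

# Constructed sample in the OpenSSH/syslog format of the period. Older
# OpenSSH logs "Illegal user", newer releases "Invalid user"; both are
# handled because we key on the "from <ip>" tokens, not on that wording.
# On a real box: cat /var/log/auth.log | report
sample_log() {
    cat <<'EOF'
Aug  7 22:01:13 box sshd[4021]: Illegal user test from 203.0.113.5
Aug  7 22:01:13 box sshd[4021]: Failed password for illegal user test from 203.0.113.5 port 40120 ssh2
Aug  7 22:01:17 box sshd[4023]: Failed password for root from 203.0.113.5 port 40131 ssh2
Aug  7 22:01:20 box sshd[4025]: Failed password for illegal user admin from 203.0.113.5 port 40140 ssh2
Aug  7 23:14:02 box sshd[4101]: Accepted publickey for brian from 198.51.100.7 port 51022 ssh2
Aug  8 01:30:44 box sshd[4310]: Failed password for root from 192.0.2.44 port 2233 ssh2
Aug  8 01:30:49 box sshd[4312]: Failed password for illegal user oracle from 192.0.2.44 port 2240 ssh2
Aug  8 02:02:10 box su[4400]: pam_unix(su:auth): authentication failure; logname=brian uid=1000 euid=0 tty=pts/0 ruser=brian rhost=  user=root
EOF
}

# Read a log on stdin; print "<count> <ip>" for failed sshd password
# attempts, most active source first. Only sshd lines are considered, so
# local su/sudo failures (like the last sample line) are not counted.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Read a log on stdin; print every sshd line whose "from" token is exactly
# the given address (token comparison, so 203.0.113.5 does not match
# 203.0.113.50). This is the evidence you would send to the ISP.
attempts_from() {
    awk -v ip="$1" '/sshd\[[0-9]+\]: / {
        for (i = 1; i <= NF; i++)
            if ($i == "from" && $(i + 1) == ip) { print; break }
    }'
}

# Read a log on stdin; print the number of failed password attempts from
# one address (0 when there are none).
count_failed_from() {
    attempts_from "$1" | grep -c 'Failed password for' || true
}

# Full report: per-address totals, then the raw lines for the top source.
# Finding the abuse contact is a separate, online step, e.g.
#   whois "$top" | grep -i abuse
# which is deliberately not run here.
report() {
    log=$(cat)
    printf 'Failed SSH logins by source address:\n'
    printf '%s\n' "$log" | failed_by_ip | awk '{ printf "  %5d  %s\n", $1, $2 }'
    top=$(printf '%s\n' "$log" | failed_by_ip | awk 'NR == 1 { print $2 }')
    [ -n "$top" ] || return 0
    printf '\nEvidence lines for %s (attach to an abuse report):\n' "$top"
    printf '%s\n' "$log" | attempts_from "$top"
}

sample_log | report
```

Run it from cron with /var/log/auth.log on stdin and mail the output to 
yourself for the periodic report Brian describes. For his first question, 
the closest Debian/Ubuntu counterpart to rpm -Va is debsums, which checks 
installed files against the md5sums shipped in each package; like rpm -Va 
it is only as trustworthy as the package database on a box that may 
already be compromised.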






More information about the ubuntu-users mailing list