intrusion detected
Johann Spies
jspies at sun.ac.za
Mon Aug 8 13:14:26 UTC 2005
On Mon, Aug 08, 2005 at 12:41:54PM +1000, Serg Belokamen wrote:
> > 1. What is the Ubuntu equivalent of rpm -Va (as in the command rpm -Va >
> > /tmp/rpmVa.log) when I seek to find out what/if any changes have been made?
> > I am fairly certain no intrusion has occurred, but want to check.
>
> Not sure.
> Good way of doing this though would be to generate MD5 sum of every
> pkg and then regularly scan and see if sums match. Obviously keep
> that original file safe (not on same machine).

Or just use aide, keep your configuration and database on a read-only
floppy mounted. Aide will detect any changes to the files you
configured it to watch.

> > 2. What tools would you recommend for hardening a Ubuntu box?
>
> Bastille linux, manual checks, use some common auditing tools to see
> yourself from outside and manual tuning, ... tripwire, snort,
> iptables, regular nmap scans via a script with emailed output, there
> are 1000's

As far as I know aide is a tripwire-replacement. You can also look at
other tools like 'tiger'.

There is a document "securing-debian-howto" which is part of the
harden-doc package.

> > 3. Can these tools be automated to produce a regular report of intrusion
> > attempts?

Aide and snort can provide you with a lot of information.

Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch
"Ye lust, and have not; ye kill, and desire to have,
and cannot obtain; ye fight and war, yet ye have not,
because ye ask not." James 4:2
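
The baseline-and-compare check suggested in the thread, as an added Python example that is not part of the original messages. It uses SHA-256 in place of the MD5 sums mentioned above and also records permission bits; the function names, the JSON baseline format and the sample tree are assumptions made for illustration.

```python
import hashlib, json, os, pathlib, stat, tempfile

def snapshot(root):
    """Return {relative path: [sha256 hex, permission bits]} for regular files under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and device nodes are not hashed
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            found[os.path.relpath(path, root)] = [digest.hexdigest(), stat.S_IMODE(st.st_mode)]
    return found

def save_baseline(root, baseline_file):
    pathlib.Path(baseline_file).write_text(json.dumps(snapshot(root), indent=1, sort_keys=True))

def compare(root, baseline_file):
    """Report files added, removed, content-changed or permission-changed since the baseline."""
    old = json.loads(pathlib.Path(baseline_file).read_text())
    new = snapshot(root)
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in both if old[p][0] != new[p][0]),
        "mode_changed": sorted(p for p in both if old[p][1] != new[p][1]),
    }

def demo():  # constructed sample tree: record a baseline, alter the tree, compare
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as safe:
        def put(rel, data, mode):
            target = pathlib.Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            target.chmod(mode)
        put("bin/ls", b"original ls", 0o755)
        put("etc/passwd", b"root:x:0:0::/root:/bin/sh\n", 0o644)
        put("etc/motd", b"welcome\n", 0o644)
        baseline = os.path.join(safe, "baseline.json")  # stands in for the off-machine copy
        save_baseline(root, baseline)
        put("bin/ls", b"replaced ls", 0o755)                      # content change
        put("etc/passwd", b"root:x:0:0::/root:/bin/sh\n", 0o666)  # permission change only
        os.remove(os.path.join(root, "etc/motd"))
        put("tmp/.hidden", b"dropped file", 0o755)
        return compare(root, baseline)
```

A comparison is only as trustworthy as the baseline and the checker itself, which is why the thread's advice to keep the reference copy off the machine or on read-only media applies to this script as well.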