intrusion detected

Johann Spies jspies at sun.ac.za
Mon Aug 8 13:14:26 UTC 2005


On Mon, Aug 08, 2005 at 12:41:54PM +1000, Serg Belokamen wrote:
> >  1. What is the Ubuntu equivalent of rpm -Va (as in the command rpm -Va >
> > /tmp/rpmVa.log) when I seek to find out what/if any changes have been made?
> > I am fairly certain no intrusion has occurred, but want to check.
> Not sure.
> Good way of doing this though would be to generate MD5 sum of every
> pkg and then regularly scan and see if sums match. Obviously keep
> that original file safe (not on same machine).

Or just use aide, and keep your configuration and database on a
read-only mounted floppy.  Aide will detect any changes to the files you
configured it to watch.

> >  2. What tools would you recommend for hardening a Ubuntu box? 
> Bastille linux, manual checks, use some common auditing tools to see
> your self from outside and manual tuning, ... tripwire, snort,
> iptables, regular nmap scans via a script with emailed output, there
> are 1000's

As far as I know aide is a tripwire replacement.  You can also look at
other tools like 'tiger'.

There is a document "securing-debian-howto" which is part of the
harden-doc package.

> >  3. Can these tools be automated to produce a regular report of intrusion
> > attempts?

Aide and snort can provide you with a lot of information.

Regards
Johann
-- 
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

     "Ye lust, and have not; ye kill, and desire to have, 
      and cannot obtain; ye fight and war, yet ye have not, 
      because ye ask not."            James 4:2 
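
The thread describes two ways to answer question 1: record a checksum of
every file and compare later, or run AIDE with its database kept on
read-only media.  The script below is an added example, not code from the
thread or from any of the tools named in it.  It implements the
baseline-and-compare idea in POSIX shell: make_baseline records one hash per
regular file under a directory, compare_baseline reports CHANGED, ADDED and
REMOVED files against that record, and integrity_check wraps it with an
exit status like aide --check.  It uses SHA-256 rather than the MD5 the
thread mentions, assumes file paths without spaces, and builds its sample
tree in a temporary directory (the file names and contents are constructed
for the demo).

```shell
#!/bin/sh
# Added example: baseline-and-compare file integrity check.
# Assumes paths without spaces (true for /etc, /usr/bin, ...).
set -eu

# hash_file FILE: print the SHA-256 of FILE (sha256sum on Linux, shasum elsewhere).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# make_baseline DIR DBFILE: write one "hash path" line per regular file under DIR.
# The resulting DBFILE is what you would copy to read-only media or another host.
make_baseline() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s %s\n' "$(hash_file "$f")" "$f"
  done > "$2"
}

# compare_baseline DIR DBFILE: print one finding per line; prints nothing when clean.
compare_baseline() {
  dir=$1
  db=$2
  # Pass 1: walk the baseline to find removed or modified files.
  while read -r hash path; do
    if [ ! -f "$path" ]; then
      echo "REMOVED $path"
    elif [ "$(hash_file "$path")" != "$hash" ]; then
      echo "CHANGED $path"
    fi
  done < "$db"
  # Pass 2: walk the live tree to find files with no line in the baseline.
  find "$dir" -type f | LC_ALL=C sort | awk -v db="$db" '
    BEGIN { while ((getline line < db) > 0) { sub(/^[^ ]+ /, "", line); seen[line] = 1 } }
    !($0 in seen) { print "ADDED " $0 }'
}

# integrity_check DIR DBFILE: exit 0 when the tree matches the baseline, 1 otherwise.
integrity_check() {
  # A baseline the checked host can rewrite is no baseline; this mirrors the
  # read-only floppy advice above.  (Always warns when run as root.)
  if [ -w "$2" ]; then
    echo "warning: baseline $2 is writable; keep it read-only or off-host" >&2
  fi
  report=$(compare_baseline "$1" "$2")
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
  return 0
}

# demo: constructed sample tree, a baseline, then three simulated tampering events.
demo() {
  root=$(mktemp -d)
  mkdir "$root/tree"
  printf 'root:x:0:0\n' > "$root/tree/passwd"
  printf 'PermitRootLogin no\n' > "$root/tree/sshd_config"
  make_baseline "$root/tree" "$root/baseline.db"
  chmod 444 "$root/baseline.db"
  # Simulated intrusion: a config weakened, a file dropped in, a file deleted.
  printf 'PermitRootLogin yes\n' > "$root/tree/sshd_config"
  printf '#!/bin/sh\n' > "$root/tree/.dropped"
  rm "$root/tree/passwd"
  if integrity_check "$root/tree" "$root/baseline.db"; then
    echo "no changes"
  fi
  rm -rf "$root"
}

demo
```

On Debian and Ubuntu the packaged equivalent of rpm -Va is debsums, which
compares installed files with the md5sums that each package ships in
/var/lib/dpkg/info/; newer dpkg releases also offer dpkg --verify.  Both
read their reference sums from the machine being checked, so someone who
can replace a binary can also update its recorded sum.  That is why the
baseline from a script like the one above, or AIDE's database, belongs on
read-only media or on a different host, as the reply recommends.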




More information about the ubuntu-users mailing list