Hi!
john wrote:
> I'd be interested to hear some recommendations for IDS to run on
> internet facing servers. Especially from the point of view of ease of
> installation, ease of maintenance, quality of the tool, and ability to
> have it deliver really useful information to the admin. I've used
Hi,
If you run a large number of hosts, I suggest samhain.
You have many features builtin (monitoring of files, system.map
altering, suid bits, appending only on log files etc.).
It works on client server model (a server who centralize hosts
integrity database).
Communications are secure (AES for ci
I really like OSSEC. It's licensed under GPL V3. The agent runs on
multiple platforms. It's easy to install, relatively easy to configure.
The agent is a self-contained HIDS, rootkit detector, log and file
monitor.
It can also decode Snort, Cisco PIX/ASA, IPTables, and a whole lot of
other logs.
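The samhain and OSSEC recommendations above both come down to the same core mechanism as tripwire: take a baseline of file hashes and permission bits, re-scan later, and report what changed (modified binaries, new setuid files, removed files). The following is an added example that is not code from samhain, OSSEC, tripwire or anyone in this thread; it implements that baseline/compare loop in plain Python over a constructed temporary directory tree (the file names and the "tampering" are invented for the demonstration).

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Hash a file's contents and capture the metadata an integrity checker cares about."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> dict:
    """Walk root and record every regular file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():  # symlinks are skipped; follow-ups would hash the target
                continue
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return human-readable findings; an empty list means nothing changed."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append(f"ADDED {rel}")
            if new["setuid"]:
                findings.append(f"SETUID {rel}")
            continue
        if new is None:
            findings.append(f"REMOVED {rel}")
            continue
        if old["sha256"] != new["sha256"]:
            findings.append(f"MODIFIED {rel}")
        if old["mode"] != new["mode"]:
            findings.append(f"MODE {rel} {old['mode']:o} -> {new['mode']:o}")
        if new["setuid"] and not old["setuid"]:
            findings.append(f"SETUID {rel}")
        if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
            findings.append(f"OWNER {rel}")
    return findings


def demo() -> list:
    """Constructed scenario: snapshot a small tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd")  # constructed content
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")    # constructed content
        baseline = build_baseline(root)
        # Simulated tampering (constructed): binary replaced, setuid helper dropped,
        # config file removed.
        (root / "bin" / "sshd").write_bytes(b"trojaned sshd")
        helper = root / "bin" / "helper"
        helper.write_bytes(b"#!/bin/sh\n")
        helper.chmod(0o4755)
        (root / "etc" / "passwd").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point a real HIDS adds on top of this loop is where the baseline lives: if the database sits on the monitored host, an intruder with root can simply regenerate it, which is why samhain's client/server model and OSSEC's central manager keep the reference copy off the box.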
On Wed, 2009-06-03 at 08:53 -0700, john wrote:
> On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha wrote:
> > I'm surprised more people aren't running tripwire or other IDS.
> I'd be interested to hear some recommendations for IDS to run on
> internet facing servers. Especially from the point of view
On Wed, Jun 3, 2009 at 5:53 PM, john wrote:
> I'd be interested to hear some recommendations for IDS to run on
> internet facing servers. Especially from the point of view of ease of
> installation, ease of maintenance, quality of the tool, and ability to
> have it deliver really useful informatio
Quoting Boyd Stephen Smith Jr. (b...@iguanasuicide.net):
> I inherited a tripwire installation at some point. It was one mail message
> per day (and if you didn't get that message you knew something was wrong).
>
> It required a bit of tuning to not report errors regularly, but once I spent
>
Remember, that a HIDS (host IDS) is just a detective control on the
host. It shows that you have been hacked, you will probably want a
good NIDS (network IDS) to see what attacks are being attempted over
the wire.
HIDS is good to quickly detect a compromise...
http://sourceforge.net/proj
In <2be970b50906030853t29dfb90atd60089611f98e...@mail.gmail.com>, john
wrote:
>On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha wrote:
>> I'm surprised more people aren't running tripwire or other IDS.
>
>I'd be interested to hear some recommendations for IDS to run on
>internet facing servers.
I i
On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha wrote:
> I'm surprised more people aren't running tripwire or other IDS.
I'd be interested to hear some recommendations for IDS to run on
internet facing servers. Especially from the point of view of ease of
installation, ease of maintenance, quality
I'm surprised more people aren't running tripwire or other IDS.
On Tue, Jun 2, 2009 at 1:37 PM, Guntram Trebs wrote:
> Hello,
>
> there are few chances of replacing sshd without being root. In your place I
> would install every server new.
>
> I think, he spied out passwords and maybe got root-Pa
Hello,
there are few chances of replacing sshd without being root. In your
place I would install every server new.
I think, he spied out passwords and maybe got root-Passwords in this
way. Possibly he has even accessed servers where you didn't find him and
left backdoors there. (manipulation
On Tue, Jun 2, 2009 at 6:42 PM, Wade Richards wrote:
> Don't obsess on root access. Any unauthorized use is a problem.
You are right of course. Right after I sent my message saying that
"perhaps the machine hasn't been exploited yet" I realised how wrong
such a view is. Someone gained access to
Although it's worse if an attacker has root, don't think that just because
the attacker doesn't have root, it's no big deal. If an attacker can run
(even as an ordinary user) unauthorized software on your machine, then
your machine may be part of a botnet. And having unauthorized user access
to a
On Mon, Jun 01, 2009 at 07:23:27AM -0400, Michael Stone wrote:
> Yes, that's a typical location for intruders to drop files. Easiest
> thing to do is reinstall after thinking about how the compromise may
> have occurred. (Did you update regularly, including kernel updates? Did
> all accounts
Izak Burger wrote:
On Mon, Jun 1, 2009 at 12:26 PM, Vladislav Kurz
I agree, chances are the box hasn't been exploited just yet, but I
would be worried about just how he got that file there in the first
place. We know that directory is world writable, so it could have been
written by anythin
On Mon, Jun 1, 2009 at 12:26 PM, Vladislav Kurz
wrote:
> Well, this really looks suspicious. Look for unexpected processes running,
> open ports, etc. Directory /dev/shm/ is world-writable like /tmp, so chances
> are that the attacker did not gain root yet. But he might have shell
> listening on s
On Mon, Jun 01, 2009 at 12:31:04PM +0100, Marcin Owsiany wrote:
Note that this seems to be a simple "expect(1)" script which runs a
shell. Not necessarily an indication of anything apart from a possible
attacker trying to exploit something using expect.
It's also an indication that the attacker
On Mon, Jun 01, 2009 at 12:26:49PM +0200, Vladislav Kurz wrote:
> On Monday 01 of June 2009, Johann Spies wrote:
> > spawn /bin/bash
> > interact
Note that this seems to be a simple "expect(1)" script which runs a
shell. Not necessarily an indication of anything apart from a possible
attacker tryi
On Mon, Jun 01, 2009 at 10:46:54AM +0200, Johann Spies wrote:
I am a bit worried that my computer has been compromised.
...
I think the last three lines are not problematic but in /dev/shm/r I found:
spawn /bin/bash
interact
Do I have reason to be worried?
Yes, that's a typical loc
On Monday 01 of June 2009, Johann Spies wrote:
> I am a bit worried that my computer has been compromised.
>
> Rkhunter reported:
>
> [10:35:47] Warning: Suspicious file types found in /dev:
> [10:35:47] /dev/shm/r: ASCII text
> [10:35:48] Checking for hidden
I am a bit worried that my computer has been compromised.
Rkhunter reported:
[10:35:47] Warning: Suspicious file types found in /dev:
[10:35:47] /dev/shm/r: ASCII text
[10:35:48] Checking for hidden files and directories [ Warning ]
[10:35:48] Warning: Hidden directory found