What are the tell-tale signs that a Linux server has been hacked? Are there any tools that can generate and email an audit report on a scheduled basis?
- Keep a pristine copy of critical system files (such as ls, ps, netstat, md5sum) somewhere, with an md5sum of them, and compare them to the live versions regularly. Rootkits will invariably modify these files. Use these copies if you suspect the originals have been compromised.
- aide or tripwire will tell you of any files that have been modified – assuming their databases have not been tampered with.
- Configure syslog to send your logfiles to a remote log server where they can’t be tampered with by an intruder. Watch these remote logfiles for suspicious activity.
- Read your logs regularly – use logwatch or logcheck to synthesize the critical information.
- Know your servers. Know what kinds of activities and logs are normal.
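A minimal version of the first two points above (record checksums of critical binaries, then compare the live versions against them on a schedule), as an added example that is not part of the original answer. It uses sha256sum rather than md5sum and builds its sample "binaries" in a temporary directory, so it runs offline:

```shell
#!/bin/sh
# Added example (not from the original answer): baseline-and-compare check in
# the spirit of "keep pristine checksums of ls, ps, netstat, md5sum and compare
# them to the live versions regularly". sha256sum replaces md5sum because MD5
# collisions are practical. Keep the baseline on read-only or offline media;
# an intruder with root can otherwise regenerate it (the same caveat the answer
# gives for the aide/tripwire databases).

# build_baseline BASELINE FILE... : record "hash  path" for each file
build_baseline() {
    baseline="$1"; shift
    sha256sum "$@" > "$baseline"
}

# check_baseline BASELINE : print "MODIFIED: path" for every file whose current
# hash differs from the recorded one (a deleted file also counts as modified).
# Exit status 0 when everything matches, 1 when anything changed.
check_baseline() {
    changed=0
    while read -r recorded path; do
        current=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$current" != "$recorded" ]; then
            echo "MODIFIED: $path"
            changed=1
        fi
    done < "$1"
    return "$changed"
}

# count_modified BASELINE : number of files flagged by check_baseline
count_modified() {
    check_baseline "$1" | wc -l | tr -d ' '
}

# make_demo_dir : constructed sample "binaries" plus their baseline in a temp
# directory, then a simulated replacement of ps. Prints the directory path.
make_demo_dir() {
    dir=$(mktemp -d)
    printf 'original ls\n' > "$dir/ls"
    printf 'original ps\n' > "$dir/ps"
    build_baseline "$dir/baseline.sha256" "$dir/ls" "$dir/ps"
    printf 'trojaned ps\n' > "$dir/ps"      # simulate tampering with ps
    echo "$dir"
}

demo=$(make_demo_dir)
check_baseline "$demo/baseline.sha256" || echo "report: integrity check FAILED"
rm -rf "$demo"
# Scheduled use would be a cron entry along the lines of:
#   0 6 * * * check_baseline /media/ro/baseline.sha256 | mail -s "integrity report" root
```

The cron line at the end is illustrative; the path to the read-only baseline and the mail recipient are placeholders.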