From owner-freebsd-security Thu May 3 9:42:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id A8A5A37B423 for ; Thu, 3 May 2001 09:42:09 -0700 (PDT) (envelope-from lee@kechara.net)
Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id SAA27778 for ; Thu, 3 May 2001 18:58:23 +0100
Message-Id: <200105031758.SAA27778@mailgate.kechara.net>
Date: Thu, 03 May 2001 17:44:46 +0100
To: freebsd-security@freebsd.org
From: Lee Smallbone
Subject: Re: Security Monitors
Reply-To: lee@kechara.net
Organization: Kechara Internet
X-Mailer: Opera 5.02 build 856a
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii";
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Generally I don't tend to rely (too) much on host-based security monitoring. Rather, I prefer the NIDS (Network Intrusion Detection System) approach. Every server here has some host-based monitoring (logcheck, tripwire etc.), but the NIDS provides very high quality information that can be relied on more so than host-based logs, which can be tampered with. That is not to say the NIDS data cannot be tampered with, but chances are an attacker won't even know one is in place.

As snort analyses packets as they travel through the network, even exploits that don't work are logged. 'Pre-attack' signatures such as port scans, traceroutes, pings and so forth are also logged.

In our particular case, we use snort and acid. (www.snort.org, http://www.cert.org/kb/acid/)

hth,

--
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

03/05/2001 03:18:25, Glenn G wrote:

> Good Morning All! I have a quick question regarding security
> monitoring. We have a Linux server that was recently breached
> (completely my fault btw. Never got around to securing it up very
> well.)
>
> To my point... FreeBSD has been much more secure in my limited experience
> than most other OS's out there. I would however like to install more
> monitoring software on the box so it will alert me if there has been an
> attack. I have been looking at "mon", "bro", and "logcheck". Can
> anyone give any recommendations? Experiences?
>
> Also, is it worthwhile to install "xinetd"? Again, any advice would be
> awesome.
>
> Any help is greatly appreciated!!! ;-)
>
> Happy Day,
> glenn
>
> PS - I am on the digest list so please be patient for any feedback from
> me. :-)
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
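As an added example (not code from Lee, Glenn or the snort project), the following Python sketch shows the point the reply makes about network-side monitoring: a sensor that records every connection attempt sees a port scan even when the host refused most of the probes and logged nothing. The record format and the addresses are constructed for this example; real snort output and rule syntax differ.

```python
"""Port-scan detection over constructed network-sensor records.

Each record is "time_seconds src dst dport result", where result is
"rst" (target refused the port) or "syn-ack" (port open). This format
is made up for the example; it is not snort's.
"""
from collections import Counter, defaultdict

# Constructed sensor output: one fast scanner, one normal client and one
# slow two-port probe that should stay below the scan threshold.
SENSOR_LOG = [
    "100 203.0.113.7 192.0.2.10 21 rst",
    "101 203.0.113.7 192.0.2.10 22 rst",
    "101 203.0.113.7 192.0.2.10 23 rst",
    "102 203.0.113.7 192.0.2.10 25 rst",
    "102 203.0.113.7 192.0.2.10 80 syn-ack",
    "103 203.0.113.7 192.0.2.10 110 rst",
    "104 203.0.113.7 192.0.2.10 443 syn-ack",
    "105 198.51.100.5 192.0.2.10 80 syn-ack",
    "140 198.51.100.5 192.0.2.10 443 syn-ack",
    "150 203.0.113.9 192.0.2.10 3306 rst",
    "400 203.0.113.9 192.0.2.10 5432 rst",
]

SCAN_PORT_THRESHOLD = 5  # distinct ports from one source to one target
WINDOW_SECONDS = 60      # ...within this many seconds


def parse(line):
    t, src, dst, dport, result = line.split()
    return {"t": int(t), "src": src, "dst": dst, "dport": int(dport), "result": result}


def detect_port_scans(lines, threshold=SCAN_PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): sorted_ports} for pairs where one source touched at
    least `threshold` distinct ports within `window` seconds. Refused attempts
    count the same as accepted ones: the scan is visible on the wire whether
    or not any connection succeeded or the host wrote a log line."""
    by_pair = defaultdict(list)
    for e in sorted((parse(l) for l in lines), key=lambda e: e["t"]):
        by_pair[(e["src"], e["dst"])].append(e)
    scans = {}
    for pair, evs in by_pair.items():
        for i, start in enumerate(evs):  # sliding window from each event
            ports = {e["dport"] for e in evs[i:] if e["t"] - start["t"] <= window}
            if len(ports) >= threshold:
                scans[pair] = sorted(ports)
                break
    return scans


def rejected_attempts(lines):
    """Per-source count of attempts the host refused (RST): failed probes
    that a host-based log would typically never record."""
    return Counter(e["src"] for e in map(parse, lines) if e["result"] == "rst")
```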