Date: Tue, 19 Dec 2000 12:09:54 -0800
From: Jonas Luster <JonasL@webex.com>
To: freebsd-security@freebsd.org
Subject: RE: Securing FreeBSD against hacking
Message-ID: <15418A8C5748D411B03A0050DA649E55DB6E6C@mailserv2.webex.com>
> I am running a FreeBSD 4.2-STABLE (recently upgraded machines) for
> web (Apache-1.39) mail (Qmail-1.03 sendmail-8.11.1).
> I have recently seen some activities on the web server that
> make me very nervous (I know I am being very general) but my
> concern is:
> 1. How do I set up a dedicated machine to collect data and
> connection attempts to my machines

I guess you're referring to some kind of NIDS here, right? With FreeBSD and sn0rt (see ports/security) you can set up a pretty decent NIDS; all you need is some third-party tool (I use a custom hacked Python script, if you want it) to analyze sn0rt's output and notify you in some way. Plug the sn0rt box into the SPAN port on your switch and you're good.

> 2. How to implement a notification system to alert when critical
> files on the server have been tampered with.

HIDS, host-based intrusion detection, is a lie in itself :). You can, however, deploy some kind of host-based modification tracking, such as Aide (ports/aide), and have a script move the generated files to some other host for analysis (leaving them on the same host some kid has root on might just lead to him tampering with your database and not revealing any changes). Again, a small script should notify you if something changes (hourly intervals?).

> 3. How to find out if my machines are REALLY CLEAN (some sort of
> software auditing to determine if what is already in the machines
> is a good benchmark for future security audits)

If you were good in the first place :) you'll have some md5-sum repository of your system files somewhere offsite. If not, well, you need to start by providing a clean environment to work in, e.g. move the affected hard disk into a new machine and mount it r/o to analyze its contents. If the clean machine's OS is built from the same sources you can start to diff one against the other, for example.
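The "offsite digest repository" and "notify when files change" ideas from points 2 and 3 above, as an added example that is not part of the original post and not Aide's or sn0rt's code. It builds a manifest of digests plus ownership and mode bits for a directory tree, which you would copy to another host, and later diffs the live tree against that stored copy. The default digest is assumed to be sha256 rather than the md5 the post mentions; the algorithm is a parameter. The sample files in `self_check()` are constructed for the demo.

```python
# Added example (not from the mailing-list post): store a manifest of file
# digests and metadata offsite, then report what changed on a later run.
import hashlib
import json
import os
import shutil
import stat
import sys
import tempfile


def hash_file(path, algo="sha256", chunk=65536):
    """Digest a file in chunks. sha256 is an assumed default; pass 'md5' for the post's scheme."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map relative path -> digest and metadata for every regular file under root.
    Symlinks are skipped rather than followed, so a planted link cannot redirect
    the checker to hash some other, unmodified file."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            manifest[os.path.relpath(full, root)] = {
                "digest": hash_file(full, algo),
                "mode": st.st_mode & 0o7777,   # includes setuid/setgid/sticky bits
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return manifest


def save_manifest(manifest, path):
    """Write the manifest as JSON; the file itself should live on another host."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare_manifests(baseline, current):
    """Return added/removed/modified relative paths. 'modified' covers any digest
    or metadata change, so a mode flip is reported even if content is unchanged."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def format_report(diff):
    """One line per change, suitable for piping into mail from an hourly cron job."""
    lines = [f"{kind.upper():9s} {path}" for kind in ("added", "removed", "modified") for path in diff[kind]]
    return "\n".join(lines) if lines else "no changes"


def self_check():
    """Constructed demo: build a baseline, alter the tree, and return the diff."""
    root = tempfile.mkdtemp(prefix="manifest-demo-")
    try:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:*:0:0:Charlie &:/root:/bin/csh\n")   # constructed sample line
        with open(os.path.join(root, "gone.conf"), "w") as f:
            f.write("keep=1\n")
        baseline = build_manifest(root)
        # Simulated changes after the baseline was taken.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("# appended after baseline\n")
        os.remove(os.path.join(root, "gone.conf"))
        with open(os.path.join(root, "new.conf"), "w") as f:
            f.write("x=1\n")
        return compare_manifests(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # usage: manifest.py baseline ROOT MANIFEST.json | manifest.py check ROOT MANIFEST.json
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        save_manifest(build_manifest(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        diff = compare_manifests(load_manifest(sys.argv[3]), build_manifest(sys.argv[2]))
        print(format_report(diff))
        sys.exit(1 if any(diff.values()) else 0)
    else:
        print(format_report(self_check()))
```

Run `baseline` once from a known-clean build and keep the JSON on a different host; the `check` run exits non-zero when anything differs, which is the hook for the hourly notification script the post describes. Because mode, uid and gid are part of each entry, a permission change on an otherwise identical file is reported too, which a content-only md5 list would miss.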