Monitoring your system

Security is an ongoing task - you cannot expect to simply install some whizbang tools that will supposedly make your machines hacker-proof and then relax. At the least, you should:

1. Monitor your system logs

By default, syslog writes the various logs under /var/log; /etc/syslog.conf controls which facility and priority is written to which file.

On a Debian system, you should be monitoring auth.log (logins, su, sudo and other PAM authentication events), daemon.log, messages and setuid.changes (written by checksecurity, which lists setuid/setgid files that have appeared, disappeared or changed since its last run). On a Red Hat system, you should be monitoring messages and secure (the authentication log).

You should also look at daemon-specific log files, such as the web server's error log and the FTP transfer log (xferlog).

There are some useful tools, like swatch, that assist the log-file monitoring process: swatch follows a log file as it grows, matches each new line against a list of patterns, and runs an action (mail, bell, a command) when one matches.
</gre_replace>
<gr_insert after="13" cat="add_content" lang="python" orig="There are some useful tools">
The following is an added example, not code from the original page or from swatch: a small Python checker that applies the kind of patterns you would feed a log watcher to a few sshd and sudo lines from auth.log. The log lines are constructed for the example (the message formats are the standard OpenSSH and sudo ones), and the failure threshold of three attempts is an arbitrary choice. Beyond plain counting it flags the case a practitioner most wants to see: a source address that was failing repeatedly and then got in.

```python
import re
import sys
from collections import defaultdict

# Constructed sample auth.log lines (not taken from any real system). The
# message formats are the standard OpenSSH sshd and sudo formats.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 gw sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:04 gw sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:08 gw sshd[2214]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:11 gw sshd[2214]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:15 gw sshd[2216]: Accepted password for root from 203.0.113.7 port 51041 ssh2
Mar  3 09:02:33 gw sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 40012 ssh2
Mar  3 09:03:10 gw sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 11:20:45 gw sshd[2402]: Failed password for bob from 192.0.2.55 port 40100 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def analyze_auth_log(text, fail_threshold=3):
    """Return a list of (kind, subject, detail) findings for the given log text.

    kinds: brute-force            - fail_threshold failed logins from one source
           success-after-failures - a source that was failing, then got in
           root-login             - any accepted remote login as root
           sudo                   - a sudo invocation (audit trail of privilege use)
    The threshold of 3 is an arbitrary choice for this example.
    """
    failures = defaultdict(int)  # source address -> failed attempts seen so far
    findings = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _user, src = m.groups()
            failures[src] += 1
            if failures[src] == fail_threshold:  # report once, when the threshold is crossed
                findings.append(("brute-force", src, "%d failed logins" % fail_threshold))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            if failures.get(src, 0) >= fail_threshold:
                findings.append(("success-after-failures", src,
                                 "%s via %s after %d failures" % (user, method, failures[src])))
            if user == "root":
                findings.append(("root-login", src, "root via %s" % method))
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.groups()
            findings.append(("sudo", user, "as %s: %s" % (target, cmd)))
    return findings


if __name__ == "__main__":
    # Usage: python auth_check.py [/var/log/auth.log]; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for kind, subject, detail in analyze_auth_log(text):
        print("%-22s %-15s %s" % (kind, subject, detail))
```

On the sample this reports the brute-force run from 203.0.113.7, the root login that followed it (twice: once as success-after-failures, once as root-login) and alice's sudo of cat /etc/shadow; bob's single failure stays below the threshold. The same patterns translate directly into a swatch configuration if you prefer a daemon that reacts as lines arrive.
<test>
assert len(analyze_auth_log(SAMPLE_AUTH_LOG)) == 4
assert [k for k, _, _ in analyze_auth_log(SAMPLE_AUTH_LOG)] == ["brute-force", "success-after-failures", "root-login", "sudo"]
assert analyze_auth_log(SAMPLE_AUTH_LOG)[0] == ("brute-force", "203.0.113.7", "3 failed logins")
assert analyze_auth_log(SAMPLE_AUTH_LOG)[1] == ("success-after-failures", "203.0.113.7", "root via password after 4 failures")
assert analyze_auth_log(SAMPLE_AUTH_LOG)[2] == ("root-login", "203.0.113.7", "root via password")
assert analyze_auth_log(SAMPLE_AUTH_LOG)[3] == ("sudo", "alice", "as root: /bin/cat /etc/shadow")
assert analyze_auth_log("") == []
assert analyze_auth_log(SAMPLE_AUTH_LOG, fail_threshold=10) == [("root-login", "203.0.113.7", "root via password"), ("sudo", "alice", "as root: /bin/cat /etc/shadow")]
</test>
</gr_insert>
<gr_replace lines="17" cat="clarify" orig="Keep an eye on last">
Keep an eye on the output of last (which reads the login records in /var/log/wtmp) for unusual entries, particularly users coming in from unfamiliar hosts or at strange hours, and root logging in remotely at all.

2. Monitor last

Keep an eye on last for unusual entries, particularly users coming in from unusual sites or at strange hours.
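As an added example (not from the original page), here is a Python filter that turns the three questions above into code over the default output format of last. The sample output and the set of "known" hosts are constructed for the example, and the 07:00-20:00 working-hours window is an arbitrary assumption; in practice you would read the hosts from a file and run this from cron.

```python
import re
import subprocess
import sys

# Constructed sample in the default output format of last(1); not from a real wtmp.
SAMPLE_LAST_OUTPUT = """\
root     pts/1        203.0.113.7      Mon Mar  3 02:14 - 02:40  (00:26)
alice    pts/0        192.0.2.10       Mon Mar  3 09:02   still logged in
bob      tty1                          Mon Mar  3 11:20 - 11:45  (00:25)
alice    pts/2        198.51.100.23    Mon Mar  3 14:30 - 14:35  (00:05)
reboot   system boot  5.10.0-amd64     Sun Mar  2 08:00   still running
carol    pts/0        192.0.2.11       Sun Mar  2 23:10 - 23:12  (00:02)

wtmp begins Sun Mar  2 08:00:01 2025
"""

# Hosts users are expected to come from (assumed for the example; use a file in practice).
KNOWN_HOSTS = {"192.0.2.10", "192.0.2.11"}

# user, tty, optional host column, then weekday, month, day and HH:MM of login.
LAST_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(?:(\S+)\s+)?"
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\w{3}\s+(\d{1,2})\s+(\d{2}):(\d{2})"
)


def parse_last(text):
    """Yield (user, tty, host, day, hour, minute) for each login line of last output.

    Local console logins have an empty host column; pseudo-users and the
    trailing 'wtmp begins' line are skipped.
    """
    for line in text.splitlines():
        if not line.strip() or line.startswith(("wtmp begins", "reboot", "shutdown")):
            continue
        m = LAST_RE.match(line)
        if not m:
            continue
        user, tty, host, day, hour, minute = m.groups()
        yield user, tty, host or "", int(day), int(hour), int(minute)


def suspicious_logins(text, known_hosts=KNOWN_HOSTS, work_hours=(7, 20)):
    """Return [(user, host, 'HH:MM', [reasons])] for entries worth a second look."""
    start, end = work_hours
    flagged = []
    for user, _tty, host, _day, hour, minute in parse_last(text):
        reasons = []
        if hour < start or hour >= end:
            reasons.append("off-hours")
        if host and host not in known_hosts:
            reasons.append("unknown host")
        if host and user == "root":
            reasons.append("remote root")
        if reasons:
            flagged.append((user, host, "%02d:%02d" % (hour, minute), reasons))
    return flagged


if __name__ == "__main__":
    # With --live, run the real last command; otherwise use the constructed sample.
    text = subprocess.check_output(["last"], text=True) if "--live" in sys.argv else SAMPLE_LAST_OUTPUT
    for user, host, when, reasons in suspicious_logins(text):
        print("%-8s %-16s %s  %s" % (user, host or "(console)", when, ", ".join(reasons)))
```

The root login at 02:14 from 203.0.113.7 trips all three checks; alice's afternoon session from an unlisted host and carol's late-evening login each trip one. Remember that this reads wtmp, which an intruder with root can edit, so treat a clean last as weak evidence (see the closing note below).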

3. Look out for modified binaries

Use your packaging tool (debsums or dpkg --verify on Debian, rpm -Va on Red Hat) or tripwire to spot any binaries or critical configuration files that have been deleted or replaced. The package-database check only covers files that came from packages and only trusts the package database on the host; tripwire (or any checksum baseline you keep yourself) covers whatever you tell it to.

You should do this from trusted media (a root/boot floppy or rescue CD, or at least a statically linked copy of tripwire kept on read-only media), and keep the tripwire database on read-only media too: on a compromised host the tripwire binary, or the libraries and kernel it relies on, could have been replaced to always report a clean system, and a writable database can simply be regenerated by the intruder after the binaries have been swapped.
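As an added example (not the page's own code, and not tripwire), here is a minimal checksum baseline of the kind tripwire maintains: build a map of path to SHA-256 for a set of directories once, store it somewhere the host cannot write to, and later compare a fresh scan against it to list changed, missing and added files. The directory list is an assumption for the example; the same caveat as above applies, so run the check from trusted media and keep the baseline file off the host.

```python
import hashlib
import json
import os
import sys

# Directories whose contents form the baseline; chosen for this example, adjust to taste.
WATCHED_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc"]


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 16):
    """SHA-256 hex digest of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(dirs=WATCHED_DIRS):
    """Map every regular file under dirs to its SHA-256 (symlinks are not followed)."""
    baseline = {}
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    baseline[path] = sha256_file(path)
                except OSError as exc:  # unreadable or vanished mid-scan: report, do not abort
                    sys.stderr.write("skipping %s: %s\n" % (path, exc))
    return baseline


def compare_baseline(old, new):
    """Diff two path->hash maps; returns sorted lists of changed, missing and added paths."""
    return {
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
        "missing": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }


if __name__ == "__main__":
    # usage: integrity.py init  baseline.json  (run once; copy the file to read-only media)
    #        integrity.py check baseline.json  (run from trusted media; compare and report)
    mode, db = sys.argv[1], sys.argv[2]
    if mode == "init":
        with open(db, "w") as f:
            json.dump(build_baseline(), f, indent=1, sort_keys=True)
    elif mode == "check":
        with open(db) as f:
            old = json.load(f)
        for kind, paths in compare_baseline(old, build_baseline()).items():
            for p in paths:
                print(kind, p)
```

A replaced /bin/ps shows up under changed, a deleted setuid helper under missing, and a new binary dropped into /usr/sbin under added. Like tripwire, this is only as trustworthy as the Python interpreter, libraries and kernel it runs on, which is exactly why the comparison belongs on a boot floppy or rescue system rather than the host being checked.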

And finally...

Don't ever trust a security tool to give you 100% fool-proof evidence of a break-in. utmp files can be edited, security logs can be deleted or modified, ps and who can be replaced by trojan horses that will never show a malicious user or program.
