intrusion detection


lymegreeen
09-08-2003, 06:03 PM
hi

where can i get an intrusion detection program? something that'll tell me whether any binaries or important files have been altered. i'm running a rh9 system.

it's a personal computer so do i really need it in the first place? i've been getting attacked a lot connecting from home. two of the computers i've run at home (both windows...) have given me problems. this made me turn to linux, but i'm still trying to learn it. i decided before i hop back online, i'd better protect my linux computer.

i've read the article on armoring linux and i think it was great. (this might get a little off topic) the only thing i'm wondering is how to turn services on and off. i know it's with the 's' and 'S', but i have several rc scripts, and the services show up in multiple files. is the rh9 a little different in this area?? also, i tried looking for the inetd.conf file, but all i can find is the xinetd.conf. are these two equivalent? basically, i'm having trouble following the guide as i can't find most of the files referenced in the article. if someone could clear some of this info for me it would be of great help.

thanx to anyone who can assist me.

--yeat :p

je_fro
09-08-2003, 06:23 PM
http://gnuthought.com/classes/linux/intrusion-detection.html

There are a lot of options for intrusion detection. chkrootkit is often used, although I hear that it's not too reliable.

Yeah, xinetd is equivalent to inetd in that it sits around listening for incoming connections.

Changing the S to an s in, for example /etc/rc2.d/S30syslog will disable the service. Many of these links do appear in different runlevels, rc2, rc3, rc4, etc... I don't have a redhat system to look at, so I can't be more specific.

Good Luck!

kshim5
09-08-2003, 06:43 PM
You can check freshmeat for a host of intrusion detection software

http://freshmeat.net/search/?q=intrusion+detection&section=projects

polle
09-09-2003, 03:28 AM
one I heard a lot of good things is tripwire:

http://www.tripwire.org

mrBen
09-09-2003, 03:47 AM
Also, check out SNORT (http://www.snort.org/)

madmaxx
09-09-2003, 05:22 AM
I prefer Advanced Intrusion Detection Environment, a free alternative to Tripwire. This checks out the integrity of files. In other words, it tells you if your system has been tampered with.

http://www.cs.tut.fi/~rammer/aide.html

Enjoy
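The file-integrity check that madmaxx describes (and that the original question asks for) is simple enough to show in working code. The following Python script is an added example, not code from this thread, from Tripwire or from AIDE: it walks a directory tree, records a SHA-256 hash, size and permission bits for every regular file as a baseline, and later compares a fresh walk against that baseline to report added, removed and modified files. The `demo()` function builds a constructed miniature filesystem in a temporary directory (`bin/ls`, `bin/ps`, `etc/passwd`, `etc/hosts` are made-up sample files, not a real system), then simulates tampering so the report has something to show.

```python
"""Minimal Tripwire/AIDE-style file-integrity checker (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record hash, size and permission bits for every regular file.

    Symlinks, sockets and device nodes are skipped; paths are stored relative to
    root so the baseline can be compared regardless of where the tree is mounted.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            baseline[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return baseline


def compare(baseline, current):
    """Report files that appeared, disappeared, or changed in any recorded attribute."""
    report = {"added": [], "removed": [], "modified": {}}
    report["added"] = sorted(set(current) - set(baseline))
    report["removed"] = sorted(set(baseline) - set(current))
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "size", "mode")
                   if baseline[rel][k] != current[rel][k]]
        if changed:
            report["modified"][rel] = changed
    return report


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, compare."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {
            "bin/ls": b"ls v1", "bin/ps": b"ps v1",
            "etc/passwd": b"root:x:0:0::/root:/bin/bash\n", "etc/hosts": b"127.0.0.1 localhost\n",
        }.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, 0o644)

        # In real use the baseline database is written once, from a known-good
        # state, and kept somewhere an attacker cannot rewrite (read-only media).
        saved_db = json.dumps(build_baseline(root))

        # Simulated tampering: replaced binary, loosened permissions,
        # deleted tool, dropped hidden file.
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"ps v1 trojan")
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        os.remove(os.path.join(root, "bin/ls"))
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"x")

        return compare(json.loads(saved_db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison only sees attributes that were recorded, so a checker like this is exactly as trustworthy as its baseline: it has to be taken from a clean install and stored where the host itself cannot alter it, which is why the AIDE and Tripwire documentation both stress keeping the database off the machine or on read-only media. Hashing also does nothing against a rootkit that lies to `open()` or `stat()` at the kernel level, which is the gap tools like chkrootkit try to cover.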

lymegreeen
09-09-2003, 01:41 PM
Thanx everyone. I will look into what you guys said. I've also heard a lot of good things about Tripwire, but i was wondering what else was out there. Thanx.

Gertrude
09-11-2003, 10:42 PM
I second Snort.