[NTLUG:Discuss] Intrusion and Detection

Steve steve at cyberianhamster.com
Mon Dec 24 10:10:25 CST 2001


Kenneth Loafman wrote:

> With all the packages like Tripwire and others that detect intrusion,
> are there any that are "better" than others?  What are your experiences?


Tripwire is the most well-known. It doesn't get particularly high marks 
for user friendliness though. There are others out there. However, since 
Tripwire is so well known, there is a lot of documentation out there on 
the Net to get you started (although the amount of documentation is also due 
to its obscure nature).

It may be easier to use now. Give Tripwire a shot first. I don't use it 
all the time, but it didn't seem that bad in setting it up.

> My home system just got rooted via an ssh bug and my own personal
> detection system spotted it (ps did not work right), but the damage had
> been done.  Right now the system is off the net, but I want to
> reopen the ssh port again so I can get to it from work.


What was the nature of the bug / which bug was it?


> Been doing some forensics and it looks like the work of a script-kiddie,
> even left the .tgz file and install scripts on the system.  Nasty stuff,
> but it does not look like he left a worm installed, just set it up to
> allow him to get back in.  That's secured now, no inbound connections
> available.


If he rooted you, you pretty much have to re-install. You don't know if 
he's a script-kiddie or not. Maybe he's an accomplished cracker and he 
just wants it to look like a script-kiddie in hopes that you don't 
reinstall. Once you've been rooted, everything is suspect. Unless you 
have some way of comparing everything to a fresh system or you like 
looking through endless lines of code and config, you can't be sure.


Steve
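The kind of check Tripwire performs, and the "compare everything to a fresh system" idea raised above, boiled down to a minimal baseline-and-compare script. This is an added illustration, not a tool from the thread; every path and file content below is constructed for the demo.

```python
"""Minimal Tripwire-style file-integrity check (added example, not from the thread)."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Return hash, permission bits and size for one file; mode catches new setuid bits."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": oct(stat.S_IMODE(st.st_mode)), "size": st.st_size}


def build_baseline(root):
    """Walk root and fingerprint every regular file (symlinks skipped), keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Report files added, removed or changed since the baseline was taken."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a replaced 'ps' binary, a dropped tarball and a deleted file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in {"bin/ps": b"original ps", "bin/ls": b"original ls", "motd": b"hi"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        # The baseline (and this script) must live on read-only or offline media:
        # on a rooted host anything writable, including the checker, is suspect.
        baseline = build_baseline(root)
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"trojaned ps")
        with open(os.path.join(root, "rk.tgz"), "wb") as f:
            f.write(b"attacker tarball")
        os.remove(os.path.join(root, "motd"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```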