hi Balazs, how much time and energy do you want to spend ???

- 1st pass..
  - update your box regularly per debian's security patches
  - read debian's security howto http://www.debian.org/doc/manuals/securing-debian-howto
- 2nd pass...
  - you're doing w/ snort/ippl/logcheck
  - logcheck already tells you whether it was successful attempts or not and how they tried it...
- 3rd pass...
  - add host and network IDS ( tripwire, aide, etc... )
  - if you wanna watch for network activity randomly...
    - run tcpdump, showtraf, trafshow, ncat, etc..etc..
- 4th pass... ( aka should be 1st pass )
  - clean up permissions and remove unused services etc..etc.. ( things might break.. but then you know to fix it )
  - lots of time can be spent here...
- 5th pass...
  - if you find hackers in your box.. do you want to chase them down ???
    - you need to have logs saved everywhere...
    - you have to be prepared to interact live with them
  - read your log files religiously... and understand what it says...
  - backup your system
    - make a cd image of your whole system if you're paranoid BEFORE you go online
    -- if a hacker gets in.... it's too too late... ????
  -- i try to spend my time at the prevention end... not trying to detect them... but there is only so much to do before somebody else ( another boss ) wants you to do something else instead
  - if you only use tripwire ... it typically runs once a day.... a [cr/h]acker can do miracles to your machine until tripwire runs
  - i want to know that the [cr/h]acker got into my systems within a few seconds....
  - and similarly... in a few seconds... i want a program to tell me what was changed ...
  - don't count on the eyes to tell you something is awry
  - then decide what to do with the box... watch them play with the box... or unplug it... and report it...

http://www.Linux-Sec.net
  - see the IDS section...
have fun
alvin

On Tue, 15 Jan 2002, Balazs Javor wrote:

> Hi,
>
> Recently I've installed some IP logging daemons
> (snort, ippl along with logcheck) and I was amazed
> how many break-in attempts there are each day on my
> simple home box which isn't even advertised anywhere,
> as I only run a few services intended for friends and
> family (apache, wu-ftpd, exim).
>
> I can see a lot of IIS related attempts, which obviously
> do not work, as well as some refused anonymous FTP connection
> attempts. For these I don't worry too much as they have failed.
> (I hope. I'm no expert, though.)
> Then there is more exotic stuff. High port UDP attempts,
> connections to port 113 etc.
>
> Now the logs provided by the above packages often say something
> like 'connection attempt to ..' whichever port/service.
> The question is whether there is a way to know whether any of those
> attempts succeeded. Or to put it more simply, how could one
> distinguish a failed attempt and a successful break-in?
>
> (I know this is probably a very complex topic, but I would
> greatly appreciate some advice!)
>
> Many thanks for your help in advance!
> best regards,
> Balazs
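The "5th pass" point above, wanting a program that says within seconds what changed on the box rather than waiting for tripwire's daily run, is a host file-integrity check: take a baseline of digests and permissions, then rescan and diff. The following is an added example written for this page, not code from the thread and not tripwire or aide; it assumes SHA-256 for the digest, a JSON file for the manifest, and placeholder paths for the directory to watch and the manifest location.

```python
import hashlib
import json
import os
import stat
import time
from pathlib import Path

HASH_ALGO = "sha256"  # assumption: SHA-256; tripwire/aide offer several digests


def _file_record(path: Path) -> dict:
    """Digest plus the metadata an intruder typically disturbs (mode, owner, size)."""
    st = path.lstat()
    h = hashlib.new(HASH_ALGO)
    if stat.S_ISLNK(st.st_mode):
        # Hash the link target instead of following it, so a redirected
        # symlink shows up as a change rather than being silently followed.
        h.update(os.readlink(path).encode())
    else:
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "digest": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root: str) -> dict:
    """Walk `root` and record every regular file and symlink, keyed by
    path relative to `root`."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            try:
                baseline[rel] = _file_record(p)
            except OSError:
                # unreadable or vanished mid-walk: record the fact, don't abort the scan
                baseline[rel] = {"error": "unreadable"}
    return baseline


def save_baseline(baseline: dict, manifest: str) -> None:
    with open(manifest, "w") as f:
        json.dump({"created": time.time(), "algo": HASH_ALGO, "files": baseline}, f, indent=1)


def load_baseline(manifest: str) -> dict:
    with open(manifest) as f:
        return json.load(f)["files"]


def compare(baseline: dict, current: dict) -> dict:
    """Return what changed since the baseline, grouped the way an operator
    reads it: new files, removed files, and files whose content, size,
    owner or permissions differ (old value, new value)."""
    old, new = set(baseline), set(current)
    changed = {}
    for rel in old & new:
        keys = set(baseline[rel]) | set(current[rel])
        diffs = {k: (baseline[rel].get(k), current[rel].get(k))
                 for k in keys if baseline[rel].get(k) != current[rel].get(k)}
        if diffs:
            changed[rel] = diffs
    return {"added": sorted(new - old), "removed": sorted(old - new), "changed": changed}


def check(root: str, manifest: str) -> dict:
    """Rescan `root` and diff it against the saved manifest."""
    return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    import sys
    # usage: fim.py init ROOT MANIFEST   |   fim.py check ROOT MANIFEST [INTERVAL_SECONDS]
    # ROOT and MANIFEST are placeholders, e.g. /etc and /media/cdrom/etc-manifest.json
    cmd, root, manifest = sys.argv[1:4]
    if cmd == "init":
        save_baseline(build_baseline(root), manifest)
    else:
        interval = int(sys.argv[4]) if len(sys.argv) > 4 else 0
        while True:
            report = check(root, manifest)
            if any(report.values()):
                print(json.dumps(report, indent=1))
            if not interval:
                break  # single run, e.g. from cron
            time.sleep(interval)  # short loop gives the "within seconds" notice
```

Run `init` once before the box goes online, then `check` in a loop with a short interval (or from cron for the daily tripwire-style run). The manifest is only worth as much as its storage: keep it off the watched tree and on read-only media such as the CD image alvin suggests, because an intruder who can write the manifest can make a modified box compare clean. A mode change from 0o644 to something with the setuid bit, a changed digest on a binary in the watched tree, or an unexplained added file are the findings to act on first.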