If you are physically present when an attack is happening and doing the following won't adversely affect any business transactions, simply unplug the NIC until you can figure out what he did and secure the box. Disabling the network at layer 1 is the only true way to keep the attacker out of the compromised box.

Phil

-----Original Message-----
From: Klaus Koch <[EMAIL PROTECTED]>
To: [email protected]
Date: Mon, 11 Feb 2002 11:26:57 +0100
Subject: preparing for case of emergency

hello!

I have done my best to make my firewall/router secure according to several security howtos (in this place, many thanks to the authors of the debian security howto). I think I am really getting into this "security stuff" :)

I am running a not very busy website and ftp-server, so I can afford to receive snort alarms in realtime via email to my internal account, because there aren't many. Due to work, I spend a lot of time at this account, so chances are high that I am present when an attack is done.

My question now is, what can I really do in realtime against an ongoing attack? Are there any interesting reads that I wasn't able to find?

Many thanks for your help!

Klaus
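What to capture before pulling the plug, as an added POSIX sh example that is not from Phil's or Klaus's mail: it snapshots the volatile state that is gone once the box is isolated or rebooted, and offers `ip link set ... down` as the software fallback for when you cannot reach the cable. It assumes Linux with iproute2; the output directory and interface name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux; ss/ip from
# iproute2 are used when present, with /proc fallbacks for the process list.

# snapshot_volatile OUTDIR
# Record what disappears once the link is cut: sessions, processes,
# sockets (look for unexpected listeners), routing and ARP state.
snapshot_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/timestamp.txt"
    # Process list: prefer ps, fall back to walking /proc
    if ! ps -eo pid,ppid,user,etime,args > "$outdir/processes.txt" 2>/dev/null; then
        for d in /proc/[0-9]*; do
            printf '%s %s\n' "${d#/proc/}" "$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)"
        done > "$outdir/processes.txt"
    fi
    # Interactive sessions: is someone logged in right now?
    { who; last -n 20; } > "$outdir/sessions.txt" 2>/dev/null || true
    # Established connections and listeners
    { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null; } \
        > "$outdir/sockets.txt" || true
    # Addresses, routes and neighbour (ARP) table
    { ip addr; ip route; ip neigh; } > "$outdir/network.txt" 2>/dev/null || true
    # Checksums so later tampering with the snapshot is detectable
    ( cd "$outdir" && sha256sum *.txt > SHA256SUMS ) 2>/dev/null || true
    return 0
}

# isolate_iface IFACE
# Software stand-in for unplugging the cable. Unlike layer 1, a
# privileged attacker on the box can undo this, so prefer the cable.
isolate_iface() {
    ip link set dev "$1" down
}

# Usage as root (placeholder paths/names):
#   snapshot_volatile "/root/ir-$(date +%s)" && isolate_iface eth0
```

Run the snapshot first and the isolate step second; the order matters because the socket table is the evidence of where the attacker came from.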

