Matt wrote:
> Kevin -
>
> kevin bailey wrote:
>> 1. before attaching server to network install and configure tripwire.
>>
>> and could possibly put key executables on to CD-ROM and leave them in the
>> server.
>
> In today's same day exploits, using something like tripwire for H.I.D.S.
> may not prove useful... By the time tripwire runs a check it may already
> be too late, or the check may not return anything as the intruder could
> have cleaned up their mess by then or altered tripwire itself. You may
> want to consider something such as SAMHAIN that performs real-time
> monitoring and will notify you immediately, as opposed to tripwire that
> will notify only 1X/day (or however often you run it).
>
> Also consider an intrusion response plan - if Tripwire, or samhain,
> alert you - what are you going to do? For example, we have decided that
> upon an alert the entire network will be pretty much locked down,
> disconnected from the WAN, or, at least, the compromised server is taken
> off-line until the postmortem analysis is complete and the security
> issue resolved (of course that's the 'nut shell' procedure, the real one
> is pages upon pages). The faster you respond to the alert, the less
> potential for malicious damage.
good point - the response should be documented. have a plan to switch to a
hot-swap backup server - also backups are sent to a backup server via
rdiff-backup.

kev

> Matt
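As an added illustration of the point Matt raises above (a periodic integrity checker is only as trustworthy as its own baseline, which an intruder may alter), here is a small Tripwire-style check written for this thread, not code from Tripwire, samhain or the list. It records SHA-256 digests of the listed files, seals the baseline with an HMAC under a key that is assumed to be kept off the monitored host (the key, file names and contents are constructed for the demo), and on re-check refuses to report a verdict if the baseline itself no longer verifies.

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, key):
    """Record digests and seal them; the key and the result belong off-host
    (read-only media, as the thread suggests for key executables)."""
    entries = {p: hash_file(p) for p in paths}
    body = json.dumps(entries, sort_keys=True).encode()
    seal = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "seal": seal}


def check_baseline(baseline, key):
    """Return (baseline_trusted, changed_paths). If the seal does not verify,
    the baseline was tampered with and no verdict about the files is given."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["seal"]):
        return False, []
    changed = [p for p, digest in baseline["entries"].items()
               if not os.path.exists(p) or hash_file(p) != digest]
    return True, changed


def demo():
    """Constructed scenario: clean check, trojaned file, then a re-baselined
    (tampered) database. Returns the three (trusted, changed) results."""
    key = b"constructed-demo-key-keep-this-off-the-server"
    path = os.path.join(tempfile.mkdtemp(), "sshd")
    with open(path, "wb") as f:
        f.write(b"original binary\n")
    baseline = build_baseline([path], key)
    clean = check_baseline(baseline, key)
    with open(path, "wb") as f:          # intruder replaces the binary
        f.write(b"trojaned binary\n")
    modified = check_baseline(baseline, key)
    baseline["entries"][path] = hash_file(path)   # intruder edits the baseline
    tampered = check_baseline(baseline, key)
    return clean, modified, tampered
```

The check still only detects the change the next time it runs, which is exactly the window Matt's real-time monitoring suggestion is about.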

