I used Tripwire, which is an intrusion-detection system.
What it does is tell you if anything in the filesystem
changed. Possibly it does more, but that is just what
I used it for; it certainly has some advanced features
that I did not bother with.

What are these changes? File size, datestamp, inode changes,
etc. You could not modify anything without tripping
Tripwire. It has some configuration to take care
of cases when it's OK to modify files (e.g., /tmp is OK,
/var/log/messages grows but can't be edited early
in the file, etc.) and severity levels.
Then you can tell Tripwire to alert you if anything's
out of the ordinary (I scheduled Tripwire in cron
to email me if anything changes).

Personally I stopped using it since I did not
bother to fine-tune it well, and just put most of the filesystem
(such as /etc) in high-alert mode and never bothered
with severity levels. I just wanted it to notify
me if anything changed. I was ANNOYED because
it was emailing me almost every day for every minor
system change (i.e., changing a password) and I had
to reset it almost every day. I used it for probably
a year or two, then I got tired of it and turned it off.

PROS: it's OK. You'll get a warning that something changed;
it's really sensitive. Quite good. Be sure
to configure your email alert address not on the
same box you're trying to protect.

CONS: a bitch to set up, and to learn the configuration
language. The configuration setup is complicated.
jondz
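The mechanism described in the post above (baseline size, timestamp, inode and content for each file; exempt paths like /tmp; allow logs to grow but not be edited earlier in the file; attach a severity so a cron job can decide what to mail) is shown here as an added example written for this page. It is not Tripwire's code and does not use Tripwire's policy syntax: the policy table, the mode names "strict"/"growing"/"ignore", the numeric severities, the in-memory baseline format and the scratch directory tree in demo() are all assumptions made for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Per-path policy, longest matching prefix wins (assumed for this example,
# not Tripwire's configuration language):
#   strict  - any change in size, mtime, inode or content is reported
#   growing - may get longer, but bytes already baselined must not change
#   ignore  - never reported
POLICY = {
    "/etc": ("strict", 100),
    "/var/log": ("growing", 50),
    "/tmp": ("ignore", 0),
}


def policy_for(path, policy=POLICY):
    """Return (mode, severity); paths with no matching prefix are strict."""
    best, best_len = ("strict", 100), -1
    for prefix, rule in policy.items():
        if (path == prefix or path.startswith(prefix.rstrip("/") + "/")) \
                and len(prefix) > best_len:
            best, best_len = rule, len(prefix)
    return best


def hash_prefix(path, length):
    """SHA-256 of the first `length` bytes of a file (the baselined part)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while length > 0:
            chunk = f.read(min(65536, length))
            if not chunk:
                break
            h.update(chunk)
            length -= len(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline every regular file under root. Keys are the path relative to
    root written as an absolute path ("/etc/passwd"), so a scratch tree can
    stand in for the real filesystem."""
    root = Path(root)
    base = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        base["/" + p.relative_to(root).as_posix()] = {
            "size": st.st_size, "mtime": int(st.st_mtime),
            "inode": st.st_ino, "sha256": hash_prefix(p, st.st_size),
        }
    return base


def compare(baseline, root, policy=POLICY):
    """Return [(severity, path, reason)] for every violation, highest first."""
    root = Path(root)
    current = snapshot(root)
    out = []
    for path, old in baseline.items():
        mode, sev = policy_for(path, policy)
        if mode == "ignore":
            continue
        new = current.get(path)
        if new is None:
            out.append((sev, path, "deleted"))
        elif mode == "growing":
            if new["size"] < old["size"]:
                out.append((sev, path, "truncated"))
            elif new["inode"] != old["inode"]:
                out.append((sev, path, "replaced (inode changed)"))  # e.g. log rotation
            elif hash_prefix(root / path.lstrip("/"), old["size"]) != old["sha256"]:
                out.append((sev, path, "earlier content edited"))
        else:
            diff = [k for k in ("size", "mtime", "inode", "sha256") if new[k] != old[k]]
            if diff:
                out.append((sev, path, "changed " + ",".join(diff)))
    for path in current:
        if path not in baseline and policy_for(path, policy)[0] != "ignore":
            out.append((policy_for(path, policy)[1], path, "added"))
    return sorted(out, reverse=True)


def alert_lines(findings, min_severity):
    """What a cron job would mail out: findings at or above min_severity."""
    return [f"[{sev}] {path}: {why}" for sev, path, why in findings if sev >= min_severity]


def demo():
    """Constructed scratch tree: baseline it, make some changes, re-check."""
    root = Path(tempfile.mkdtemp())
    try:
        files = {  # constructed sample contents
            "etc/passwd": "root:x:0:0::/root:/bin/sh\n",
            "etc/hosts": "127.0.0.1 localhost\n",
            "var/log/messages": "Jul 31 00:00:01 host kernel: boot\n",
            "var/log/secure": "Jul 31 00:00:02 host sshd: ok\n",
            "tmp/scratch": "junk\n",
        }
        for rel, text in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        baseline = snapshot(root)
        # Changes: edited passwd, deleted hosts, dropped-in cron job (all
        # strict); a log that only grows (allowed); a log whose first line
        # is rewritten (flagged); a rewritten /tmp file (ignored).
        (root / "etc/passwd").write_text(files["etc/passwd"] + "evil:x:0:0::/:/bin/sh\n")
        (root / "etc/hosts").unlink()
        (root / "etc/cron.d").mkdir()
        (root / "etc/cron.d/evil").write_text("* * * * * root /tmp/x\n")
        with open(root / "var/log/messages", "a") as f:
            f.write("Jul 31 00:00:03 host cron: run\n")
        (root / "var/log/secure").write_text("Jul 31 00:00:02 host sshd: OK\nmore\n")
        (root / "tmp/scratch").write_text("other junk\n")
        return compare(baseline, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in alert_lines(demo(), 50):
        print(line)
```

The "growing" check is what keeps an append-only log from paging you every night while still catching someone rewriting an earlier line: it re-hashes only the first N bytes, where N is the size recorded at baseline time. A real deployment would keep the baseline (and the checker itself) somewhere the monitored host cannot rewrite, for the same reason the post says to send the alert mail off-box.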
On Thu, 2003-07-31 at 23:20, Dean Michael Berris wrote:
> There are active/passive IDSes like Snort and PortSentry, which could be
> configured to act accordingly when the system is being attacked.
> However, I have not yet been able to try them out, so please take this with a
> grain of salt.
>
> Maybe the experienced pluggers could tell you more about them.
>
> http://www.snort.org
> http://linux.cudeso.be/linuxdoc/portsentry.php
>
> HTH. :)
>
> On Wed, 2003-07-30 at 12:51, [EMAIL PROTECTED] wrote:
> > Has anyone tinkered with the IPS (intrusion prevention system) capabilities of
> > Linux? How is it?
> >
> > sammy
> >
--
Hagibis Fan <[EMAIL PROTECTED]>
--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie