If you have only one computer, it is entirely possible to spend the effort to review its weaknesses and problems carefully by hand. You may not want to, but it can be done. In the real world, however, we need good tools to help monitor our systems and warn us where problems might occur, so that we can do this easily and often. Intrusion detection is one of the problems we worry about. Fortunately, Linux administrators have a choice of powerful tools. The best strategy is a tiered approach: combine the "old" programs such as Snort, iptables and psad with veterans such as AppArmor and SELinux, and with powerful analysis tools, so that we always stay at the forefront of the technology.

On a modern machine, any user account may be used for evil. The author believes that focusing all protection on root, as if the other user accounts were unimportant, is a persistent, chronic weakness of Linux and UNIX security. A simple reinstall can replace damaged system files, but what about the data files? Any intrusion has the potential to cause extensive damage. In fact, spreading spam, copying sensitive files, serving bogus music or movie files, or launching attacks on other systems requires no root access at all.

New favorite IDS: psad

psad is an acronym for Port Scan Attack Detector. It is a newer tool that works closely with iptables and Snort to show us everyone who is trying to enter the network with malicious intent. This is my preferred Linux intrusion detection system. It draws on many tools: it can read Snort, fwsnort and iptables logs, which means you can even drill down to the application layer and do some content analysis. It can analyze packet headers the way Nmap does, warn the user, and can even be configured to block suspicious IP addresses automatically. In fact, a key aspect of any intrusion detection system is capturing and analyzing large amounts of data. Without that you are fighting blind and cannot really tune the IDS effectively.
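As an added illustration of what psad does with iptables log data (this is example code written for this page, not psad's own code), the shell script below reads iptables LOG lines in the kernel's key=value format and flags any source that hits many distinct destination ports, which is the basic signature of a port scan. The log lines are constructed samples, not a real capture; the threshold, the function name find_scanners and the output format are this example's own choices.

```shell
#!/bin/sh
# Added example (not psad's code): the core of what psad does with iptables
# LOG output, detecting a port scan as one source hitting many distinct
# destination ports. Input is constructed sample log lines, not a real capture.

# Constructed iptables LOG lines in the kernel's key=value format.
SAMPLE_LOG='Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40003 DPT=25 SYN URGP=0
Mar  3 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40004 DPT=80 SYN URGP=0
Mar  3 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40005 DPT=443 SYN URGP=0
Mar  3 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40006 DPT=8080 SYN URGP=0
Mar  3 10:15:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40007 DPT=22 SYN URGP=0
Mar  3 10:16:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar  3 10:16:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=51001 DPT=22 SYN URGP=0
Mar  3 10:16:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=51002 DPT=22 SYN URGP=0
Mar  3 10:17:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=33001 DPT=80 SYN URGP=0
Mar  3 10:17:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=33002 DPT=443 SYN URGP=0'

# Read LOG lines on stdin; print "SRC distinct_ports total_hits" for every
# source that touched at least $1 distinct destination ports (default 5).
find_scanners() {
  thr=${1:-5}
  awk -v thr="$thr" '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "") next      # not a firewall LOG line
      if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
      hits[src]++
    }
    END {
      for (s in ports)
        if (ports[s] >= thr) printf "%s %d %d\n", s, ports[s], hits[s]
    }' | LC_ALL=C sort
}

# With the sample above, only 203.0.113.5 crosses the 5-port threshold.
printf '%s\n' "$SAMPLE_LOG" | find_scanners 5
```

Note that 198.51.100.7, which hammers port 22 three times, is not reported: by this measure it is not a port scan but a repeated attempt on one service, which needs a separate rate check. In practice you would feed the function the firewall's log (for example via journalctl or /var/log/kern.log) instead of the constructed sample.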
psad can export its data to AfterGlow and Gnuplot, so you can see exactly who is attacking the firewall, in a very friendly interface.

Hale and hearty: Snort

Like a trustworthy man who matures as he grows older, Snort has matured too. It is a lightweight, easy-to-use tool that you can run on its own or together with psad and iptables. We can find and install it from the Linux distribution's package repository, which is great progress compared with the old source installs. Keeping its rules updated is equally simple, because oinkmaster, a Snort rule update and management program, is also in the distributions' repositories. Snort is easy to manage, although it does need some configuration. The default configuration is not suitable as-is for most networks, because it includes every rule, needed or not. So the first thing to do is to remove all unneeded rules; otherwise they hurt performance and generate false alarms. Another key strategy is to run in stealth mode, that is, to have Snort listen on a network interface that has no IP address. Bring the interface up without assigning an address, for example ifconfig eth0 up, and then run Snort on it with the -i option: snort -i eth0. One thing to watch for: if a network manager program is running on the system, it will "helpfully" configure the unconfigured interface, so it is recommended to remove it or turn it off. Snort collects large amounts of data, so you will want to add BASE (Basic Analysis and Security Engine), the successor to the older ACID (Analysis Console for Intrusion Databases), to get a friendly visual analysis tool.

Simple and convenient: chkrootkit and Rootkit Hunter

chkrootkit and Rootkit Hunter (rkhunter) are old rootkit detection programs. Obviously they are more trustworthy when run from non-writable external media, such as a CD or a write-protected USB drive. I like SD cards because of their write-protection switch.
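One of the checks the rootkit detectors described above perform is a cross-check of the process list in /proc against what ps reports, since a rootkit that hooks ps cannot easily hide a process's /proc directory. The script below is an added example of that check (written for this page; it is not chkrootkit's or rkhunter's code). The comparison is a pure function taking two PID lists so it can be exercised on constructed input; the live wrapper, the function names hidden_pids and check_live, and the double-check logic are this example's own.

```shell
#!/bin/sh
# Added example (not chkrootkit's or rkhunter's code): the /proc-versus-ps
# cross-check those tools use to spot processes hidden from ps. The pure
# comparison takes two PID lists so it can be exercised on constructed input;
# the live wrapper reads the running system.

# Print every PID in list $1 (whitespace-separated) that is absent from list $2.
hidden_pids() {
  ps_set=" $(printf '%s ' $2)"           # " 1 2 3 " so we can match " <pid> "
  for p in $1; do
    case "$ps_set" in
      *" $p "*) ;;                        # ps knows about it: fine
      *) printf '%s\n' "$p" ;;            # in /proc but not in ps output
    esac
  done
}

# Live check: list /proc first, then ps, so a process started in between
# cannot show up as a false positive. A process that exits in between still
# can, so each hit is confirmed against a fresh ps listing before reporting.
check_live() {
  proc_list=$(for d in /proc/[0-9]*; do printf '%s ' "${d#/proc/}"; done)
  ps_list=$(ps -e -o pid=)
  hits=$(hidden_pids "$proc_list" "$ps_list")
  [ -z "$hits" ] && return 0
  ps_again=$(ps -e -o pid=)
  for p in $(hidden_pids "$hits" "$ps_again"); do
    # Still in /proc and still unknown to ps: worth a closer look.
    [ -d "/proc/$p" ] && printf 'HIDDEN %s %s\n' "$p" \
      "$(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
  done
}

# Constructed demonstration input: /proc shows PID 4444, ps does not.
hidden_pids "1 2 3 4444 77" "1 2 3 77"      # prints 4444

# Run against the live system when /proc and ps are available.
if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
  check_live
fi
```

As with the tools themselves, the check is only as trustworthy as the binaries it runs (sh, ps, tr), which is why the text recommends running from read-only media.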
These two programs search for known rootkits, backdoors and local exploits, and can detect a limited number of suspicious activities. The reason we need to run these tools is that they inspect the file system, /proc, ps and other important activity. Although they are not network tools, they can scan a PC quickly.

Versatile: Tripwire

Tripwire is an intrusion detection and data integrity product that lets users establish a baseline of a server's optimized state. It does not prevent a damaging incident, but it compares the current state with the ideal state to determine whether any accidental or deliberate changes have occurred. If changes are detected, disruption to operations is kept to a minimum. If you need change control on Linux or UNIX servers, you have three options: Open Source Tripwire, Tripwire Server Edition and Tripwire Enterprise Edition. Although the three products have some things in common, they differ in many respects, so that each can meet the requirements of a different IT environment. Open Source Tripwire is suitable for monitoring a small number of servers, where centralized control and reporting are not needed; Tripwire Server Edition is ideal for those who only need to monitor servers on Linux/UNIX/Windows platforms and want detailed reports and centralized server management; and Tripwire Enterprise Edition is the best choice for IT organizations that need to securely audit the configuration of UNIX/Linux/Windows servers, databases, network devices, desktops and directory servers.
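To make the baseline-and-compare idea behind Tripwire concrete, here is an added example of a minimal file-integrity check written for this page (it is not Tripwire's code and does not use its database or policy format). It records a hash, permission mode and size for every regular file under a directory, then reports files that were added, removed or modified since the baseline. The function names make_baseline and check_baseline and the tab-separated record layout are this example's own; it assumes sha256sum and stat -c as found in GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example (not Tripwire's code): a minimal file-integrity baseline and
# check in the spirit of Tripwire. Each record is hash, mode, size and path,
# tab-separated. Assumes GNU/busybox sha256sum and stat -c.

# Write a baseline of every regular file under $1 into $2.
make_baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      hash=$(sha256sum "$f" | cut -d' ' -f1)
      mode=$(stat -c '%a' "$f")
      size=$(stat -c '%s' "$f")
      printf '%s\t%s\t%s\t%s\n' "$hash" "$mode" "$size" "$f"
    done ) > "$2"
}

# Compare the current state of $1 with baseline $2. Prints one line per
# difference (ADDED/REMOVED/MODIFIED <tab> path) and returns 1 if any found.
check_baseline() {
  cur=$(mktemp) || return 2
  make_baseline "$1" "$cur"
  report=$(awk -F'\t' '
      FILENAME == ARGV[1] { old[$4] = $1 FS $2 FS $3; next }  # baseline
      { new[$4] = $1 FS $2 FS $3 }                             # current state
      END {
        for (p in new) if (!(p in old)) print "ADDED\t" p
        for (p in old) if (!(p in new)) print "REMOVED\t" p
        for (p in old) if (p in new && old[p] != new[p]) print "MODIFIED\t" p
      }' "$2" "$cur" | LC_ALL=C sort)
  rm -f "$cur"
  [ -n "$report" ] && printf '%s\n' "$report"
  [ -z "$report" ]
}

# Demonstration on a constructed directory tree (not real system files).
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf 'root:x:0:0\n' > "$demo/etc/passwd"
printf 'PermitRootLogin no\n' > "$demo/etc/sshd_config"
make_baseline "$demo" "$demo.baseline"        # the "ideal" state

printf 'PermitRootLogin yes\n' > "$demo/etc/sshd_config"   # modified
printf '#!/bin/sh\n' > "$demo/etc/cron.hourly"             # added
rm "$demo/etc/passwd"                                      # removed

check_baseline "$demo" "$demo.baseline" || echo "integrity check: changes found"
rm -rf "$demo" "$demo.baseline"
```

The baseline file must live somewhere the monitored host cannot silently alter, for example on the same read-only media the text suggests for the rootkit scanners; a baseline an intruder can rewrite proves nothing. Tripwire proper adds signed databases, a policy language describing which attributes matter per file, and reporting, but the comparison it performs is the same idea.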