hi ya roberto

On Sat, 6 Dec 2003, Roberto Sanchez wrote:
> At the risk of starting a flamefest, what is a good IDS? I ask because
> the recent compromises have got me thinking. I have a couple of
> web/mail servers I am adminning at school, and I really have no way of
> knowing if they have been 0wn3d. I (poorly) check the logs every 2 to 4
> weeks, but that doesn't seem like enough.
>
> What does everyone else use? (BTW, my servers run stable.)

as they say ... start turning thingz off first ...

- tighten your box to minimize the chances of a breakin as opposed to
  worrying about detecting the breakin

i say, if your ids does find an intruder .. game over ... too late ..

c ya
alvin

hardening your debian servers..
http://www.debian.org/doc/manuals/securing-debian-howto/
http://www.Linux-Sec.net/Harden/

- upload your html pages to your webserver from your internal webserver ...
  ( your backup of the webserver )
- not worth it to backup /var/spool/mail/{users}
- use secure pop3, secure imap ...
- make sure [EMAIL PROTECTED] uses johnssh as his pop3/imap/ssh login
- keep mail servers separate from web servers
- gazillion things to do ...

- which ids ...
- tripwire ... too much info ... too big
- aide .......
- save a copy offline of your binaries and libs to a 2nd disk and diff
  them regularly/automatically
- send yourself an email if it doesn't match and don't ignore those
  mails ( fix the false positive )
- reading logs is not worth the effort ... but if you like
- logcheck
- snort
  http://www.Linux-Sec.net/Logger/
- on and on ..
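As an added example, not part of alvin's message or the thread, here is a minimal POSIX sh version of the "save a copy offline, diff it regularly and automatically, mail yourself on mismatch" approach. It records SHA-256 digests instead of full copies of the binaries, so the only thing that has to live on the second disk is the digest list; WATCH_DIRS, BASELINE, MAILTO and the init/check entry points are assumed names, not from the original.

```shell
#!/bin/sh
# Added example (not from the original thread): file-integrity baseline and
# check in the spirit of "keep an offline copy of bins/libs and diff it".
# Instead of copying whole binaries it stores SHA-256 digests; the digest list
# is what goes on the second (normally read-only) disk.
# WATCH_DIRS, BASELINE and MAILTO below are assumed values.

set -u

# Directories whose binaries and libraries are watched (assumed set;
# deliberately unquoted later so the shell splits it into separate paths).
WATCH_DIRS="${WATCH_DIRS:-/bin /sbin /usr/bin /usr/sbin /lib /usr/lib}"
# Store the baseline where an intruder on this host cannot quietly rewrite it,
# e.g. a second disk mounted read-only except during "init" (assumed path).
BASELINE="${BASELINE:-/mnt/offline/baseline.sha256}"
MAILTO="${MAILTO:-root}"

# make_baseline OUTFILE DIR...
# Hash every regular file below DIR...; sorted so two runs are diff-comparable.
make_baseline() {
    out="$1"; shift
    find "$@" -type f -print0 2>/dev/null | sort -z | xargs -0 sha256sum > "$out"
}

# check_baseline BASEFILE DIR...
# Re-hash the live tree and diff it against BASEFILE.
# Prints the diff (changed, added and removed files); returns 0 if identical,
# 1 if anything differs, 2 on an internal error.
check_baseline() {
    base="$1"; shift
    tmp=$(mktemp) || return 2
    make_baseline "$tmp" "$@"
    if diff -u "$base" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Cron entry point: when the check fails, mail the diff to the admin.
# A false positive (e.g. after apt-get upgrade) means: verify, then re-init
# the baseline, rather than start ignoring the mails.
run_check() {
    report=$(check_baseline "$BASELINE" $WATCH_DIRS)
    status=$?
    if [ "$status" -ne 0 ]; then
        printf '%s\n' "$report" | mail -s "integrity check FAILED on $(hostname)" "$MAILTO"
    fi
    return "$status"
}

# Assumed usage: `sh integrity.sh init` once on a known-clean system,
# then `sh integrity.sh check` from cron (e.g. nightly).
case "${1:-}" in
    init)  make_baseline "$BASELINE" $WATCH_DIRS ;;
    check) run_check ;;
esac
```

The baseline must be written while the system is believed clean and then kept out of reach of the host being checked; a digest list that an intruder can rewrite detects nothing. The diff output names the files that changed, so a package upgrade is easy to recognise and the baseline re-initialised, which is the "fix the false positive" step rather than ignoring the mail.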