nixCraft Linux Forum


Linux Security: Find Out If Someone Is Trying To Hack My System

#1 kasimani, 24-06-2009, 11:19 AM

I have a doubt:
1: How does Linux system security know that a remote system is doing some bad behavior (hack-like activities)?

2: In which file do they maintain a record of bad systems for further consideration?
#2 nixcraft, 24-06-2009, 04:31 PM

  • You need to monitor log files for activities. For example, /var/log/secure has info about failed ssh logins. Configure logwatch to monitor all log files (see Howto: Linux monitor logfiles).
  • Turn on SELinux.
  • Install and configure a firewall. Read firewall logs.
  • Protect server console (see Tips To Protect Linux Servers Physical Console Access)
  • Install an IDS (see Debian / Ubuntu Linux Install Advanced Intrusion Detection Environment (AIDE) Software). It will send email if an attacker tries to install new binaries.
  • Install rootkit checking software (see Linux Detecting / Checking Rootkits with Chkrootkit and rkhunter Software).
  • Encrypt transmitted data whenever possible – Do not use rservices or insecure protocols such as telnet / ftp etc. Use scp, ssh and other secure alternatives.
  • Minimize software to minimize vulnerability - Only install required ports and applications. The simplest way to avoid vulnerabilities in software is to avoid installing that software.
  • Run different network services on separate systems - If possible, a server should be dedicated to serving exactly one network service. This limits the number of other services that can be compromised in the event that an attacker is able to successfully exploit a software flaw in one network service.
  • Use and configure security tools to improve system robustness - Use a firewall for host-based firewalling and kernel protection, MAC etc. for protection against vulnerable services. Configure log auditing for detecting problems.
  • Updating Software - You need to update both base system + kernel via yum.
  • Avoid weak and default passwords - Do not leave network ports open. Always follow a close-all, open-required-ports policy using the firewall. Do not expose internal hosts such as sql servers, backup servers to the Internet. Use NATing / proxy to hide internal server IPs.
  • Do not run insecure and badly configured programs - For example, do not run apache, dns or mail server as the root user. Do not grant full system access to php or perl scripts. Restrict them to directories.
  • Delete all unwanted accounts - For example, a laid-off employee may seek revenge.
  • You need both host and firewall security.
  • Never ever assume that you are not a target - you can be targeted by both humans and automated worms and viruses. All you can do is set tight permissions and make sure you are always prepared for attacks.
  • Always make a backup. Keep offsite backups on tape or dvd. RAID is not a backup solution. A second hard disk on the same system is not a backup solution. Mirroring (to other server or disk) is not a backup. Backups are physically removed from the machine and stored where they can't be altered until they're needed for a restore. Always check backup media and run a dummy restore procedure. Use tools such as dump(8), restore(8), tar(1) etc. You can also use rsync, rsnapshot and other 3rd party apps.
__________________
Vivek Gite
Linux Evangelist
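
Added example, not part of the original reply: a shell function that does the /var/log/secure check from the first bullet by counting failed SSH password logins per source address. The function names, the threshold default and the sample log lines are constructed for illustration; the parsing assumes the standard OpenSSH "Failed password ... from IP port N ssh2" message format.

```shell
#!/bin/bash
# Added example: per-source count of failed SSH password logins in an
# sshd auth log (/var/log/secure on CentOS / RHEL / Fedora).

# Constructed sample lines in the usual syslog + OpenSSH layout; host and
# user names are made up, addresses are RFC 5737 documentation ranges.
sample_secure_log() {
cat <<'EOF'
Jun 24 11:02:11 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 24 11:02:14 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 24 11:02:19 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40150 ssh2
Jun 24 11:05:42 web1 sshd[2130]: Accepted password for alice from 192.0.2.10 port 51522 ssh2
Jun 24 11:09:03 web1 sshd[2155]: Failed password for alice from 192.0.2.10 port 51530 ssh2
Jun 24 11:12:37 web1 sshd[2170]: Failed password for invalid user test from 198.51.100.23 port 33218 ssh2
Jun 24 11:12:40 web1 sshd[2170]: Failed password for invalid user from from 198.51.100.23 port 33218 ssh2
EOF
}

# failed_ssh_by_ip LOGFILE [THRESHOLD]
# Prints "COUNT IP" for every source with at least THRESHOLD failures
# (default 3), highest count first.
failed_ssh_by_ip() {
    awk -v min="${2:-3}" '
        # Only sshd lines whose message starts with "Failed password".
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
            # The user name is chosen by the remote side (it can even be
            # "from"), so take the address by position from the end of the
            # line: "... from IP port N ssh2".
            if ($(NF-4) == "from" && $(NF-2) == "port")
                hits[$(NF-3)]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a real host pass /var/log/secure.
demo_log=$(mktemp)
sample_secure_log > "$demo_log"
failed_ssh_by_ip "$demo_log" 2
rm -f "$demo_log"
```

Reading /var/log/secure normally requires root, and rotated copies of the log have to be passed to the function separately.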