LinuxServerIntrusionDetection

Main.LinuxServerIntrusionDetection History

April 25, 2009, at 12:44 PM by 118.95.7.226 -
Added lines 1-3:
(:Google1:)
(:Googlemm:)
----
Changed lines 64-65 from:
to:
----
(:Googletxt:)
Added lines 44-54:
/ ext2 defaults,errors=remount-ro 0 1
none swap sw 0 0
/proc proc defaults 0 0
/boot ext2 ro,noauto,nouser,noexec,nosuid,nodev 0 2
/usr ext2 ro,nodev 0 2
/usr/local ext2 defaults 0 2
/var ext2 rw,nosuid,nodev 0 2
/tmp ext2 rw,nosuid,nodev 0 2
/home ext2 rw,nosuid,nodev 0 2
/mnt/floppy ext2 noauto
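Review bot: every entry in this fstab fragment is missing its first field (the block device or label to mount), so it cannot be pasted into /etc/fstab as written; each line needs the form `<device> <mount point> <type> <options> <dump> <pass>`, e.g. `/dev/<boot-device> /boot ext2 ro,noauto,nouser,noexec,nosuid,nodev 0 2` with the real device substituted. Two consistency points: `/home`, `/tmp` and `/var` are given only `rw,nosuid,nodev`, while the hardening bullets elsewhere in this page recommend `noexec` on home partitions and on /var, so either add `noexec` here or say why it is left out; and with `/usr` and `/boot` mounted `ro`, package and kernel updates need a `mount -o remount,rw` first, which is worth stating next to the table.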
Changed lines 5-14 from:
#Failed log-in attempts

#Analyize system files, $HOME/ directory such as $HOME/.bashrc for modified $PATH entries, as well as changes in system configuration files in /etc

# suid and sgid files on the system

#Use last, lastcomm, and netstat commands

#system is compromised, you can use the command:
to:
*Failed log-in attempts

*Analyize system files, $HOME/ directory such as $HOME/.bashrc for modified $PATH entries, as well as changes in system configuration files in /etc

*suid and sgid files on the system

*Use last, lastcomm, and netstat commands

*system is compromised, you can use the command:
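Review bot: the last bullet, `*system is compromised, you can use the command:`, is a sentence fragment (the condition is missing; it presumably means "if you suspect the system is compromised, verify the installed packages with the command:"), and `Analyize` in the second bullet should be `Analyze`. Both were carried over unchanged when the list markers were switched from `#` to `*`.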
Changed lines 17-18 from:
#The RPM database will need to be archived
to:
*The RPM database will need to be archived
Changed lines 22-25 from:
#archive /bin/rpm executable also

#List of the most recently modified files with the following command.
to:
*archive /bin/rpm executable also

*List of the most recently modified files with the following command.
Changed lines 28-29 from:
#find all setuid and setgid programs on your system:
to:
*find all setuid and setgid programs on your system:
Changed lines 32-33 from:
# locate all world-writable files on your system,
to:
*locate all world-writable files on your system,
Changed lines 36-37 from:
#locate files on your system that do not have an owner, or group
to:
*locate files on your system that do not have an owner, or group
Changed lines 40-51 from:
#Use the nosuid option in /etc/fstab

#use nodev and noexec on user's home partitions, as well as /var, which prohibits execution of programs, and creation of character or block devices

#control the per-user limits using the resource-limits PAM module and /etc/pam.d/limits.conf

#/var/log/wtmp and /var/run/utmp files contain the login records for all users on your system, should also have 644 permissions
to:
*Use the nosuid option in /etc/fstab

*use nodev and noexec on user's home partitions, as well as /var, which prohibits execution of programs, and creation of character or block devices

*control the per-user limits using the resource-limits PAM module and /etc/pam.d/limits.conf

*/var/log/wtmp and /var/run/utmp files contain the login records for all users on your system, should also have 644 permissions
Changed lines 15-51 from:
root# rpm -Va
to:
root# rpm -Va

#The RPM database will need to be archived

/var/lib/rpm/fileindex.rpm and
/var/lib/rpm/packages.rpm

#archive /bin/rpm executable also

#List of the most recently modified files with the following command.

/usr/bin/find / -ctime -1 -print

#find all setuid and setgid programs on your system:

find / -type f -perm +6000 -ls

# locate all world-writable files on your system,

find / -perm -2 ! -type l -ls

#locate files on your system that do not have an owner, or group

find / -nouser -o -nogroup

#Use the nosuid option in /etc/fstab

#use nodev and noexec on user's home partitions, as well as /var, which prohibits execution of programs, and creation of character or block devices

#control the per-user limits using the resource-limits PAM module and /etc/pam.d/limits.conf

#/var/log/wtmp and /var/run/utmp files contain the login records for all users on your system, should also have 644 permissions
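Review bot: `find / -type f -perm +6000 -ls` uses the `-perm +mode` syntax that GNU findutils has deprecated in favour of `-perm /6000`; recent GNU versions reject `+6000`, so the bullet should show `find / -type f -perm /6000 -ls` (BSD find still accepts the `+` form). The other sweeps, `find / -perm -2 ! -type l -ls` and `find / -nouser -o -nogroup`, descend into /proc, /sys and /dev and will list pseudo-files there; adding `-xdev` (and running once per real filesystem) or `-path /proc -prune -o ...` keeps the output to on-disk files. Also note for `/usr/bin/find / -ctime -1 -print` that `-ctime` matches inode changes, so a `chmod` or `chown` in the last 24 hours shows up as well as a content change, which is useful for an intrusion check and should be said explicitly.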



Added lines 1-15:
%red% Linux Server Intrusion Detection

%blue%Indications

#Failed log-in attempts

#Analyize system files, $HOME/ directory such as $HOME/.bashrc for modified $PATH entries, as well as changes in system configuration files in /etc

# suid and sgid files on the system

#Use last, lastcomm, and netstat commands

#system is compromised, you can use the command:

root# rpm -Va
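Review bot: `rpm -Va` only reports differences from the local RPM database using the local rpm binary, so on a host that may already be compromised its results are only as trustworthy as `/var/lib/rpm` and `/bin/rpm` on that host; the later revision in this history adds the advice to archive both, and the note should add that the archive must be taken before any suspected intrusion and kept on read-only or offline media, otherwise the verification baseline can be rewritten along with the files.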
Page last modified on April 25, 2009, at 12:44 PM