Have you ever suspected or been notified that your Linux system is under attack? How do you determine whether your system has been compromised? This
document is intended to explain how an administrator can implement basic security incident investigation techniques.
Background
As mentioned in the Intrusion Detection Primer, the process of preventing and detecting security breaches by monitoring user and application activity is known as intrusion detection. It is a proactive process that requires constant attention. In this document I explain step by step how to monitor user and application activity using standard Linux/Unix commands. This document is intended to be read by novice Linux administrators who are interested in security.

Who are the intruders and where are they from? Intruders may be curious teenagers, disgruntled employees, or even professional criminals from rival companies. Attacks can originate from practically anywhere in the world via the Internet or dialup lines. This fact makes intrusion investigation a difficult task.
Types of Intrusion Detection
Intrusion detection can be broken down into five types: file integrity checking, log file monitoring, host based ID (intrusion detection), network based ID, and administrator based monitoring.
Checking file integrity: This is the process of checking files to determine whether unauthorized changes have been made to them. The program Tripwire is often used to automate this process.
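The following is an added example, not from the original article and not Tripwire's own code. It shows the idea behind file integrity checking using only standard Linux commands: record a baseline of SHA-256 hashes for every file under a directory, then compare the current state against that baseline and report files that were added, removed, or modified. The directory, file names, and file contents are constructed for the demonstration; paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: baseline-and-verify file integrity check with sha256sum,
# find, sort, and awk. Sample paths and contents below are constructed.
set -eu

# Write a baseline for directory $1 into file $2: one "<sha256>  <path>"
# line per regular file, sorted by path so baselines are comparable.
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# Compare directory $1 against baseline file $2. Prints one line per
# difference: "ADDED <path>", "MODIFIED <path>" or "REMOVED <path>".
# Assumes paths contain no whitespace (sha256sum's second field is the path).
verify_baseline() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    make_baseline "$dir" "$current"
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        {
            now[$2] = $1                               # second file: current
            if (!($2 in base))        print "ADDED    " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
        }
        END {
            for (p in base) if (!(p in now)) print "REMOVED  " p
        }
    ' "$baseline" "$current"
    rm -f "$current"
}

# Demonstration: build a small constructed tree, take a baseline, then make
# the three kinds of change an investigator looks for and print the report.
demo() {
    work=$(mktemp -d)
    mkdir "$work/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"   # constructed
    printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"        # constructed
    make_baseline "$work/etc" "$work/baseline.sha256"

    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"       # modified
    printf 'new setting\n' > "$work/etc/extra.conf"                # added
    rm "$work/etc/passwd"                                          # removed

    verify_baseline "$work/etc" "$work/baseline.sha256"
    rm -rf "$work"
}

# Number of differences found by the demonstration (3 for the tree above).
demo_count() {
    demo | wc -l | tr -d ' '
}

demo
```

In real use the baseline file must be stored somewhere the system being checked cannot alter it (read-only media or another host), since an intruder who can modify files can also rewrite a baseline kept alongside them; that protection of the baseline is part of what Tripwire adds over this bare script.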