Attack Detection

*ATTACK DETECTION*

Detecting attacks on a system requires that the system administrator actively monitor it. That means monitoring network traffic, system logs, user activity, and file integrity. Although this sounds like a great deal of work, many tools automate these activities. System logs contain a variety of useful information that often goes unchecked, such as system errors, failed login attempts, and connection attempts. Logcheck is a utility that watches such logs for entries matching given patterns and can then take action, such as e-mailing or paging the sysadmin with the details. With a packet sniffer, the sysadmin can view packets on the network and judge whether they indicate hacker activity. If a hacker does gain entry to a system with the appropriate privileges, he can modify files. To keep track of file integrity, the sysadmin makes sure that the MD5 checksum of each important file has not changed. Two caveats apply. First, the stored checksums, and the checksum tool itself, must be kept where the intruder cannot alter them (read-only media, or a separate host), since anyone with root can simply regenerate the baseline after tampering. Second, MD5 collisions are now practical, so a modern integrity checker should use a stronger hash such as SHA-256.
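As an added example (not code from the original page or from any of the tools it names), the following Python script does the file-integrity check described above: it hashes every regular file under a directory, keeps the result as a baseline, and reports which files were added, removed or modified on a later scan. It uses SHA-256 rather than MD5 for the reason given above. The directory tree, the "trojaned" file and the hidden file in the demo are all constructed for the example.

```python
"""Added example: a minimal file-integrity checker (baseline and compare).
Not the page's code; SHA-256 is used in place of the MD5 check the text
describes because MD5 collisions are practical."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries are fine


def hash_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its digest.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Report differences between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/ls": b"original ls binary\n",
                 "bin/ps": b"original ps binary\n",
                 "motd": b"welcome\n"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # In practice the baseline goes to read-only media; a JSON
        # round-trip stands in for writing it out and reading it back.
        stored = json.dumps(build_baseline(root))
        # Intruder with root: trojans ps, drops a hidden file, removes motd.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"trojaned ps binary\n")
        with open(os.path.join(root, "bin", ".rootkit"), "wb") as f:
            f.write(b"payload\n")
        os.remove(os.path.join(root, "motd"))
        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the baseline and the binary that computes it: run it from a clean boot or a separate host, and keep the stored digests somewhere the monitored system cannot write.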

Another detection method is to use utilities that monitor unused ports for connection attempts. This clues the sysadmin in to possible hacker activity such as pinging or port scanning. Portsentry is such a tool: it not only detects and logs connection attempts, it can also block the offending host from making future attempts. A good combination is to use logcheck to e-mail the sysadmin whenever there are new entries in the portsentry logs. This enables a quick response, which can turn recovery into prevention. Automatic blocking does need care, however. Because it keys on the source address of the probe, an attacker who spoofs packets from a host you depend on (the default gateway or your DNS server, for instance) can trick the tool into blocking that host, so such addresses should be exempted from blocking.
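The logcheck-plus-portsentry pairing above amounts to: read only the log entries added since the last run, match the ones that matter, and alert per source host. The script below is an added example of that logic in Python (it is not logcheck or portsentry code). The log lines are constructed for the example; the portsentry entries are modelled on its "attackalert: Connect from host" messages, and the thresholds for "this is a scan" and "this is a password-guessing attempt" are assumptions a sysadmin would tune.

```python
"""Added example: incremental log watcher in the spirit of logcheck reading
portsentry and sshd entries. Sample log lines are constructed."""
import re
from collections import defaultdict

# sshd "Failed password" lines; the "invalid user" prefix is optional.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")
# portsentry alert lines (format assumed: "host/ip to TCP port: N").
PORT_ALERT = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: \S+/"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)")

SCAN_PORTS = 3    # distinct ports from one host before we call it a scan
LOGIN_FAILS = 3   # failed logins from one host before we alert

# Constructed sample log: a password-guessing run, a port scan, and noise.
SAMPLE_LOG = [
    "Mar  3 02:14:01 host sshd[2111]: Failed password for root from 192.0.2.7 port 40122 ssh2",
    "Mar  3 02:14:03 host sshd[2111]: Failed password for root from 192.0.2.7 port 40123 ssh2",
    "Mar  3 02:14:05 host sshd[2111]: Failed password for invalid user admin from 192.0.2.7 port 40124 ssh2",
    "Mar  3 02:15:10 host portsentry[418]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 23",
    "Mar  3 02:15:10 host portsentry[418]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 79",
    "Mar  3 02:15:11 host portsentry[418]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 143",
    "Mar  3 02:16:00 host cron[500]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Lines appended to the log after the first run: one stray failure, one probe.
APPENDED = [
    "Mar  3 02:20:00 host sshd[2140]: Failed password for bob from 198.51.100.4 port 50000 ssh2",
    "Mar  3 02:20:30 host portsentry[418]: attackalert: Connect from host: 198.51.100.4/198.51.100.4 to TCP port: 111",
]


def parse_line(line):
    """Classify one log line, or return None if it is not of interest."""
    m = FAILED_LOGIN.search(line)
    if m:
        return {"kind": "login", "ip": m["ip"], "user": m["user"]}
    m = PORT_ALERT.search(line)
    if m:
        return {"kind": "port", "ip": m["ip"], "port": int(m["port"])}
    return None


def scan_log(lines, offset=0):
    """Process lines[offset:] only, and return (alerts, new_offset).
    The caller stores new_offset so the next run skips what it has seen."""
    ports = defaultdict(set)
    fails = defaultdict(int)
    for line in lines[offset:]:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "port":
            ports[ev["ip"]].add(ev["port"])
        else:
            fails[ev["ip"]] += 1
    alerts = []
    for ip, hit in sorted(ports.items()):
        if len(hit) >= SCAN_PORTS:
            alerts.append(f"port scan from {ip}: ports {sorted(hit)}")
    for ip, n in sorted(fails.items()):
        if n >= LOGIN_FAILS:
            alerts.append(f"{n} failed logins from {ip}")
    return alerts, len(lines)


def demo():
    """First run over the whole log, second run over only the new lines."""
    first, offset = scan_log(SAMPLE_LOG)
    second, offset = scan_log(SAMPLE_LOG + APPENDED, offset)
    return first, second, offset


if __name__ == "__main__":
    first, second, offset = demo()
    print("run 1:", first)
    print("run 2:", second, "(next offset", offset, ")")
```

A real deployment would track the byte offset (and inode, to survive log rotation) rather than a line index, and would hand the alert list to mail or a pager; the matching and per-host aggregation are the part that does the detecting.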

Some of the tools that can and should be used are:

IDS utilities, including snort, etc.

Sniffers, including tcpdump, trafwatch, ntop, snoop, etc.

Port Scan Loggers, including portsentry, iplog, etc.
