*DETECTION/RECOVERY*
Detection and Recovery covers a system administrator's ability to detect that a system has been compromised, and the ability to repair the system so that it is secure again.
Attack Detection
- Consistently and frequently monitor system logs; use a utility such as logcheck to automate this task
- Use packet sniffers to watch packets on the network [ tcpdump in use ]
- Keep track of file integrity using md5 and/or tripwire
- Monitor unused ports for connection attempts; automate this task using a utility such as portsentry [ portsentry in use / denying hosts ]
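The md5/tripwire item above, as an added example that is not part of the original page: a small Python file-integrity checker that records a baseline of digests and later reports files that were added, removed or modified, which is also what the recovery step of finding altered and installed files depends on. The function names and the JSON baseline format are my own choices, not those of Tripwire.

```python
import hashlib
from pathlib import Path

# Added example (not from the original page): a minimal Tripwire-style
# file-integrity check. md5 is the default only to match the page's text;
# for any new deployment pass algo="sha256", since md5 collisions are practical.
# Store the baseline on read-only or off-host media so whoever alters the
# files cannot also rewrite the baseline they are compared against.

def hash_file(path, algo="md5"):
    """Hex digest of one file, read in chunks so large files fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, algo="md5"):
    """Map every regular file under root (path relative to root) to its digest."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Skip symlinks: hashing their target would hide a swapped link.
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = hash_file(p, algo)
    return baseline

def compare(baseline, current):
    """Diff two snapshots: files added, removed, or whose contents changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}

def check_tree(root, baseline, algo="md5"):
    """Rehash the tree now and report what differs from the stored baseline."""
    return compare(baseline, build_baseline(root, algo))

if __name__ == "__main__":
    # Usage: python integrity.py init|check <dir> <baseline.json>
    import json, sys
    mode, root, store = sys.argv[1:4]
    if mode == "init":
        with open(store, "w") as f:
            json.dump(build_baseline(root), f, indent=1)
    else:
        with open(store) as f:
            print(json.dumps(check_tree(root, json.load(f)), indent=1))
```

Run `init` right after a clean install and `check` from cron; any non-empty "added" or "modified" list under directories such as /bin or /sbin is exactly the kind of change the recovery steps below go looking for.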
Recovery
- Determine the extent of the damage done, i.e. find all back doors, trojans, altered files, installed files, etc.
- Remove all files that don't belong, restore files that have been changed
- Worst case, reinstall OS and applications
- If desired, investigate incident prior to recovery measures to determine source of hack
- Contact authorities
Detection Tools
- Tripwire
- TCPDump
- Portsentry
- Logcheck
- IPLog
- Snort