Web Hosting Talk

Apache/Linux Security -- Suggestions?


wscreate
07-10-2002, 12:19 AM
My company operates Cpanel servers with Apache 1.3.26 and Redhat Linux 7.1.

Can you guys/gals with Apache/Linux tell me what types of security software you have on your servers?

So far as I know, this is what we have on each server ...

Portsentry
/etc/hosts.deny (Deny all for telnet/sshd)
/etc/hosts.allow (Allow access for known customers only)
Built in Background process killer (ircd, egg drop, psyBNC, etc.)

Are there any other programs that might detect a hack and email the administrator? I have heard of such a program, but would like to know if anyone can make a recommendation.

Thanks.

goldenplanet
07-10-2002, 04:18 AM
You've probably heard about Tripwire - it'll monitor your critical system files and alert you if any changes have been detected. Do a search for "tripwire" on http://rpmfind.net and pick a RedHat-specific version, or go to the source directly:

http://sourceforge.net/projects/tripwire

Best regards,

Anders C. Madsen
Golden Planet Support

RutRow
07-10-2002, 07:00 AM
Originally posted by wscreate

Are there any other programs that might detect a hack and email the administrator? I have heard of such a program, but would like to know if anyone can make a recommendation.


http://www.psionic.org/products/logsentry.html is a nice tool.

phpjames
07-10-2002, 07:47 AM
http://www.chkrootkit.org

wscreate
07-10-2002, 02:07 PM
Thanks for the suggestions. I will look at these today.

viGeek
07-10-2002, 04:01 PM
Bastille Linux & PSAD Detector

apollo
07-11-2002, 03:20 AM
Check out the ipchains packet filter software (man ipchains)

wscreate
07-11-2002, 03:33 AM
Thanks again for the suggestions. I am investigating every suggestion. I checked out chkrootkit and tripwire today.

'Couldn't get tripwire to send emails to me after an "integrity check" even though I seemed to have it configured correctly. I will look at it again tomorrow.

"chkrootkit" is a pretty decent tool. I found some leftover hacker files that I had missed after a recent attack!

I will try out the others in the next few days, including ipchains. I have heard a bit about ipchains and am looking forward to learning more about it.

phpjames
07-11-2002, 09:45 AM
Uh... leftover hacker files? Why not just completely restore and reinstall? Chkrootkit isn't a cleaner but rather a simple detector. I would be very cautious about whether your system is fully cleaned, no matter how many suspicious files you get rid of. There's only one way to know you're not rooted: start from scratch and fix your mistakes. Good luck.

apollo
07-11-2002, 10:14 AM
Definitely restore your system from scratch!

wscreate
07-11-2002, 11:38 AM
Getting started from scratch is not an option on this server. Restoring a server from default is definitely a way to go, but a bit extreme if you have customer software, etc.