monitor for illegal activity

  #1  
Old 11-01-2000, 12:48 AM
Dexter Dexter is offline
Web Hosting Guru
 
Join Date: Jul 2000
Posts: 337

Just wondering what people do/use to monitor for illegal activity like users trying to hack/crack to gain root access to the server. Anyone actually monitor or you just wait till it's happened then fix it?

JFTR I have a server and within the last 2 weeks it's been hit twice. Most likely by the same person(s), as the same user accounts have been created. It's quite aggravating as I thought I had this system locked up pretty darn tight. It would be nice to have some sort of monitoring system to warn me when someone's on the system messing around...




  #2  
Old 11-01-2000, 01:11 AM
JTY JTY is offline
Community Guide
 
Join Date: Jun 2000
Location: Washington, USA
Posts: 5,991

Well there are a lot of security apps, tripwire is one of them, which you can find on http://freshmeat.net/

  #3  
Old 11-01-2000, 01:17 AM
ck ck is offline
WHT Addict
 
Join Date: Oct 2000
Posts: 159
Hi everyone,

Please correct me if I'm wrong, but my knowledge of Tripwire is that it only notifies you *after* a compromise was made. IMHO, it's not very effective against deterring intruders but more of letting you know when your server was hacked into?

I'm also looking for a program which (hopefully) features intelligent detection and subsequent banning of users suspected of illegal activities against the server.

Anybody care to suggest whether such programs exist?

  #4  
Old 11-01-2000, 02:00 AM
Travis Travis is offline
Web Hosting Guru
 
Join Date: Oct 2000
Posts: 337
Unfortunately, most of the time, there *isn't* a way to catch a user before they compromise a system.

Let's face it, it's not like these people are typing "give me root access" at the prompt. Most exploits these days involve buffer overflows or other bad input checking by software running with privileges. You can't effectively monitor for intrusions via these methods, at least before it happens. What you can do is make sure that you've plugged up all known holes in your system.

Further complicating things is that anyone with root access can cover their tracks quite effectively. Remember, all data on the local system can be tampered with when a box is compromised, including monitoring and reporting systems.

There are a few things you can do in the way of monitoring, of course. You can filter and watch logs for repeated password failures, dumb users trying to su to root, etc. But ultimately, you will probably not know somebody has compromised your box until they have. That's where it's a must to have solid recovery procedures, and competent staff that can identify the exploit used and plug it up.
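
Added example, not part of any post in this thread: the log watching described in post #4 (repeated password failures, failed attempts to su to root) as a small filter that could run from cron. The syslog line layouts, the threshold and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report repeated password failures per source address and
# failed su-to-root attempts. Line layouts are ASSUMED (sshd-style and
# su-style syslog messages); adjust the patterns to the local log format.

THRESHOLD=3   # assumed: failures from one address before it is reported

# Constructed sample input (documentation addresses, invented users).
sample_log() {
cat <<'EOF'
Nov  1 00:41:02 web1 sshd[811]: Failed password for root from 203.0.113.7 port 4101 ssh2
Nov  1 00:41:05 web1 sshd[811]: Failed password for root from 203.0.113.7 port 4101 ssh2
Nov  1 00:41:09 web1 sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 4102 ssh2
Nov  1 00:43:30 web1 sshd[820]: Failed password for dexter from 198.51.100.20 port 3900 ssh2
Nov  1 00:43:41 web1 sshd[820]: Accepted password for dexter from 198.51.100.20 port 3900 ssh2
Nov  1 00:50:12 web1 su: FAILED SU (to root) bob on pts/2
Nov  1 00:52:47 web1 su: (to root) alice on pts/0
EOF
}

# scan_auth_log: reads a log on stdin, prints one sorted alert line per finding.
scan_auth_log() {
  awk -v limit="${THRESHOLD}" '
    /Failed password for / {
      # Count by position from the END of the line ("from IP port N ssh2"):
      # the user name is attacker-supplied text and must not shift the field.
      if ($(NF-2) == "port") fails[$(NF-3)]++
    }
    /FAILED SU \(to root\)/ {
      # Line ends "... USER on TTY".
      if ($(NF-1) == "on") su[$(NF-2)]++
    }
    END {
      for (ip in fails)
        if (fails[ip] >= limit) printf "BRUTEFORCE %s %d\n", ip, fails[ip]
      for (u in su) printf "SU_FAIL %s %d\n", u, su[u]
    }' | sort
}

sample_log | scan_auth_log
```

Sending the output to another machine matters here because, as the post says, local logs and reports can be altered once the box is compromised.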

  #5  
Old 11-01-2000, 10:37 AM
Chicken Chicken is offline
Web Hosting Master
 
Join Date: Jun 2000
Location: Southern California
Posts: 12,121
I get a whole slew of anonymous ftp logins (anonymous ftp is not enabled on any domain). Every IP address on the machine is tried. I think someone mentioned that this is pretty common.

__________________
HostHideout.com - Where professionals discuss web hosting.

• Chicken

  #6  
Old 11-01-2000, 03:45 PM
Travis Travis is offline
Web Hosting Guru
 
Join Date: Oct 2000
Posts: 337
I see it all the time. Easy fix: turn off anonymous logins, or better yet, FTP if you don't need it.

  #7  
Old 11-02-2000, 02:22 AM
Chicken Chicken is offline
Web Hosting Master
 
Join Date: Jun 2000
Location: Southern California
Posts: 12,121
Yep, these are attempts. I don't turn on anon. ftp.

__________________
HostHideout.com - Where professionals discuss web hosting.

• Chicken

  #8  
Old 11-02-2000, 10:45 PM
cbaker17 cbaker17 is offline
Web Hosting Master
 
Join Date: Jun 2000
Location: Wichita, Ks, USA
Posts: 1,984
Redhat

Red Hat is terrible about security.

The other day, we put up a new box, with no services running on it, and all of a sudden one of the techs noticed it was generating like 4.5mbs of traffic, and nothing even on that box. It was crazy; I'm not sure what they found out the deal was.

__________________
affordablecolo.com carrier grade colocation at a affordable price!
Charles Baker - Company Operations
1-866-316-HOST

  #9  
Old 11-02-2000, 10:48 PM
Félix C.Courtemanche Félix C.Courtemanche is offline
Web Hosting Master
 
Join Date: May 2000
Posts: 587
Red Hat 6.2 and security freaks... go to http://www.openna.com/books/registration.htm and download a copy of the pdf of their book. It explains everything to do to secure a red hat system, including how to monitor logs, patch systems, monitor ports, everything.

It is very well written,... and IT'S FREE! (I love linux)

__________________
Félix C.Courtemanche · webmaster@can-host.com
Can-Host Networks · http://www.can-host.com
web«cp Control Panel · http://webcp.can-host.com

  #10  
Old 01-03-2001, 05:07 PM
inbuco inbuco is offline
Junior Guru Wannabe
 
Join Date: Jan 2001
Posts: 79

I use port sentry, works very well and it's free.

Here you go, http://www.psionic.com/abacus/portsentry/

I hope that this helps.

  #11  
Old 01-07-2001, 09:03 PM
Toons Toons is offline
WHT Addict
 
Join Date: Dec 2000
Location: Scotland
Posts: 134
In terms of monitoring users already on the servers (those that have telnet access), we use a modified version of bash that logs all their commands directly to a file, which is then grepped once a day for various suspect words, and anything interesting is mailed to the admins. We don't publicise the fact too much (not that we hide it either), so it hasn't put people off trying, but it's certainly helped us catch several people trying various exploits, trying to DoS from our servers, etc.

If anyone wants a copy, I can probably dig it out.

Regards,

Tony Lucas

__________________
Founder & SVP Product
Flexiant Ltd
Simplifying the Cloud - Designed for Service Providers
http://www.flexiant.com

  #12  
Old 01-07-2001, 09:08 PM
UnitedTec UnitedTec is offline
Junior Guru Wannabe
 
Join Date: Sep 2000
Posts: 99
I would love to have a copy. Please contact me about it.



  #13  
Old 01-08-2001, 12:21 AM
CRego3D CRego3D is offline
Web Hosting Master
 
Join Date: Sep 2000
Posts: 1,618
Please, me too, that sounds like a terrific add-on.

__________________
Carlos Rego
OnApp CVO

The Cloud Engine

  #14  
Old 01-08-2001, 04:06 AM
kunal kunal is offline
Web Hosting Master
 
Join Date: Aug 2000
Posts: 2,750
Could I have a copy too, please?

__________________
The Php Support Desk
http://www.phpsupportdesk.com
Custom programming - kunal @ e-phoria.com
http://www.pingzine.com - Ping!Zine. the FREE, FRESH and EXCITING Web Hosting Magazine...

  #15  
Old 01-08-2001, 04:46 AM
Toons Toons is offline
WHT Addict
 
Join Date: Dec 2000
Location: Scotland
Posts: 134
It's at http://www.virtualhoster.co.uk/bash+xcal.tar.gz for those that are interested.

Logs to /var/log/.bashlogs.

I'll leave it up to you guys to write the cron scripts for it, as ours are integrated into other scripts.

Regards,

Tony Lucas

__________________
Founder & SVP Product
Flexiant Ltd
Simplifying the Cloud - Designed for Service Providers
http://www.flexiant.com
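
Added example, not part of any post in this thread and not the scripts the poster refers to: one way to write the daily scan of a shell command log for suspect words described in posts #11 and #15. The log layout, the watch list, the `daily_report` helper and the sample lines are assumptions constructed for illustration; the thread does not show the format of /var/log/.bashlogs.

```shell
#!/bin/sh
# Added example: scan a shell command log for watch-listed words.
# ASSUMED log layout (not given in the thread): "DATE TIME USER COMMAND..."

WATCHLIST="nmap shadow exploit"   # constructed watch list; tune per site

# Constructed sample log.
sample_cmdlog() {
cat <<'EOF'
2001-01-07 20:11:03 alice ls -la public_html
2001-01-07 20:12:40 bob gcc -o exploit exploit.c
2001-01-07 20:13:02 bob ./exploit
2001-01-07 20:15:19 carol cat /etc/shadow
2001-01-07 20:16:55 alice vi shadowbox.css
2001-01-07 20:20:31 dave nmap 192.0.2.10
EOF
}

# scan_cmdlog: log on stdin; prints "USER: <log line>" for each hit.
# The command is split into tokens on non-alphanumerics and a token must
# EQUAL a watch word, so "shadowbox.css" is not reported for "shadow".
scan_cmdlog() {
  awk -v words="${WATCHLIST}" '
    BEGIN { n = split(words, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
    {
      cmd = ""
      for (i = 4; i <= NF; i++) cmd = cmd " " $i
      m = split(tolower(cmd), tok, "[^a-z0-9]+")
      for (i = 1; i <= m; i++)
        if (tok[i] in watch) { print $3 ": " $0; break }
    }'
}

# daily_report LOGFILE ADMIN_ADDRESS: for cron; mails only when there are hits.
daily_report() {
  hits=$(scan_cmdlog < "$1")
  [ -z "$hits" ] || printf '%s\n' "$hits" | mail -s "shell log hits on $(hostname)" "$2"
}

sample_cmdlog | scan_cmdlog
```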
