All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
For linux admin: How to monitor/detect intrusion?
greattomeetyou
Member
What kind of package or technique do you recommend to monitor/detect intrusion?
Thanks.
Comments
fail2ban
A brain.
Debian.
fail2ban.
AllowUsers IPADDRESS in ssh config / public key .
cat /var/log/secure | grep "Accepted"
https://github.com/zhangchuan/book/blob/master/securit/Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort.pdf
I'd also recommend sending logs remotely, e.g. rsyslog, to make it harder for an intruder to wipe logs.
A good backup strategy and configuration management (ansible, puppet, chef, etc) make it easier to blow away and resurrect a VM if there's a suspicion that it's been owned.
What's that?
Why da fugg would I know that? I'm not a linux admin.
P.S. In case your question is important to you: "$7" is always a good guideline.
The best solution I have personally seen in my experience: a user disabled and killed every task on the VPS - the stupid way to protect it, or alternatively just shut down the VPS.
Huh? Are those words?
To watch it live:
tail -f /var/log/auth.log
To check back over it:
cat /var/log/auth.log | grep "Accepted"
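The replies above boil down to two habits: grep the auth log for "Accepted" to see who actually got in, and let fail2ban count failures per source. The script below is an added example (my code, not something posted in this thread) that does both over a handful of constructed sshd lines in the auth.log/secure syslog format; the `known_ips` allow-list and the failure threshold are assumptions chosen for illustration, and on a real box you would point it at the log file instead of the embedded sample.

```python
import re
import sys
from collections import Counter

# Constructed sample of sshd lines in the format used by /var/log/auth.log
# (Debian/Ubuntu) and /var/log/secure (RHEL family). Not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 vps1 sshd[2311]: Accepted publickey for deploy from 203.0.113.7 port 51022 ssh2: RSA SHA256:abc
Mar  3 10:02:40 vps1 sshd[2320]: Failed password for root from 198.51.100.23 port 40011 ssh2
Mar  3 10:02:43 vps1 sshd[2320]: Failed password for root from 198.51.100.23 port 40011 ssh2
Mar  3 10:02:47 vps1 sshd[2320]: Failed password for invalid user admin from 198.51.100.23 port 40012 ssh2
Mar  3 10:03:01 vps1 sshd[2331]: Accepted password for root from 198.51.100.23 port 40020 ssh2
Mar  3 10:05:15 vps1 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:07:30 vps1 sshd[2450]: Accepted publickey for deploy from 203.0.113.7 port 51030 ssh2: RSA SHA256:abc
"""

# What `grep "Accepted"` finds, but with method/user/source pulled out.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Failed password attempts, including the "invalid user" variant.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_events(text):
    """Split log text into (accepted, failed) lists of dicts with user/ip (and method)."""
    accepted, failed = [], []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groupdict())
            continue
        m = FAILED_RE.search(line)
        if m:
            failed.append(m.groupdict())
    return accepted, failed


def failures_per_ip(failed):
    """Count failed attempts per source IP, the same signal fail2ban bans on."""
    return Counter(e["ip"] for e in failed)


def suspicious_logins(accepted, failed, known_ips, threshold=3):
    """Flag successful logins that deserve a look: source not on the allow-list,
    password rather than key auth, or a burst of failures from that IP right
    before it succeeded (a guessing run that eventually worked)."""
    fails = failures_per_ip(failed)
    flagged = []
    for e in accepted:
        reasons = []
        if e["ip"] not in known_ips:
            reasons.append("unknown source")
        if e["method"] == "password":
            reasons.append("password auth")
        if fails[e["ip"]] >= threshold:
            reasons.append(f"{fails[e['ip']]} prior failures")
        if reasons:
            flagged.append((e["user"], e["ip"], reasons))
    return flagged


if __name__ == "__main__":
    # Usage: python sshd_check.py [/var/log/auth.log]; without an argument the
    # constructed sample is used. known_ips is an assumed allow-list.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    acc, fail = parse_sshd_events(text)
    print("accepted logins:", [(e["user"], e["ip"], e["method"]) for e in acc])
    print("failures per ip:", dict(failures_per_ip(fail)))
    for user, ip, reasons in suspicious_logins(acc, fail, known_ips={"203.0.113.7"}):
        print(f"REVIEW: {user} from {ip}: {', '.join(reasons)}")
```

Run against the sample, only the root login from 198.51.100.23 is flagged; the two key-based deploy logins from the allow-listed address pass quietly. Pair this with remote syslog as suggested earlier in the thread, since a report built from a log the intruder can edit is only as trustworthy as that log.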