(Taken Noah's advice and subscribed :)

On Sun, 14 Jan 2001, Bradley M Alexander wrote:

> The problem with this is that you can't prove a negative. You can prove
> that you _have_ been broken into, but you cannot prove that you _haven't_.
>
> The same is true for your machines. You can prove that they are not secure,
> but you cannot prove with 100% assurance that they are secure.

That is my main cause of concern. As it is, I see my machine and locate no breach of security, at least having checked all files that I would think would look compromised. What if this guy is a really good hacker and knows how to cover his tracks?

> I do agree that reporting a portscan is probably overkill. But you should
> at least note where it is coming from and what they are scanning.

Actually, I noted the IPs, mailed the log file to another mail address on another machine (so that I know he doesn't tamper with the log files without me noticing), denied all access from these IPs in the firewall setup and am now paying close attention to strange behaviour that comes up.

> Or it is possible to use spoofed addresses from most modern portscanners.

That would mean he would have to be in a machine near to mine, right? (connection-wise, at least) Otherwise any response I sent would go to the true owner of the spoofed address. How could he tamper with all routing tables of the intermediate routers?

> Tripwire version 2.2.1 for Linux has been released to GPL and is available
> from their website, http://www.tripwiresecurity.com. There is no listing
> there of version 2.3, so 2.2.1 seems to be the latest and greatest.
>
> There is also AIDE, the Advanced Intrusion Detection Environment, which is
> also packaged.

I'll give both a look. Although I got really interested in LIDS, which seems to offer a unique approach to security...

In any case, thanks for the really valuable help.

Konstantinos Margaritis
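A baseline-and-compare check of the kind Tripwire and AIDE automate, added here as an example (not code from this thread or from either project): it hashes every regular file under a directory and reports what was added, removed or modified since the baseline. The demo builds a throwaway tree with constructed contents and simulated tampering; the baseline itself has to live off-host, as the log files above do, because an intruder with root can rewrite an on-host copy.

```python
# Minimal file-integrity baseline/compare in the spirit of Tripwire/AIDE.
# Added example, not code from the mailing-list thread or from either project.
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each regular file under root to (sha256, size, permission bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs not followed
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            st = p.stat()
            snap[str(p.relative_to(root))] = (digest, st.st_size, st.st_mode & 0o7777)
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it the way a tampered host would look."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"original ls binary")        # constructed content
        (bin_dir / "ps").write_bytes(b"original ps binary")
        (Path(root) / "messages.log").write_text("Jan 14 portscan from 192.0.2.10\n")
        baseline = snapshot(root)  # in practice: store this copy on another machine
        # Simulated tampering: replaced binary, emptied log, new hidden file dropped in.
        (bin_dir / "ps").write_bytes(b"trojaned ps binary")
        (Path(root) / "messages.log").write_text("")
        (bin_dir / ".hidden").write_bytes(b"x")
        return compare(baseline, snapshot(root))
```

A clean compare only says no tracked file changed; it cannot show the host is secure, which is exactly the negative the thread says cannot be proven.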