Quoth [EMAIL PROTECTED],
> I just realized that someone entered my Debian box with
> cablemodem. I couldn't find anything in the logs, but the pump package was
> deleted.
> I replaced inetd with xinetd, took off services I didn't use (it
> was left all default, as I installed in a rush), and now I'd like a good
> intrusion detection system.
> I'd like to hear any advice about not security (too wide)
> but tools to run in cron and which may be useful for this kind of
> situation.
The other advice I have seen you get on the list, to reinstall completely if
you have been compromised, is worth listening to.

As for an intrusion detection system, one that is simple but effective is
AIDE. I'm not sure if Debian packages are available, but it's easy to compile
yourself. It takes a snapshot of your system and will allow you to determine
if any files were changed. Just make sure you do something like put its
database on a floppy so the intruder can't change it.

Less effective (because the md5 sums are kept on your own system and can be
changed by a particularly cluey and patient intruder) is debsums.

cheers,

damon

-- 
Damon Muller             | Did a large procession wave their torches
Criminologist/Linux Geek | As my head fell in the basket,
http://killfilter.com    | And was everybody dancing on the casket...
PGP (GnuPG): A136E829    | - TMBG, "Dead"
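The snapshot-and-compare cycle Damon describes, as an added example that is not part of the thread and not AIDE's own code (AIDE is driven with `aide --init` and `aide --check` and its own config file). The script below reimplements the idea with coreutils so the mechanism is visible: one pass records mode, owner, group, size and a SHA-256 sum for every regular file under a directory, a later pass reports what was added, removed or changed, and a non-zero exit status makes the result usable from cron. The paths in the comments (`/usr/local/sbin/integrity.sh`, `/mnt/floppy/integrity.db`) are assumptions; `stat -c` is the GNU coreutils form found on Debian.

```sh
#!/bin/sh
# integrity.sh: minimal AIDE-style file integrity checker (added example).
#
# Assumed cron usage, with the database kept on read-only media as the
# thread recommends, since anything stored on the compromised disk can be
# rewritten by whoever owns the box:
#   0 3 * * * /usr/local/sbin/integrity.sh check / /mnt/floppy/integrity.db \
#       | mail -s "integrity report" root
# The same caveat applies to this script, sh, find, stat and sha256sum:
# an intruder with root can replace any of them, so run them from trusted
# media too if you want the result to mean anything.

# integrity_snapshot DIR
# Print one tab-separated line per regular file: path, mode:owner:group:size,
# sha256. Tabs separate the fields so that paths containing spaces survive.
integrity_snapshot() {
    find "$1" -xdev -type f -exec sh -c '
        for f; do
            printf "%s\t%s\t%s\n" "$f" \
                "$(stat -c "%a:%U:%G:%s" "$f")" \
                "$(sha256sum < "$f" | cut -d" " -f1)"
        done' sh {} + | LC_ALL=C sort
}

# integrity_init DIR DB
# Take the baseline snapshot of DIR and store it in DB (the "aide --init" step).
integrity_init() {
    integrity_snapshot "$1" > "$2"
}

# integrity_check DIR DB
# Re-snapshot DIR and compare it with DB (the "aide --check" step).
# Prints REMOVED/ADDED/CHANGED lines and returns 1 if anything differs,
# 0 if the tree matches the baseline, 2 on an internal error.
integrity_check() {
    dir=$1; db=$2
    tmp=$(mktemp) || return 2
    integrity_snapshot "$dir" > "$tmp"
    # Index both snapshots by path; a path present in one file only is an
    # addition or removal, a path whose whole record differs is a change
    # (content, permissions, ownership or size).
    report=$(awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $0; next }
        { new[$1] = $0 }
        END {
            for (p in old) if (!(p in new)) print "REMOVED\t" p
            for (p in new) if (!(p in old)) print "ADDED\t" p
            for (p in new) if ((p in old) && new[p] != old[p]) print "CHANGED\t" p
        }' "$db" "$tmp" | LC_ALL=C sort)
    rm -f "$tmp"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Command-line dispatch: integrity.sh init|check DIR DB
case "${1:-}" in
    init)  integrity_init "$2" "$3" ;;
    check) integrity_check "$2" "$3" ;;
esac
```

Because the check compares the whole record, a setuid bit quietly added to a binary shows up as CHANGED even when the file's contents are untouched, which is exactly the kind of modification a content-only md5 list misses.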