Another common practice is to install a packet sniffer. This builds a list of usernames and passwords for any telnet or FTP logins taking place on the same network segment as the compromised machine. In theory, other logins may be captured as well, such as IMAP, POP3 (email), Windows networking etc. Again, if a watch is kept for this activity (signalled by a network interface changing status to promiscuous mode), an intrusion may be detected. (However, it would be possible for a hacker to monitor logins to the compromised machine ONLY without changing the interface status.)
LIDS - Linux Intrusion Detection System - is a series of kernel patches that enable module and mountpoint locking. LIDS is available from LIDS.org.
The Linux Security Audit Project was created to help coordinate and discuss the security and auditing of free software.
The NSA has a Secure Linux project which includes a mandatory access control architecture.
Bastille Linux is a series of scripts which tighten up security on stock Linux systems by changing permissions and disabling features. Taken to the extreme, this will also prevent legitimate work, so it is more suitable for hardening a dedicated loghost or fileserver than a development system. Bastille is available from www.bastille-linux.org.
Tripwire is a package which monitors checksums in a similar way to rkdet, but is designed to be run at discrete intervals such as once a day. It monitors many more files. Tripwire may be found at www.tripwire.org.
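To show what the checksum monitoring done by rkdet and Tripwire amounts to, here is an added example (not code from rkdet, Tripwire or this page's author) of a minimal baseline-and-compare integrity checker. It records a SHA-256 digest, size and permission bits for every regular file under a directory, then reports files that were added, removed or changed since the baseline. The demo() function builds a constructed fake /bin in a temporary directory and simulates tampering; the file names and contents are made up for the demonstration.

```python
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits of every regular file under root.
    Returns {relative_path: {"sha256": ..., "size": ..., "mode": ...}}."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": sha256_of(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return baseline


def compare_baselines(old, new):
    """Classify differences between two baselines as added / removed / changed."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "changed": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: snapshot a fake bin/, then alter ps, add a hidden
    file and delete netstat, and report what the comparison finds."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        before = build_baseline(root)

        # Simulated tampering (constructed content, not real malware)
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho modified ps\n")
        with open(os.path.join(bindir, ".hidden"), "wb") as f:
            f.write(b"x\n")
        os.remove(os.path.join(bindir, "netstat"))
        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the stored baseline: keep it (and the checker itself) on read-only or off-host storage, since an intruder who can replace /bin/ps can just as easily rewrite a baseline left on the same disk.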
PortSentry is a program which logs (and optionally blocks) access to TCP and UDP services on the system. It will detect scans for exploitable services (old versions of imap, ftp) and scans for trojan horses (Back Orifice, Netbus etc.). PortSentry is available from www.psionic.com.
ifstatus by David A Curry is a standalone program to check for promiscuous interfaces. It builds on a range of Unix systems, including Sun Solaris. ifstatus is available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/
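The promiscuous-mode check described above (for sniffer detection) and implemented by ifstatus can be reproduced on Linux with a few lines, shown here as an added example that is not ifstatus's own code nor from this page. Where ifstatus queries interface flags through ioctl, this script reads the flag word Linux exposes in /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit (0x100). The sample interface names and flag values under build_sample_sysfs() are constructed for the offline demo.

```python
import os
import tempfile

# IFF_PROMISC from <linux/if.h>; Linux exposes the interface flag word as a
# hex string in /sys/class/net/<iface>/flags.
IFF_PROMISC = 0x100


def flags_are_promiscuous(flags_text):
    """Parse the hex flag word (e.g. '0x1103') and report whether IFF_PROMISC is set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def scan_sysfs(sysfs_net="/sys/class/net"):
    """Return {iface: True/False} for every interface directory under sysfs_net.
    Entries that cannot be read or parsed are skipped, not reported as clean."""
    result = {}
    if not os.path.isdir(sysfs_net):
        return result
    for iface in sorted(os.listdir(sysfs_net)):
        flags_path = os.path.join(sysfs_net, iface, "flags")
        try:
            with open(flags_path) as f:
                result[iface] = flags_are_promiscuous(f.read())
        except (OSError, ValueError):
            continue
    return result


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Names of the interfaces currently in promiscuous mode."""
    return [name for name, promisc in scan_sysfs(sysfs_net).items() if promisc]


def build_sample_sysfs(root):
    """Constructed stand-in for /sys/class/net: lo (UP|LOOPBACK), eth0
    (UP|BROADCAST|MULTICAST), eth1 the same plus IFF_PROMISC."""
    samples = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103"}
    for iface, flags in samples.items():
        os.makedirs(os.path.join(root, iface), exist_ok=True)
        with open(os.path.join(root, iface, "flags"), "w") as f:
            f.write(flags + "\n")
    return root


def demo():
    """Run the scan over the constructed tree; returns ['eth1']."""
    with tempfile.TemporaryDirectory() as tmp:
        return promiscuous_interfaces(build_sample_sysfs(tmp))


if __name__ == "__main__":
    print("constructed sample tree:", demo())
    print("this host:", promiscuous_interfaces())
```

Run it from cron and log any non-empty result. As the text notes, a sniffer that only captures logins to the compromised host itself never needs promiscuous mode, and a rootkit that has patched the kernel can lie about the flag, so treat a clean result as one signal rather than proof.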
dtk or "Deception Toolkit" is a kit of fake daemons and services designed to waste an intruder's time. dtk is available from all.net/dtk/example.html
Note: many people see an "out of space" error with versions of rkdet prior to 0.54. Please increase the allocations defined in rkdet.c:

    #define MAXF 30
    #define SIZES 3000
    #define SIZEF 2000
Maintained by Andrew Daviel