Being capable of detecting an intrusion is as important as being able to stop it once it happens. It is important that you are able to detect the subtle signs left by an intruder during an attack on your system.
Suspicious signs of intrusion include at least the following:
User Indications
- Failed log-in attempts
- Log-ins to accounts that have not been used for an extended period of time
- Log-ins at unusual times, such as outside normal working hours
- The presence of new user accounts that were not created by the system administrator
- Log-ins from unusual locations, as well as repeated failed attempts
System Indications
- Modifications to system software and configuration files
- Gaps in system accounting that indicate that no activity has occurred for a long period of time
- Unusually slow system performance
- System crashes or reboots
- Short or incomplete logs
- Logs with incorrect permissions or ownership or with strange timestamps
- Missing logs
- Abnormal system performance
- Unfamiliar processes
- Unusual graphic displays or text messages
File System Indications
- The presence of new, unfamiliar files or programs
- Changes in file permissions
- Unexplained changes in file size
- Unfamiliar file names in directories
- Missing files
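The file system indications above are all things a baseline comparison can catch mechanically. The following is an added example, not code from the original page or from linuxsecurity.com: it records a SHA-256 digest, size and permission bits for every regular file under a directory, then reports new, missing, modified, resized and re-permissioned files. The `demo()` function builds a small constructed tree in a temporary directory and simulates each kind of change; the file names and contents are made up for illustration. Note that one file is edited without changing its length, which is why the hash, not the size, is the signal to rely on.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record sha256, size and permission bits for every regular file under root.

    Keys are paths relative to root (with '/' separators) so a baseline taken
    on one system can be compared with a later snapshot of the same tree.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": digest,
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare(baseline, current):
    """Diff two snapshots into the categories listed on the page."""
    findings = {"new": [], "missing": [], "modified": [], "resized": [], "permissions": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings["new"].append(path)
        elif path not in current:
            findings["missing"].append(path)
        else:
            before, after = baseline[path], current[path]
            if before["sha256"] != after["sha256"]:
                findings["modified"].append(path)
            if before["size"] != after["size"]:
                findings["resized"].append(path)
            if before["mode"] != after["mode"]:
                findings["permissions"].append((path, oct(before["mode"]), oct(after["mode"])))
    return findings


def _write(path, text, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Constructed tree: take a baseline, simulate changes, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
        _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
        _write(os.path.join(root, "var", "log", "lastlog"), "bob 2024-03-09\n")
        baseline = snapshot(root)

        # 1. Content and size change: an extra account line appended to passwd.
        with open(os.path.join(root, "etc", "passwd"), "a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        # 2. Same-length edit plus a permission change: size stays identical,
        #    so only the hash and the mode reveal it.
        _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhosx\n", mode=0o666)
        # 3. An unfamiliar new file.
        _write(os.path.join(root, "etc", "unknown.conf"), "x=1\n")
        # 4. A missing log file.
        os.remove(os.path.join(root, "var", "log", "lastlog"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

In practice the baseline must be stored somewhere the intruder cannot alter it (read-only media or a separate host), otherwise a modified baseline simply hides the modified files.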
Network Indications
- Repeated probes of the available services on your machines
- Connections from unusual locations
- Repeated login attempts from remote hosts
- Arbitrary or garbage data in log files, indicating attempts to cause a denial of service or to crash services
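Several of the user and network indications above (failed log-ins, repeated attempts from a remote host, log-ins at unusual times, from unusual locations, or to accounts unused for a long period) can be checked against an authentication log. The following is an added example, not code from the original page: it parses OpenSSH-style `sshd` lines and applies a small site policy. The log lines, the working-hours window, the trusted network, the failure threshold, the dormancy limit, the assumed log year and the `LAST_SEEN` table are all constructed assumptions for illustration, not values from the page.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the style of an OpenSSH auth log (not real log data).
SAMPLE_LOG = """\
Mar 10 02:13:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4401 ssh2
Mar 10 02:13:07 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4402 ssh2
Mar 10 02:13:12 gw sshd[2203]: Failed password for root from 203.0.113.7 port 4403 ssh2
Mar 10 02:13:18 gw sshd[2203]: Failed password for root from 203.0.113.7 port 4404 ssh2
Mar 10 02:13:50 gw sshd[2205]: Accepted password for alice from 203.0.113.7 port 4413 ssh2
Mar 10 09:30:01 gw sshd[2301]: Accepted publickey for bob from 192.168.1.20 port 51000 ssh2
Mar 10 23:15:02 gw sshd[2401]: Accepted password for legacy from 192.168.1.21 port 51002 ssh2
Mar 10 12:00:00 gw sshd[2402]: Failed password for bob from 192.168.1.20 port 51003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Assumed site policy (hypothetical values chosen for this example).
WORK_HOURS = range(8, 18)                               # 08:00-17:59 counts as working hours
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # where log-ins are expected from
FAIL_THRESHOLD = 3                                      # failures per source before reporting
DORMANT_DAYS = 90                                       # account unused this long is "dormant"
LOG_YEAR = 2024                                         # syslog timestamps carry no year
# Assumed last successful log-in per account, from an earlier accounting record.
LAST_SEEN = {"alice": "2024-03-01", "bob": "2024-03-09", "legacy": "2023-06-15"}


def parse(text):
    """Turn matching sshd lines into events; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]})
    return events


def analyse(events):
    """Apply the policy and return one list per indication."""
    findings = {"repeated_failures": {}, "off_hours": [], "untrusted_source": [], "dormant_account": []}
    fails = Counter(e["src"] for e in events if not e["ok"])
    findings["repeated_failures"] = {src: n for src, n in fails.items() if n >= FAIL_THRESHOLD}
    for e in events:
        if not e["ok"]:
            continue  # the remaining checks concern successful log-ins only
        if e["time"].hour not in WORK_HOURS:
            findings["off_hours"].append((e["user"], e["src"], e["time"].strftime("%H:%M")))
        addr = ipaddress.ip_address(e["src"])
        if not any(addr in net for net in TRUSTED_NETS):
            findings["untrusted_source"].append((e["user"], e["src"]))
        last = LAST_SEEN.get(e["user"])
        if last:
            idle_days = (e["time"] - datetime.strptime(last, "%Y-%m-%d")).days
            if idle_days >= DORMANT_DAYS:
                findings["dormant_account"].append((e["user"], idle_days))
    return findings


if __name__ == "__main__":
    for category, items in analyse(parse(SAMPLE_LOG)).items():
        print(f"{category}: {items}")
```

A successful log-in that trips more than one check at once (here, `alice` at 02:13 from an untrusted address right after a burst of failures from the same source) deserves the most attention; the individual signals are weak on their own, which is why the page lists so many of them.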
source: www.linuxsecurity.com