[plug] Methods for intruder detection
Alastair Irvine
alastair at plug.org.au
Mon Dec 14 14:52:27 AWST 2020
On Fri, 07 August, 2020 at 10:16:34PM +0800, ıuoʎ wrote:
> Hi Alastair.
[snip hardening commentary]
>
> By intrusion detection I didn't mean scanning the system for rootkits or
> even having complex rules to detect system changes,
> I was mostly thinking of having small targeted beacons that will send
> alerts whenever triggered.
> Examples of some I already have on my vps -
> - Get an email on every login (might be noisy for people but I don't often
> log in to my vps, and even if I did I'll notice getting such an e-mail when I
> haven't)
logwatch
> - Spread some canary files that will look sensitive but will send an e-mail
> once opened (these are very accurate as they will never be opened by someone
> who knows the system, but an attacker will find it hard to avoid opening
> credit_cards_backup-2019.pdf especially if it's in the trash folder)
inotify
>
> cmd.com <http://cmd.com> seems to be an amazing solution.
> If you enable 2fa not only do you get notifications when someone tries to run
> a command on the server, but you also prevent the execution
AppArmor or SELinux.
>
> I was wondering if there is anything similar that might be open source.
> And any other tools that might fill a similar role of relatively low noise
> signals once an intrusion did happen.
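As an added illustration of the "e-mail on every login" beacon discussed above (this is example code written for this page, not something posted by either participant), the script below turns each successful OpenSSH login found in an auth log into a short alert and ignores everything else, which is what keeps the signal low-noise. It assumes the default sshd syslog line format; the sample log lines are constructed, the e-mail step is dry-run unless an SMTP host is given, and `known_sources` is a hypothetical allow-list the owner fills in with their own usual addresses.

```python
"""Login beacon: one alert per successful sshd login found in an auth log.
Added example, not from the mailing-list thread. Assumes OpenSSH's default
syslog format; e-mail delivery only happens when smtp_host is supplied."""
import re
import smtplib
from email.message import EmailMessage

# Matches the standard OpenSSH success line, e.g.
# "Dec 14 14:52:27 vps sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2"
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Dec 14 14:50:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Dec 14 14:52:27 vps sshd[1234]: Accepted publickey for alastair from 203.0.113.5 port 51234 ssh2
Dec 14 14:53:10 vps CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 14 15:01:44 vps sshd[1350]: Accepted password for backup from 198.51.100.77 port 60010 ssh2
"""


def parse_logins(lines):
    """Return one dict per successful login; failed attempts and non-sshd lines are dropped."""
    events = []
    for line in lines:
        m = LOGIN_RE.match(line.rstrip("\n"))
        if m:
            events.append(m.groupdict())
    return events


def format_alert(event, known_sources=()):
    """Build the alert text; logins from addresses not in known_sources get an extra flag."""
    flag = "" if event["src"] in known_sources else " [UNEXPECTED SOURCE]"
    return (f"login{flag}: {event['user']} via {event['method']} "
            f"from {event['src']}:{event['port']} on {event['host']} at {event['ts']}")


def alerts_for(log_text, known_sources=()):
    """Convenience wrapper: raw log text in, list of alert strings out."""
    return [format_alert(e, known_sources) for e in parse_logins(log_text.splitlines())]


def send_alerts(alerts, to_addr, smtp_host=None):
    """Wrap each alert in an e-mail; deliver only when smtp_host (hypothetical) is set."""
    msgs = []
    for body in alerts:
        msg = EmailMessage()
        msg["Subject"] = "[beacon] ssh login"
        msg["To"] = to_addr
        msg["From"] = to_addr
        msg.set_content(body)
        msgs.append(msg)
        if smtp_host:  # real delivery only when explicitly configured
            with smtplib.SMTP(smtp_host) as s:
                s.send_message(msg)
    return msgs


if __name__ == "__main__":
    # Dry run over the constructed sample: prints two alerts, the second flagged.
    for a in alerts_for(SAMPLE_LOG, known_sources={"203.0.113.5"}):
        print(a)
```

In practice the script would be fed by `tail -F` on the auth log or run from cron over the last rotation; the allow-list only adds a flag, so every login still produces a message, matching the "I'll notice an e-mail I didn't cause" reasoning above.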