Security of Linux’s Network – Scan and syslog
The first thing hackers do before they invade a computer system is scan the network. If there is monitoring software that can detect their accesses immediately, we can protect our system. In the worst situation it may seem we have to shut down the system, but even that is useful.
The three common monitor tools are listed here:
1.klaxon: if we use klaxon to listen on many ports, the system may be open to a denial-of-service attack, because the listeners put a heavy load on the inetd process.
2.courtney: sniff and tcpdump
3.scanlogd: if scanlogd detects 7 connections to privileged ports within 3 seconds, or 5 scans within 20 seconds, it stops recording the connections, so that a flood of denied-connection messages does not fill the system's log.
As the name indicates, scanlogd only logs port scans. It does not prevent them. You will only receive summarized information in the system's log.
Obviously, the source address of a port scan can be spoofed. Don't take any action against the source of an attack unless other evidence is available. Sometimes an IP address is shared between many people; this is the case for ISP shell servers, dynamic dial-up pools, and corporate networks behind NAT (NAT is also called masquerading).
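To make the scanlogd thresholds above concrete, here is an added example (not scanlogd's own code) that replays constructed connection events through a small detector: 7 distinct privileged ports from one source within 3 seconds flags a scan, and once 5 scans have been flagged within 20 seconds further reports are suppressed. The sample addresses and the privileged-port cutoff of 1023 are assumptions.

```python
from collections import defaultdict, deque
# Thresholds as stated in the notes; treated here as assumed defaults.
PORT_THRESHOLD = 7        # distinct privileged ports that make a scan
PORT_WINDOW = 3.0         # seconds in which those ports must be hit
SCAN_THRESHOLD = 5        # scans reported before logging is suppressed
SCAN_WINDOW = 20.0        # seconds over which reported scans are counted
PRIVILEGED_MAX = 1023     # assumption: ports <= 1023 count as privileged

class ScanDetector:
    """Flags per-source port scans from (timestamp, src, dport) events,
    mimicking the thresholds described for scanlogd (not its real code)."""
    def __init__(self):
        self.ports = defaultdict(deque)   # src -> deque of (ts, dport)
        self.scan_times = deque()         # timestamps of reported scans
        self.log = []                     # lines we would send to syslog
        self.suppressed = 0               # reports dropped by the flood limit

    def connection(self, ts, src, dport):
        if dport > PRIVILEGED_MAX:
            return None                   # only privileged ports count here
        q = self.ports[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > PORT_WINDOW:
            q.popleft()                   # drop hits outside the 3 s window
        distinct = {p for _, p in q}
        if len(distinct) < PORT_THRESHOLD:
            return None
        q.clear()                         # report one scan per burst
        return self._report(ts, src, sorted(distinct))

    def _report(self, ts, src, ports):
        while self.scan_times and ts - self.scan_times[0] > SCAN_WINDOW:
            self.scan_times.popleft()     # drop reports outside the 20 s window
        if len(self.scan_times) >= SCAN_THRESHOLD:
            self.suppressed += 1          # too many scans: stop logging
            return None
        self.scan_times.append(ts)
        line = f"{src}: scan of {len(ports)} privileged ports: {ports}"
        self.log.append(line)
        return line

def run_sample():
    """Constructed events: one host sweeps ports 21..50 in three seconds
    (4 reports), then six hosts each hit 7 ports; the sixth is suppressed."""
    d = ScanDetector()
    for i in range(1, 31):
        d.connection(100.0 + i * 0.1, "10.0.0.5", 20 + i)
    for h in range(6):
        for p in range(7):
            d.connection(200.0 + h, f"192.0.2.{h}", 22 + p)
    return d
```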
Note: IDE and SATA hard disk devices are the same except for the interface.
Nautilus is the graphical interface of GNOME.
System hardening:
Hardening tools raise security by checking the system for excessive permission grants. Some hardening systems are listed here: Bastille, Openwall Linux, LIDS.
The syslog process records messages into the system's logs by severity level: emerg, alert, crit, err, warning, notice, info and debug.
/etc/syslog.conf is the configuration file of the syslog process. The format of each line in /etc/syslog.conf is:
facility.loglevel logtarget
for example:
daemon.notice /var/log/daemon.log
Note, logtarget can be configured not only as a local path but also as a remote log server, by adding "@" before the target string. This is very useful when the local system has been compromised by hackers. Even if everything on localhost was erased by a hacker who wants nobody to find his trace, we can still find the log information on the remote log server.
In some cases a user types the password text as the username; yes, this login failure would be recorded in the system's log. How dangerous it is! Hackers could analyze the log file and detect this type of log string, so that the password is acquired easily. How to prevent this? I think nobody except root should be permitted to read the system's log.
These tools are used to analyze the system's log: Swatch, Logsurfer.