
From: Lee Smallbone (lee@kechara.net)
Date: Thu May 03 2001 - 11:44:46 CDT


    Generally I don't tend to rely (too) much on host-based security monitoring.
    Rather, I prefer the NIDS approach (Network Intrusion Detection System).
    Every server here has some host-based monitoring - logcheck, tripwire etc. -
    but the NIDS provides very high quality information that can be relied on
    (more so) than host-based logs, which can be tampered with. That is not to
    say the NIDS data cannot be tampered with, but chances are an attacker
    won't even know one is in place. As snort analyses packets as they travel
    through the network, even exploits that don't work are logged. 'Pre-attack'
    signatures such as port scans, traceroutes, pings and so forth are also
    logged.

    In our particular case, we use snort and acid.
    (www.snort.org, http://www.cert.org/kb/acid/)

     hth,

    --
    

    Lee Smallbone Kechara Internet

    lee@kechara.net www.kechara.net

    Tel: (01243) 869 969 Fax: (01243) 866 685

    03/05/2001 03:18:25, Glenn G <glenn@geekazoid.com> wrote:

    >Good Morning All! I have a quick question regarding security
    >monitoring. We have a Linux server that was recently breached
    >(completely my fault btw. Never got around to securing it up very
    >well.)
    >
    >To my point...FreeBSD has been much more secure in my limited experience
    >than most other OS's out there. I would however like to install more
    >monitoring software on the box so it will alert me if there has been an
    >attack. I have been looking at "mon", "bro", and "logcheck". Can
    >anyone give any recommendations? Experiences?
    >
    >Also, is it worthwhile to install "xinetd"? Again, any advice would be
    >awesome.
    >
    >Any help is greatly appreciated!!! ;-)
    >
    >Happy Day,
    >glenn
    >
    >PS - I am on the digest list so please be patient for any feedback from
    >me. :-)
    >
    >
    >To Unsubscribe: send mail to majordomo@FreeBSD.org
    >with "unsubscribe freebsd-security" in the body of the message
    >
