Admin Digest: The Basics of Linux Network Security - page 4
Linux has a comprehensive set of subsystems to let the systems administrator know what is going on with his or her system. All manner of log files are generally kept in the /var/log directory. Most of the standard services log information to /var/log/syslog and /var/log/messages about users connecting to them or attempting to connect. There are also log files for such services as apache (/var/log/httpd/access_log), mail (/var/log/mail) and firewall (/var/log/firewall).
The main problem with logging events is that one tends to end up with far too much data. So careful filtering, and logging only what actually matters, is essential.
There are some good tools out there that will make this work easier.
Ethereal is a packet sniffer. With it you can capture various types of packets over a given period of time. It also shows all manner of information about the packets. It's useful for watching packets coming into and going out of your machine. Generally it will detect traffic on your network segment.

Another logging/intrusion detection type tool is called Tripwire. It takes a snapshot of your important system files and records their signature in a database. Various signature levels are available from mild to wild. You can also set the rules in a policy file to tell Tripwire what to check. After the database is initialized and signed, Tripwire can be executed whenever you need to check the integrity of your system. The report will point out when your files are changed and the severity of the security risk. The Tripwire report is pretty easy to read and can be customized according to your file tracking needs. Why not set Tripwire up to run every day, early in the morning, and have a report ready to look at with your first cup of coffee?
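A minimal integrity checker in the style the Tripwire paragraph describes, added here as an illustration rather than Tripwire's own code: a policy maps each file to a severity, `init_database` snapshots content hashes and permissions, and `check_integrity` reports which files changed or vanished, most severe first. The file names, severity numbers and sample contents are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile


def file_signature(path):
    """Snapshot one file: content hash plus permission bits and size."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": st.st_mode & 0o7777, "size": st.st_size}


def init_database(policy, db_path):
    """Baseline every file named in the policy ({path: severity}) into a JSON database."""
    db = {p: file_signature(p) for p in policy if os.path.exists(p)}
    with open(db_path, "w") as f:
        json.dump(db, f)
    return db


def check_integrity(policy, db_path):
    """Compare the live files with the baseline; return (severity, path, detail) findings."""
    with open(db_path) as f:
        db = json.load(f)
    findings = []
    for path, severity in sorted(policy.items(), key=lambda kv: -kv[1]):
        if path not in db:
            continue  # never baselined, so there is nothing to compare against
        if not os.path.exists(path):
            findings.append((severity, path, "missing"))
            continue
        now = file_signature(path)
        changed = [k for k in db[path] if db[path][k] != now[k]]
        if changed:
            findings.append((severity, path, "changed: " + ", ".join(changed)))
    return findings


def demo():
    """Constructed scenario: baseline three files, then tamper with one and delete another."""
    d = tempfile.mkdtemp()
    passwd, motd, cron = (os.path.join(d, n) for n in ("passwd", "motd", "crontab"))
    for p, data in ((passwd, b"root:x:0:0\n"), (motd, b"welcome\n"), (cron, b"0 5 * * * check\n")):
        with open(p, "wb") as f:
            f.write(data)
    policy = {passwd: 100, cron: 66, motd: 10}  # hypothetical severities
    db_path = os.path.join(d, "integrity.db")
    init_database(policy, db_path)
    with open(passwd, "ab") as f:
        f.write(b"eve:x:0:0\n")  # simulated tampering
    os.remove(motd)
    return check_integrity(policy, db_path)
```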
A popular program for detecting access attempts (via the network) and port scans is Snort. The program produces files that log these types of activities and even gives some idea of where to find out more information. Of course, then you have the same problem as with other log files. It gets tough for a busy system administrator to review all the log files on a regular basis.