Wednesday, April 30, 2003

Locking out non-root users

To disable all user logins (except root's) without taking the
system down into maintenance mode, create the file /etc/nologin.
The contents of this file are displayed when a user tries to log
in. This is useful when servicing the system in a way that might
affect users.
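
One way to script this so the lockout is always lifted again when the
work ends, even if the maintenance command fails (an added example, not
part of the original post; the with_nologin function and the
NOLOGIN_FILE override are hypothetical names introduced here):

```shell
#!/bin/sh
# Added example. NOLOGIN_FILE is a hypothetical override for trying this
# without root; the real file is /etc/nologin.
NOLOGIN_FILE="${NOLOGIN_FILE:-/etc/nologin}"

# usage: with_nologin "message shown at login" command [args...]
with_nologin() {
    msg=$1
    shift
    # noclobber (set -C) makes the redirect fail if the file already exists,
    # so a lockout put in place by someone else is never overwritten or removed.
    if ! ( set -C; printf '%s\n' "$msg" > "$NOLOGIN_FILE" ) 2>/dev/null; then
        echo "cannot create $NOLOGIN_FILE (already present, or not root)" >&2
        return 2
    fi
    chmod 644 "$NOLOGIN_FILE"
    rc=0
    (
        # Remove the file when this subshell exits, however it exits.
        trap 'rm -f "$NOLOGIN_FILE"' EXIT
        trap 'exit 130' INT TERM HUP
        "$@"
    ) || rc=$?
    return "$rc"
}

# When run as a script: ./maint.sh "message" command [args...]
if [ "$#" -ge 2 ]; then
    with_nologin "$@"
    exit $?
fi
```

The function returns the maintenance command's own exit status, or 2 if
the lockout file could not be created.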

Wednesday, April 09, 2003

How to monitor suspicious activity?

You can get the iplogger package, which will log every TCP connection made
to your machine. The lsof package is also useful for finding out if a
service is running on a port on your own machine. I believe lsof is
kernel version dependent, so you may have to experiment some...

Example:
[bash]$ lsof -i :22
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF INODE NAME
sshd    32211 root    6u  inet 0x0149ac0c      0t0   TCP *:ssh (LISTEN)

Also, if you are paranoid, I would suggest getting the tripwire package.
This will monitor your system for changed system files.