Wednesday, April 09, 2003

How to monitor suspicious activity?

You can get the iplogger package, which will log every tcp connection made
to your machine. The lsof package is also useful for finding out if a
service is running on a port on your own machine. I believe lsof is
kernel version dependent, so you may have to expirement some....

example:
[bash]$ lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
sshd 32211 root 6u inet 0x0149ac0c 0t0 TCP *:ssh (LISTEN)

Also, if you are paranoid, I would suggest getting the tripwire package.
This will monitor your system for changed system files.

No comments: