
Thread: Rootkit security monitoring in ISP

  1. #1
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206

    Rootkit security monitoring in ISP

    I have a few hundred Linux servers installed and I am trying to find the best solution for rootkit monitoring on these boxes, maybe even something that allows for large-scale deployments.

    I currently run rkhunter, but it's not enough: there are loads of logs and I need something to help me raise red flags and spot problems quickly.

    Any ideas?
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford
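The complaint above is about volume: rkhunter on a few hundred hosts produces far more log than anyone reads. The following is an added example (not part of the thread and not rkhunter's own code) of the kind of fleet-wide triage that turns those logs into a short red-flag list. It assumes rkhunter-style `[HH:MM:SS] Warning: ...` lines, a site-specific allowlist of warnings you have already explained, and constructed sample logs for three hosts; adjust the regex and allowlist to your own rkhunter.log.

```python
"""Summarise rkhunter-style warnings from many hosts into one red-flag report.

Added example for this thread, not rkhunter's own code. The log line format
is an assumption modelled on rkhunter's "[HH:MM:SS] Warning: ..." output;
the sample logs and the allowlist are constructed.
"""
import re
from collections import defaultdict

# Assumed line shape: "[03:00:02] Warning: <message>"
WARNING_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+Warning:\s+(.*)$")

# Constructed sample: host -> log text, as collected centrally (rsync, syslog, ...).
SAMPLE_LOGS = {
    "web01": """[03:00:01] Info: Starting test name 'filesystem'
[03:00:02] Warning: Hidden directory found: /dev/.udev
[03:00:05] Info: Checking for prerequisites
[03:00:09] Warning: The command '/usr/bin/ls' has been replaced by a script: /usr/bin/ls: POSIX shell script
""",
    "web02": """[03:00:01] Info: Starting test name 'filesystem'
[03:00:02] Warning: Hidden directory found: /dev/.udev
[03:00:08] Info: System checks summary
""",
    "db01": """[03:00:01] Info: Starting test name 'filesystem'
[03:00:08] Info: System checks summary
""",
}

# Warnings already investigated and explained for this site (assumption: a
# hand-maintained allowlist; keep it short and review it when the distro changes).
ALLOWLIST = (
    "Hidden directory found: /dev/.udev",
)


def parse_warnings(log_text):
    """Return the warning messages found in one rkhunter-style log."""
    warnings = []
    for line in log_text.splitlines():
        m = WARNING_RE.match(line)
        if m:
            warnings.append(m.group(2).strip())
    return warnings


def triage(logs, allowlist=ALLOWLIST):
    """Split warnings per host into red flags and allowlisted noise.

    Returns (red_flags, noise), both dicts host -> list of messages; hosts
    with nothing in a category are absent from that dict.
    """
    red_flags = defaultdict(list)
    noise = defaultdict(list)
    for host, text in logs.items():
        for msg in parse_warnings(text):
            if any(msg.startswith(a) for a in allowlist):
                noise[host].append(msg)
            else:
                red_flags[host].append(msg)
    return dict(red_flags), dict(noise)


def fleet_frequency(logs):
    """Count on how many hosts each distinct warning appears.

    A warning present on every host is more likely a distro or config quirk;
    one present on a single host is the one to look at first.
    """
    counts = defaultdict(int)
    for text in logs.values():
        for msg in set(parse_warnings(text)):
            counts[msg] += 1
    return dict(counts)


def report(logs):
    """Build the short list an on-call admin actually reads."""
    red, noise = triage(logs)
    freq = fleet_frequency(logs)
    lines = []
    for host in sorted(logs):
        for msg in red.get(host, []):
            lines.append(f"RED  {host}: {msg} (seen on {freq[msg]}/{len(logs)} hosts)")
    suppressed = sum(len(v) for v in noise.values())
    lines.append(f"{suppressed} allowlisted warning(s) suppressed")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOGS)))
```

The host count per warning is the useful part at ISP scale: a replaced `/usr/bin/ls` on one host out of three is a different event from a `/dev/.udev` warning on every host after a package update.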

  2. #2
    Junior Member
    Join Date
    Aug 2010
    Posts
    1
    I'm not sure if it does everything you're looking for, but Tripwire is a tried and true solution.

  3. #3
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    I have been looking around a lot and I'm thinking OSSEC seems like the best option to me.
    And from their site:

    OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.

    It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. A list with all supported platforms is available here.


    If anyone has any other ideas I am all ears.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford
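Both Tripwire (post #2) and the OSSEC feature list above rest on the same mechanism, file integrity checking: record a baseline of hashes and metadata for the files you care about, then diff later scans against it. The following is an added example of that mechanism, written for this thread; it is not code from Tripwire, OSSEC or the thread, and the directory layout and file contents in the test are constructed.

```python
"""Minimal file-integrity baseline and compare, in the spirit of Tripwire /
OSSEC syscheck. Added example for this thread, not either project's code.
"""
import hashlib
import json
import os
import stat


def file_record(path):
    """Metadata and content hash for one path (lstat, so symlinks are not followed)."""
    st = os.lstat(path)
    rec = {
        "mode": oct(st.st_mode),   # includes setuid/setgid bits, so a SUID flip shows up
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a retargeted symlink is a change too
    return rec


def build_baseline(root):
    """Map relative path -> record for every file below root (no symlink descent)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            baseline[os.path.relpath(p, root)] = file_record(p)
    return baseline


def compare(baseline, current):
    """Diff two baselines: added and removed paths, and which fields changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in set(baseline) & set(current):
        old, new = baseline[rel], current[rel]
        diffs = [k for k in set(old) | set(new) if old.get(k) != new.get(k)]
        if diffs:
            changed[rel] = sorted(diffs)
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline, path):
    """Persist the baseline as JSON (store it off the monitored host)."""
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    import sys
    # Usage: python fim.py /path/to/root baseline.json
    root, store = sys.argv[1], sys.argv[2]
    if os.path.exists(store):
        print(json.dumps(compare(load_baseline(store), build_baseline(root)), indent=2))
    else:
        save_baseline(build_baseline(root), store)
        print(f"baseline written to {store}")
```

Two points the thread's question turns on: the baseline must live somewhere the monitored host cannot rewrite (a rootkit that can replace `/usr/bin/ls` can also edit a baseline stored beside it, which is why OSSEC pushes results to a central server and Tripwire signs its database), and any integrity checker that runs through the possibly-subverted kernel can be lied to, so it complements rather than replaces keeping intruders out in the first place.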

  4. #4
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    First and foremost, you need to prevent the intrusions (duh).


    Are you running SELinux containers? At least chroot environments for each public daemon?

    Use SUID and SGID (carefully) to allow things to read/write where needed without a direct path to root from the user.
    Real security doesn't come with an installer.
