I like to have as much control as possible; I like to be notified when something happens to my machines, of any changes at all that might need my attention, as fast as possible.
And I like to have it all in one secure place.
So I'm setting up my home server to be my eyes and ears on my network as well as outside of it.
This is the list of services I am going to install, or have already installed, to accomplish my goals:
Snort - Network IDS
OSSEC - IDS/Monitoring
Nagios - Monitoring/Alert
ip personality - Mask/Spoof traffic characteristics to lure scanners
VMware - to jail services that I don't trust (like teamspeak)
Anything more that could be fun/useful?
Going to insert a wireless card later and monitor wireless net here as well ... just for fun x)
"Total control" List of apps
"The best place to hide a tree, is in a forest"
- bad_brain
you might want to take a look at grsecurity:
http://www.grsecurity.net
it's actually a set of patches that provide a lot of extra kernel features in order to secure a system...
have you thought about creating a SHA or MD5 of your files on your file system? I wrote a Python script that can accomplish this. For really large and a lot of files I'm not sure how long it would take, but if you just had a small or medium size directory that needed to be hashed to be compared against, this may work.
just a thought, I can send ya the app if ya like
Code:
    # Python 2
    import hashlib
    import os
    # entry (a Tkinter Entry holding the directory to scan), textbox (a Tkinter Text
    # widget) and END come from the GUI part of the app, which is not shown here.

    def md5_for_file(f, excludeLine="", includeLine=""):
        # MD5 of a file's contents, read line by line. Lines starting with
        # excludeLine are skipped; includeLine is appended to the hashed data.
        m = hashlib.md5()
        try:
            fd = open(f, "rb")
        except IOError:
            print "Unable to open the file in readmode:", f
            return
        eachLine = fd.readline()
        while eachLine:
            if excludeLine and eachLine.startswith(excludeLine):
                eachLine = fd.readline()  # advance before skipping, or the loop never ends
                continue
            m.update(eachLine)
            eachLine = fd.readline()
        m.update(includeLine)
        fd.close()
        return m.hexdigest()

    def sha_for_file(f, excludeLine="", includeLine=""):
        # Same as md5_for_file, but with SHA-224.
        s = hashlib.sha224()
        try:
            fd = open(f, "rb")
        except IOError:
            print "Unable to open the file in readmode:", f
            return
        eachLine = fd.readline()
        while eachLine:
            if excludeLine and eachLine.startswith(excludeLine):
                eachLine = fd.readline()  # advance before skipping, or the loop never ends
                continue
            s.update(eachLine)
            eachLine = fd.readline()
        s.update(includeLine)
        fd.close()
        return s.hexdigest()

    def create():
        # Walk the directory named in the entry box and list "md5 path" per file.
        for root, dirs, files in os.walk(entry.get()):
            for name in files:
                filepath = os.path.join(root, name)
                textbox.insert(END, "%s %s" % (md5_for_file(filepath), filepath) + "\n")

    def createsha():
        # Same listing, but with SHA-224.
        for root, dirs, files in os.walk(entry.get()):
            for name in files:
                filepath = os.path.join(root, name)
                textbox.insert(END, "%s %s" % (sha_for_file(filepath), filepath) + "\n")
Also, if you want a faster approach, just hash the directory structure:
Code:
    # Python 2 (the md5 and sha modules are the legacy pre-hashlib ones)
    import os
    import md5
    import sha
    # entry, textbox and END come from the Tkinter GUI part of the app, not shown here.
    # Note this hashes the path string of each file, not the file contents.

    def create():
        for root, dirs, files in os.walk(entry.get()):
            for name in files:
                filepath = os.path.join(root, name)
                value = md5.new(filepath).hexdigest()
                textbox.insert(END, value + "\n")

    def createsha():
        for root, dirs, files in os.walk(entry.get()):
            for name in files:
                filepath = os.path.join(root, name)
                value = sha.new(filepath).hexdigest()
                textbox.insert(END, value + "\n")
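As an added example (not the script posted above, and not code from OSSEC or Tripwire), a Python 3 take on the same idea: build a baseline of SHA-256 content hashes over a directory tree, then diff a later run against it to report added, removed and changed files. Files are hashed in chunks rather than line by line, symlinks are skipped, and the file names in the demo are constructed; the baseline itself should be stored off the monitored host, since anyone who can alter the files can alter a baseline kept beside them.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fd:
        for chunk in iter(lambda: fd.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file below root (symlinks skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare(old, new):
    """Return (added, removed, modified) path lists between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified

def demo():
    """Constructed run: baseline a temporary tree, change it, report what differs."""
    root = tempfile.mkdtemp()
    def write(name, text):
        with open(os.path.join(root, name), "w") as f:
            f.write(text)
    write("sshd_config", "PermitRootLogin no\n")
    write("hosts", "127.0.0.1 localhost\n")
    before = build_baseline(root)
    # Simulated drift after the baseline was taken: one edit, one delete, one new file.
    write("sshd_config", "PermitRootLogin yes\n")   # the kind of change worth an alert
    os.remove(os.path.join(root, "hosts"))
    write("new.conf", "x=1\n")
    return compare(before, build_baseline(root))

if __name__ == "__main__":
    print(demo())  # (['new.conf'], ['hosts'], ['sshd_config'])
```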
- Big-E
shabs wrote: Don't know OSSEC's features but how about adding Tripwire as well?
Well, originally the author of OSSEC was using Tripwire, but he had it deployed on about 120 servers, ranging from Linux to AIX systems. It simply did not scale and was horrible to manage. OSSEC is his solution to that problem; it does everything Tripwire does and more.
- bad_brain
I've used Tripwire for a while, and it is really not very comfy to use.
the point is that when you think your system was compromised and a rootkit might have been installed, you can't trust anything on that system anymore, including Tripwire... at least the latest generation of rootkits can trick Tripwire.
so the best (and imo only) way is to analyze the whole HDD from another (clean) system.