
Re: [cobalt-security] How to locate SUID = root files?

Hi Jason,

> I don't have an answer but how do you recognise when you have been
> port-scanned?

I use a tool called Portsentry (www.psionic.com). It can detect, report and 
block portscans. However, the usage of portsentry is usually frowned upon by 
some very vocal list members here. 

Portsentry CAN be useful, but chances are that you lock yourself out of your 
server if Portsentry is configured to block portscans. So far this happened 
twice to me, but I use a dial-up connection without static IP to connect to 
the internet. So I just cut the connection, dial back in so that my office 
computer gets a new IP and then I remove the block of my old IP.

Portsentry is usually used in conjunction with Logwatch (from the same 
company). That particular tool checks the logfiles for fishy activity and 
reports it by email. Bound to a cronjob you can let it generate reports as 
often as you'd like to have them. Logwatch needs to be customized a little as 
the logfiles generated by RaQ3s are somewhat different from what it 
originally expects.


Mit freundlichen Grüßen / Best regards

Michael Stauber

 Stauber Multimedia Design ____ Phone:  +49-6471-923812
 Hauptstrasse 31 _________________ FAX:    +49-6471-923813
 D-56244 Goddert ____________________ michael@xxxxxxxxxxxxxx