compromised Linux box

Ryan Simpkins plug at
Thu Apr 12 15:15:29 MDT 2007

On Thu, April 12, 2007 13:56, Dallin Jones wrote:
> I had a server of mine compromised earlier today, and it made me
> contemplate the measures and steps every one takes to ensure that
> their box doesn't get compromised and when it does happen, how do you
> know that it happened? In the meantime, I'll get back to the
> re-imaging of my server. (Thank goodness for working backups!!!)

Frequently run netstat to look for odd connections.

Frequently scan system logs (secure, messages, apache, syslog) for any odd entries.

Frequently look for strange/odd processes running.

Frequently update your system with the latest remote *and* local security patches.

Frequently change your passwords and enforce a strict password policy.

Frequently check news sources, bulletins and other sources of security information.


Run a good firewall.

Run a good IDS if you can.

Run a good tripwire config (or similar).

Run a good security scan now and then.


Never fully trust anyone or anything to act in the best interest of your security.

Never assume you are totally safe.

Never think that obscurity is a good security policy.

Never stop doing any of the above.

I'm sure you can think of some more ideas.


More information about the PLUG mailing list