Consider running any scanner detector or logger, in conjuction with some tools that trigger certain events on detection of scanning.
If you plan on deploying a web server with CGI's, I urge you to use a CGI vulnerability scanner, as it will save you from a lot of harm, as CGI
vulnerabilities impose a great threat. If you use poorly made CGI scripts, you'll undermine the safety of your web, no matter how hard you tried and worked on it.
Logging is one of the great advantages linux has to offer. Logging, by default includes reporting errors, reasons, users logged in, the duration of their login time, tracks of scanning and other valuable information. That can also be missused, but that's an issue too long to be discussed here.
System and kernel messages are handled by syslogd and klogd, and the output is located in the /var/log/messages file. A good thing to do is to
customize /etc/syslogd.conf to suit your needs, and to make the tracking of information easier. Typing 'man syslogd(8)' can bring you up to speed with syslogd and syslogd.conf. Just for an example, let's say you wanted to separate all warning and error messages in a different file, you'd do it by entering the following lines in /etc/syslogd.conf:
# all error and warning messages logged
*.warn; *.err /var/log/errmsg
Everything can be logged up to some point. Read, develop your ideas, and implement them. Log everything. Logging is good. :)
The downside is that the attacker can learn about your system from your logs, so think about that RAM disk mentioned at the begining, or a separate partition with restricted access. You could also encrypt that partition, but that could cause some problems if not done with care.
Don't underestimate the importance of logging. You can learn a lot about your system and network reading logs, and logs are sometimes your only hope in finding information about possible system intrusions that have occured to your system. You can find all sorts of logging utilities just lying around, waiting for you to pick them up and put them to good use.
So, you did a stealth scan and you think you can get away with it? Nope, quite wrong. In fact, most of your activites are being logged and carefully examined by someone right now as we speak. That my fellow readers is known as intrusion detection. Intrusion detetection is a real-time detection activity of intrusion attempts or any other information gathering activites. IDS's are an extremly useful tool for any sys admin, so grab one and play around. I'd suggest Snort, as it is very versatile.
How does an average IDS work? IDS commonly use rule-based systems, meaning that certain events trigger other events, as described in the rules they use. Naturally, many rules can be made: you can write your own, or download pre-set rules, and that's why I recommend getting Snort, as it is equipped with an enormous set of rules. An IDS listens to your network traffic, and upon noticing a suspicious activity (that's what rules are for) it takes approriate steps, or can do so by analyzing your logs (you did log everything, did ya?). Of course, this approach is not fault free, and many false alarms could be generated, but never the less...
IDS's are still being developed, and as such are not bug-free. Dealing with IDS's may mean a lot of hard work setting it up right, writing your own rules, and generally asking yourself are they really worth the effort. Well, they are. In conjunction with a decent firewall, IDS's, when set up properly, can prove to be a real time and nerve saver, not to mention boosting your system's security.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.