Solved

Hacked, Best monitoring for prevention/detection

Posted on 2008-11-03
4
283 Views
Last Modified: 2012-05-05
ok, One of our web servers got hacked this morning. A quick restore of the backup resolved the issue. They where able to get in because this server was not up2date. However, I want to be able to monitor/view attempts. I'm sure this is not the first time and I've never really worried about it much. Now I want to keep a very close eye on things. Our environment is mixed with windows/linux. What would you all suggest I could use to monitor all the servers?
0
Comment
Question by:cebrooks03
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 2

Expert Comment

by:aaronblum
ID: 22870697
For the *nix boxes, you can generally look under /var/log/ for the security logs and scan for failed attempts.  You can potentially write a script to pull back that information to some central repository if that is what you need.

For Windows you can use the event log viewer to inspect for security events.  Instructions for doing this can be found here:
http://support.microsoft.com/kb/308427

More specific details would help in pinpointing a solution.

Hope this helps,
Good luck
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 22880990
Snort, plain and simple, you can see the what the actual attack is classified as. You'll want to setup a snort box with 2 nic's, one to administer snort with, the other to sniff traffic with. No need to IP the sniffing NIC, but you do need to send all the traffic comming into your web-servers to it. Cisco switches call this a span port, other switch makers call it port mirroring.
http://en.wikipedia.org/wiki/Port_mirroring
-rich
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 22881123
Snort can act as an IPS as well, intrusion prevention system, if you use it inline. When an attack packet is found, snort can drop the packer, or send a rst packet back to the attacker to drop the connection on the fly. It's best to start with just monitoring, then if you feel you've eliminated the false positives, you can move to an "inline" snort IPS system.
http://sourceforge.net/project/showfiles.php?group_id=78497
-rich
0
 
LVL 1

Author Comment

by:cebrooks03
ID: 22881198
Rich,

thank you. this is exactly what I needed.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question