Chapter 9. Testing and Monitoring

To keep your system secure, be proactive: test for security holes and monitor for unusual activity. If you don't keep watch for break-ins, you may wake up one day to find your systems totally hacked and owned, which is no party.

In this chapter we cover useful tools and techniques for testing and monitoring your system, in the following areas:

Logins and passwords

Testing password strength, locating accounts with no password, and tracking suspicious login activity

Filesystems

Searching them for weak security, and looking for rootkits

Networking

Looking for open ports, observing local network use, packet-sniffing, tracing network processes, and detecting intrusions

Logging

Reading your system logs, writing log entries from various languages, configuring syslogd, and rotating log files

We must emphasize that our discussion of network monitoring and intrusion detection is fairly basic. Our recipes will get you started, but these important topics are complex, with no easy, turnkey solutions. You may wish to investigate additional resources for these purposes, such as:

• Computer Incident Advisory Capability (CIAC) Network Monitoring Tools page: http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html

• Stanford Linear Accelerator (SLAC) Network Monitoring Tools page: http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

• National Institutes of Health "Network and Network Monitoring Software" page: http://www.alw.nih.gov/Security/prog-network.html

• Setting Up a Network Monitoring Console: http://com.pp.asu.edu/support/nmc/nmcdocs/nmc.html

• Insecure.org's top 50 security tools: http://www.insecure.org/tools.html