Re: Welcome to ids

Stephen Bannasch (stephen@concord.org)
Mon, 29 Jan 1996 11:26:52 -0500

From the introduction to the list:

>When joining the list I ask you to briefly introduce yourself, to give
>an outline of your interest in intrusion detection systems. Whether
>you are developing an intrusion detection system, or a system
>administrator or student who is currently investigating or developing
>a system. Additionally you might want to express some personal ideas
>that you have about what you think an intrusion detection system
>ideally, should be.

Noah Fields <noah@concord.org> and I administer internet services and
develop technology for a small non-profit educational research and
development group located in Concord, Massachusetts, USA.  Our work usually
involves the use of technology in education.  To learn more about the
professional work of our group check out our web site at:

  http://www.concord.org

We recently have had several break-ins and are in the process of upgrading
our security systems.  I posted a message to comp.security.unix about a
fake libc.so a cracker had installed into our anonymous ftp directory tree.
It turns out that it contained login info sniffed from our ethernet.  In
my investigations I turned up a number of other sites compromised by the
cracker(s).

A number of people responded to my post with very helpful messages.  I
asked about lists where discussions of security and break-ins are discussed
and was pointed here and to Bugtraq.  I plan to describe the attack in more
detail, summarize suggestions, and describe our responses and post this
back to the newsgroup.  If useful I'll post it here also.

[Moderator's Note: I am sure many of the list's members would be interested
in further information, so please do.]

We are running Linux 1.2.13 and are now using tcpwrapper to severely limit
connections, and will be installing Tripwire to monitor changes in our
system.  I am looking for ways to collect and manage a number of different
logs so that problems can be discovered more quickly and easily in the
future.

--Stephen Bannasch
  Director of Technology, Concord Consortium
  37 Thoreau St., Concord, MA  01742, tel: 508 369 4367
  stephen@concord.org, http://www.concord.org