Have you ever suspected or been notified that your Linux system is under attack? How do you determine whether your system has been compromised? This document is intended to explain how an administrator can implement basic security incident investigation techniques. r>


As mentioned in the Intrusion Detection Primer,the process of preventing and detecting security breaches by monitoring user and application activity is known as intrusion detection. It is a proactive process that requires the constant attention. In this document I explain step-by-step how to monitor user and application activity using standard Linux/Unix commands. This document is intended to be read by novice Linux who are interested in security.

Who are the intruders and where are they from? Intruders may be curious teenagers, disgruntled employees, or even professional criminals from rival companies. Attacks can originate from practically anywhere in the world via the Internet or dialup lines. This fact makes intrusion investigation a difficult task.

Types of Intrusion Detection

Intrusion detection can be broken down into five types. These types include file integrity checking, log file monitoring, host based ID (intrusion detection), network based ID, and administrator based monitoring.

Checking file Integrity: This is the process of checking files to determine whether unauthorized changes to files have been made. Many times the program Tripwire is used to automate this process.