Hi.
I mean any critical points of Linux, any files or directories that must be monitored to detect any suspicious activity.
For example:
/tmp
because many exploits in the Unix world rely on creating temporary files in the standard /tmp folder, which are not always deleted after the system is hacked.
/etc/passwd or /etc/shadow
because hacker attacks may sometimes add a new user to /etc/passwd which can be logged into remotely at a later date.
/etc/services
Suspicious services added to /etc/services. Opening a backdoor in a Unix system is sometimes a matter of adding two text lines.
crontab or /etc/init.d
It's good to detect any persistence.
If it has SSH running, then I would be monitoring /var/log/secure (or /var/log/auth.log) and alerting on brute-force events. I would also have alerting on certain firewall logs. For example, when Heartbleed came out, after patching I would set up log monitors for addresses attempting to exploit it.
So, what else? Of course I missed many and would be happy if you helped.
If you share any blogs, articles, etc., that will be cool.
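As an added example (not part of the post above), here is a small Python script that implements two of the checks the poster lists: brute-force detection over sshd lines from /var/log/auth.log, flagging any successful login from a source that was brute-forcing, and a scan of /etc/passwd for the classic backdoor patterns (a second UID 0 account, an empty password field, a duplicate UID, a home directory under /tmp). The log lines and passwd content are constructed samples embedded in the script, and the threshold and window values are assumptions you would tune for your environment.

```python
"""Added example: detection checks for auth.log brute force and /etc/passwd tampering.
All sample data below is constructed for the example; replace with real file contents."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log (syslog format, which carries no year).
SAMPLE_AUTH_LOG = """\
Mar 12 10:00:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:00:03 host1 sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Mar 12 10:00:05 host1 sshd[2205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 12 10:00:07 host1 sshd[2207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 12 10:00:09 host1 sshd[2209]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar 12 10:00:11 host1 sshd[2211]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Mar 12 10:30:00 host1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 12 10:30:20 host1 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 12 11:00:00 host1 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Constructed sample of /etc/passwd with two planted backdoor-style entries (toor, backup2).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
backup2::1001:1001::/tmp:/bin/sh
"""

SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>\S+) port \d+')


def parse_sshd_events(text, year=2024):
    """Return [(timestamp, 'Failed'|'Accepted', user, ip)] for sshd auth lines only.
    `year` is assumed because syslog timestamps omit it."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # cron, sudo, pam noise: not an sshd auth result
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['result'], m['user'], m['ip']))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failures per source IP; returns {ip: peak failures}
    for IPs that reached `threshold` failures inside any `window` (assumed defaults)."""
    failures = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop failures that fell out of the window
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def successes_after_brute_force(events, flagged):
    """Accepted logins from a flagged IP: the brute force likely succeeded."""
    return [(ts, user, ip) for ts, result, user, ip in events
            if result == "Accepted" and ip in flagged]


def suspicious_passwd_entries(text):
    """Return [(account, reason)] for entries matching common backdoor patterns."""
    findings, seen_uids = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if uid in seen_uids:
            findings.append((name, f"duplicate UID {uid} shared with {seen_uids[uid]}"))
        else:
            seen_uids[uid] = name
        if pw == "":
            findings.append((name, "empty password field (no password required)"))
        if home.startswith("/tmp"):
            findings.append((name, "home directory under /tmp"))
    return findings


if __name__ == "__main__":
    events = parse_sshd_events(SAMPLE_AUTH_LOG)
    flagged = brute_force_sources(events)
    for ip, n in flagged.items():
        print(f"brute force: {ip} ({n} failures in window)")
    for ts, user, ip in successes_after_brute_force(events, flagged):
        print(f"CRITICAL: {ip} logged in as {user} at {ts} after brute forcing")
    for name, why in suspicious_passwd_entries(SAMPLE_PASSWD):
        print(f"passwd: {name}: {why}")
```

On a real host, feed `open('/var/log/auth.log').read()` and `open('/etc/passwd').read()` to the functions; the passwd check is most useful when run on a schedule and diffed against a known-good baseline, since a single extra UID 0 line is exactly the two-line backdoor the post describes.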