samhain (System cracked, a story)

Rich Braun richb at pioneer.ci.net
Mon May 26 23:09:13 EDT 2003


miah <jjohnson at sunrise-linux.com> wrote:
> ugh, tripwire *laugh*
>
> You should all really look at samhain
>
> http://la-samhna.de/

This brief little item posted here deserves its own subject thread here in the
BLU archive!  This is a truly useful piece of software, available under GPL,
easy to install.  I had never heard of it, but thanks to your note I grabbed a
copy of it this evening.

I got it running in something like 20 minutes.  It'll probably take a day or
two of tweaking to stamp out false alarms (by default it sends an alert
whenever ANY file in your system directories gets modified, you have to put
exceptions into its config file), but I'll give this package a hearty
endorsement upon first install.

It won't solve the problem of forever running on the security-patch treadmill,
but at least it gives you the peace of mind that if a cracker does manage to
get into your system, you're almost certain to find out about it in short
order.

A friend's system got hacked a couple of years ago by someone who installed a
password-sniffing daemon.  The friend found the log file but was uncertain
whether the cracker had come back in to view the passwords.  This necessitated
having everyone who used the system (he had a dozen friends' email accounts on
it) change their passwords both there and anywhere else they used the same
pwd.

Samhain will prevent installation of a stealth daemon like that.  A
sophisticated cracker could probably deinstall samhain and cover tracks, but
it would take a lot of effort and would only be worth doing if your system has
something truly important on it.  As a second line of defense for a home user
(first line is firewall and CERT vigilance, third line is Amanda backup),
samhain satisfies the need for easy installation and set/forget operation.

-rich




More information about the Discuss mailing list