Scanning for rootkits with chkrootkit
Tuesday, March 4th, 2008

Defense in depth is one of the basic tenets of server administration. Up-to-date, secure installations, firewalls, limited SSH access and strong passwords are the front line.
But what about ‘inside’ the server? One method of monitoring the content of a server is to scan for rootkits on a regular basis.
Perhaps I should clarify what I mean by defense. Scanning for rootkits will not stop them; it is not an active defense method but a passive one.
By that I mean that if your server has already been compromised, a scan will not stop the rootkit, and there is, to be blunt, not a lot you can do about it. By all means have a go, but the general consensus is that if your server has been compromised you should start again from fresh.
That seems dramatic. Well, yes, it does, and I don’t have the space to go into everything here, but if someone has got past your defenses and placed a rootkit (as an example) on your server, then you have little choice but to start again.
This article is about the scanning mechanism rather than how something may have entered your system. It is about checking the integrity of the server’s content.
Scanning is easily done and can be automated, so you spend less time on mundane, repetitive administration tasks.
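One way to make the automated scan useful rather than noisy, as an added example that is not from the original post or from chkrootkit itself: reduce a run's output to actionable findings and exit non-zero only when one remains, so a cron job stays silent on clean nights. The sample output and the allowlist pattern are constructed for illustration; a real run would be `chkrootkit 2>&1 | check` as root.

```shell
#!/bin/sh
# Added example: triage chkrootkit output for unattended (cron) use.
# Assumption: chkrootkit is installed and run as root in real use; here a
# constructed sample stands in for its output so the filter runs offline.

# Constructed sample of chkrootkit output (not a real scan result).
sample_output() {
cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `ps'... not infected
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `login'... INFECTED
Checking `lkm'... chkproc: nothing detected
EOF
}

# Administrator-maintained allowlist (assumption, not a chkrootkit feature):
# extended regex for results already investigated and judged benign on
# this host. Constructed example: a mail server listening on 465 makes the
# bindshell test report INFECTED; keep the entry narrow so nothing else hides.
ALLOW_RE='bindshell.*PORTS: *465\)'

# Reduce raw chkrootkit output (stdin) to findings. chkrootkit prints the
# upper-case word INFECTED for a hit, while the clean result is the
# lower-case "not infected", so a case-sensitive match separates the two.
# Allowlisted lines are dropped; an empty result is not an error.
findings() {
    grep 'INFECTED' | grep -v -E "$ALLOW_RE" || true
}

# Exit 0 when clean, 1 when something needs a look. Only the findings are
# printed, so cron's mail (or the log line) carries nothing else.
check() {
    found=$(findings)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

A compromised host can lie to the scanner, so treat a clean result as "nothing found", not as proof of integrity; a new INFECTED line is the cue to rebuild, as the post says.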
from: http://www.usefuljaja.com/2007/6/scanning-for-rootkits