Monitoring

Remember to look through the logs from time to time, particularly if you put in rules that are designed to detect attacks. Furthermore, just in case someone does break in, you might want to have a trusted internal host doing your syslogging for you.

tcpd, tripwire, courtney, and all the other tools do no good unless they are properly used and checked; the first thing an attacker does is look for them. Time is what your firewall is buying you, but time also works for the attacker and against you. The best moment to catch an attack is before the penetration occurs, while your network is being probed: to get in, an attacker must first find your weaknesses, and that probing gives you warning. It might not be much warning, though.
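The kind of periodic log check the two paragraphs above recommend, as an added example that is not from the book: it reads syslog lines in the style of a firewall rule that logs dropped packets and flags any source that has hit several different ports, which is the probing the text says gives you warning. The log lines, the FW-DROP prefix, the host name and the addresses are constructed sample data; the field names follow the SRC/DST/PROTO/DPT layout of netfilter LOG output, and the threshold of four distinct ports is an assumption you would tune for your own site.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from the book). The first
# seven are in the style of a netfilter LOG rule with prefix "FW-DROP:";
# the sshd line is there to show that unrelated entries are skipped.
SAMPLE_LOG = """\
Mar  3 10:01:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:01:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Mar  3 10:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25 SYN
Mar  3 10:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
Mar  3 10:01:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=111 SYN
Mar  3 10:01:09 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:02:11 gw sshd[1234]: Accepted publickey for alice from 192.0.2.55 port 51022 ssh2
Mar  3 10:02:30 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=443 SYN
"""

# One syslog line: timestamp, host, "kernel:", the rule prefix, then the
# packet fields. SPT/DPT are optional because ICMP entries carry neither.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>FW-\w+): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_firewall_events(text):
    """Return a dict per line that carries the firewall prefix; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_probing_sources(events, min_ports=4):
    """Map each source to the sorted distinct destination ports it hit,
    keeping only sources that touched at least min_ports different ports."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["dpt"] is not None:
            ports_by_src[ev["src"]].add(int(ev["dpt"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def summarize(text, min_ports=4):
    """Count logged drops and list the sources that look like port probes."""
    events = parse_firewall_events(text)
    return {
        "dropped": len(events),
        "probing_sources": find_probing_sources(events, min_ports),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['dropped']} dropped packets logged")
    for src, ports in report["probing_sources"].items():
        print(f"possible probe from {src}: ports {ports}")
```

Run it against the log file your syslog daemon writes (on the trusted internal host, if you have moved logging there) from cron, and mail yourself the report; a source that walks through several service ports in a few seconds is exactly the early warning the text describes, and it shows up here well before any single rule would fire.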

From Special Edition Using Linux®, Sixth Edition.