The sys admin's daily grind: Whowatch et al.
For no particular reason, Charly occasionally patrols his server farm and hunts down attackers. He has put together a neat toolbox for this job.
Every server with an IP address on the Internet will receive uninvited visits at some point. The usual scans and scripted carpet bombing simply bounce off my machines thanks to clever firewalling, port knocking , and additional tools like Fail2ban . To keep attackers from working around my defenses, I use two rootkit hunters: Rootkit Hunter  and Chkrootkit . The latter, unfortunately, accuses my DHCP server of packet sniffing:
eth0: PACKET SNIFFER(/usr/sbin/dhcpd)
This result is a known false positive, which I ignore. As an interim report, I can say that my varmint hunters have not seen any prey thus far.
Nevertheless, I occasionally go on patrol to see whether a server is behaving strangely. I like to use
whowatch  for this purpose. This tool launches in the terminal with a process list; the second column shows me the owner. In the third column, Whowatch tells me whether the user is local or logged on via SSH, Telnet, or in some other way. For remote users, this information is followed by the IP address, and for local users, just
I have two ways of navigating this information: I can use the arrow keys to select a line, press Enter, and see a tree view of the associated processes, as shown in Figure 1. Pressing O (owner) hides or displays the process owner; pressing D (details) creates a window with detailed information for the process.
My second option is to type T (tree view) to show all running processes. In this tree view, too, pressing D will display more information. Pressing L (list of signals) shows me the control signals that I can send to the process, such as
TERM, and in an emergency
KILL. I can display the overall system status, particularly in terms of memory management, by pressing S (sysinfo), which tells Whowatch to display the total load on the screen, in a style very much reminiscent of
top (Figure 2).
I have never found anything dangerous on my server patrols to date, but I do like that warm, safe, and cozy feeling.
Read full article as PDF:
Version 16 of the popular Linux desktop reveals new tools, edge-snapping, and performance improvements.
Symantec says Linux-Darlioz burrows in through PHP.
Dell renews its quest for the ultimate developer machine.
Innovative back door looks like normal SSH traffic.
One of CeBITs most successful forums opens the new year with a new name. The popular Open Source Forum continues in 2014 under the name Special Conference: Open Source. This year, the forum will be bigger and offer a wider range of possibilities for sponsors.
New release offers better graphics drivers and expands filesystem support.
New mail protocol will shut out the NSA and prevent snooping on metadata.
A new web application helps users visualize distributed denial-of-service attacks.
Ubuntu 13.10 takes a step toward convergence, with lots of mobility, but Mir only partly here.
Galileo board is targeted to embedded developers and educational institutions.