Intrusion detection

To further improve your security, store a checksum (a fingerprint) for every file. At regular intervals, and in any case before a backup, check the checksums of your files. If a checksum no longer matches, the file has been changed or deleted.

To compute and store the checksums, open a shell and enter the following commands:

md5sum /usr/bin/md5sum

Create a checksum of the program md5sum. Write down the checksum.

mount /dev/hda4 /mnt/hda4

Mount the hard drive with your files.

find /mnt/hda4 -type f -exec ls -ail {} \; -exec md5sum {} \; > /root/check1.dat

Create the file check1.dat with the checksums of all files.

md5sum /root/check1.dat

Create a checksum of the file. Write down the checksum.

If you want to check which files have been changed, enter these commands:

md5sum /usr/bin/md5sum

Create a checksum of the program md5sum. Compare the checksum with the checksum of step (1).

md5sum /root/check1.dat

Create a checksum of the file /root/check1.dat. Compare the checksum with the checksum of step (3).

mount /dev/hda4 /mnt/hda4

Mount the hard drive with your files.

find /mnt/hda4 -type f -exec ls -ail {} \; -exec md5sum {} \; > /root/check2.dat

Create the file check2.dat with the current checksums of the files.

diff /root/check1.dat /root/check2.dat > /root/diff.txt

Compare the two files check1.dat and check2.dat. The differences are written to the file diff.txt.

Open the file /root/diff.txt and check whether you know about the changed files. If not, work out why these files have been changed.

Delete the file /root/check1.dat

Rename the file /root/check2.dat as /root/check1.dat.

md5sum /root/check1.dat

Create a checksum of the new check1.dat file. Write down the checksum.
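
The raw diff in /root/diff.txt mixes ls and md5sum lines, so a per-file summary is easier to review. The script below is an added example, not part of the original page: it reads the two manifests and reports each file as ADDED, CHANGED or REMOVED using the checksum lines only. The names classify_changes and demo and the sample manifests are assumptions made for illustration; longer digests such as sha256sum output are accepted as well.

```shell
#!/bin/sh
# Added example, not from the original page. Sample data is constructed.

# classify_changes OLD NEW: print "ADDED|CHANGED|REMOVED <path>" per file.
classify_changes() {
    LC_ALL=C awk '
        # Keep only checksum lines: first field is 32 or more hex digits.
        # The ls -ail lines start with a short inode number and are skipped.
        length($1) < 32 || $1 !~ /^[0-9a-f]+$/ { next }
        { digest = $1; path = substr($0, length($1) + 3) }  # path may contain spaces
        FILENAME == ARGV[1] { old[path] = digest; next }    # baseline manifest
        {
            seen[path] = 1
            if (!(path in old))           print "ADDED " path
            else if (old[path] != digest) print "CHANGED " path
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: run classify_changes on two constructed manifests (made-up digests).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/check1.dat" <<'EOF'
131074 -rw-r--r-- 1 root root 0 Jan  1  2004 /mnt/hda4/etc/motd
d41d8cd98f00b204e9800998ecf8427e  /mnt/hda4/etc/motd
131075 -rwxr-xr-x 1 root root 512 Jan  1  2004 /mnt/hda4/bin/my tool
00000000000000000000000000000001  /mnt/hda4/bin/my tool
131076 -rw-r--r-- 1 root root 9 Jan  1  2004 /mnt/hda4/tmp/old.log
00000000000000000000000000000002  /mnt/hda4/tmp/old.log
EOF
    cat > "$dir/check2.dat" <<'EOF'
131074 -rw-r--r-- 1 root root 0 Jan  1  2004 /mnt/hda4/etc/motd
d41d8cd98f00b204e9800998ecf8427e  /mnt/hda4/etc/motd
131075 -rwxr-xr-x 1 root root 640 Mar  3  2004 /mnt/hda4/bin/my tool
000000000000000000000000000000ff  /mnt/hda4/bin/my tool
131080 -rw-r--r-- 1 root root 40 Mar  3  2004 /mnt/hda4/etc/cron.d/job
00000000000000000000000000000003  /mnt/hda4/etc/cron.d/job
EOF
    classify_changes "$dir/check1.dat" "$dir/check2.dat"
    rm -rf "$dir"
}

demo
```

Changes to permissions, owner or timestamps show up only in the ls -ail lines, so keep reviewing /root/diff.txt for those.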