by stephendicato
3778 days ago
> Although Linode's email isn't what notified us; it was our intrusion detection system. Are you able to elaborate on this? I understand you may not want to name specific vendors/products in the name of operational security, but it sounds like in this scenario whatever is in place actually did its job.
* https://www.pagerduty.com/blog/security-monitoring-alerting-...
Most of this is still valid. There may be some differences as we've improved our configuration over time.
We use OSSEC for host-level intrusion detection. This fired off quite a few alerts as the malicious party began to log in as root on the serial console, amongst other things.
We have also supplemented it with other tools, such as an in-house wrapper around nmap, to alert us to hosts that don't match their expected network configuration. So when ports get opened incorrectly, someone is alerted, usually within a minute.
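The port-drift check the comment describes (scan hosts with nmap, compare what is actually open against what should be open, alert on the difference) can be demonstrated with a small script. The one below is an added example for this page, not PagerDuty's in-house wrapper. It assumes nmap's greppable output format (`-oG`), a hypothetical per-host baseline `EXPECTED`, and a constructed sample scan result embedded inline so it runs offline; in practice you would feed it the stdout of `nmap -oG - -p- <targets>`.

```python
import re

# Hypothetical baseline: hostname -> set of (port, protocol) expected to be open
# from the scanner's vantage point. Not from the page; illustrative only.
EXPECTED = {
    "web-01.example.internal": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "db-01.example.internal": {(22, "tcp"), (5432, "tcp")},
}

# Constructed sample of nmap greppable (-oG) output; not a real scan.
# 8080/tcp is open on web-01 unexpectedly, and 5432/tcp on db-01 is filtered.
SAMPLE_GREPPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.1.10 (web-01.example.internal)\tStatus: Up
Host: 10.0.1.10 (web-01.example.internal)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
Host: 10.0.1.20 (db-01.example.internal)\tStatus: Up
Host: 10.0.1.20 (db-01.example.internal)\tPorts: 22/open/tcp//ssh///, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# -oG host lines: "Host: <ip> (<name>)<TAB>Field: value<TAB>Field: value..."
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def parse_greppable(text):
    """Return {host: set((port, proto))} of ports nmap reported as 'open'."""
    observed = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines and anything that is not a Host record
            continue
        host = m.group("name") or m.group("ip")  # fall back to IP if no reverse DNS
        observed.setdefault(host, set())
        fields = dict(f.split(": ", 1) for f in m.group("rest").split("\t") if ": " in f)
        ports = fields.get("Ports")
        if not ports:  # e.g. the "Status: Up" line carries no port data
            continue
        for entry in ports.split(", "):
            # entry layout: port/state/protocol/owner/service/rpc/version/
            port, state, proto = entry.split("/")[:3]
            if state == "open":  # 'filtered' and 'closed' are not reachable services
                observed[host].add((int(port), proto))
    return observed


def diff_against_baseline(observed, expected):
    """Return {host: {"unexpected": set, "missing": set, "seen": bool}} for hosts that drifted."""
    drift = {}
    for host, want in expected.items():
        got = observed.get(host)
        if got is None:  # host not in the scan at all: report separately from port drift
            drift[host] = {"unexpected": set(), "missing": set(want), "seen": False}
            continue
        unexpected, missing = got - want, want - got
        if unexpected or missing:
            drift[host] = {"unexpected": unexpected, "missing": missing, "seen": True}
    for host in observed.keys() - expected.keys():
        # A host with no baseline is itself a finding: every open port is unexpected.
        drift[host] = {"unexpected": set(observed[host]), "missing": set(), "seen": True}
    return drift


def format_alerts(drift):
    """Render drift as one alert line per finding, sorted for stable paging."""
    alerts = []
    for host in sorted(drift):
        d = drift[host]
        if not d["seen"]:
            alerts.append(f"{host}: host missing from scan results")
            continue
        for port, proto in sorted(d["unexpected"]):
            alerts.append(f"{host}: unexpected open port {port}/{proto}")
        for port, proto in sorted(d["missing"]):
            alerts.append(f"{host}: expected port {port}/{proto} is not open")
    return alerts


if __name__ == "__main__":
    for alert in format_alerts(diff_against_baseline(parse_greppable(SAMPLE_GREPPABLE), EXPECTED)):
        print(alert)
```

Two design points worth keeping if you build on this: the baseline is keyed from the scanner's vantage point, so a port that is `filtered` by a firewall counts as "not open" and a service that silently vanishes is reported just like one that silently appears; and a host that drops out of the scan entirely is reported as its own condition rather than as "all ports missing", since those two situations need different responders.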