Noticing Suspicious Activities

A good night watchman needs more than just the ability to monitor for change. She or he also needs to be able to spot suspicious activities and circumstances. A hole in the perimeter fence or unexplained bumps in the night need to be brought to someone’s attention. We can write programs to play this role.

Local Signs of Peril

It’s unfortunate, but learning to be good at spotting signs of suspicious activity often comes as a result of pain and the desire to avoid it in the future. After the first few security breaches, you’ll start to notice that intruders often follow certain patterns and leave behind telltale clues. Spotting these signs, once you know what they are, is often easy in Perl.


After each security breach, it is vitally important that you take a few moments to perform a postmortem of the incident. Document (to the best of your knowledge) where the intruders came in, what tools or holes they used, what they did, who else they attacked, what you did in response, and so on.

It is tempting to return to normal daily life and forget the break-in. If you can resist this temptation, you’ll find later that you’ve gained something from the incident, rather than just losing time and effort. The Nietzschean principle of “that which does not kill you makes you stronger” is often applicable in the system administration realm as well.

For instance, intruders, especially the less-sophisticated kind, often try to hide their activities by creating “hidden” ...
