Answers to: Detecting A Compromised Host
http://linuxexchange.org/questions/391/detecting-a-compromised-host
<p>Okay, so you have installed your distribution of choice and done all of the recommended hardening security steps, such as encrypted partitions, configured your firewall (iptables/tcpwrappers), installed a file integrity checker/host intrusion detection system (tripwire, samhain, ossec). You also regularly check for rootkits using tools such as rkhunter and chkrootkit and audit/harden your machine following (lynis / bastille) recommendations. You only run services which are necessary and disable any which are surplus to requirements. You keep up to date with security patches, maintain good file system permissions and regularly read your system logs.</p>
<p>Although the above is not a fully comprehensive list, if you have implemented it, chances are you're in pretty good shape. However, my question is: what additional steps do you take to protect/prevent your host/network from becoming compromised and, more importantly, if it was compromised, how quickly would you know about it?</p>
<p>For example, here are a few things that I personally do on my Linux boxes.</p>
<ul>
<li>Create an MD5 hash of my currently running iptables rules and check this every 15 minutes; if it has changed, something has been added/removed.</li>
<li>I create separate partitions for various mount points such as (/var, /usr, /tmp, /boot, /home) etc. and use mount options such as NOSUID, NOEXEC, READONLY. I then check every 15 minutes and compare the current mount options to ensure none of them have changed; if one of them suddenly becomes writable I want to know about it.</li>
<li>Monitor netstat's output for listening services and compare this against a file which contains a list of known good services/ports which I have approved. If any new services start listening I will be informed and can check whether this is legitimate or a potential backdoor.</li>
<li>Perform a daily scan of my local home network using nmap/ndiff to detect any foreign hosts or determine if any other hosts are listening for new services.</li>
<li>Implement and check that critical files (/etc/passwd, /etc/shadow, /etc/group ...) are immutable (chattr +i).</li>
</ul>
<p>The above checks can be performed regularly using a cronjob. Obviously, if someone roots the box swiftly, some of these checks are going to be useless if the attacker gets an opportunity to disable them. Although if you have more than one Linux box you can configure them to check on each other, which adds an additional layer of protection.</p>
<p>I am keen to know what the rest of the community does and any funky hurdles they place to trip an attacker up.</p>
Fri, 20 Jan 2017 15:53:07 -0000
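<p>The cron checks listed in the post (firewall-rule hash, listening-port allowlist, mount-option drift, immutable bit on critical files), written up as a single POSIX shell script. This is an added example, not the poster's own script. Each check reads its "current state" from a file so it can be exercised against constructed input without root; the <code>live</code> mode at the bottom gathers real state with <code>iptables-save</code>, <code>ss</code> and <code>lsattr</code>. Choices and assumptions that are not in the post: <code>sha256sum</code> instead of MD5, <code>ss -Hlntu</code> instead of <code>netstat</code>, and the baseline/policy paths <code>/var/lib/driftcheck/rules.sha256</code>, <code>/etc/driftcheck/ports.allow</code> and <code>/etc/driftcheck/mounts.policy</code>, which are hypothetical. Note that the rule digest is a change detector, not a tamper seal: an attacker who can rewrite iptables can also rewrite a baseline stored on the same box, which is the reason for the post's suggestion of having hosts check each other.</p>

```shell
#!/bin/sh
# Added example (not from the original post): the post's cron drift checks
# as functions that take their input from files, so they can run offline
# against constructed data. Assumed tools: sha256sum, awk, sort, comm, sed;
# live mode also assumes iptables-save, ss (iproute2) and lsattr.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Digest of a firewall rule dump. Comment lines are dropped because
# iptables-save stamps the dump with the current time, which would change
# the hash on every run without any rule changing.
rules_digest() {
    grep -v '^#' "$1" | sha256sum | awk '{print $1}'
}

# $1 = current rule dump, $2 = file holding the baseline digest.
# Prints a message and returns 1 when the digest differs.
check_rules() {
    cur=$(rules_digest "$1"); base=$(cat "$2")
    [ "$cur" = "$base" ] && return 0
    echo "CHANGED firewall rules: $cur != baseline $base"
    return 1
}

# Reduce `ss -Hlntu` output to "proto port" lines. Column 5 is the local
# address; the port is whatever follows the last colon, which handles
# 0.0.0.0:22, [::]:22 and *:22 alike.
listeners_from_ss() {
    awk '{ n = split($5, a, ":"); print $1, a[n] }' "$1"
}

# $1 = "proto port" lines currently listening, $2 = approved "proto port" lines.
# Prints every listener missing from the allowlist; returns 1 if any.
check_listeners() {
    sort -u "$1" > "$WORK/cur"; sort -u "$2" > "$WORK/ok"
    comm -23 "$WORK/cur" "$WORK/ok" > "$WORK/new"
    [ -s "$WORK/new" ] || return 0
    sed 's/^/UNEXPECTED listener: /' "$WORK/new"
    return 1
}

# $1 = /proc/mounts-format lines (dev mountpoint fstype options dump pass),
# $2 = policy lines "mountpoint option". Reports a mountpoint that is gone
# or has lost a required option (e.g. /tmp without noexec, /boot no longer ro).
check_mounts() {
    awk 'BEGIN { bad = 0 }
         NR == FNR { opts[$2] = "," $4 ","; next }
         !($1 in opts) { print "MISSING mount " $1; bad = 1; next }
         index(opts[$1], "," $2 ",") == 0 { print "DRIFT " $1 " lacks " $2; bad = 1 }
         END { exit bad }' "$1" "$2"
}

# $1 = output of `lsattr -d` on the files pinned with chattr +i.
# The first column is the attribute string; it must contain 'i'.
check_immutable() {
    awk 'BEGIN { bad = 0 }
         index($1, "i") == 0 { print "NOT IMMUTABLE " $2; bad = 1 }
         END { exit bad }' "$1"
}

# Live mode, meant to be called from cron: ./driftcheck.sh live
# Non-zero exit means at least one check found drift. The baseline and
# policy paths below are assumptions, not the post's.
live_run() {
    iptables-save > "$WORK/rules"
    ss -Hlntu > "$WORK/ss"; listeners_from_ss "$WORK/ss" > "$WORK/ports"
    lsattr -d /etc/passwd /etc/shadow /etc/group > "$WORK/attrs"
    rc=0
    check_rules "$WORK/rules" /var/lib/driftcheck/rules.sha256 || rc=1
    check_listeners "$WORK/ports" /etc/driftcheck/ports.allow || rc=1
    check_mounts /proc/mounts /etc/driftcheck/mounts.policy || rc=1
    check_immutable "$WORK/attrs" || rc=1
    return $rc
}
if [ "${1:-}" = "live" ]; then live_run; fi
```

<p>To seed the firewall baseline once the rules are in a known-good state, run <code>iptables-save | grep -v '^#' | sha256sum</code> and store the digest in the baseline file; with the hash stored on a second host that pulls the dump over ssh, the same functions implement the post's "check on each other" arrangement.</p>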