Please note that LinuxExchange will be shutting down on December 31st, 2016. Visit this thread for additional information and to provide feedback.

Detecting A Compromised Host

2
1

Okay so you have installed your distribution of choice and done all of the recommended hardening security steps such as encrypted paritions, configured your firewall (iptables/tcpwrappers), installed a file integrity checker/host intrusion detection system (tripwire, samhain, ossec). You also regularly check for rootkits using tools such as (rkhunter, chkrootkit) and audit/harden your machine following (lynsis / bastilles) recommendations. Only running services which are necessary and disable any which are surplus to requirements. Keeping up to date with security patches, maintaining good file system permissions and regularly reading your system logs.

Although the above is not a fully comprehensive list, If you have implemented the above chances are your in pretty good shape. However my question is what additional steps do you take to protect/prevent your host/network from becoming compromised and more importantly if it was how quickly would you know about it?

For example here is a few things that I personally do on my Linux boxes.

  • Create an MD5 hash of my currently running iptables check this every 15 minutes if it has changed something has been added/removed.
  • I create separate partitions for various mount points such as (/var,/usr,/tmp,/boot,/home) etc and use mount options such as NOSUID, NOEXEC, READONLY. I then check every 15 minutes and compare the current mount options to ensure none of them have changed, If one of them suddenly writable I want to know about it.
  • Monitor netstat's output for listening services and comparing this against a file which contains a list of known good services/ports which I have approved. If any new services start listening I will be informed and can check whether this is legitimate or a potential backdoor.
  • Perform a daily scan of my local home network using nmap/ndiff to detect any foreign hosts or determine if any other hosts are listening for new services.
  • Implement and check that critical files (/etc/passwd, /etc/shadow, /etc/group ...) are immutable (chattr +i).

The above checks can be performed regularly using a cronjob. Obviously if someone roots the box swiftly some of these checks are going to be useless if the attacker gets an opportunity to disable them. Although if you have more than one Linux box you can configure them to check on each other which adds an additional layer of protection.

I am keen to know what the rest of the community does and any funky hurdles they place to trip an attacker up?

asked 08 May '10, 12:54

gjcwilliams's gravatar image

gjcwilliams
35729
accept rate: 37%



6 Answers:
oldestnewestmost voted
2

Load monitoring is useful. I've seen attacks come thru outdated installations of Wordpress and start up brute force kernel timing attacks. I noticed this because the cpu on the system was unusually busy. I wouldn't have noticed if I hadn't been graphing the output.

Rootkit checking are useful. Running log analysis on website logs is useful. I've seen file upload forms get circumvented such that PHP botnet scripts get uploaded (to an image upload folder).

Defense in Depth would also encourage application security assessment, not just OS monitoring. So running an application attack test (XSS, XSI, attacks etc), and application-level password audits are just as important. A wordpress login with a weak password is a super wide open door.

(Of course, the most important thing is backing up your system and testing your restore procedure. It might not be an attack that brings your site down, but an over-worked admin, an unexpected fire sprinkler shower, who knows what.)

link

answered 11 May '10, 06:38

memnoch_proxy's gravatar image

memnoch_proxy
1413
accept rate: 42%

0

I use ossec extensively. event log correlation, active response, file system integrity checking, along with hardening the host similar to how you describe in your post.

link

answered 11 May '10, 02:33

Aaron%201's gravatar image

Aaron 1
211
accept rate: 0%

1

I use Monit. In addition to checking if services are running it also can check checksums of binaries, init scripts, etcetera. Even better, it can prevent restarting compromised binaries. If an attacker manages to compromise your binaries, Monit will see it and alert you about it. It can also refuse to restart the service so the compromised binary doesn't run.

link

answered 09 May '10, 19:39

Sander%20Marechal's gravatar image

Sander Marechal
398116
accept rate: 29%

1

You could install an IDS like Snort and look for suspicious traffic to/from your different servers. There are a lot of signatures in place to detect malicious traffic, so this could perhaps give an indication of whether a system has been compromised or not.

link

answered 09 May '10, 16:57

feinom's gravatar image

feinom
2195
accept rate: 33%

1

This will stop any cracker from using your box, except the one who is aware of all these checks and ready to immidiately bypass all of them replacing with own scripts. Of course it will only work good if you have enabled email notifications so you can react fast. Otherwise this will not make any sense. You need to think about actions to do in such cases. Say, ifconfig eth0 down, a proven way to wipe out any cracker while you are sleeping or afk :)

Don't forget to regularly check for updates. Patching your kernel with grsecurity is a good way too.

link

answered 08 May '10, 14:07

Web31337's gravatar image

Web31337
317111
accept rate: 11%

I like the idea of automatically taking the interface down but only really practicle on home machines but not in production environments.

(12 May '10, 21:35) gjcwilliams

-100 what is a use of it in home environment may I ask? or the better stated question will be: what would you do if that server is highly important and failing to react immidiately will cause serious troubles? say, internet remains plugged and cracker will do whatever he wants while you are sleeping :) monitoring production server must interact with taking actions. swift actions. disabling internet of course should happen only in serious cases.

(13 May '10, 01:54) Web31337
2

Your post there is pretty conclusive.

Something that we find is that once an attacker has any sort of foothold (via a hosted site or whatever) then they tend to start sending spam.

We have scripts in place to monitor the number of emails sent per user per X minutes and the total number in the outbound queue and alert us if either trip the limits.

link

answered 08 May '10, 13:19

gregularexpressions's gravatar image

gregularexpr...
197117
accept rate: 50%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×90
×15
×8

Asked: 08 May '10, 12:54

Seen: 4,808 times

Last updated: 11 May '10, 06:38

Related questions

encrypting file or all data on hard drive

Best practices for geo-redundancy?

Nagios SCHEDULE_FORCED_HOST_CHECK not running

HOW TO USE ALL INODES IN MY SYSTEM

firewalls, anti-virus and spyware

Netbook alternative to Ubuntu?

How Linux gets installed

Pinging to IPv6 enabled machine?

What shells are available on the box ?

Avoid copying of data between user and kernel space and vice-versa

about | faq | privacy | contact

powered by OSQA