[NTLUG:Discuss] Intrusion and Detection

Chris Cox cjcox at acm.org
Fri Dec 21 11:42:40 CST 2001


Tripwire is ok (beware of licensing on it though).  Basically the idea
of doing checksums of critical system files is a good thing.
Unfortunately, anyone who is root on your system can do
ANYTHING... including thwarting your tripwire or whatever
IDS techniques you have in place.... remember ROOT can
do ANYTHING.

So... first you may want to look at:
http://www.linuxdoc.org/guides.html
(look for Securing and Optimizing Redhat Linux... though most of it is
good for any distribution of Linux)
This document has good techniques including using the ext2 immutable
flag.

I've used snort (with snarf), but it is a fairly primitive packet analyzer
tool... I guess it's pretty flexible... but it's a tool ONLY.

Second, realize that as an administrator of an internet host, you must
CONSTANTLY guard your perimeter (no part-time admins please!).
Someone has to stay abreast of issues... I recommend subscribing to
things like:

http://www.cert.org/contact_cert/certmaillist.html
and most definitely the bugtraq mailing list:
http://www.securityfocus.com/cgi-bin/forums.pl

Most all problems will be seen on bugtraq before general news
flashes come out.

The technique used on your system is called a "root-kit".  These
kits have some of the BEST installation support I've ever seen.
They prompt you for needed information and tell you every step
of the way what it's doing to the system (what is being trojaned),
what is succeeding and what is failing.

If you can't be a full time admin, then you probably should see
if you can develop a scheme where the ports are only exposed
during times where you know you will be on alert.  Otherwise,
I think it's time to shut down the external access point.

With that said, the NTLUG box does not have a DEDICATED
24hr. admin watching things.  But unlike your home system,
we realize that compromises will happen from time to time and
we try not to store your credit card info there :-)

So.... backup the system and make sure you can tolerate
doing a full system recovery every now and then when the
worst kind of compromises happen.

One last thing... throw the hacker a curve ball.  The reason that
platforms get hacked more often today is because of the
similarity of machine configurations.  If your ssh is a bit
different from everyone else's, that one minor roadblock will
prevent the semi-automated hacks from progressing and
frustrate the junior-level hacker who gets his jollies from
successful hack attempts (he'll just hack your neighbor
instead).

<note>
For all of you screaming at my use of "hacker", I'm afraid
I belong to the "let's not make up a new definition for
hacker" club.  I was a hacker in the eighties... doing things
I'd rather not talk about.... and I can tell you they are
still called hackers today... and they are some of the
best chaps you could ever hope to have work for you.
....just don't ever tick them off :-)   A "cracker" is something
you have with soup.
</note>

That's my best advice,
Chris
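The checksum idea from the top of the post, worked through as an added example (this is not Chris's code and not Tripwire's; it is a small Tripwire-style checker written for this page). It records a SHA-256 hash plus ownership and mode for each watched file, seals the baseline database with an HMAC so a root-kit that quietly rewrites the database is caught, and then reports files that were trojaned, removed, or added. The key name BASELINE_KEY and the file names ls, ps and netstat are constructed for the demo; in real use the key and the sealed baseline live off the host or on read-only media, because, as the post says, root on the box can still replace the checker itself or the kernel it runs on.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Hypothetical key: in practice keep it OFF the monitored host. It is embedded
# here only so the example runs stand-alone.
BASELINE_KEY = b"example-key-kept-off-host"


def file_record(path):
    """Hash plus the metadata a Tripwire-style checker records for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(paths):
    """Snapshot every regular file in `paths`."""
    return {p: file_record(p) for p in paths if os.path.isfile(p)}


def seal(baseline):
    """Serialize the baseline and attach an HMAC so edits to the database itself are detected."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body.decode(), "hmac": tag}).encode()


def unseal(blob):
    """Verify the HMAC before trusting anything in the stored baseline."""
    doc = json.loads(blob)
    body = doc["baseline"].encode()
    expected = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline database has been tampered with")
    return json.loads(body)


def check(baseline, paths):
    """Compare the live files against the baseline; any field change counts as modified."""
    current = build_baseline(paths)
    report = {"modified": [], "missing": [], "added": []}
    for p, old in baseline.items():
        if p not in current:
            report["missing"].append(p)
        elif current[p] != old:
            report["modified"].append(p)
    report["added"] = [p for p in current if p not in baseline]
    return report


def baseline_tamper_detected(blob, path, new_record):
    """Simulate an attacker editing one record in the stored database; True if unseal() rejects it."""
    doc = json.loads(blob)
    baseline = json.loads(doc["baseline"])
    baseline[path] = new_record
    doc["baseline"] = json.dumps(baseline, sort_keys=True)
    try:
        unseal(json.dumps(doc).encode())
    except ValueError:
        return True
    return False


def demo():
    """Constructed scenario: baseline two 'system binaries', then trojan one, delete one, add one."""
    d = tempfile.mkdtemp()
    ls, ps, netstat = (os.path.join(d, n) for n in ("ls", "ps", "netstat"))
    for p in (ls, ps):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho legit\n")
    blob = seal(build_baseline([ls, ps]))

    # Root-kit activity: ps is trojaned with a same-size replacement (so a size-only
    # check would miss it), ls is removed, and a new netstat is dropped in.
    with open(ps, "wb") as f:
        f.write(b"#!/bin/sh\necho evil!\n")
    os.remove(ls)
    with open(netstat, "wb") as f:
        f.write(b"trojan")

    report = check(unseal(blob), [ls, ps, netstat])
    by_name = {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}
    # The kit also tries to "fix" the database so ps looks clean; the HMAC catches that.
    tampered = baseline_tamper_detected(blob, ps, file_record(ps))
    return by_name, tampered


if __name__ == "__main__":
    print(demo())
```

Hash and metadata together are what make this useful: the trojaned ps keeps its size and mode, so only the digest gives it away, while the HMAC over the whole database is what stops an attacker from simply updating the stored digest to match.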