Linux Intrusion Detection
From:
http://www.samag.com/extra/poster.htm
No matter
how security minded you are, no matter how many updates and patches
you apply, there's always a chance that someone will crack one of
your systems. It's an unpleasant reality, but it's a fact: no system
is 100% secure unless it's turned off, but how useful is that? Although
it's important to spend time on prevention, you must also have a
backup plan in the event that security is compromised. If one of
your systems is cracked, immediate detection and damage control
are essential to prevent an intruder from gaining access to other
systems and causing irreparable problems.
Some Common Exploits and Their Symptoms
One key to intrusion detection
is understanding the most common security exploits. This knowledge
will allow you to set up a checklist for periodic security checks
of your system. If you're running a DNS server, BIND is a favorite
target for attack. BIND has a number of security issues and should
be disabled if not needed. If you need BIND, be sure to check at
least monthly for updates and fixes. CGI scripts are another point
of vulnerability. If CGI can be avoided, it is probably best to
do so. Under no circumstances should an administrator leave sample
CGI scripts on a production server or run a Web server as root.
The list of CGI issues is too great to include here, but the SANS
Top Ten List of security threats contains useful tips about CGI
and other vulnerabilities. There's no standard for how often these
security audits should be performed, but careful administrators
continually check for signs of intrusion. A comprehensive check
should be performed at least monthly, if not more frequently. A
comprehensive check should minimally involve:
- Running through system logfiles thoroughly.
- Checking sensitive files like /etc/passwd ,
/etc/hosts.allow , and other commonly modified files.
- Examining the root user's history for suspicious
commands.
- Using a clean version of ps to check for unusual
processes.
- Running a tool like SAINT or SATAN to look for
network-related security flaws that could be a sign of intrusion.
Another part
of the monthly routine includes checking sites like BugTraq and
vendor Web sites for any available security patches and applying
them. Many vendors like SuSE or Red Hat also provide mailing lists
with updates about security flaws for packages on their systems.
Often, crackers will not be satisfied with simply breaking into
a system. They will want to return at a later date and may add user
accounts and change host access to facilitate entry. Here is a list,
although not exhaustive, of files to check for changes:
- /etc/hosts
- /etc/hosts.equiv
- /etc/hosts.deny
- /etc/hosts.allow
- /etc/passwd
- /etc/shadow
Another sign of entry is a change in the root
user's path to include the /root/ directory, and binaries like ls,
ps, top, cp, mv, login, and others found in the /root/ directory.
Any change here is a sure sign that someone has "rooted" the box and
is trying to cover the tracks. You should also look for directories
called "...", unexpected binaries, such as "crack" or other common
cracker tools, and normal binaries in odd locations.
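The checks above can be scripted so they are repeatable from month to month. The following is an added example (not part of the poster) that records checksums of the listed files in a baseline, re-checks them later, and searches a directory tree for "..." directories and stray copies of core binaries; it assumes coreutils sha256sum and find are available, and the baseline file should be kept somewhere an intruder cannot rewrite.

```sh
#!/bin/sh
# Added example: integrity baseline for the sensitive files named in the text.
# Assumes coreutils (sha256sum) and find; the watch list below is the poster's.

WATCH_FILES="/etc/hosts /etc/hosts.equiv /etc/hosts.deny /etc/hosts.allow /etc/passwd /etc/shadow"

# make_baseline BASELINE FILE...: store one "hash  path" line per existing file.
# Store BASELINE on read-only media or another host, not on the watched box.
make_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        [ -f "$f" ] && sha256sum "$f" >> "$baseline"
    done
    return 0
}

# check_baseline BASELINE: print the paths whose contents changed or which
# disappeared since the baseline; returns 0 when nothing changed, 1 otherwise.
check_baseline() {
    changed=$(sha256sum -c "$1" 2>/dev/null | grep -v ': OK$' | sed 's/: .*//')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# find_suspicious DIR...: list directories named "..." and copies of the core
# binaries the text mentions (ls, ps, top, cp, mv, login) found under DIR.
find_suspicious() {
    find "$@" \( -type d -name '...' \) -o \
        \( -type f \( -name ls -o -name ps -o -name top \
                      -o -name cp -o -name mv -o -name login \) \) \
        2>/dev/null
}

# Typical use (as root):
#   make_baseline /mnt/readonly/baseline $WATCH_FILES    # once, on a known-clean system
#   check_baseline /mnt/readonly/baseline                # at each monthly check
#   find_suspicious /root /tmp /var/tmp /dev
```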
System Logs
System logs may also show
signs of attacks, successful or otherwise. Error logs may show repeated
attempts to mount filesystems remotely when that's not allowed,
numerous failed login attempts to existing accounts, or attempts
to guess user names and passwords. Unusual access times are also
a clue: if your company CFO is usually a nine-to-fiver and is now
logging in at two in the morning, you might have a problem.
System logs exist to provide a diagnostic tool for your system's
health. Be sure to utilize them, but don't depend on them completely.
It's entirely possible that the intruder will know how to cover
his or her tracks in the system logs.
The /var/log/warn system log, for example, should show failed login
attempts. One failed login attempt is not usually cause for concern,
but 20 failed logins in short succession would be a good sign someone
is trying to break in. Additionally, /var/log/warn will indicate
other signs of abuse or intrusion.
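The "20 failed logins in short succession" rule can be turned into a check that runs over the log. The following is an added example (not from the poster) that flags any source reaching a threshold of failed logins inside a time window; it assumes the usual "Mon DD HH:MM:SS host prog[pid]: msg" syslog layout and the "FAILED LOGIN ... FROM" and "Failed password ... from" message forms written by login and sshd, and the log lines in the usage comment are constructed.

```sh
#!/bin/sh
# Added example: detect bursts of failed logins in a syslog-style file.
# Assumes "Mon DD HH:MM:SS host prog[pid]: msg" lines; only the time of day is
# used, so a burst that spans midnight is not detected.

# failed_login_bursts LOGFILE [THRESHOLD] [WINDOW_SECONDS]
# Prints "SOURCE TIME" each time a source reaches THRESHOLD (default 20) failed
# logins within WINDOW_SECONDS (default 60). Prints nothing when all is quiet.
failed_login_bursts() {
    awk -v thr="${2:-20}" -v win="${3:-60}" '
    /FAILED LOGIN|Failed password/ {
        split($3, t, ":")
        secs = t[1] * 3600 + t[2] * 60 + t[3]
        src = "unknown"
        # login(1) writes "FROM <src>", sshd writes "from <src>"
        for (i = 1; i < NF; i++)
            if ($i == "FROM" || $i == "from") src = $(i + 1)
        n[src]++
        ts[src, n[src]] = secs
        # head[src] counts attempts that have slid out of the window
        while (ts[src, head[src] + 1] < secs - win) head[src]++
        if (n[src] - head[src] == thr) print src, $3
    }' "$1"
}

# Typical use, e.g. on SuSE: failed_login_bursts /var/log/warn 20 60
# A constructed line that would be counted:
#   Mar 12 02:14:05 gw login[1201]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
```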
To see who has logged in as the root user via su, check the /var/log/messages
system log. If the file has not been tampered with, users who have
successfully changed to the root user will be logged in this file.
Remember that not all security concerns come from the outside of
your company or organization. If unauthorized users are logging
in as root, it's time to change the password and possibly take action
against the abusers. You may also want to check that authorized
users are not logging in via an insecure method and su'ing to root,
since that presents a huge security concern.
Other files to check are /var/log/messages, /var/log/access_log,
and /var/log/error_log. The location and name of logfiles depends
on your vendor. It's imperative to know these files and keep close
watch on them.
System Performance
If you experience a marked
decrease in system performance, but you're not sure why, your system
may have been cracked. If you detect odd processes using top or
ps, then that's a sure sign. It is possible, however, that you
have processes running that are hidden from top and ps. Or, an
intruder may have replaced these items with binaries cloaking other
programs.
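The cloaking described here (and the check-ps tool listed under Tools below) can be caught by comparing what the kernel reports in /proc against what ps prints. The following is an added example, not code from the poster or from check-ps: hidden_pids is a pure comparison so it can be exercised with constructed PID lists, and live_hidden_pids wraps it for a running host, assuming a mounted /proc and a ps that accepts -e -o pid=.

```sh
#!/bin/sh
# Added example: find processes present in /proc but missing from ps output.
# Assumes a mounted /proc and a procps-style ps; CLEAN_PS may point at a known
# good ps binary (e.g. on read-only media), since the installed one may be trojaned.

# hidden_pids PROC_PIDS PS_PIDS: both are whitespace-separated PID lists.
# Prints, one per line, the PIDs in PROC_PIDS that are not in PS_PIDS.
# The ps list is emitted twice so anything ps knows about appears at least
# twice; uniq -u then keeps only PIDs that appeared exactly once (proc only).
hidden_pids() {
    printf '%s\n' $2 $2 $1 | sort -n | uniq -u | sed '/^$/d'
}

# live_hidden_pids: compare this host's /proc with ps. Processes that start or
# exit between the two snapshots show up as noise, so repeat the check and only
# worry about PIDs that are reported hidden consistently.
live_hidden_pids() {
    proc_pids=$(ls /proc | sed -n '/^[0-9][0-9]*$/p')
    ps_pids=$("${CLEAN_PS:-ps}" -e -o pid=)
    hidden_pids "$proc_pids" "$ps_pids"
}

# Typical use (as root): CLEAN_PS=/mnt/cdrom/bin/ps live_hidden_pids
```

A non-empty result names PIDs to inspect via /proc/PID/cmdline and /proc/PID/exe before trusting any other tool on the box.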
Host-Based vs. Network-Based Intrusion Detection
There are two common types
of intrusion detection systems: network intrusion detection systems
(NIDS) and host-based intrusion detection systems (HIDS).
Network-based methods record communications packets and attempt
to identify attacks through information available through network
traffic. NIDS are easy to manage and fairly transparent to users.
However, NIDS solutions aren't scalable to very large networks and
generate more false positives than HIDS.
Host-based methods deploy a monitor on each system, which is a more
scalable solution than NIDS, but harder to manage. Intrusion is
easier to detect at the system level, and the accuracy rate is better
than with NIDS.
Intranet VPN Installation
Intranets connect trusted
locations and users within the same organization. Typical examples
are links from headquarters to branch offices, access for telecommuters,
and access for traveling employees. For intranet links, the VPN
should furnish the same access to the corporate network as if the user or
branch office were physically connected. The security policy enforced
by an intranet VPN is usually the standard corporate policy, at
least once the remote user has been authenticated.
Intrusion Models
There are two intrusion models
that most intrusion detection systems look for: anomaly and misuse.
The anomaly model looks for behavior that is inconsistent with a
user or system's normal behavior. Anomalies might include a user
running processes at odd times or a process that is consuming far
more resources than usual. The misuse model is designed to find
activity corresponding to known system vulnerabilities.
Tools
Checking your system manually
is just one aspect of intrusion detection. Many tools can help monitor
system activity and system health. You may want to deploy one or
more of these tools to help prevent and detect attacks on your system.
- SATAN -- The Security Administrator's Tool for
Analyzing Networks allows systems administrators to find common
network-related security flaws. SATAN includes tutorials on the
security flaws that it recognizes, providing administrators with
information about the problem and how to correct it. SATAN collects
information available to anyone else on a network, and only reports
security flaws; it does not exploit them. SATAN requires Perl to
run. A list of SATAN mirrors can be found at: http://www.cs.ruu.nl/cert-uu/satan.html
- SAINT -- The Security Administrator's Integrated
Network Tool is an updated version of SATAN. SAINT gathers information
about hosts and networks by examining network services (ftp,
NIS, NFS, statd, etc.) and reports available services and potential
security flaws. SAINT's results are viewable in any Web browser.
SAINT is available under the SATAN license at: http://www.wwdsi.com/saint/
- LIDS -- The Linux Intrusion Detection/Defense
System is concerned with the security of the Linux kernel. LIDS
is a kernel patch and admin tool. Features include a port scanner
in the kernel, protection of files and processes, intrusion response,
and email alerts. LIDS is GPL'ed software available at: http://www.lids.org/
- Abacus Project Tools -- The Abacus Project is
an intrusion protection suite of tools including the LogCheck
program, PortSentry, and HostSentry. LogCheck reads system logs
and sends emails on a periodic basis if security violations are
found. PortSentry is a port scan detector that automatically denies
access to attacking hosts in real time. PortSentry also notifies
systems administrators of attacks, but reacts automatically to
perceived attacks.
HostSentry is designed to spot compromised user accounts and unusual
login behavior. HostSentry maintains a dynamic database of "learned"
user activity and detects unusual behavior by comparing against
the database. The Abacus Project Tools are available at: http://sourceforge.net/projects/sentrytools/
- Check-ps -- The check-ps program looks for rootkit
versions of ps that cloak selected processes. Hidden processes
are a sure sign of intrusion, and check-ps helps administrators
detect an intrusion before too much damage is done. The check-ps
source code is available from:
http://checkps.alcom.co.uk/download.html
Conclusion
Remember, an ounce of prevention
is worth a pound of cure. Intrusion detection is a necessary part
of a healthy system, but it's no substitute for secure systems.
Make only the necessary services available on your systems and apply
security fixes as soon as possible.
Resources
SANS Institute Ten Most
Critical Internet Security Threats -- A listing of the most common/critical
security threats. This list gives systems administrators an idea
of what to look for and includes UNIX, Linux, and Windows NT vulnerabilities:
http://www.sans.org/topten.htm
Intrusion Detection FAQ -- Frequently asked questions about intrusion
detection. The FAQ answers a wide range of questions from basic
theory to incident handling and response: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion
Detection -- This paper discusses the flaws in current methods of
intrusion detection and provides examples of attacks that can subvert
popular intrusion detection systems: http://www.clark.net/~roesch/idspaper.html
Intrusion Detection Systems -- A comprehensive list of intrusion
detection systems: http://www.cerias.purdue.edu/coast/intrusion-detection/ids.html
CVE Cross-Reference -- A cross-reference of SAINT tutorials with
corresponding Common Vulnerabilities and Exposures references and
the SANS Top Ten security threats: http://www.wwdsi.com/cgi-bin/doc.pl?document=cve
CERT Coordination Center -- The CERT home page. CERT maintains a
list of advisories from 1988 to the present of security issues of
concern to systems administrators along with a number of other resources:
http://www.cert.org/
CIAC -- The Computer Incident Advisory Capability is responsible
for security for the Department of Energy. However, the CIAC site
lists security issues for a number of operating systems, including
Linux, *BSD, AIX, Cisco, HP-UX, and Windows NT. CIAC also lists
viruses and hoaxes and contains useful documents and whitepapers:
http://ciac.llnl.gov/
Poster text provided by
Joe "Zonker" Brockmeier.
Joe "Zonker" Brockmeier has been using Linux since 1996 and writing
about it almost as long. He is the Senior Editor for User
Friendly Media and does a great deal of freelance writing and
editing for several publications including Sys Admin, Linux Magazine,
Enterprise Linux Magazine, and IBM developerWorks.