Thread: monitor for illegal activity
-
11-01-2000, 12:48 AM #1 Web Hosting Guru
Just wondering what people do/use to monitor for illegal activity like users trying to hack/crack to gain root access to the server. Anyone actually monitor or you just wait till it's happened then fix it?
JFTR I have a server and within the last 2 weeks it's been hit twice. Most likely by the same person(s), as the same user accounts have been created. It's quite aggravating as I thought I had this system locked up pretty darn tight. It would be nice to have some sort of monitoring system to warn me when someone's on the system messing around...
-
11-01-2000, 01:11 AM #2 Web Hosting Master
Well there are a lot of security apps, tripwire is one of them, which you can find on http://freshmeat.net/
-
11-01-2000, 01:17 AM #3 WHT Addict
Hi everyone,
Please correct me if I'm wrong, but my knowledge of Tripwire is that it only notifies you *after* a compromise was made. IMHO, it's not very effective at deterring intruders but more of letting you know when your server was hacked into?
I'm also looking for a program which (hopefully) features intelligent detection and subsequent banning of users suspected of illegal activities against the server.
Anybody care to suggest whether such programs exist?
-
11-01-2000, 02:00 AM #4 Web Hosting Guru
Unfortunately, most of the time, there *isn't* a way to catch a user before they compromise a system.
Let's face it, it's not like these people are typing "give me root access" at the prompt. Most exploits these days involve buffer overflows or other bad input checking by software running with privileges. You can't effectively monitor for intrusions via these methods, at least before it happens. What you can do is make sure that you've plugged up all known holes in your system.
Further complicating things is that anyone with root access can cover their tracks quite effectively. Remember, all data on the local system can be tampered with when a box is compromised, including monitoring and reporting systems.
There are a few things you can do in the way of monitoring, of course. You can filter and watch logs for repeated password failures, dumb users trying to su to root, etc. But ultimately, you will probably not know somebody has compromised your box until they have. That's where it's a must to have solid recovery procedures, and competent staff that can identify the exploit used and plug it up.
-
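The log filtering post #4 describes (repeated password failures, users trying to su to root), as an added example that is not from the thread: a small sh script using only grep-style awk matching, run over constructed syslog-style lines. The hostnames, users and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the thread): scan syslog-style auth lines for
# repeated password failures per source host and for failed su-to-root,
# the two patterns post #4 suggests watching for. A cron job would run the
# same functions over /var/log/messages or /var/log/secure and mail the output.

# Constructed sample log lines (not real traffic).
SAMPLE_LOG='Nov  1 00:12:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 4011 ssh2
Nov  1 00:12:03 host sshd[1201]: Failed password for root from 10.0.0.5 port 4012 ssh2
Nov  1 00:12:05 host sshd[1202]: Failed password for invalid user admin from 10.0.0.5 port 4013 ssh2
Nov  1 00:12:07 host sshd[1203]: Failed password for bob from 10.0.0.5 port 4014 ssh2
Nov  1 00:13:40 host sshd[1210]: Accepted password for bob from 192.0.2.7 port 5000 ssh2
Nov  1 00:14:02 host su[1300]: FAILED SU (to root) bob on /dev/pts/1
Nov  1 00:14:09 host su[1301]: FAILED SU (to root) bob on /dev/pts/1
Nov  1 00:15:00 host sshd[1220]: Failed password for alice from 192.0.2.7 port 5001 ssh2'

# Print "count host" for every source with at least $1 failed password attempts.
failed_password_sources() {
    threshold="$1"
    printf '%s\n' "$SAMPLE_LOG" \
      | awk -v t="$threshold" '
          /sshd\[[0-9]+\]: Failed password for/ {
              # the source address is the field after "from"
              for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i+1)]++
          }
          END { for (h in hits) if (hits[h] >= t) print hits[h], h }'
}

# Print "count user" for every user with a failed su to root.
failed_su_root_users() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '/FAILED SU \(to root\)/ { users[$(NF-2)]++ }
             END { for (u in users) print users[u], u }'
}

# Stand-alone run: the report as a cron job would mail it.
report() {
    echo "== hosts with >= $1 failed passwords =="
    failed_password_sources "$1"
    echo "== users with failed su to root =="
    failed_su_root_users
}
report 3
```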
11-01-2000, 10:37 AM #5 Web Hosting Master
I get a whole slew of anonymous ftp logins (anonymous ftp is not enabled on any domain). Every IP address on the machine is tried. I think someone mentioned that this is pretty common.
-
11-01-2000, 03:45 PM #6 Web Hosting Guru
I see it all the time. Easy fix: turn off anonymous logins, or better yet, FTP if you don't need it.
-
11-02-2000, 02:22 AM #7 Web Hosting Master
Yep, these are attempts. I don't turn on anon. ftp.
-
11-02-2000, 10:45 PM #8 Web Hosting Master
Redhat
Red Hat is terrible about security.
The other day we put up a new box, with no services running on it, and all of a sudden one of the techs noticed it was generating like 4.5mbs of traffic, and nothing even on that box. It was crazy; I'm not sure what they found out the deal was.
affordablecolo.com carrier grade colocation at an affordable price!
Charles Baker - Company Operations
1-866-316-HOST
-
11-02-2000, 10:48 PM #9 Web Hosting Master
Red Hat 6.2 and security freaks... go to http://www.openna.com/books/registration.htm and download a copy of the pdf of their book. It explains everything to do to secure a red hat system, including how to monitor logs, patch systems, monitor ports, everything.
It is very well written,... and IT'S FREE! (I love linux)
Félix C. Courtemanche · webmaster@can-host.com
Can-Host Networks · http://www.can-host.com
web«cp Control Panel · http://webcp.can-host.com
-
01-03-2001, 05:07 PM #10 Junior Guru Wannabe
I use PortSentry, works very well and it's free.
Here you go, http://www.psionic.com/abacus/portsentry/
I hope that this helps.
-
01-07-2001, 09:03 PM #11 WHT Addict
In terms of monitoring users already on the servers (those that have telnet access), we use a modified version of bash that logs all their commands directly to a file, which is then grepped once a day for various suspect words, and anything interesting is mailed to the admins. We don't publicise the fact too much (not that we hide it either), so it hasn't put people off trying, but it's certainly helped us catch several people trying various exploits, trying to DoS from our servers, etc.
If anyone wants a copy, I can probably dig it out.
Regards,
Tony Lucas, Founder & SVP Product
Flexiant Ltd
Simplifying the Cloud - Designed for Service Providers
http://www.flexiant.com
-
01-07-2001, 09:08 PM #12 Junior Guru Wannabe
I would love to have a copy. Please contact me about it.
-
01-08-2001, 12:21 AM #13 Web Hosting Master
Please, me too, that sounds like a terrific add-on.
-
01-08-2001, 04:06 AM #14 Web Hosting Master
Could I have a copy too please?
The Php Support Desk
http://www.phpsupportdesk.com
Custom programming - kunal @ e-phoria.com
http://www.pingzine.com - Ping!Zine. the FREE, FRESH and EXCITING Web Hosting Magazine...
-
01-08-2001, 04:46 AM #15 WHT Addict
It's at http://www.virtualhoster.co.uk/bash+xcal.tar.gz for those that are interested.
Logs to /var/log/.bashlogs.
I'll leave it up to you guys to write the cron scripts for it, as ours are integrated into other scripts.
Regards,
Tony Lucas, Founder & SVP Product
Flexiant Ltd
Simplifying the Cloud - Designed for Service Providers
http://www.flexiant.com
-
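The daily cron job that posts #11 and #15 leave to the reader, as an added example and not the thread's own script: it greps the command log for suspect patterns and mails any hits to the admins. The log's line format ("date time user command"), the pattern list and the sample path under /tmp are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own script: a cron job for the command log
# described in posts #11 and #15. The log format (one "date time user command"
# line per command) is an assumption; adjust the awk field numbers to match
# whatever your patched bash actually writes.

LOGFILE="${LOGFILE:-/var/log/.bashlogs}"
ADMINS="${ADMINS:-root}"

# Extended regex of things worth a second look in a hosting customer's shell:
# compilers and downloaders, set-id chmods, the shadow file, flood pings, LD_PRELOAD.
SUSPECT='(^|[[:space:]])(gcc|cc|wget)[[:space:]]|chmod[[:space:]]+[2-7][0-7]{3}|chmod[[:space:]]+[ugoa]*\+s|/etc/shadow|ping[[:space:]]+-f|LD_PRELOAD'

# Print "user: command" for every suspect line in the log given as $1.
scan_commandlog() {
    grep -E "$SUSPECT" "$1" \
      | awk '{ user = $3; $1 = $2 = $3 = ""; sub(/^ +/, ""); print user ": " $0 }'
}

# Cron entry point: mail the hits, stay silent when there are none.
report_to_admins() {
    hits=$(scan_commandlog "$1")
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | mail -s "suspect commands on $(hostname)" "$ADMINS"
}

# Constructed sample log (not real data) so the script can be tried offline.
SAMPLE_LOG="${TMPDIR:-/tmp}/bashlogs.sample.$$"
make_sample_log() {
    cat > "$SAMPLE_LOG" <<'EOF'
2001-01-08 04:46:01 bob ls -la
2001-01-08 04:46:09 bob wget http://example.invalid/x.c
2001-01-08 04:46:20 bob gcc -o x x.c
2001-01-08 04:46:30 bob chmod 4755 x
2001-01-08 04:47:00 alice vi index.html
2001-01-08 04:47:10 carol ping -f 192.0.2.9
EOF
}

make_sample_log
scan_commandlog "$SAMPLE_LOG"   # from cron, call: report_to_admins "$LOGFILE"
```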
01-08-2001, 05:03 AM #16 Web Hosting Master
Thanx
The Php Support Desk
http://www.phpsupportdesk.com
Custom programming - kunal @ e-phoria.com
http://www.pingzine.com - Ping!Zine. the FREE, FRESH and EXCITING Web Hosting Magazine...
-
01-09-2001, 01:39 PM #17 Web Hosting Evangelist
We've formed a virtual crimewatch community - all our sites participate...we put stickers on our servers letting everyone know it is a crimewatch server...so I seriously doubt hackers will come snooping around.
Oh yeah, and we use Nessus.
-
10-03-2001, 07:53 AM #18 Web Hosting Master
Originally posted by Toons
It's at http://www.virtualhoster.co.uk/bash+xcal.tar.gz for those that are interested.
Logs to /var/log/.bashlogs.
I'll leave it up to you guys to write the cron scripts for it, as ours are integrated into other scripts.
Regards,
Tony Lucas
Can you put it back up again for me please so I can download it?
Thank you.
-
10-03-2001, 09:20 AM #19 Retired Moderator
Please be aware this thread is about 10 months old. I would suggest emailing Toons first. I'll leave it open since it might benefit other people...
-
10-03-2001, 09:25 AM #20 Web Hosting Master
I know, but maybe someone else has it for me.
-
10-03-2001, 03:40 PM #21 Disabled
Well,
I don't know if what I say will be any help, but
what I usually do is run iplog.
But see, my situation is different, because my server is a private box. My friend and I are the only ones that log in, via ssh; the rest are denied with TCP wrappers. Telnet is disabled, and only a couple of people have FTP logins (ONLY).
So what I do is install iplog and run tail -f /var/log/iplog.log and monitor my server that way.
If I see port scans, FTP attempts, I know what they are trying to do. Besides, I know how, I won't call them hackers, but "kiddies", think.
Another thing you can do, I suppose, is install ttysnoop, and from there, if anyone has a shell, you can watch their screen through ttysnoop. But I don't suggest running telnet, since there are remote root telnet exploits out there.
-
10-03-2001, 09:50 PM #22 Disabled
Re: Redhat
Originally posted by cbaker17
Red Hat is terrible about security.
The other day we put up a new box, with no services running on it, and all of a sudden one of the techs noticed it was generating like 4.5mbs of traffic, and nothing even on that box. It was crazy; I'm not sure what they found out the deal was.
I highly doubt it was REDHAT
????????????????????????????
-
10-03-2001, 10:24 PM #23 Junior Guru
Standard security toolkit...
OK... for a Linux box, you're going to want the following standard things installed, config'd and running:
Portsentry: Already mentioned, this puppy monitors certain ports to see if someone is 'portscanning' your system. This typically happens in the 'front' or 'beginning' part of an attack. Portsentry can be configured to just log the attack, or actually block the offending host. Available at http://www.psionic.com/
Logcheck: A simple utility -- this runs at regular intervals, scans system logs, and emails suspicious activity to the admin. Good for catching an attack in progress. Also available at http://www.psionic.com/
Tripwire: Yes, you're correct. This only catches things after they happen. But as the folks at project 'Honey net' ( http://project.honeynet.org/ ) will tell you, it's good to have documentation to analyze after an attack. This can help you find weaknesses, and can tell you about files that have been affected.
For a truly secure system, or a firewall:
Harden your box/network using ipchains: There's no substitute for hardening your network by closing off un-needed ports or services. I'd also recommend turning off ICMP echo-replies.
Use Snort: The folks at Snort are a fun bunch. The tool they've built uses 'packet signatures' to detect attacks from a mile away. Check it out at http://www.snort.org
Use NAT/Reverse proxying using port-forwarding: This makes it easier to lock down your entire network from one location. This might create a speed bottleneck, though -- so be sure to do a risk analysis before diving into this.
Check out HostSentry: This might be what you're looking for. Apparently, this will look for 'bad people trying to log in' by evaluating the normal pattern of logins that occur on a system. Also available at http://www.psionic.com/
Questions? Comments? Need advice for NT/2000? Drop me a line via email or PM.
-Dan
Dan Esparza
CagedTornado web services
-
10-04-2001, 04:25 AM #24 WHT Addict
One thing I wanted to point out is the potential conflict between PortSentry and running a firewall (on the same box). I don't know if PortSentry does this by default (I don't personally use it), but in one configuration I've seen, the installation set up a cron to flush your 'ipchains' rules every hour.
The logic was that it can't do its job if the ports are blocked, but there are cases where you might want to monitor some ports, and block other specific ports (or hosts or protocols). It took a bit of troubleshooting to figure out why the firewall kept disappearing.
I don't recall if it also flushed the 'forward' chain, or if it affects 'iptables' or not, but it's something to keep in mind if you have problems similar to this.
- Jman
-
10-04-2001, 01:41 PM #25 Junior Guru
Never seen that behavior in Portsentry
I've never seen that behavior in Portsentry.
It blocks hosts permanently both through hosts.deny and ipchains.
If the ports are blocked, the job of securing the box (by monitoring portscans and taking action) is already done. Portsentry would be overkill.
-Dan
Dan Esparza
CagedTornado web services