  1. #1


    Just wondering what people do/use to monitor for illegal activity like users trying to hack/crack to gain root access to the server. Does anyone actually monitor, or do you just wait till it's happened and then fix it?

    JFTR I have a server and within the last 2 weeks it's been hit twice. Most likely by the same person(s), as the same user accounts have been created. It's quite aggravating, as I thought I had this system locked up pretty darn tight. It would be nice to have some sort of monitoring system to warn me when someone's on the system messing around...


  2. #2
    Join Date
    Jun 2000
    Location
    Washington, USA
    Posts
    5,990


    Well there are a lot of security apps, tripwire is one of them, which you can find on http://freshmeat.net/

  3. #3
    Hi everyone,

    Please correct me if I'm wrong, but my knowledge of Tripwire is that it only notifies you *after* a compromise has been made. IMHO, it's not very effective at deterring intruders, but more a matter of letting you know when your server was hacked into?

    I'm also looking for a program which (hopefully) features intelligent detection and subsequent banning of users suspected of illegal activities against the server.

    Anybody care to suggest whether such programs exist?

  4. #4
    Join Date
    Oct 2000
    Posts
    337
    Unfortunately, most of the time, there *isn't* a way to catch a user before they compromise a system.

    Let's face it, it's not like these people are typing "give me root access" at the prompt. Most exploits these days involve buffer overflows or other bad input checking by software running with privileges. You can't effectively monitor for intrusions via these methods, at least before it happens. What you can do is make sure that you've plugged up all known holes in your system.

    Further complicating things is that anyone with root access can cover their tracks quite effectively. Remember, all data on the local system can be tampered with when a box is compromised, including monitoring and reporting systems.

    There are a few things you can do in the way of monitoring, of course. You can filter and watch logs for repeated password failures, dumb users trying to su to root, etc. But ultimately, you will probably not know somebody has compromised your box until they have. That's where it's a must to have solid recovery procedures, and competent staff that can identify the exploit used and plug it up.
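    The log watch described in the post above, as an added example rather than anything posted in this thread: a small sh script that reads constructed sample lines in the style of sshd and su syslog messages (the hosts, users and timestamps are made up) and reports source hosts with repeated password failures and users who failed to su to root.

```shell
#!/bin/sh
# Added example, not from any post in this thread: the log watch post #4
# describes, over constructed sample lines in the style of the syslog
# messages sshd and su write (the real files are /var/log/auth.log or
# /var/log/secure; the addresses and names below are made up).
THRESHOLD=${THRESHOLD:-3}   # failed passwords from one host before it is reported

SAMPLE_LOG=$(cat <<'EOF'
Jul 14 02:11:03 host sshd[2011]: Failed password for root from 192.0.2.10 port 4011 ssh2
Jul 14 02:11:07 host sshd[2012]: Failed password for root from 192.0.2.10 port 4012 ssh2
Jul 14 02:11:12 host sshd[2013]: Failed password for invalid user admin from 192.0.2.10 port 4013 ssh2
Jul 14 02:15:40 host sshd[2020]: Failed password for bob from 198.51.100.7 port 4100 ssh2
Jul 14 02:20:01 host su: FAILED su for root by bob
Jul 14 02:21:00 host sshd[2030]: Accepted password for bob from 198.51.100.7 port 4101 ssh2
EOF
)

# Read log lines on stdin; print "count host" for each source host with at
# least THRESHOLD failed passwords. The host is the word after "from", so the
# "invalid user" variant of the message is handled too.
brute_force_hosts() {
    awk -v thr="$THRESHOLD" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (h in fails) if (fails[h] >= thr) print fails[h], h }'
}

# Read log lines on stdin; print each user who failed to su to root.
failed_su_root() {
    awk '/su: FAILED su for root by/ { print $NF }' | sort -u
}

# Build the report a cron job would mail; prints nothing when there is nothing
# to say, so a caller can test for empty output and only bother the admin
# when something was found.
report() {
    data=$(cat)
    hosts=$(printf '%s\n' "$data" | brute_force_hosts)
    users=$(printf '%s\n' "$data" | failed_su_root)
    [ -n "$hosts" ] && printf 'Hosts with %s+ failed passwords:\n%s\n' "$THRESHOLD" "$hosts"
    [ -n "$users" ] && printf 'Failed su to root by:\n%s\n' "$users"
    return 0
}

printf '%s\n' "$SAMPLE_LOG" | report
```

On a real box, replace the sample with `report < /var/log/secure` in a cron job and pipe non-empty output to mail; the threshold is deliberately low here so the sample trips it.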

  5. #5
    Join Date
    Jun 2000
    Location
    Southern California
    Posts
    12,136
    I get a whole slew of anonymous ftp logins (anonymous ftp is not enabled on any domain). Every IP address on the machine is tried. I think someone mentioned that this is pretty common.
    HostHideout.com - Where professionals discuss web hosting.

    • Chicken

  6. #6
    Join Date
    Oct 2000
    Posts
    337
    I see it all the time. Easy fix: turn off anonymous logins, or better yet, FTP if you don't need it.

  7. #7
    Join Date
    Jun 2000
    Location
    Southern California
    Posts
    12,136
    Yep, these are attempts. I don't turn on anon. ftp.
    HostHideout.com - Where professionals discuss web hosting.

    • Chicken

  8. #8
    Join Date
    Jun 2000
    Location
    Wichita, Ks, USA
    Posts
    1,984

    Redhat

    Red Hat is terrible about security.

    The other day we put up a new box with no services running on it, and all of a sudden one of the techs noticed it was generating like 4.5mbs of traffic, and nothing was even on that box. It was crazy; I'm not sure what they found out the deal was.
    affordablecolo.com carrier grade colocation at an affordable price!
    Charles Baker - Company Operations
    1-866-316-HOST

  9. #9
    Red Hat 6.2 and security freaks... go to http://www.openna.com/books/registration.htm and download a copy of the pdf of their book. It explains everything to do to secure a red hat system, including how to monitor logs, patch systems, monitor ports, everything.

    It is very well written,... and IT'S FREE! (I love linux)
    Félix C.Courtemanche · webmaster@can-host.com
    Can-Host Networks · http://www.can-host.com
    web«cp Control Panel · http://webcp.can-host.com

  10. #10
    Join Date
    Jan 2001
    Posts
    79


    I use port sentry, works very well and it's free.

    Here you go, http://www.psionic.com/abacus/portsentry/

    I hope that this helps.

  11. #11
    Join Date
    Dec 2000
    Location
    Scotland
    Posts
    134
    In terms of monitoring users already on the servers (those that have telnet access), we use a modified version of bash that logs all their commands directly to a file, which is then grepped once a day for various suspect words, and anything interesting is mailed to the admins. We don't publicise the fact too much (not that we hide it either), so it hasn't put people off trying, but it's certainly helped us catch several people trying various exploits, trying to DoS from our servers, etc.

    If anyone wants a copy, I can probably dig it out.

    Regards,

    Tony Lucas
    Founder & SVP Product
    Flexiant Ltd
    Simplifying the Cloud - Designed for Service Providers
    http://www.flexiant.com

  12. #12
    I would love to have a copy. Please contact me about it.



  13. #13
    Please, me too that sounds like a terrific add-on
    Carlos Rego
    OnApp CVO

    The Cloud Engine

  14. #14
    Could I have a copy to please?
    The Php Support Desk
    http://www.phpsupportdesk.com
    Custom programming - kunal @ e-phoria.com
    http://www.pingzine.com - Ping!Zine. the FREE, FRESH and EXCITING Web Hosting Magazine...

  15. #15
    Join Date
    Dec 2000
    Location
    Scotland
    Posts
    134
    It's at http://www.virtualhoster.co.uk/bash+xcal.tar.gz for those that are interested.

    Logs to /var/log/.bashlogs.

    I'll leave it up to you guys to write the cron scripts for it, as ours are integrated into other scripts.

    Regards,

    Tony Lucas
    Founder & SVP Product
    Flexiant Ltd
    Simplifying the Cloud - Designed for Service Providers
    http://www.flexiant.com
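    A cron-style sweep of the kind the post above leaves to the reader, added here as an example and not the poster's own script: it greps one day's command log for suspect words and summarises hits per user. The "date user tty command" line format, the log file names and the sample session are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not the thread's own cron script: a daily sweep over the
# command log written by the patched bash from post #15 (it logs under
# /var/log/.bashlogs). The "date user tty command" line format, the log file
# names and the sample session below are assumptions made for this example.
LOGDIR=${LOGDIR:-/var/log/.bashlogs}
ADMIN=${ADMIN:-root}

# Words that earn a session a second look; a hit means "read this", not "guilty".
SUSPECT='gcc|wget|nmap|/etc/shadow|/etc/passwd'

# Constructed sample log, one command per line.
SAMPLE=$(cat <<'EOF'
Jul 14 09:01:10 alice pts/0 ls -la
Jul 14 09:01:15 alice pts/0 vi index.html
Jul 14 09:30:02 mallory pts/1 wget http://example.invalid/x.tgz
Jul 14 09:30:20 mallory pts/1 tar xzf x.tgz
Jul 14 09:30:40 mallory pts/1 gcc -o x x.c
Jul 14 09:31:00 mallory pts/1 cat /etc/shadow
EOF
)

# Keep only the lines that mention a suspect word (stdin to stdout).
suspect_lines() { grep -E "$SUSPECT"; }

# Count hits per user; the user is field 4 in the assumed line format.
flag_users() { suspect_lines | awk '{ n[$4]++ } END { for (u in n) print u, n[u] }'; }

# Full report for one day's logs; prints nothing when grep finds nothing, so
# the caller can skip the mail on a quiet day.
report() {
    data=$(cat)
    hits=$(printf '%s\n' "$data" | suspect_lines) || return 0
    printf 'Suspect commands:\n%s\n\nHits per user:\n' "$hits"
    printf '%s\n' "$hits" | flag_users
}

# Cron entry point: mail real logs to the admin; with no log directory present
# (as when run here) report on the constructed sample instead.
if [ -d "$LOGDIR" ]; then
    out=$(cat "$LOGDIR"/* 2>/dev/null | report)
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | mail -s "bashlog sweep: suspect commands" "$ADMIN"
    fi
else
    printf '%s\n' "$SAMPLE" | report
fi
```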

  16. #16
    Thanx
    The Php Support Desk
    http://www.phpsupportdesk.com
    Custom programming - kunal @ e-phoria.com
    http://www.pingzine.com - Ping!Zine. the FREE, FRESH and EXCITING Web Hosting Magazine...

  17. #17
    Join Date
    May 2000
    Posts
    488
    We've formed a virtual crimewatch community - all our sites participate...we put stickers on our servers letting everyone know it is a crimewatch server...so I seriously doubt hackers will come snooping around.
    Oh yeah, and we use Nessus.

  18. #18
    Join Date
    Dec 2000
    Location
    Lowlands
    Posts
    718
    Originally posted by Toons
    It's at http://www.virtualhoster.co.uk/bash+xcal.tar.gz for those that are interested.

    Logs to /var/log/.bashlogs.

    I'll leave it up to you guys to write the cron scripts for it, as ours are integrated into other scripts.

    Regards,

    Tony Lucas

    Can you put it back up again for me please so I can download it?
    Thank you.

  19. #19
    Join Date
    Sep 2000
    Location
    New York/USA
    Posts
    1,691
    Please be aware this thread is about 10 months old. I would suggest emailing Toons first. I'll leave it open since it might benefit other people...

  20. #20
    Join Date
    Dec 2000
    Location
    Lowlands
    Posts
    718
    I know but maybe someone else has it for me.

  21. #21
    Join Date
    Mar 2001
    Location
    Canada
    Posts
    489
    Well,
    I don't know if what I say will be any help, but
    what I usually do is run iplog.
    But see, my situation is different, because my server is a private box. My friend and I are the only ones that log in, via ssh; the rest are denied with TCP wrappers. Telnet is disabled, and only a couple of people have FTP logins (ONLY).

    So what I do is install iplog and run tail -f /var/log/iplog.log and monitor my server that way.........
    If I see port scans, FTP attempts, I know what they are trying to do. Besides, I know how, I won't call them hackers, but "kiddies" think.

    Another thing you can do, I suppose, is install ttysnoop, and from there, if anyone has a shell, you can watch their screen through ttysnoop. But I don't suggest running telnet, since there are remote root telnet exploits out there.

  22. #22
    Join Date
    Mar 2001
    Location
    Canada
    Posts
    489

    Re: Redhat

    Originally posted by cbaker17
    Red Hat is terrible about security.

    The other day we put up a new box with no services running on it, and all of a sudden one of the techs noticed it was generating like 4.5mbs of traffic, and nothing was even on that box. It was crazy; I'm not sure what they found out the deal was.
    If there are no services running,
    I highly doubt it was REDHAT.
    ????????????????????????????

  23. #23
    Join Date
    Jul 2001
    Location
    Wrapped in CAT5.
    Posts
    217

    Standard security toolkit...

    OK... for a Linux box, you're going to want the following standard things installed, config'd and running:

    Portsentry: Already mentioned, this puppy monitors certain ports to see if someone is 'portscanning' your system. This typically happens in the 'front' or 'beginning' part of an attack. Portsentry can be configured to just log the attack, or actually block the offending host. Available at http://www.psionic.com/

    Logcheck: A simple utility -- this runs at regular intervals, scans system logs, and emails suspicious activity to the admin. Good for catching an attack in progress. Also available at http://www.psionic.com/

    Tripwire: Yes, you're correct. This only catches things after they happen. But as the folks at project 'Honey net' ( http://project.honeynet.org/ ) will tell you, it's good to have documentation to analyze after an attack. This can help you find weaknesses, and can tell you about files that have been affected.

    For a truly secure system, or a firewall:
    Harden your box/network using ipchains: There's no substitute for hardening your network by closing off un-needed ports or services. I'd also recommend turning off ICMP echo-replies.

    Use Snort: The folks at Snort are a fun bunch. The tool they've built uses 'packet signatures' to detect attacks from a mile away. Check it out at http://www.snort.org

    Use NAT/Reverse proxying using port-forwarding This makes it easier to lock down your entire network from one location. This might create a speed bottleneck, though -- so be sure to do a risk analysis before diving into this.

    Check out HostSentry: This might be what you're looking for. Apparently, this will look for 'bad people trying to log in' by evaluating the normal pattern of logins that occur on a system. Also available at http://www.psionic.com/


    Questions? Comments? Need advice for NT/2000? Drop me a line via email or PM.

    -Dan
    Dan Esparza
    CagedTornado web services

  24. #24
    One thing I wanted to point out is the potential conflict between PortSentry and running a firewall (on the same box). I don't know if PortSentry does this by default (I don't personally use it), but in one configuration I've seen, the installation set up a cron to flush your 'ipchains' rules every hour.

    The logic was that it can't do its job if the ports are blocked, but there are cases where you might want to monitor some ports, and block other specific ports (or hosts or protocols). It took a bit of troubleshooting to figure out why the firewall kept disappearing.

    I don't recall if it also flushed the 'forward' chain, or if it affects 'iptables' or not, but it's something to keep in mind if you have problems similar to this.
    - Jman

  25. #25
    Join Date
    Jul 2001
    Location
    Wrapped in CAT5.
    Posts
    217

    Never seen that behavior in Portsentry

    I've never seen that behavior in Portsentry.

    It blocks hosts permanently both through hosts.deny and ipchains.

    If the ports are blocked, the job of securing the box (by monitoring portscans and taking action) is already done. Portsentry would be overkill.

    Dan
    Dan Esparza
    CagedTornado web services
