Linux Intrusion Detection
No matter how security minded you are, no matter how many updates and patches
you apply, there's always a chance that someone will crack one of your systems.
It's an unpleasant reality, but it's a fact: no system is 100% secure unless
it's turned off, but how useful is that? Although it's important to spend time
on prevention, you must also have a backup plan in the event that security is
compromised. If one of your systems is cracked, immediate detection and damage
control are essential to prevent an intruder from gaining access to other systems
and causing irreparable problems.
Some Common Exploits and Their Symptoms
One key to intrusion detection is understanding the most common security exploits. This knowledge will allow you to set up a checklist for periodic security checks of your system. If you're running a DNS server, BIND is a favorite target for attack. BIND has a number of security issues and should be disabled if not needed. If you need BIND, be sure to check at least monthly for updates and fixes. CGI scripts are another point of vulnerability. If CGI can be avoided, it is probably best to do so. Under no circumstances should an administrator leave sample CGI scripts on a production server or run a Web server as root. The list of CGI issues is too great to include here, but the SANS Top Ten List of security threats contains useful tips about CGI and other vulnerabilities. There's no standard for how often these security audits should be performed, but careful administrators continually check for signs of intrusion. A comprehensive check should be performed at least monthly, if not more frequently.
A comprehensive check should minimally involve:
- Running through system logfiles thoroughly.
- Checking sensitive files like /etc/passwd, /etc/hosts.allow, and other commonly modified files.
- Examining the root user's history for suspicious commands.
- Using a clean version of ps to check for unusual processes.
- Running a tool like SAINT or SATAN to look for network-related security flaws that could be a sign of intrusion.
Another part of the monthly routine includes checking sites like BugTraq and vendor Web sites for any available security patches and applying them. Many vendors like SuSE or Red Hat also provide mailing lists with updates about security flaws for packages on their systems.
Often, crackers will not be satisfied with simply breaking into a system. They will want to return at a later date and may add user accounts and change host access to facilitate entry. Here is a list, although not exhaustive, of files to check for changes:
/etc/hosts
/etc/hosts.equiv
/etc/hosts.deny
/etc/hosts.allow
/etc/passwd
/etc/shadow
Another sign of entry is a change in the root user's path to include the /root/ directory, and binaries like ls, ps, top, cp, mv, login, and others found in the /root/ directory. Any change here is a sure sign that someone has "rooted" the box and is trying to cover their tracks. You should also look for directories called "...", unexpected binaries, such as "crack" or other common cracker tools, and normal binaries in odd locations.
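The checks above (hashing the listed files against a known-good baseline and looking for "..." directories) as a small added script; this is example code written for this page, not a tool the article mentions. The file list is the one given above; the directory layout and contents in demo() are constructed under a temporary directory, so it runs offline.

```python
import hashlib
import os
import tempfile

# Files the article lists as commonly modified by an intruder to ease re-entry.
SENSITIVE_FILES = ["etc/hosts", "etc/hosts.equiv", "etc/hosts.deny",
                   "etc/hosts.allow", "etc/passwd", "etc/shadow"]

def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root):
    """Record the hash of every sensitive file that exists under root (store this offline)."""
    return {rel: sha256_of(os.path.join(root, rel))
            for rel in SENSITIVE_FILES if os.path.isfile(os.path.join(root, rel))}

def check_against_baseline(root, baseline):
    """Return sensitive files whose hash changed, or which appeared or vanished, since the baseline."""
    current = take_baseline(root)
    return sorted(rel for rel in set(baseline) | set(current)
                  if baseline.get(rel) != current.get(rel))

def find_suspicious_dirs(root):
    """Directories literally named '...' anywhere under root are a classic hiding place."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        hits.extend(os.path.join(dirpath, d) for d in dirnames if d == "...")
    return sorted(hits)

def demo():
    """Constructed scenario: a fake root where etc/passwd gains a line and a '...' directory appears."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    for rel in SENSITIVE_FILES:
        with open(os.path.join(root, rel), "w") as f:
            f.write("original contents of %s\n" % rel)
    baseline = take_baseline(root)
    with open(os.path.join(root, "etc/passwd"), "a") as f:
        f.write("added_user:x:1001:1001::/home/added_user:/bin/sh\n")  # constructed extra account
    os.makedirs(os.path.join(root, "tmp", "..."))
    return check_against_baseline(root, baseline), find_suspicious_dirs(root)

if __name__ == "__main__":
    print(demo())
```

Run it against the real filesystem with root="/" and a baseline saved to read-only media; a baseline kept on the same box can be edited by whoever edited the files.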
System Logs
System logs may also show signs of attacks, successful or otherwise. Error logs may show repeated attempts to mount filesystems remotely when that's not allowed, numerous failed login attempts to existing accounts, or attempts to guess user names and passwords. Unusual access times are also a clue: if your company CFO is usually a nine-to-fiver and is now logging in at two in the morning, you might have a problem.
System logs exist to provide a diagnostic tool for your system's health. Be sure to utilize them, but don't depend on them completely. It's entirely possible that the intruder will know how to cover his or her tracks in the system logs.
The /var/log/warn system log, for example, should show failed login attempts. One failed login attempt is not usually cause for concern, but 20 failed logins in short succession would be a good sign someone is trying to break in. Additionally, /var/log/warn will indicate other signs of abuse or intrusion.
To see who has logged in as the root user via su, check the /var/log/messages system log. If the file has not been tampered with, users who have successfully changed to the root user will be logged in this file. Remember that not all security concerns come from outside your company or organization. If unauthorized users are logging in as root, it's time to change the password and possibly take action against the abusers. You may also want to check that authorized users are not logging in via an insecure method and su'ing to root, since that presents a huge security concern.
Other files to check are /var/log/messages, /var/log/access_log, and /var/log/error_log. The location and name of logfiles depends on your vendor. It's imperative to know these files and keep close watch on them.
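The two log checks described above, a burst of failed logins in short succession and a list of who has su'ed to root, as an added Python example (not code from the article). The sample lines are constructed in the style of classic login(1) and su(1) syslog messages; the 20-in-a-window threshold and the 60-second window are assumptions you would tune for your site, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: 22 failures from one host in 44 seconds, one stray failure, and su records.
SAMPLE_LOG = (
    ["Mar  3 02:11:%02d host login[411]: FAILED LOGIN %d FROM 10.0.0.7 FOR bob, Authentication failure"
     % (s, i + 1) for i, s in enumerate(range(5, 49, 2))]
    + ["Mar  3 09:30:01 host login[520]: FAILED LOGIN 1 FROM 10.0.0.9 FOR carol, Authentication failure",
       "Mar  3 14:02:10 host su: (to root) alice on /dev/pts/1",
       "Mar  3 02:13:55 host su: (to root) bob on /dev/pts/3",
       "Mar  3 14:05:00 host su: (to nobody) alice on /dev/pts/1"]
)

FAILED_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")
SU_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su: \(to root\) (\S+) on (\S+)")

def parse_ts(stamp, year=2000):
    """Syslog stamps have no year; assume one so the window arithmetic works."""
    return datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")

def failed_login_bursts(lines, threshold=20, window_seconds=60):
    """Return {source: peak count} for every source with >= threshold failures inside one window."""
    by_source = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            by_source[m.group(2)].append(parse_ts(m.group(1)))
    bursts = {}
    for src, stamps in by_source.items():
        stamps.sort()
        recent = deque()                      # sliding window of timestamps
        for t in stamps:
            recent.append(t)
            while (t - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= threshold:
                bursts[src] = max(bursts.get(src, 0), len(recent))
    return bursts

def root_su_events(lines):
    """Return (time, user, tty) for each successful su to root, to compare with the authorised admin list."""
    return [(m.group(1), m.group(2), m.group(3)) for m in map(SU_RE.match, lines) if m]

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG))
    print(root_su_events(SAMPLE_LOG))
```

Feed it your real /var/log/warn or /var/log/messages with open(path) instead of SAMPLE_LOG; the login and su message formats vary by vendor, so adjust the two regexes to what your logs actually contain.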
System Performance
If you experience a marked decrease in system performance, but you're not sure why, your system may have been cracked. If you detect odd processes using top or ps, then that's a sure sign. It is possible, however, that you have processes running that are hidden from top and ps. Or, an intruder may have replaced these items with binaries cloaking other programs.
Host-Based vs. Network-Based Intrusion Detection
There are two common types of intrusion detection systems: network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS).
Network-based methods record communications packets and attempt to identify attacks through information available through network traffic. NIDS are easy to manage and fairly transparent to users. However, NIDS solutions aren't scalable to very large networks and generate more false positives than HIDS.
Host-based methods deploy a monitor on each system, which is a more scalable solution than NIDS, but harder to manage. Intrusion is easier to detect at the system level, and the accuracy rate is better than with NIDS.
Intranet VPN Installation
Intranets connect trusted locations and users within the same organization. Typical examples are links from headquarters to branch offices, access for telecommuters, and access for traveling employees. For intranet links, the VPN should furnish the same access to the corporate network as if the user or branch office were physically connected. The security policy enforced by an intranet VPN is usually the standard corporate policy, at least once the remote user has been authenticated.
Intrusion Models
There are two intrusion models that most intrusion detection systems look for, anomaly and misuse. The anomaly model looks for behavior that is inconsistent with a user or system's normal behavior. Anomalies might include a user running processes at odd times or a process that is consuming far more resources than usual. The misuse model is designed to find activity corresponding to known system vulnerabilities.
Tools
Checking your system manually is just one aspect of intrusion detection. Many tools can help monitor system activity and system health. You may want to deploy one or more of these tools to help prevent and detect attacks on your system.
SATAN -- The Security Administrator's Tool for Analyzing Networks allows systems administrators to find common network-related security flaws. SATAN includes tutorials on the security flaws that it recognizes, providing administrators with information about the problem and how to correct it. SATAN collects information available to anyone else on a network, and only reports security flaws; it does not exploit them. SATAN requires Perl to run. A list of SATAN mirrors can be found at:
http://www.cs.ruu.nl/cert-uu/satan.html
SAINT -- The Security Administrator's Integrated Network Tool is an updated version of SATAN. SAINT gathers information about hosts and networks by examining network services (ftp, NIS, NFS, statd, etc.) and reports available services and potential security flaws. SAINT's results are viewable in any Web browser. SAINT is available under the SATAN license at: http://www.wwdsi.com/saint/
LIDS -- The Linux Intrusion Detection/Defense System is concerned with the security of the Linux kernel. LIDS is a kernel patch and admin tool. Features include a port scanner in the kernel, protection of files and processes, intrusion response, and email alerts. LIDS is GPL'ed software available at: http://www.lids.org/
Abacus Project Tools -- The Abacus Project is an intrusion protection suite of tools including the LogCheck program, PortSentry, and HostSentry. LogCheck reads system logs and sends emails on a periodic basis if security violations are found.
PortSentry is a port scan detector that automatically denies access to attacking hosts in real time. PortSentry also notifies systems administrators of attacks, but reacts automatically to perceived attacks.
HostSentry is designed to spot compromised user accounts and unusual login behavior. HostSentry maintains a dynamic database of "learned" user activity and detects unusual behavior by comparing against the database. The Abacus Project Tools are available at: http://sourceforge.net/projects/sentrytools/
Check-ps -- The check-ps program looks for rootkit versions of ps that cloak selected processes. Hidden processes are a sure sign of intrusion, and check-ps helps administrators detect an intrusion before too much damage is done. The check-ps source code is available from: http://checkps.alcom.co.uk/download.html
Conclusion
Remember, an ounce of prevention is worth a pound of cure. Intrusion detection is a necessary part of a healthy system, but it's no substitute for secure systems. Make only the necessary services available on your systems and apply security fixes as soon as possible.
Resources
SANS Institute Ten Most Critical Internet Security Threats -- A listing of the most common/critical security threats. This list gives systems administrators an idea of what to look for and includes UNIX, Linux, and Windows NT vulnerabilities: http://www.sans.org/topten.htm
Intrusion Detection FAQ -- Frequently asked questions about intrusion detection. The FAQ answers a wide range of questions from basic theory to incident handling and response:
http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection -- This paper discusses the flaws in current methods of intrusion detection and provides examples of attacks that can subvert popular intrusion detection systems: http://www.clark.net/~roesch/idspaper.html
Intrusion Detection Systems -- A comprehensive list of intrusion detection systems:
http://www.cerias.purdue.edu/coast/intrusion-detection/ids.html
CVE Cross-Reference -- A cross-reference of SAINT tutorials with corresponding Common Vulnerabilities and Exposures references and the SANS Top Ten security threats: http://www.wwdsi.com/cgi-bin/doc.pl?document=cve
CERT Coordination Center -- The CERT home page. CERT maintains a list of advisories from 1988 to the present of security issues of concern to systems administrators along with a number of other resources: http://www.cert.org/
CIAC -- The Computer Incident Advisory Capability is responsible for security for the Department of Energy. However, the CIAC site lists security issues for a number of operating systems, including Linux, *BSD, AIX, Cisco, HP-UX, and Windows NT. CIAC also lists viruses and hoaxes and contains useful documents and whitepapers: http://ciac.llnl.gov/
Poster text provided by Joe "Zonker" Brockmeier.
Joe "Zonker" Brockmeier has been using Linux since 1996 and writing about it almost as long. He is the Senior Editor for User Friendly Media and does a great deal of freelance writing and editing for several publications including Sys Admin, Linux Magazine, Enterprise Linux Magazine, and IBM developerWorks.