Recent Changes - Search:

Softwares

.

LinuxServerIntrusionDetection


Linux Server Intrusion Detection

Indications

  • Failed log-in attempts
  • Analyize system files, $HOME/ directory such as $HOME/.bashrc for modified $PATH entries, as well as changes in system configuration files in /etc
  • suid and sgid files on the system
  • Use last, lastcomm, and netstat commands
  • system is compromised, you can use the command:
                        root# rpm -Va
  • The RPM database will need to be archived
                  /var/lib/rpm/fileindex.rpm and 
                  /var/lib/rpm/packages.rpm
  • archive /bin/rpm executable also
  • List of the most recently modified files with the following command.
                 /usr/bin/find / -ctime -1 -print
  • find all setuid and setgid programs on your system:
                find / -type f -perm +6000 -ls
  • locate all world-writable files on your system,
               find / -perm -2 ! -type l -ls
  • locate files on your system that do not have an owner, or group
              find / -nouser -o -nogroup
  • Use the nosuid option in /etc/fstab
  • use nodev and noexec on user's home partitions, as well as /var, which prohibits execution of programs, and creation of character or block devices
  /            ext2   defaults,errors=remount-ro           0 1
  none         swap   sw                                   0 0
  /proc        proc   defaults                             0 0
  /boot        ext2   ro,noauto,nouser,noexec,nosuid,nodev 0 2
  /usr         ext2   ro,nodev                             0 2
  /usr/local   ext2   defaults                             0 2
  /var         ext2   rw,nosuid,nodev                      0 2
  /tmp         ext2   rw,nosuid,nodev                      0 2
  /home        ext2   rw,nosuid,nodev                      0 2
  /mnt/floppy  ext2   noauto                  
  • control the per-user limits using the resource-limits PAM module and /etc/pam.d/limits.conf
  • /var/log/wtmp and /var/run/utmp files contain the login records for all users on your system, should also have 644 permissions

Edit - History - Print - Recent Changes - Search
Page last modified on April 25, 2009, at 12:44 PM