Linux Server Intrusion Detection
Indications
- Failed log-in attempts
- Analyze system files and the $HOME/ directory, e.g. $HOME/.bashrc for modified $PATH entries, as well as changes to system configuration files in /etc
- Check for setuid and setgid files on the system
- Use the last, lastcomm, and netstat commands (login history, process accounting, and open network connections)
- If you suspect the system is compromised, verify the installed package files against the RPM database with the command:
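The first indication in the list, failed log-in attempts, is easiest to spot when failures are counted per source rather than read line by line. The script below is an added example, not part of these notes: it takes sshd lines in the syslog format (the sample lines are constructed; the addresses are documentation ranges), counts "Failed password" events per source address and flags sources at or above a threshold that is an assumption to tune per site. It scans for the "from" token instead of fixed field positions because the "invalid user" variant shifts the fields.

```shell
#!/bin/sh
# Added example (not from the original notes): count failed SSH log-ins per
# source address from auth.log-style lines and flag sources over a threshold.
# SAMPLE_AUTH_LOG is constructed sample data; the threshold is an assumption.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[2101]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  3 10:01:14 host sshd[2101]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  3 10:01:17 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Mar  3 10:02:01 host sshd[2107]: Accepted publickey for alice from 192.0.2.10 port 50210 ssh2
Mar  3 10:02:40 host sshd[2110]: Failed password for alice from 192.0.2.10 port 50214 ssh2
Mar  3 10:03:05 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 41031 ssh2
Mar  3 10:03:09 host sshd[2112]: Failed password for root from 198.51.100.7 port 41040 ssh2
Mar  3 10:03:30 host sshd[2115]: Failed password for root from 198.51.100.7 port 41044 ssh2'

# failed_by_source: reads log lines on stdin, prints "<count> <ip>",
# highest count first. Only sshd "Failed password" lines are counted.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            # the word after "from" is the source address, wherever it sits
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_sources THRESHOLD: reads log lines on stdin, prints addresses with
# at least THRESHOLD failures.
flag_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_sources 5
```

On a live host feed it from the authentication log (auth.log or secure); the same per-source count can be taken from lastb, which reads the failed-login record btmp, the counterpart of the wtmp file that the last command reads.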
root# rpm -Va
- The RPM database will need to be archived beforehand, because rpm -Va trusts it and a tampered database hides changes:
/var/lib/rpm/fileindex.rpm and
/var/lib/rpm/packages.rpm
- Archive the /bin/rpm executable as well, since a replaced rpm binary can report whatever the intruder wants
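rpm -Va prints every file that differs from the package database, and on a long-running host most of that is noise (edited config files, touched timestamps). The filter below is an added example, not part of these notes: it reads rpm -Va output and keeps only the findings that matter for an intrusion check, i.e. missing files, any file whose mode or ownership changed, and non-config files whose size or digest changed. The sample verification lines are constructed.

```shell
#!/bin/sh
# Added example: triage rpm -Va output. Not from the original notes.
# rpm -Va prints one line per file that differs from the package database:
#   SM5DLUGTP  [c] /path   ('.' in a position means that attribute is unchanged)
#   S size, M mode, 5 digest, D device, L symlink target, U user, G group,
#   T mtime, P capabilities; "missing   /path" when the file is gone.
# The 'c' marker flags a config file, whose size/digest/mtime legitimately
# drift; for anything else a digest or size change means the content differs.

# Reads rpm -Va output on stdin; prints one "<reason> <path>" line per finding.
triage_rpm_verify() {
    awk '
    {
        path = substr($0, index($0, "/"))
        if ($1 == "missing") { print "missing " path; next }
        flags  = $1
        is_cfg = ($2 == "c")
        if (index(flags, "M") || index(flags, "U") || index(flags, "G"))
            print "mode/owner " path          # permission or ownership changed
        else if (!is_cfg && (index(flags, "5") || index(flags, "S")))
            print "content " path             # binary/library content replaced
    }'
}

# Constructed sample of rpm -Va output (not real verification results).
SAMPLE_RPM_VA='S.5....T.    /usr/bin/ls
.M.......    /usr/bin/passwd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libc.so.6
missing      /usr/bin/netstat
.M...UG..  c /etc/shadow'

# Wrapper that runs the filter over the sample so the result can be checked.
triage_sample() {
    printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify
}

triage_sample
```

On a suspect host the output is only as good as its inputs: run the archived rpm binary and point it at the archived database with rpm's --dbpath option rather than at /var/lib/rpm, for the reasons given in the two bullets above.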
- List the most recently modified files (status changed within the last day) with the following command:
/usr/bin/find / -ctime -1 -print
- Find all setuid and setgid programs on your system (current GNU find rejects the older -perm +6000 spelling; use /6000):
find / -type f -perm /6000 -ls
- Locate all world-writable files on your system:
find / -perm -2 ! -type l -ls
- Locate files on your system that have no owner or no group (typically left behind by deleted accounts):
find / -nouser -o -nogroup
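The four find sweeps above, together with the 644 requirement on the login-record files from the last bullet of these notes, are collected below as functions and run against a constructed scratch tree with one planted finding per check, so the logic can be exercised without root and without touching a real root filesystem. This is an added example, not part of the original notes; on a real host you would pass / (or the mount point of a disk image) instead of the scratch directory. It assumes GNU find and GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not part of the original notes: the find-based sweeps from
# the notes as functions, plus a mode check for the login-record files the
# notes say must be 644. Run against a constructed scratch tree so the checks
# can be exercised offline; on a real host pass / (or a mounted disk image).
# GNU find: -perm /6000 means "any of setuid/setgid"; current findutils
# reject the older -perm +6000 spelling.

audit_setuid()         { find "$1" -type f -perm /6000 -print; }
audit_world_writable() { find "$1" -perm -0002 ! -type l -print; }
audit_recent()         { find "$1" -type f -ctime -1 -print; }  # status changed < 24h ago
audit_unowned()        { find "$1" \( -nouser -o -nogroup \) -print; }

# check_login_record_mode FILE...: prints files whose mode is not 644,
# returns 1 if any were found (wtmp/utmp must not be group/world writable).
check_login_record_mode() {
    bad=0
    for f in "$@"; do
        mode=$(stat -c %a "$f")               # GNU coreutils stat
        if [ "$mode" != "644" ]; then
            printf '%s has mode %s (expected 644)\n' "$f" "$mode"
            bad=1
        fi
    done
    return $bad
}

# Constructed scratch tree with one planted finding per check; prints its path.
build_scratch_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/tmp" "$t/var/log"
    chmod 755 "$t/bin" "$t/tmp" "$t/var" "$t/var/log"
    printf '#!/bin/sh\n' > "$t/bin/ok";      chmod 755  "$t/bin/ok"
    printf '#!/bin/sh\n' > "$t/bin/rootme";  chmod 4755 "$t/bin/rootme"   # setuid
    : > "$t/tmp/dropper";                    chmod 666  "$t/tmp/dropper"  # world-writable
    : > "$t/var/log/wtmp";                   chmod 644  "$t/var/log/wtmp"
    : > "$t/var/log/utmp";                   chmod 666  "$t/var/log/utmp" # too permissive
    printf '%s\n' "$t"
}

# Runs every check over the scratch tree and cleans up afterwards.
run_audit() {
    t=$(build_scratch_tree)
    echo "== setuid/setgid";        audit_setuid "$t"
    echo "== world-writable";       audit_world_writable "$t"
    echo "== changed in last 24h";  audit_recent "$t"
    echo "== unowned";              audit_unowned "$t"
    echo "== login records";        check_login_record_mode "$t/var/log/wtmp" "$t/var/log/utmp" || true
    rm -rf "$t"
}

run_audit
```

The unowned-file sweep finds nothing in the scratch tree because a file without a valid owner can only be created with root privileges (a chown to a uid that has no passwd entry); on a real host that check is the one that turns up leftovers from deleted accounts.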
- Use the nosuid option in /etc/fstab on partitions that should never hold setuid programs
- Use nodev and noexec on users' home partitions as well as /var: noexec prohibits execution of programs from the partition, and nodev prevents character or block device files on it from being used
Example /etc/fstab (device column omitted here; the fields shown are mount point, type, options, dump, pass):
/           ext2  defaults,errors=remount-ro             0 1
none        swap  sw                                     0 0
/proc       proc  defaults                               0 0
/boot       ext2  ro,noauto,nouser,noexec,nosuid,nodev   0 2
/usr        ext2  ro,nodev                               0 2
/usr/local  ext2  defaults                               0 2
/var        ext2  rw,nosuid,nodev                        0 2
/tmp        ext2  rw,nosuid,nodev                        0 2
/home       ext2  rw,nosuid,nodev                        0 2
/mnt/floppy ext2  noauto
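Checking an fstab by eye is error-prone, so the script below, an added example that is not part of these notes, audits the entries against the policy the two bullets above describe and prints the corrected option string for a weak entry. The policy it encodes is an assumption distilled from the notes: /tmp, /var and /home must carry nosuid and nodev, and a missing noexec is reported as a warning rather than a failure, because noexec on /var breaks package scriptlets that execute out of /var/tmp on many distributions. The sample fstab is constructed, modelled on the table above with a DEV placeholder for the device field the table omits, and with /home left at defaults to show a weak entry beside the hardened ones.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit fstab entries against
# the mount-option policy the notes describe. Policy used here (an assumption
# distilled from the notes): /tmp, /var and /home must carry nosuid and nodev;
# a missing noexec is reported as a warning, because noexec on /var breaks
# package scriptlets that run out of /var/tmp on many distributions.

# Reads fstab lines on stdin (device mountpoint type options dump pass) and
# prints one verdict per policy-covered mount point: OK, WARN or FAIL.
audit_fstab() {
    awk '
    BEGIN { want["/tmp"] = 1; want["/var"] = 1; want["/home"] = 1 }
    /^#/ || NF < 4 { next }                    # comments and short lines
    ($2 in want) {
        split("", have)                        # reset per entry (portable clear)
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) have[opt[i]] = 1
        missing = ""
        if (!("nosuid" in have)) missing = missing " nosuid"
        if (!("nodev"  in have)) missing = missing " nodev"
        if (missing != "")             print "FAIL " $2 " missing" missing
        else if (!("noexec" in have))  print "WARN " $2 " missing noexec"
        else                           print "OK " $2
    }'
}

# harden_options OPTIONS: prints the option string with nosuid,nodev,noexec
# appended where absent, i.e. the corrected form of a weak entry.
harden_options() {
    opts=$1
    for o in nosuid nodev noexec; do
        case ",$opts," in
            *",$o,"*) ;;
            *) opts="$opts,$o" ;;
        esac
    done
    printf '%s\n' "$opts"
}

# Constructed fstab modelled on the notes; DEV stands in for the device field
# that a real entry would carry (/dev/... or UUID=...). /home is deliberately weak.
SAMPLE_FSTAB='DEV  /      ext2  defaults,errors=remount-ro            0 1
DEV  none   swap  sw                                    0 0
proc /proc  proc  defaults                              0 0
DEV  /boot  ext2  ro,noauto,nouser,noexec,nosuid,nodev  0 2
DEV  /usr   ext2  ro,nodev                              0 2
DEV  /var   ext2  rw,nosuid,nodev                       0 2
DEV  /tmp   ext2  rw,nosuid,nodev                       0 2
DEV  /home  ext2  defaults                              0 2'

audit_sample_fstab() { printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; }

audit_sample_fstab
# The weak /home entry above would be corrected to these options:
harden_options defaults
```

To audit a real host, pipe /etc/fstab into audit_fstab; comparing against the output of mount as well catches options that were changed at runtime without editing fstab.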
- Control per-user resource limits using the resource-limits PAM module (pam_limits) and /etc/pam.d/limits.conf
- The /var/log/wtmp and /var/run/utmp files contain the login records for all users on your system; they should also have 644 permissions