Intrusion Detection and Recovery

Detecting Possible Intrusions:

Monitoring log files: logwatch (config file: /etc/log.d/logwatch.conf). Logs should be sent to a remote log host and also saved locally, so that an intruder who gains root cannot erase the only copy.

Monitor Network Traffic:

Intrusion Detection Systems:

Tripwire: host-based IDS, checks the integrity of the local host.

Snort: network IDS, monitors network traffic for unusual activity.

iptables: for detecting unauthorized access attempts and network scans, by logging and dropping connection attempts to ports that should not be reachable.

Accept connections to the web server (port 80), then log and drop SYN packets to every other TCP port. The LOG target writes one kernel log line per packet (normally into /var/log/messages), tagged with the given prefix:

iptables -I INPUT -p tcp --syn --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --syn -j LOG --log-prefix "Attempt connection "
iptables -A INPUT -p tcp --syn -j DROP

If the log shows repeated unusual attempts, capture the suspicious traffic for analysis. The filter keeps SYN packets to any port other than 80; the -w file is in pcap format and is read back with tcpdump -r:
tcpdump -w tcpaccess.log 'not dst port 80 and tcp[tcpflags] & tcp-syn != 0'
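As an added example (not part of these notes), here is a small shell script that summarises the kernel log lines produced by the LOG rule above, so that a scan touching many ports stands out from a client retrying one port. It assumes the standard netfilter LOG line format (SRC=..., DPT=...) and the log prefix "Attempt connection "; the log lines embedded in it are constructed samples standing in for /var/log/messages, with addresses from the documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original notes). Summarise netfilter LOG lines
# carrying the "Attempt connection " prefix by source address and distinct
# destination port, so port scans stand out from ordinary retries.

# Constructed sample lines in the standard LOG format, standing in for
# /var/log/messages. Addresses are from the documentation ranges.
SAMPLE_LOG='Mar  3 10:01:12 host kernel: Attempt connection IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:12 host kernel: Attempt connection IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:13 host kernel: Attempt connection IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:14 host kernel: Attempt connection IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:40 host kernel: Attempt connection IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:03:01 host kernel: unrelated kernel message'

# scan_sources MIN: read log lines on stdin and print "count source" for every
# source address that sent SYNs to at least MIN distinct ports (default 3).
scan_sources() {
    min=${1:-3}
    grep 'Attempt connection' |
        sed -n 's/.* SRC=\([^ ]*\) .* DPT=\([0-9]*\) .*/\1 \2/p' |
        sort -u |                                   # one line per (source, port)
        awk -v min="$min" '{ n[$1]++ }
            END { for (s in n) if (n[s] >= min) print n[s], s }'
}

# Same check over the embedded sample.
sample_scanners() {
    printf '%s\n' "$SAMPLE_LOG" | scan_sources "${1:-3}"
}

# Stand-alone run: sources in the sample that probed three or more ports.
sample_scanners 3
```

Run `sample_scanners 3` to list sources that touched three or more distinct ports in the sample; pipe a real log into `scan_sources` to do the same on the host. Because the LOG rule records every SYN, a scan shows up as one line per port per source, while a legitimate client that retries the same port produces many lines but a low distinct-port count, which is why the script counts ports rather than lines.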

Monitoring Open Ports:

netstat: from the local system:

netstat -tulpn : lists the services listening for connections on your system (TCP and UDP, numeric addresses, with the owning PID/program name)

netstat -tupn : shows active connections

nmap: from a remote system

nmapfe : GUI front end for nmap

nmap -P0 <host> : scan a host without pinging it first (-P0 is the older spelling of -Pn)

nmap -sV <subnet>/24 : scan a subnet and identify the version of each service found (-sV)
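An added example, not from the original notes: comparing the output of netstat -tulpn against a baseline of expected listeners, which is the regular check the notes recommend. The netstat output embedded below is a constructed sample (PIDs and program names are made up); on a real host, pipe netstat -tulpn into unexpected_listeners instead.

```shell
#!/bin/sh
# Added example (not from the original notes). Flag listening sockets that are
# not on an agreed baseline, using the columns of "netstat -tulpn".

# Constructed sample of netstat -tulpn output; PIDs and names are made up.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1034/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      1034/httpd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2291/unknown
udp        0      0 0.0.0.0:123             0.0.0.0:*                           770/ntpd'

# unexpected_listeners "proto/port proto/port ...": read netstat -tulpn output
# on stdin and print "proto/port pid/program" for every listener not in the
# allowed list. tcp6/udp6 are folded into tcp/udp so the baseline stays short.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) base[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = $1; sub(/6$/, "", proto)
            m = split($4, addr, ":")          # the port is after the last colon
            key = proto "/" addr[m]
            if (!(key in base)) print key, $NF
        }'
}

# Same check over the embedded sample.
sample_unexpected() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$1"
}

# Stand-alone run against a baseline of sshd, sendmail, httpd and ntpd.
sample_unexpected 'tcp/22 tcp/25 tcp/80 udp/123'
```

Keep the baseline string in a file that is only writable by root (or on the remote log host) and run the check from cron; a listener that is neither in the baseline nor explained by a recent change is what to investigate, starting with the PID/program column and lsof on that process.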

Detecting Modified Files:

md5sum: record a baseline listing of checksums, here for every executable file on the system:

find / -type f -perm /ugo+x -exec /usr/bin/md5sum {} \; > /root/execs.md5

(Older versions of GNU find spelled the permission test -perm +ugo+x.)

Fingerprints can be taken this way and later compared with the baseline.

The command below prints an alert (a FAILED line) for any entry in execs.md5 whose md5sum has subsequently changed; the sed rewrites each path so the check runs against a copy of the system mounted under /path/to/image (add --quiet to print only the failures):

sed 's/\//\/path\/to\/image\//' execs.md5 | md5sum --check
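An added example (not from the notes) that turns the two commands above into reusable functions and exercises them in a temporary directory: make_baseline records the md5sums of the executables under a directory, check_baseline lists entries whose content no longer matches, and check_baseline_in applies the same path-rewriting trick as the sed above to check a copy of the tree mounted under another root. The files and the tampering in demo_baseline are constructed, and the /path/to/image-style root is just a subdirectory here.

```shell
#!/bin/sh
# Added example (not from the original notes). Baseline and re-check md5sums of
# executables, the way the find | md5sum and sed | md5sum --check lines do.

# make_baseline DIR OUT: record the md5sum of every executable file under DIR.
# (-perm /ugo+x is the GNU find spelling; older versions used -perm +ugo+x.)
make_baseline() {
    find "$1" -type f -perm /ugo+x -exec md5sum {} \; | sort -k 2 > "$2"
}

# check_baseline BASELINE: print the path of every entry whose content differs
# from (or is missing compared to) the recorded checksum.
check_baseline() {
    md5sum --check --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*//p'
}

# check_baseline_in ROOT BASELINE: as above, but against a copy of the tree
# mounted under ROOT (e.g. a loopback-mounted image). The md5sum listing has
# the form "<hash>  /abs/path", so prefixing ROOT to the path is enough.
check_baseline_in() {
    sed "s|  /|  $1/|" "$2" | md5sum --check --quiet 2>/dev/null | sed -n 's/: FAILED.*//p'
}

# demo_baseline: build a constructed tree, snapshot it, keep a pristine copy
# under an image root, tamper with the live copy, and report both checks as
# "<changed live paths>|<changed image paths>".
demo_baseline() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/image$tmp"
    printf '#!/bin/sh\necho a\n' > "$tmp/bin/a"
    printf '#!/bin/sh\necho b\n' > "$tmp/bin/b"
    printf 'not executable, so not in the baseline\n' > "$tmp/bin/README"
    chmod 755 "$tmp/bin/a" "$tmp/bin/b"
    make_baseline "$tmp/bin" "$tmp/execs.md5"
    cp -R "$tmp/bin" "$tmp/image$tmp/"                # pristine copy, as on an image
    printf '#!/bin/sh\necho changed\n' > "$tmp/bin/b"  # constructed tampering
    live=$(check_baseline "$tmp/execs.md5" | sed "s|^$tmp/||")
    image=$(check_baseline_in "$tmp/image" "$tmp/execs.md5" | sed "s|^$tmp/||")
    rm -rf "$tmp"
    printf '%s|%s\n' "$live" "$image"
}

# Stand-alone run: reports bin/b as changed on the live tree, nothing in the copy.
demo_baseline
```

The baseline file itself must live somewhere the intruder cannot reach (removable media or the remote log host), and the md5sum binary used for the check should come from trusted media too; a rootkit that replaces md5sum defeats a check run with the system's own copy.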

cmp: compares two files byte by byte

aide: file integrity checker

Stores a database of file attributes (size, ownership, permissions, md5sum, ...) for all specified files on the system, and reports any attribute that has changed on later runs.


Files installed as part of RPM packages have their size, ownership, permissions and md5sum recorded in the RPM database under /var/lib/rpm/.

These properties can be compared with the current files on the system with rpm -V.

To verify a mounted system image against a backup copy of the RPM database (the database on a compromised system may itself have been altered), point rpm at that copy with the _dbpath macro:

rpm --root /mnt/sysimage --define '_dbpath /mnt/backup/rpm' -Va

Creating a Disk Image:

dd if=/dev/sda1 of=/test/sda1.img conv=noerror,sync

(noerror keeps going past read errors; sync pads each short block with NULs so offsets in the image stay aligned with the source. The conv options are comma-separated with no space.)

Create a second copy as well, of the whole disk:

dd if=/dev/sda of=/test/sda bs=1k conv=noerror,sync

The partition image can be loopback-mounted for analysis (add ro to the options to keep the evidence unmodified):

mount -o loop sda1.img /mnt/test2-sda1/
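An added example, not from the notes: imaging with the same dd options as above, followed by the verification step a forensic copy needs before anything is concluded from it. The function works on any source file or block device; demo_image runs it on a constructed 2500-byte file so it can be tried without root or a spare disk, and shows the one effect of conv=sync that is easy to overlook: the image is padded to a whole number of blocks.

```shell
#!/bin/sh
# Added example (not from the original notes). Image a source with the same
# dd options as above and verify the copy before relying on it.

# image_and_verify SRC DST [BS]: copy SRC to DST with conv=noerror,sync, then
# compare the first <size of SRC> bytes of DST against SRC. conv=sync pads the
# final short block with NULs, so an image of a file whose size is not a
# multiple of BS is slightly larger than the source; on a real partition the
# size is already a whole number of blocks and the two match exactly.
image_and_verify() {
    src=$1; dst=$2; bs=${3:-1k}
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>/dev/null || return 2
    size=$(wc -c < "$src" | tr -d ' ')
    if head -c "$size" "$dst" | cmp -s - "$src"; then
        echo "verified: $size bytes of $src match $dst"
        return 0
    fi
    echo "MISMATCH: $dst does not reproduce $src" >&2
    return 1
}

# demo_image: run the above on a constructed 2500-byte "partition" (not a
# multiple of the 1k block size) and report the result and the image size.
demo_image() {
    tmp=$(mktemp -d)
    yes 'constructed partition data' | head -c 2500 > "$tmp/part"
    if image_and_verify "$tmp/part" "$tmp/part.img" 1k > /dev/null; then
        rc=0
    else
        rc=$?
    fi
    imgsize=$(wc -c < "$tmp/part.img" | tr -d ' ')
    rm -rf "$tmp"
    echo "rc=$rc image=$imgsize"
}

# Stand-alone run: expected "rc=0 image=3072" (2500 bytes padded to 3 x 1k).
demo_image
```

Once the image verifies, record its md5sum (or sha256sum) next to it and work only on the image, mounted read-only; the original disk stays untouched as evidence, which is also why the notes take a second copy.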

Network traffic monitoring and recording tools: tcpdump, snort

Monitoring open files with lsof and fuser

Regular checks of listening ports and files, compared against a known baseline

Strict inbound and outbound firewall rules

How to Detect and Defeat Root Kits?

Restrict access to gcc, so an intruder cannot compile a rootkit on the host itself.

chattr +i on important files, chattr +a on logs, mount /usr read-only.

Root kit detector: chkrootkit

Loadable kernel module (LKM) root kits:

Have direct and unlimited access to the kernel's memory space, so user-space tools such as ps, ls and netstat can no longer be trusted to show them.

Tools to detect and defeat LKM root kits:

Linux Intrusion Detection System (LIDS): implements mandatory access control.

User Mode Linux (UML): runs each service in its own virtual machine.

SELinux.
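An added example, not from the notes, of one user-space check for an LKM rootkit that hides itself from lsmod: a loaded module appears both in /proc/modules and as /sys/module/<name>/initstate, and a module that has removed itself from the former list can still show up in the latter. hidden_modules does the comparison on two name lists so it can be tested offline (the module names in the stand-alone run are constructed); live_hidden_modules reads the real files. An empty result is not proof of a clean kernel, since a rootkit can unlink itself from sysfs as well; chkrootkit and a check from a trusted boot medium remain the stronger test.

```shell
#!/bin/sh
# Added example (not from the original notes). Cross-check the module list the
# kernel reports in /proc/modules (what lsmod prints) against the directories
# sysfs exposes under /sys/module, to spot an LKM that hides from the first.

# hidden_modules PROC_NAMES SYS_NAMES: both arguments are whitespace-separated
# module name lists; print every name in SYS_NAMES that is missing from
# PROC_NAMES. Kept list-based so it can be exercised with constructed input.
hidden_modules() {
    awk -v proc="$1" -v sys="$2" '
        BEGIN {
            n = split(proc, p, " "); for (i = 1; i <= n; i++) seen[p[i]] = 1
            m = split(sys, s, " ");  for (i = 1; i <= m; i++) if (!(s[i] in seen)) print s[i]
        }'
}

# live_hidden_modules: run the comparison on the running kernel. Only modules
# that were actually loaded have an initstate file under /sys/module; built-in
# code has a directory there too and must not be counted.
live_hidden_modules() {
    [ -r /proc/modules ] || { echo "no /proc/modules here" >&2; return 2; }
    proc=$(awk '{ print $1 }' /proc/modules)
    sys=$(for f in /sys/module/*/initstate; do
              [ -e "$f" ] && basename "$(dirname "$f")"
          done)
    hidden_modules "$proc" "$sys"
}

# Stand-alone run on constructed lists: "hidden_example" is loaded according
# to sysfs but absent from the lsmod view.
hidden_modules 'ext4 xfs nf_conntrack' 'xfs ext4 nf_conntrack hidden_example'
```

A module caught in the middle of loading or unloading can appear in exactly one of the two lists for a moment, so repeat the live check before acting on a single hit, and treat any name that persists as something to examine from a trusted boot medium rather than from the running system.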