Intrusion Detection and Recovery

Detecting Possible Intrusions:

Monitoring log files: logwatch (config file: /etc/log.d/logwatch.conf). Logs should be sent to a remote log host as well as saved locally, so an intruder who edits the local copies cannot erase the evidence.

Monitor Network Traffic:

Intrusion Detection Systems:

Tripwire: host-based IDS, analyzes the local station.

Snort: network IDS, monitors network traffic for unusual activity.

iptables: for detecting unauthorized access attempts and network scans (log, then drop, connection attempts to ports that should not be reachable).

Drop any attempts to connect to other TCP ports (accept port 80, log and drop every other SYN; the LOG target only records the packet, so the DROP rule must follow it):

iptables -I INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "Attempt connection "
iptables -A INPUT -p tcp --syn -j DROP

If the unusual attempts keep repeating, capture the traffic (SYNs to any port other than 80) for later analysis. Options go before the filter expression, and -w writes a binary pcap file, which is read back with tcpdump -r:

tcpdump -w tcpaccess.log 'not dst port 80 and tcp[tcpflags] & tcp-syn != 0'
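Once the LOG rule above is in place, the kernel log fills with "Attempt connection" lines and the question becomes which source is scanning rather than stumbling onto one closed port. The script below is an added example (not part of the original notes or of iptables itself) that summarizes such lines per source address; the log lines are constructed, abbreviated to the fields that matter, but laid out the way the iptables LOG target writes them (SRC=, DST=, PROTO=, SPT=, DPT= pairs). The threshold and the SCAN/ok labels are choices made here, not anything iptables defines.

```shell
#!/bin/sh
# Added example (not from the original notes): summarize the kernel log lines
# written by the "Attempt connection " LOG rule and flag sources that touched
# many different ports, which is what a port scan looks like in that log.
# The log lines below are constructed; the field layout follows the iptables
# LOG target (SRC=, DST=, PROTO=, SPT=, DPT= key/value pairs).

SAMPLE_LOG='Jun 12 10:15:01 gw kernel: Attempt connection IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=44321 DPT=22 SYN URGP=0
Jun 12 10:15:01 gw kernel: Attempt connection IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=44322 DPT=23 SYN URGP=0
Jun 12 10:15:02 gw kernel: Attempt connection IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=44323 DPT=25 SYN URGP=0
Jun 12 10:15:02 gw kernel: Attempt connection IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=44324 DPT=443 SYN URGP=0
Jun 12 10:16:40 gw kernel: Attempt connection IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=61 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Jun 12 10:16:55 gw kernel: Attempt connection IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=61 PROTO=TCP SPT=51001 DPT=22 SYN URGP=0
Jun 12 10:17:03 gw sshd[2211]: Accepted publickey for admin from 192.0.2.50 port 40022 ssh2'

# syn_report THRESHOLD < logfile
# Prints one line per source, "SRC hits distinct_ports verdict", sorted by
# address. A source that hit THRESHOLD or more distinct ports is marked SCAN.
# Lines without the LOG prefix (e.g. the sshd line) are ignored.
syn_report() {
    awk -v threshold="$1" '
        /Attempt connection/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next      # malformed line, skip it
            hits[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END {
            for (s in hits) {
                verdict = (ports[s] >= threshold) ? "SCAN" : "ok"
                printf "%s %d %d %s\n", s, hits[s], ports[s], verdict
            }
        }' | sort
}

# With a threshold of 3 distinct ports, 203.0.113.5 (4 ports) is a SCAN and
# 198.51.100.7 (two tries on port 22) is not.
printf '%s\n' "$SAMPLE_LOG" | syn_report 3
```

On a real host, feed it the kernel log instead of the sample (`grep 'Attempt connection' /var/log/messages | syn_report 5`); the prefix in the grep must match the --log-prefix string used in the rule.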

Monitoring Open Ports:

netstat: from the local system,

netstat -tulpn : which services are listening for connections on your system (-p shows the owning process; run as root to see all of them)

netstat -tupn : shows active connections

nmap: from a remote system

nmapfe : GUI frontend

nmap -P0 server.example.com : scan a host without pinging it first (-P0 is spelled -Pn in current nmap)

nmap -sV 192.168.0.0/24 : scan a subnet and probe the version of each service found

Detecting Modified Files:

md5sum: compare against the package listings published at rhn.redhat.com

find / -type f -perm /ugo+x -exec /usr/bin/md5sum {} \; > /root/execs.md5

Fingerprints of all executables can be taken this way and compared with the baseline later. The baseline must be stored off the system, and the md5sum and find binaries must come from trusted media, since a rootkit can replace them.

The command below prints a FAILED line for any entry in execs.md5 whose md5sum has subsequently changed. The sed replaces the leading / of every path with /path/to/image/, so the check runs against the mounted image of the suspect system rather than the live (possibly compromised) root:

sed 's/\//\/path\/to\/image\//' /root/execs.md5 | md5sum --check
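The baseline-and-compare procedure above, run end to end as an added example (not part of the original notes): a constructed directory tree stands in for the real / and /path/to/image, and one binary in the "image" copy is tampered with so that the md5sum --check step has something to report. The helper names make_baseline and check_image are chosen here; the tools (find, md5sum, sed) are used exactly as in the notes, with the sed generalized to replace any live root prefix, which reduces to the one-slash substitution above when the live root is /.

```shell
#!/bin/sh
# Added example (not from the original notes): the baseline-and-compare
# procedure run against a constructed directory tree instead of / and a
# mounted image. Tree, file contents and "tampering" are all made up here.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_baseline LIVE_ROOT OUTFILE: md5 of every executable file under
# LIVE_ROOT (the notes run this with LIVE_ROOT=/ into /root/execs.md5).
make_baseline() {
    find "$1" -type f -perm /ugo+x -exec md5sum {} \; > "$2"
}

# check_image BASELINE LIVE_ROOT IMAGE_ROOT: rewrite the path column of the
# baseline so each entry points into the mounted image, then let
# md5sum --check --quiet print only the entries whose hash no longer matches
# (or that cannot be read). With LIVE_ROOT=/ the sed is the same one-slash
# substitution the notes use.
check_image() {
    live=${2%/}; image=${3%/}
    if sed "s|  $live/|  $image/|" "$1" | md5sum --check --quiet 2>/dev/null; then
        echo "OK: every baseline executable is unchanged under $image"
    fi
}

# Constructed "live system": two executables and one config file.
mkdir -p "$WORK/live/bin" "$WORK/live/etc"
printf '#!/bin/sh\necho hello\n' > "$WORK/live/bin/hello"
printf '#!/bin/sh\necho bye\n'   > "$WORK/live/bin/bye"
printf 'port=80\n'               > "$WORK/live/etc/app.conf"  # not executable, so not in the baseline
chmod 755 "$WORK/live/bin/hello" "$WORK/live/bin/bye"

make_baseline "$WORK/live" "$WORK/execs.md5"

# The "disk image" of the same system after an intruder modified one binary.
cp -R "$WORK/live" "$WORK/image"
printf 'echo trojaned\n' >> "$WORK/image/bin/hello"   # constructed tampering

# Prints "<image>/bin/hello: FAILED"; bye is unchanged and stays silent.
check_image "$WORK/execs.md5" "$WORK/live" "$WORK/image"
```

Only changed or unreadable files are printed because of --quiet; drop it to see an OK line per file, or use --status to get just the exit code for a cron job.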

cmp: compares two files byte by byte.

aide: file integrity checker.

Stores a database of file attributes (size, ownership, permissions, md5sum and others) for all specified files on the system and reports any differences on later runs.

rpm:

Files installed as part of an RPM package have information including size, ownership, permissions and md5sum stored in the RPM database under /var/lib/rpm/*.

These recorded properties can be compared with the current files on the system with rpm -V (rpm -Va verifies every installed package).

Because an intruder with root can also alter the RPM database, verify the mounted image of the suspect system against a known-good backup copy of the database taken before the compromise:

rpm --root /mnt/sysimage --define '_dbpath /mnt/backup/rpm' -Va
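rpm -Va produces a line per file that differs from the database, and on a live system most of them are harmless (edited config files, touched mtimes). The script below is an added example (not part of the original notes or of rpm) that triages such output so the lines worth looking at stand out; the sample output is constructed, and the ALERT/CONFIG/INFO labels and the rule for assigning them are choices made here. It reads the flag column as rpm documents it (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities) and the attribute letter (c config, d documentation, and so on).

```shell
#!/bin/sh
# Added example (not from the original notes): triage of rpm -Va output.
# rpm prints, per differing file, a flag field (S size, M mode, 5 digest,
# D device, L symlink, U user, G group, T mtime, P capabilities), an
# optional attribute letter (c = config, d = documentation, ...) and the
# path; "missing" marks files that are gone. Sample lines are constructed.

SAMPLE_RPM_V='S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/bash/README
S.5....T.    /bin/login
.M.......    /usr/bin/passwd
missing     /usr/sbin/sshd
.......T.    /usr/bin/ls'

# rpm_verify_triage < rpm-V-output
# Prints "LABEL flags path" per line. Content or identity changes (S M 5 L U G)
# on a non-config file and missing files are ALERT; the same changes on a
# config file are CONFIG (expected, but review by hand); anything else, such
# as an mtime-only change, is INFO. Paths are assumed to contain no spaces.
rpm_verify_triage() {
    awk '
        NF == 0 { next }
        $1 == "missing" { print "ALERT", "missing", $NF; next }
        {
            flags = $1
            attr  = (NF == 3) ? $2 : ""
            path  = $NF
            if (flags ~ /[SM5LUG]/)
                label = (attr == "c") ? "CONFIG" : "ALERT"
            else
                label = "INFO"
            print label, flags, path
        }'
}

# Expected: ALERT for /bin/login (size+digest), /usr/bin/passwd (mode) and
# the missing /usr/sbin/sshd; CONFIG for sshd_config; INFO for the two
# mtime-only entries.
printf '%s\n' "$SAMPLE_RPM_V" | rpm_verify_triage
```

A changed digest on a binary such as /bin/login is the classic rootkit signature; a changed mode on /usr/bin/passwd could be a removed setuid bit or an added one, and either deserves a look. Pipe the real thing through it with `rpm -Va 2>/dev/null | rpm_verify_triage | grep ^ALERT`.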

Creating a Disk Image:

dd if=/dev/sda1 of=/test/sda1.img conv=noerror,sync

Create a second copy, of the whole disk, as well (conv=noerror,sync keeps going past read errors and pads the bad blocks; the option list must not contain spaces):

dd if=/dev/sda of=/test/sda.img bs=1k conv=noerror,sync

A partition image can be mounted for analysis; mount it read-only so the evidence is not altered:

mount -o loop,ro sda1.img /mnt/test2-sda1/

Network traffic monitoring and recording tools: tcpdump, snort

Monitor open files with lsof and fuser

Regularly check listening ports and files and compare them against a known baseline

Strict inbound and outbound firewall rules

How to Detect and Defeat Rootkits?

Restrict access to gcc, so an intruder cannot compile tools on the system.

chattr +i on important files, chattr +a on logs (append-only), and mount /usr read-only. Note that root can still remove these attributes with chattr -i unless the CAP_LINUX_IMMUTABLE capability has been taken away, so they raise the bar rather than guarantee anything.

Rootkit detector: chkrootkit

Loadable kernel module (LKM) rootkits:

Have direct and unlimited access to the kernel's memory space, so they can hide processes, files and connections from user-space tools such as ps, ls and netstat.

Tools to detect and defeat LKM rootkits:

Linux Intrusion Detection System (LIDS) can be used; it implements mandatory access control. User Mode Linux (UML) is based on running a separate virtual machine for each service. SELinux.