Lock up your servers!
Posted on 29 Jun 2006 at 12:18
Ian Wrigley and Simon Brock discuss how to keep your systems safe and secure from attacks
Keeping safe
Scanning your machines for vulnerabilities is a good line of defence, but another aspect of your security precautions must be to know when one of your machines has been hacked. Sometimes, of course, it's easy to tell; for example, if all your data has gone and your website is replaced by a big black screen with "You've been Haxx0r3d", that's a strong clue. However, many - perhaps most - attackers are far more discreet nowadays, because their intention is either to copy information secretly or to use your machine as a staging point for hacking others, so they won't want you to know they've been there.
Some basic techniques you can use include running commands such as ls -alrt /bin or ls -alrt /etc, which list every file in your /bin and /etc directories sorted by modification time, oldest first, so the most recently changed files appear at the bottom of the list. If you do that and discover, for instance, that your /etc/passwd file was modified yesterday, but you know you haven't added a user to the system for weeks, you should start to worry. But attackers are getting more sophisticated and many rootkits now reset a file's modification time to its original value after tampering with it, so the listing shows nothing unusual. A file's inode change time (ctime, which ls -alrtc sorts by) is harder to forge, because the very act of resetting the modification time updates it, but it can still be defeated (by altering the system clock, for instance) and neither timestamp tells you what actually changed. To counter that you need a file-integrity checker such as Tripwire or Osiris, which records a checksum of each file's contents rather than trusting its dates.
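To see why a timestamp listing is weak evidence, here is an added example (our own script, not part of the original article and not taken from any rootkit) that checks a directory by modification time and by inode change time. It assumes GNU coreutils on Linux for stat -c; the function names recently_changed, mtime_forged and demo are ours, and the files it inspects are constructed inside the script.

```sh
#!/bin/sh
# Added example, not from the article: timestamp-based tamper checks and
# their limits. Assumes GNU coreutils (stat -c) on Linux.

# recently_changed DIR DAYS
# Print regular files under DIR whose modification time (mtime) OR inode
# change time (ctime) falls within the last DAYS days. `ls -alrt` only
# looks at mtime, which `touch -r` can roll back; rolling it back is itself
# an inode change, so ctime still moves forward.
recently_changed() {
    find "$1" -type f \( -mtime "-$2" -o -ctime "-$2" \) | sort
}

# mtime_forged FILE
# Succeed (exit 0) when FILE's ctime is more than a minute newer than its
# mtime: the trace left behind by "edit the file, then touch -r OLD FILE".
# Caveat: chmod, chown and package installs that preserve archive mtimes
# produce the same pattern, so treat a hit as a lead, not as proof.
mtime_forged() {
    m=$(stat -c %Y "$1")
    c=$(stat -c %Z "$1")
    [ $((c - m)) -gt 60 ]
}

# Demonstration on a constructed directory (the passwd line is made up).
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/passwd"
    touch -t 200601010000 "$d/old"          # a reference file dated 2006
    touch -r "$d/old" "$d/passwd"           # roll passwd's mtime back to it
    echo "changed in the last day, by mtime only:"
    find "$d" -type f -mtime -1             # prints nothing: both look old
    echo "changed in the last day, by mtime or ctime:"
    recently_changed "$d" 1                 # lists both files
    mtime_forged "$d/passwd" && echo "passwd: mtime looks rolled back"
    rm -rf "$d"
}

demo
```

The ctime check is a cheap first cut you can run from a rescue disk, but the comment in mtime_forged is the important part: several routine operations leave the same trace, which is exactly why the article moves on to content checksums.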
Tripwire has been around for years, and again exists in both open-source and commercial versions. When you first run the program, it creates a set of "fingerprints" for all your key files (as defined by you when you configured it): for each one it records attributes such as size, modification date, permissions and owner, together with a cryptographic hash of the file's contents. You store these fingerprints on some read-only medium such as a write-protected floppy disk or a CD-ROM (Tripwire also signs its database with a key you hold, so it can't be quietly edited in place), and on each subsequent run it will compare the current fingerprint for each file with its "known good" fingerprint and report any discrepancy. The hash algorithm ensures that even a single byte change in a file will, for all practical purposes, produce a different fingerprint, so you should take any reported change seriously. Bear in mind that the comparison is only as trustworthy as the Tripwire binary doing it: a rootkit that has replaced your system binaries can replace that one too, so run it from the same read-only medium or from a rescue system rather than from the disk you're checking.
The only problem we've had with Tripwire - and this would go for any similar program - is that automatic system updates always alter files, so Tripwire will keep nagging that those files have been modified. For this reason, it's vital that you update your "known good" fingerprints as soon as you've applied and verified an update, not weeks later. Otherwise, you'll be faced with an ever-growing list of false positives, you'll no longer remember which files were changed by legitimate updates and, therefore, you won't spot those that have changed as the result of malicious behaviour. Likewise, you need to be choosy when telling Tripwire which files to monitor: log files, for example, should never have their contents fingerprinted, because by definition they change from minute to minute (it's still worth checking that they keep their ownership and permissions and only ever grow, since a truncated log is itself a sign of tampering).
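What a Tripwire-style checker does underneath, as an added example (our own shell script, not Tripwire's or Osiris's code): take a snapshot of digest, size and mode for every file under a directory, store it read-only, and on later runs report what was added, removed or modified. It assumes GNU coreutils (sha256sum, stat -c, comm) on Linux, and to keep it short it excludes log files by name and path rather than by a policy file; the names snapshot, make_baseline and check_baseline are ours.

```sh
#!/bin/sh
# Added example, not Tripwire's or Osiris's code: a minimal file-integrity
# baseline. Assumes GNU coreutils (sha256sum, stat -c, comm) on Linux.

# snapshot DIR
# One line per regular file: "<sha256> <size> <mode> <path>", sorted by
# path. Log files are skipped by name/path because their contents change
# legitimately all the time (a real policy file would decide this per rule).
snapshot() {
    find "$1" -type f ! -name '*.log' ! -path '*/log/*' | sort |
    while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
                            "$(stat -c '%s %a' "$f")" "$f"
    done
}

# make_baseline DIR DB
# Record the "known good" state. chmod is only a stand-in for real
# read-only media: a rootkit running as root can still rewrite a 0444 file.
make_baseline() {
    snapshot "$1" > "$2"
    chmod 0444 "$2"
}

# check_baseline DIR DB
# Print "added|removed|modified <path>" for every discrepancy against DB.
# Exit 0 when nothing differs, 1 otherwise.
check_baseline() {
    old=$(mktemp); cur=$(mktemp)
    sort "$2" > "$old"
    snapshot "$1" | sort > "$cur"
    gone=$(comm -23 "$old" "$cur" | cut -d' ' -f4- | sort) # baseline lines now absent
    new=$(comm -13 "$old" "$cur" | cut -d' ' -f4- | sort)  # current lines not in baseline
    rm -f "$old" "$cur"
    [ -z "$gone$new" ] && return 0
    # A path in both lists has a new digest/size/mode; a path in one list
    # only was removed or added.
    printf '%s\n' "$gone" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        if printf '%s\n' "$new" | grep -qxF -- "$p"; then
            echo "modified $p"
        else
            echo "removed $p"
        fi
    done
    printf '%s\n' "$new" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$gone" | grep -qxF -- "$p" || echo "added $p"
    done
    return 1
}

# Command-line use: fim.sh init DIR DB   and later   fim.sh check DIR DB
case "${1:-}" in
    init)  make_baseline "$2" "$3" ;;
    check) check_baseline "$2" "$3" ;;
esac
```

The workflow the article describes maps directly onto this: run init straight after a verified system update so the baseline matches the legitimate changes, keep the DB (and the script) on read-only media, and run check on a schedule. Because log files are excluded at snapshot time, their constant churn never shows up as a false positive.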
Osiris performs a similar function to Tripwire, but it can easily be set up to monitor multiple machines from a single server. A Management Console on the server communicates with Scan Agents on each of the machines you want to monitor and, in a similar way to Tripwire, stores information about the file system based on those files you told it you want monitored. If a change occurs, Osiris can email you with information about what's changed and when. Osiris works on both Windows and Linux/Unix, and source is available, along with Windows binaries.
Printed from www.pcpro.co.uk