Linux

How to Detecting and Stopping Attacks in Linux

September 21, 2021 comments off
  • System Auditing
  • System Logging
  • Network Intrusion Detection with Snort
  • Host File Integrity with Tripwire

System Auditing

  • Auditing can track system activities to warn sysadmin of suspicious activity
  • Allows sysadmin to understand the types of access that took place
  • Can identify a security breach, and aid in the research of the breach
  • More than simply logging or system accounting but they are component parts of auditing
  • Other parts are intrusion detection and file verification, resource access, and privilege use
  • Successful & unuccessful events both important
  • Also involves analysis of dts and correlation of related events
  • Some systems(i.e RHEL3 and SuSE Enterprise Linux) have special auditing software included
  • Other distros can use ‘snare’ or ‘auditd’ for auditing functions
  • Ensure audit data files can only be read by security auditors group
  • Ensure the auditing software can record the following for each audit event:
  • Date and time of the event
  • Userid that initiated the event
  • Type of event
  • Success or failure of the event
  • Origin of the request(IP or MAC address, host name ,etc)
  • Retain audit data for at least one year(minimum)
  • Ensure audit fles are backed up at least weekly onto a different system tha the one being audited or backup media

System Logging

  • System logging is used to track events and when they occurred
  • Used to identify system performance trends, keep a historical record of activities, and provide accountability for actions
  • Logging must be managed, not simply turned and forgotten
  • System log files refer to logs of system activities,such as the /var/log/syslog file, the /var/messages file, and others
  • System logging is done via the sylog facility(syslogd)
  • syslogd reas and forwards system messages to the log files and/or users
  • /etc/syslog.conf is used to configure syslogd
  • syslog can log bto local host or to centralized logging server
  • Advantage of log server is that it allows centralized logging management for monitoring of possible malicious activity on network
  • Many utilities log to syslogd by default or can be configured to do so
  • syslogd should be secured to prevent log compromise, destruction, or unauthorized access
  • Ensure reliable time source isused throghout network for accurate logging
  • System logging normally takes place over port 514; services to this port should be resticated to local hosts at the firewall or premise router
  • syslogd should be configured to accept messages only from designated hosts
  • Ensure logs are reviewed daily
  • Some messages need to be reviewed immediately by responsible sysadmin
  • Archive logs at least daily to ease space requirements and to reduce the time requirements and to resuce the time required or log searches and reviews

Intrusion Detection With Snort

  • Intrustion Detection Systems(IDS) monitor networks and hosts for unusual traffic patterns and behaviors to detect possible attacks
  • IDS consists of sensors, collectors, databases, and analysis consoles
  • Ability to detect attacks based upon knowns attack signatures or unusual activity (anomoly-based)
  • IDS are host-based or Network-based
  • Host-based(HIDS) detects attacks on a particular host
  • Network-based(NIDS) detects unusual network traffic that may be an attack
  • Snort is most popular open source IDS for Linux
  • Signature-based NIDS that detects a wide variety of attacks
  • Detected attacks include buffer overflows, Denial OF Service TCP/IP attacks Distributed DOS attacks, port scans and certain malware attacks
  • Real-time Logging and alerting
  • Highly configureable ruleset
  • Ported to almst allLinux distros
  • Configured through snot.conf file
  • Uses the libpcap library as its packet detection engine
  • Preprocesses packets before analysis to alert,filter,and modify potentailly harmfuyl traffic in advace
  • Many types of preprocessors available.depending upon needed functionality
  • After preprocessing, packets are delivered to the Rules Parsing and Detection Engine
  • Reads configured rules and passes to detection engine for applcation to packets
  • If packet matches a rule, Alerting an Logging engine logs details and fires and alert
  • Logging can be done to centralized logging server
  • Logs cn be text or binary format
  • Alerts can be messages or emails sent to sysadmin
  • Actions can be taken based upon packet type
  • Snort can send output to text and databaes
  • Works with MySQL, Oracle and others
  • Data can be stored for trend analysis

Host File Integrity with Tripwire

  • Host-baed IDS and file-integrity monitor
  • Works by identifying changes to key system files
  • Scans selected files and folders at regular intervals for changes
  • Changes to monitored files result in alerts
  • Alerts in the form of email to sysadmin
  • Logs for only single system, but logs from multiple systems can be centerally managed
  • Easy to use and configure
  • Is not CPU intensive
  • Configured from command line
  • Configuration files stored in /etcx/tripwire
  • Tripwire configuration file is twcfg
  • Policy configurtion file is twpol
  • Enable initail configuration of tripwire, then replaced by encrypted files
  • Configured usung twadmin and tripwire commands
  • Common files and directories to confirue for monitoring include:
  • /root/, /boot, /etdc, and /usr/sbin
  • hosts.allow and host.deny
  • /etc/password and shadow password files
  • /etc/fstab and inittab
  • Initial run should baeline system
  • Re-baseline system after planned patches and upgrades
  • Monitor for unplanned or unauthorized changes to files

Rajesh Kumar
Follow me
Latest posts by Rajesh Kumar (see all)