{"id":23702,"date":"2021-09-21T11:51:50","date_gmt":"2021-09-21T11:51:50","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=23702"},"modified":"2022-04-13T15:56:37","modified_gmt":"2022-04-13T15:56:37","slug":"how-to-detecting-and-stopping-attacks-in-linux","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/how-to-detecting-and-stopping-attacks-in-linux\/","title":{"rendered":"How to Detect and Stop Attacks in Linux"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li><strong>System Auditing<\/strong><\/li><li><strong>System Logging<\/strong><\/li><li><strong>Network Intrusion Detection with Snort<\/strong><\/li><li><strong>Host File Integrity with Tripwire<\/strong><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">System Auditing<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Auditing tracks system activity so that the sysadmin can be warned of suspicious events<\/li><li>Lets the sysadmin understand what kind of access took place<\/li><li>Can identify a security breach and support the investigation of that breach<\/li><li>More than simple logging or system accounting, although both are component parts of auditing<\/li><li>Other parts are intrusion detection, file verification, resource-access tracking and privilege-use tracking<\/li><li>Both successful and unsuccessful events are important<\/li><li>Also involves analysis of the audit data and correlation of related events (for example, joining the records that share one audit event serial number)<\/li><li>Some systems (e.g. RHEL 3 and SuSE Enterprise Linux) include dedicated auditing software<\/li><li>Other distributions can use snare or auditd for auditing<\/li><li>Ensure the audit data files can be read only by the security auditors group<\/li><li>Ensure the auditing software records the following for each audit event:<ul><li>Date and time of the event<\/li><li>User ID that initiated the event (with auditd, the login uid, auid, survives su and sudo)<\/li><li>Type of event<\/li><li>Success or failure of the event<\/li><li>Origin of the request (IP or MAC address, host name, etc.)<\/li><\/ul><\/li><li>Retain audit data for at least one year<\/li><li>Ensure audit files are backed up at least weekly onto a different system than the one being audited, or onto backup media, so that an attacker who gains root on the audited host cannot erase the only copy<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">System Logging<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>System logging tracks events and when they occurred<\/li><li>Used to identify system performance trends, keep a historical record of activity and provide accountability for actions<\/li><li>Logging must be managed, not simply turned on and forgotten<\/li><li>System log files are the logs of system activity, such as \/var\/log\/syslog, \/var\/log\/messages and others<\/li><li>System logging is done via the syslog facility (syslogd, or its successors rsyslog and syslog-ng on current distributions)<\/li><li>syslogd reads system messages and forwards them to log files and\/or users<\/li><li>\/etc\/syslog.conf is used to configure syslogd<\/li><li>syslog can log to the local host or to a centralized logging server<\/li><li>The advantage of a log server is centralized log management: possible malicious activity anywhere on the network can be monitored in one place, and a copy of the logs survives if the originating host is compromised<\/li><li>Many utilities log to syslogd by default or can be configured to do so<\/li><li>syslogd should be secured to prevent log compromise, destruction or unauthorized access<\/li><li>Ensure a reliable time source (NTP) is used throughout the network so that timestamps are accurate and events from different hosts can be correlated<\/li><li>System logging normally takes place over UDP port 514; traffic to this port should be restricted to local hosts at the firewall or premise router, because classic syslog is unauthenticated and unencrypted<\/li><li>syslogd should be configured to accept messages only from designated hosts<\/li><li>Ensure logs are reviewed daily<\/li><li>Some messages need to be reviewed immediately by the responsible sysadmin<\/li><li>Archive logs at least daily to ease space requirements and to reduce the time required for log searches and reviews<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Network Intrusion Detection with Snort<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Intrusion Detection Systems (IDS) monitor networks and hosts for unusual traffic patterns and behaviour in order to detect possible attacks<\/li><li>An IDS consists of sensors, collectors, databases and analysis consoles<\/li><li>Can detect attacks based on known attack signatures (signature-based) or on unusual activity (anomaly-based)<\/li><li>IDS are host-based or network-based<\/li><li>A host-based IDS (HIDS) detects attacks on a particular host<\/li><li>A network-based IDS (NIDS) detects unusual network traffic that may be an attack<\/li><li>Snort is the most popular open source IDS for Linux<\/li><li>Signature-based NIDS that detects a wide variety of attacks<\/li><li>Detected attacks include buffer overflows, TCP\/IP denial-of-service attacks, distributed DoS attacks, port scans and certain malware activity<\/li><li>Real-time logging and alerting<\/li><li>Highly configurable ruleset; a signature-based IDS only sees what it has a rule for, so the ruleset must be kept current<\/li><li>Ported to almost all Linux distributions<\/li><li>Configured through the snort.conf file<\/li><li>Uses the libpcap library to capture packets from the network interface<\/li><li>Preprocessors normalize and inspect packets before detection, so that potentially harmful traffic can be alerted on, filtered or modified in advance<\/li><li>Many types of preprocessors are available, depending on the functionality needed<\/li><li>After preprocessing, packets are delivered to the rules parsing and detection engine<\/li><li>The rules parser reads the configured rules and passes them to the detection engine, which applies them to the packets<\/li><li>If a packet matches a rule, the alerting and logging engine logs the details and fires an alert<\/li><li>Logging can be sent to a centralized logging server<\/li><li>Logs can be in text or binary format<\/li><li>Alerts can be messages or emails sent to the sysadmin<\/li><li>Actions can be taken based on the packet type<\/li><li>Snort can send output to text files and databases<\/li><li>Works with MySQL, Oracle and others<\/li><li>Data can be stored for trend analysis<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Host File Integrity with Tripwire<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Host-based IDS and file-integrity monitor<\/li><li>Works by identifying changes to key system files<\/li><li>Scans selected files and directories at regular intervals for changes<\/li><li>Changes to monitored files result in alerts<\/li><li>Alerts are sent as email to the sysadmin<\/li><li>Reports on a single system only, but reports from multiple systems can be centrally managed<\/li><li>Easy to use and configure<\/li><li>Not CPU intensive<\/li><li>Configured from the command line<\/li><li>Configuration files are stored in \/etc\/tripwire<\/li><li>The Tripwire configuration file is twcfg.txt<\/li><li>The policy file is twpol.txt<\/li><li>These plain-text files are used for the initial configuration and are then compiled into the signed tw.cfg and tw.pol; the plain-text copies should then be removed or locked down so an attacker cannot read which files are monitored<\/li><li>Configured using the twadmin and tripwire commands<\/li><li>Common files and directories to configure for monitoring include:<ul><li>\/root, \/boot, \/etc and \/usr\/sbin<\/li><li>\/etc\/hosts.allow and \/etc\/hosts.deny<\/li><li>\/etc\/passwd and \/etc\/shadow<\/li><li>\/etc\/fstab and \/etc\/inittab<\/li><\/ul><\/li><li>The initial run should baseline the system; take it on a known-good host, because a baseline of an already compromised system simply enshrines the compromise<\/li><li>Re-baseline the system after planned patches and upgrades, and keep the signed database and keys off the host or on read-only media so an attacker with root cannot quietly update them<\/li><li>Monitor for unplanned or unauthorized changes to files<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>System Auditing System Logging Network Intrusion Detection with Snort Host File Integrity with Tripwire System Auditing Auditing can track system activities to warn sysadmin of suspicious activity Allows sysadmin to&#8230; 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[4957],"tags":[460,7055],"class_list":["post-23702","post","type-post","status-publish","format-standard","hentry","category-linux","tag-linux","tag-linux-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23702","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=23702"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23702\/revisions"}],"predecessor-version":[{"id":23703,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23702\/revisions\/23703"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=23702"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=23702"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=23702"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
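The System Auditing section above asks that every audit event carry a timestamp, the initiating user, the event type, its result and its origin, and that related records be correlated. The following is an added example, not code from the original post or from the auditd project: it parses auditd's key=value record format, joins the SYSCALL, CWD and PATH records that share one event serial into a single event, and lists the failed ones. The log lines are constructed for the example; the field names (auid, success, exe, addr, res) are the ones auditd actually emits.

```python
"""Correlate Linux audit records into events and pull out the failed ones."""
import re
from datetime import datetime, timezone

# Constructed sample records in auditd's log format; not captured from a real host.
SAMPLE_AUDIT_LOG = r"""
type=USER_LOGIN msg=audit(1632225100.500:4705): pid=2100 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=SYSCALL msg=audit(1632225110.123:4711): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2200 pid=2345 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow-access"
type=CWD msg=audit(1632225110.123:4711): cwd="/home/alice"
type=PATH msg=audit(1632225110.123:4711): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1632225120.900:4712): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="shadow-access"
type=PATH msg=audit(1632225120.900:4712): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value pairs; a value is "double-quoted", 'single-quoted' (nests more pairs) or bare.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
UNSET_ID = 4294967295  # (unsigned)-1: auid/ses not set, e.g. for daemons


def parse_fields(body):
    fields = {}
    for key, raw in FIELD_RE.findall(body):
        if raw.startswith("'"):
            fields.update(parse_fields(raw[1:-1]))  # flatten msg='op=... res=...'
        else:
            fields[key] = raw.strip('"')
    return fields


def parse_audit_log(text):
    """Group records by serial so SYSCALL, CWD and PATH lines form one event."""
    events = {}
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        serial = int(m["serial"])
        ev = events.setdefault(serial, {
            "serial": serial,
            "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
            "records": {},
        })
        ev["records"].setdefault(m["type"], []).append(parse_fields(m["body"]))
    return [events[s] for s in sorted(events)]


def summarize(ev):
    """Reduce one event to the fields an audit trail must carry."""
    recs = ev["records"]
    out = {"serial": ev["serial"], "time": ev["time"].isoformat()}
    if "SYSCALL" in recs:
        s = recs["SYSCALL"][0]
        auid = int(s.get("auid", UNSET_ID))
        out.update(
            type="SYSCALL:" + s.get("key", "unkeyed"),
            auid=None if auid == UNSET_ID else auid,  # login uid survives su/sudo
            uid=int(s["uid"]),
            success=s.get("success") == "yes",
            exe=s.get("exe"),
            target=",".join(p["name"] for p in recs.get("PATH", []) if "name" in p),
            origin=s.get("tty"),
        )
    elif "USER_LOGIN" in recs:
        u = recs["USER_LOGIN"][0]
        out.update(
            type="USER_LOGIN:" + u.get("op", ""),
            auid=None,
            uid=int(u["uid"]),
            success=u.get("res") == "success",
            exe=u.get("exe"),
            target=u.get("acct"),
            origin=u.get("addr"),  # remote address of the login attempt
        )
    else:
        return None
    return out


def failed_events(text):
    """Summaries of every event that did not succeed, oldest first."""
    summaries = (summarize(ev) for ev in parse_audit_log(text))
    return [s for s in summaries if s is not None and not s["success"]]


if __name__ == "__main__":
    for ev in failed_events(SAMPLE_AUDIT_LOG):
        print(ev)
```

Run against a real host, the input would be /var/log/audit/audit.log filtered by a watch rule key; the point of keying the watch (the key= field) is that the failed open of /etc/shadow by auid 1001 can be picked out even though the same PATH record also appears for sshd's legitimate read.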
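The System Logging section above says logs must be reviewed daily and that some messages need immediate attention. This added example, not from the original post, shows what that review looks like as code: it parses traditional BSD-syslog lines of the kind found in /var/log/auth.log or /var/log/messages, raises an alert when one source address accumulates too many failed SSH logins inside a short window, and separates out the lines that warrant immediate review. The sample lines, host name and addresses are constructed; the year parameter exists because BSD syslog timestamps carry no year, which is one reason the text insists on a reliable time source.

```python
"""Detect SSH password brute force and flag urgent lines in syslog output."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines; addresses are documentation ranges, not real systems.
SAMPLE_SYSLOG = """\
Sep 21 11:51:01 web01 sshd[2100]: Failed password for root from 203.0.113.7 port 50122 ssh2
Sep 21 11:51:03 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 50123 ssh2
Sep 21 11:51:04 web01 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Sep 21 11:51:06 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 50125 ssh2
Sep 21 11:51:09 web01 sshd[2104]: Failed password for root from 203.0.113.7 port 50126 ssh2
Sep 21 11:51:30 web01 sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Sep 21 11:52:10 web01 sshd[2111]: Failed password for bob from 198.51.100.21 port 40100 ssh2
Sep 21 11:52:15 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")


def parse_syslog(line, year):
    """BSD syslog timestamps carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def detect_bruteforce(text, year, threshold=5, window_seconds=60):
    """Alert once per source address when `threshold` failures land inside the window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = []
    alerted = set()
    for line in text.splitlines():
        rec = parse_syslog(line, year)
        if rec is None or rec["prog"] != "sshd":
            continue
        f = FAILED_RE.search(rec["msg"])
        if not f:
            continue
        ip, t = f["ip"], rec["time"]
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "host": rec["host"], "count": len(q),
                           "first": q[0].isoformat(), "last": t.isoformat()})
    return alerts


def needs_immediate_review(text, year):
    """Lines the responsible sysadmin should see right away, not at the daily review."""
    urgent = []
    for line in text.splitlines():
        rec = parse_syslog(line, year)
        if rec is None:
            continue
        if rec["prog"] == "sudo" and "COMMAND=" in rec["msg"]:
            urgent.append(line)  # privilege use: every sudo command
        elif rec["prog"] == "sshd" and rec["msg"].startswith("Accepted") and " for root " in rec["msg"]:
            urgent.append(line)  # interactive root login over the network
    return urgent


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_SYSLOG, year=2021):
        print("ALERT", a)
    for l in needs_immediate_review(SAMPLE_SYSLOG, year=2021):
        print("URGENT", l)
```

The threshold and window are deliberately parameters: five failures in a minute from one address is a reasonable default for a small host, but a jump host behind NAT will need a higher threshold or a per-user rather than per-address key. The sliding deque keeps only the failures still inside the window, so a slow, patient attacker who stays under the rate never trips the rule; that gap is what the daily review is for.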
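The Snort section above describes the flow from rule parsing through the detection engine to alerting. This added example is not Snort's code; it is a miniature signature engine that parses a small subset of Snort's rule language (action, protocol, addresses, ports, direction, and the msg, content, nocase, sid and rev options, including the |hex| content notation and $VAR address variables) and runs it over constructed packets. HOME_NET, the three rules and the packets are all made up for the example, and there is no preprocessing stage: real Snort reassembles streams and normalizes protocols before the detection engine ever sees a packet, which is why a content match alone is much weaker than the real thing.

```python
"""A miniature Snort-style signature engine: parse rules, apply them, raise alerts."""
import ipaddress
import re

VARS = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET"}  # assumed site layout

# Constructed rules in Snort syntax (sids in the local 1000000+ range).
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP request carrying a NOP sled"; content:"|90 90 90 90|"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH client banner from libssh"; content:"ssh-2.0-libssh"; nocase; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"Syslog from a non-local host"; sid:1000003; rev:1;)
"""

# Constructed packets: what the engine would receive after capture and decoding.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 50000, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /cgi-bin/x?q=" + b"\x90" * 8 + b" HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 50001, "dst": "192.0.2.10", "dport": 22,
     "payload": b"SSH-2.0-libssh_0.9.6\r\n"},
    {"proto": "udp", "src": "203.0.113.9", "sport": 514, "dst": "192.0.2.20", "dport": 514,
     "payload": b"<13>Sep 21 11:51:50 rogue: hello"},
    {"proto": "udp", "src": "192.0.2.30", "sport": 514, "dst": "192.0.2.20", "dport": 514,
     "payload": b"<13>Sep 21 11:51:51 web01 sshd[2100]: Accepted publickey"},
    {"proto": "tcp", "src": "192.0.2.30", "sport": 50002, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
]

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(s):
    """Snort content strings mix text with |hex bytes| sections."""
    out = b""
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def parse_rule(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unsupported rule: " + line)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "nocase": False, "content": None}
    for name, value in OPTION_RE.findall(opts):
        value = value.strip().strip('"')
        if name == "content":
            rule["content"] = decode_content(value)
        elif name == "nocase":
            rule["nocase"] = True
        elif name in ("msg", "sid", "rev"):
            rule[name] = value if name == "msg" else int(value)
    return rule


def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return addr_matches(VARS[spec[1:]], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    if spec == "any":
        return True
    lo, colon, hi = spec.partition(":")  # "80", "1024:", ":1023", "1024:65535"
    lo = int(lo) if lo else 0
    hi = int(hi) if hi else (65535 if colon else lo)
    return lo <= port <= hi


def payload_matches(rule, payload):
    if rule["content"] is None:
        return True
    if rule["nocase"]:
        return rule["content"].lower() in payload.lower()
    return rule["content"] in payload


def header_matches(pkt, src, sport, dst, dport):
    return (addr_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
            and addr_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))


def detect(rules, packets):
    """Detection engine: every rule is applied to every packet; matches become alerts."""
    alerts = []
    for pkt in packets:
        for r in rules:
            if r["proto"] != pkt["proto"]:
                continue
            hit = header_matches(pkt, r["src"], r["sport"], r["dst"], r["dport"])
            if not hit and r["dir"] == "<>":  # bidirectional rule: also try the reverse
                hit = header_matches(pkt, r["dst"], r["dport"], r["src"], r["sport"])
            if hit and payload_matches(r, pkt["payload"]):
                alerts.append({"sid": r["sid"], "msg": r["msg"], "src": pkt["src"],
                               "dst": pkt["dst"], "dport": pkt["dport"]})
    return alerts


if __name__ == "__main__":
    for a in detect([parse_rule(l) for l in RULES.splitlines()], PACKETS):
        print("[**]", a)
```

The third rule ties back to the logging section: syslog on UDP 514 arriving from outside HOME_NET is exactly the traffic the firewall should already be dropping, so an alert on it means either the filter is wrong or someone is trying to inject log lines into the collector.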
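The Tripwire section above describes the baseline, check and re-baseline cycle and notes that the configuration is replaced by signed files. This added example is not Tripwire's code; it is a small file-integrity monitor in the same spirit: it walks a directory tree, records a SHA-256 hash and inode metadata for every regular file, later compares the live tree against that baseline, and reports added, removed and changed files together with which attributes changed. The baseline is serialised as JSON and authenticated with an HMAC so that tampering with the database itself is caught, which stands in for Tripwire signing its database with the site key. The sample tree and the simulated compromise are built in a temporary directory by the example itself; the key is a placeholder.

```python
"""Tripwire-style file-integrity baseline, check and database authentication."""
import hashlib
import hmac
import json
import os
import stat
import tempfile

ATTRS = ("sha256", "size", "mode", "uid", "gid", "mtime")


def file_record(path):
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}


def baseline(root):
    """Snapshot every regular file under root, keyed by path relative to root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):  # skip symlinks, sockets, devices
                db[os.path.relpath(full, root)] = file_record(full)
    return db


def check(db, root):
    """Compare the live tree to a baseline; returns added, removed and changed files."""
    live = baseline(root)
    report = {"added": sorted(set(live) - set(db)),
              "removed": sorted(set(db) - set(live)), "changed": {}}
    for rel in sorted(set(db) & set(live)):
        diff = [a for a in ATTRS if db[rel][a] != live[rel][a]]
        if diff:
            report["changed"][rel] = diff
    return report


def sign_db(db, key):
    """Serialise the baseline and compute an HMAC over it (stands in for Tripwire's signing)."""
    body = json.dumps(db, sort_keys=True).encode()
    return body, hmac.new(key, body, "sha256").hexdigest()


def db_is_authentic(body, tag, key):
    return hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), tag)


def load_db(body, tag, key):
    """Refuse a database whose HMAC does not verify (tampered, or wrong key)."""
    if not db_is_authentic(body, tag, key):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)


def demo():
    """Build a tree, baseline it, simulate a compromise and return the check report."""
    key = b"placeholder-site-key"  # in practice kept off the host, like Tripwire's site key
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "usr", "sbin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(root, "etc", "hosts.allow"), "w") as f:
            f.write("sshd: 192.0.2.\n")
        with open(os.path.join(root, "usr", "sbin", "sshd"), "wb") as f:
            f.write(b"\x7fELF-placeholder")
        body, tag = sign_db(baseline(root), key)  # initial run: the baseline

        # Simulated compromise: uid-0 account appended, hosts.allow opened up,
        # a new binary dropped into /usr/sbin and the real daemon removed.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "etc", "hosts.allow"), "w") as f:
            f.write("ALL: ALL\n")
        with open(os.path.join(root, "usr", "sbin", "rootkit"), "wb") as f:
            f.write(b"\x7fELF")
        os.remove(os.path.join(root, "usr", "sbin", "sshd"))

        return check(load_db(body, tag, key), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Re-baselining after a planned upgrade is just calling sign_db(baseline(root), key) again and replacing the stored body and tag; the discipline the text asks for is that this happens only after a change you planned, never in response to a report you cannot explain.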