Detecting and Countering Server Intrusions - Intrusion Detection (Page 2 of 4)
It’s a big bad Internet, and many curious people all over the world are interested in seeing what you have. If you put a server on the Internet it will be attacked; the question is whether you will know it.
Sometimes it is obvious. If all the pictures of people have been replaced with monkeys then you might suspect there has been an incident. But not all attacks are so obvious. Sometimes the goal for the attacker was merely to log in, or to place some code on your server to help her out later on. If you want to detect intruders, there are some standard places to start.
Log examination
It’s late, you’re having a hard time getting to sleep, so you fire up vi and start reading through your logs. You get about a third of the way into the http_access.log and notice several odd HTTP requests. These could be attacks. The fact that the entries are still there may indicate that the server was attacked but not compromised, since an intruder who gained control would likely have removed them.
File integrity checks
One way to make sure nothing has been altered on the system is to compare the existing file system to that of a stored snapshot. This can be done by using file integrity checkers that keep a database of all the files on the system, their sizes, and other relevant information and use that data to compare against the current running system. If something changes, notifications can be sent to the appropriate people.
One of the more popular of these programs is called Tripwire. Tripwire is a host-based intrusion detection system available for free at http://sourceforge.net/projects/tripwire/. It keeps track of a system’s current file state and reports any changes. If an intruder adds, deletes, or modifies files on the file system, Tripwire can detect and report on the changes.
Tripwire can also serve many other purposes, such as integrity assurance, change management, policy compliance, and more.
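As an added illustration of the baseline-and-compare approach these tools use (example code written for this page, not Tripwire's own), here is a minimal checker in Python that records size, permission bits and a SHA-256 hash per file and reports what changed. The directory layout, file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Record (size, permission bits, sha256) for every regular file under root,
    keyed by path relative to root, like the database an integrity checker keeps."""
    root = Path(root)
    db = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        digest = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
        key = path.relative_to(root).as_posix()
        db[key] = (st.st_size, st.st_mode & 0o7777, digest.hexdigest())
    return db

def compare(baseline, current):
    """Return (added, removed, modified) relative paths; a file counts as modified
    if its size, permission bits or content hash differ from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = set(baseline) & set(current)
    modified = sorted(p for p in common if baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed scenario: take a baseline, then simulate the kinds of change
    the text describes (a binary replaced at identical size, a file dropped on
    the system, a log deleted, a permission change) and see what is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var").mkdir()
        (root / "bin" / "login").write_bytes(b"original-login")
        (root / "bin" / "passwd").write_bytes(b"passwd-tool")
        (root / "var" / "auth.log").write_text("session opened for user alice\n")
        baseline = snapshot(root)
        (root / "bin" / "login").write_bytes(b"replaced-login")  # same size, new content
        (root / "bin" / "passwd").chmod(0o755)                    # permission bits changed
        (root / "var" / "auth.log").unlink()                      # evidence removed
        (root / "var" / "dropped.bin").write_bytes(b"new file")   # file added
        current = snapshot(root)
        added, removed, modified = compare(baseline, current)
        # a size-only check would have missed bin/login; the hash catches it
        size_only_missed = baseline["bin/login"][0] == current["bin/login"][0]
        return added, removed, modified, size_only_missed
```

A real deployment would store the baseline off the monitored host (or read-only), since a database an intruder can rewrite proves nothing.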
Network monitoring
Another way to detect attacks is to inspect the network traffic directly and see if there is anything nefarious going on. Again, we don’t have to reinvent the wheel. Good network inspection programs are available, too.
Snort is perhaps the most popular network monitoring tool. Snort is also available for free on the Internet (http://www.snort.org/). Snort is a network intrusion detection application that can inspect network traffic and react to suspicious activity. Snort works in real time, analyzing each packet on the wire, and can check for content matches, probe signatures, OS fingerprinting attempts, buffer overflow attempts, and many other types of behavior.
Snort can be used with other software, such as SnortSnarf, OSSIM, sguil, and Snort’s graphical user interface, the Basic Analysis and Security Engine (BASE).
Make a Copy
Whew! That was a lot of work. Now, quick! Before you do anything else go and make a copy of everything. If you ever want to do this again, it would be easier to make a copy of what you just built than to do it all over again, don’t you think? After the server is fully up to date you should make an image of the entire operating system to serve as a template for future systems.
Partimage
Partimage is an Ubuntu (Universe) package that will copy the entire contents of a Linux partition to a backup file. Creating an image file is great for:
Making a backup of the entire system
Installing the same configuration on several machines
Taking a snapshot in time, so as to record the system’s current state
A very good tutorial on how to back up an Ubuntu partition with Partimage is located at http://www.psychocats.net/ubuntu/partimage.
dd_rescue
dd_rescue is a total system recovery utility designed to copy, byte by byte, the entire contents of a partition; unlike plain dd it keeps going when the source has read errors, which is what makes it useful for recovery.
dd_rescue /dev/hda1 /dev/sda1
This will overwrite the contents of /dev/sda1 with a byte-for-byte copy of /dev/hda1. If you do not want to destroy the contents of /dev/sda1 and it has enough free space, mount it and write the image to a file on it instead (the mount point /mnt/backup is only an example):
sudo mkdir -p /mnt/backup
sudo mount /dev/sda1 /mnt/backup
sudo dd_rescue /dev/hda1 /mnt/backup/hda1backup.img
Recovery then looks something like this; the image is a raw copy of the filesystem, so it is mounted through a loop device:
sudo mkdir /recovery
sudo mount -o loop /mnt/backup/hda1backup.img /recovery