
Linux Security -- Monitoring System Logs



ITworld Newsletters <itwnews@itwpub1.com> on 06/30/2000 10:52:52 AM
LINUX SECURITY --- July 04, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters

*********************************************************************
HIGHLIGHTS

* Are you monitoring your system logs?

*********************************************************************

Monitoring System Logs
by Rick Johnson

Last week I posed the question, "You are monitoring your servers, aren't
you?"  Well, that elicited quite a response, so I saw it fitting to
devote this week to that very topic.

I had the wonderful pleasure of assisting with the cleanup of a
Denial-of-Service attack recently.  After tracking down the origin of
the attack, we contacted the administrator for that network. He listened
very carefully and said, "I'm sorry, but you are wrong. My system is
totally secure and I know for a fact we weren't compromised." Oh great,
I thought, he is one of "those". You know the type, the person who is so
sure of their abilities that the thought of someone challenging their
skill is inconceivable. Finally, he agreed to look at the server and was
shocked to discover he was hacked over three weeks ago. To top it off,
they had also installed a root kit and were harvesting passwords. It
turns out no one was actually watching the log files. He, of course,
apologized and then quietly went off to rebuild the network. It saddens
me to see a Security Administrator put so much effort into locking down
a server, only to have it run unattended.

There are a variety of ways to keep an eye on your server. The most
important, and most frequently overlooked, areas are the system logs.
One of the most useful tools in my arsenal is Logcheck from Psionic
Software (http://www.psionic.com). No secure Linux server should be
caught without it. Logcheck is a software package that is designed to
automatically run and check system log files for security violations and
unusual activity. It runs from cron at specified intervals and keeps
track of how much of each log it already checked on the previous run, so
each run only scans new entries. That makes each run fast and keeps the
same incident from being reported twice. If any unusual activity is
found, the results are emailed to an address specified in the script.
The best part is that you can specify which log entries to ignore once
you have determined they are not a problem; plus, you can enter specific
strings that will immediately send up the red flag. The default
installation comes with a basic set of rules to get you started.
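The Logcheck workflow just described (scan only what was not checked on the previous run, always report the red-flag strings, drop the entries you chose to ignore, mail whatever is left) as an added Python illustration. This is not Logcheck's own code; the rule patterns and the syslog lines are constructed for the example.

```python
import re

# Rule lists constructed for this example (not Logcheck's shipped rules):
# ATTACK patterns are always reported; IGNORE patterns are dropped.
ATTACK_PATTERNS = [r"Failed password for root", r"ROOT LOGIN REFUSED"]
IGNORE_PATTERNS = [r"cron\[\d+\]: \(root\) CMD", r"Accepted password for"]

# Constructed sample syslog content, the kind of file Logcheck reads.
SAMPLE_LOG = (
    "Jul  4 10:01:02 web1 sshd[412]: Accepted password for alice from 10.0.0.5 port 4422 ssh2\n"
    "Jul  4 10:01:05 web1 cron[420]: (root) CMD (run-parts /etc/cron.hourly)\n"
    "Jul  4 10:02:11 web1 sshd[431]: Failed password for root from 198.51.100.9 port 5000 ssh2\n"
    "Jul  4 10:02:13 web1 kernel: eth0: Promiscuous mode enabled.\n"
)

def check_log(text, offset, attack_pats=ATTACK_PATTERNS, ignore_pats=IGNORE_PATTERNS):
    """Scan `text` after `offset`, as Logcheck's logtail does, so each cron
    run sees a log entry once.  Returns (attacks, unusual, new_offset); a log
    that shrank since the last run (rotation) is rescanned from the start."""
    if offset > len(text):
        offset = 0
    chunk = text[offset:]
    # Consume complete lines only; a half-written line is re-read next run.
    end = chunk.rfind("\n") + 1
    chunk, new_offset = chunk[:end], offset + end
    attacks, unusual = [], []
    for line in chunk.splitlines():
        if any(re.search(p, line) for p in attack_pats):
            attacks.append(line)          # red flag, never suppressed
        elif not any(re.search(p, line) for p in ignore_pats):
            unusual.append(line)          # unknown entry, worth a look
    return attacks, unusual, new_offset

def format_report(attacks, unusual):
    """Body of the e-mail sent to the administrator; empty means no mail."""
    sections = []
    if attacks:
        sections.append("Active System Attack Alerts\n" + "\n".join(attacks))
    if unusual:
        sections.append("Unusual System Events\n" + "\n".join(unusual))
    return "\n\n".join(sections)

if __name__ == "__main__":
    attacks, unusual, offset = check_log(SAMPLE_LOG, 0)
    print(format_report(attacks, unusual))
    # Second run from the saved offset: nothing new, so nothing is mailed.
    print(check_log(SAMPLE_LOG, offset)[:2])
```

In a real deployment the offset would be persisted between cron runs and the report handed to the mailer; both are left out here to keep the scanning logic in view.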

Given the chance, your Linux server will try to warn of a possible
problem. It's up to you to decide when and how to listen.


Resources
Firewall-1 vulnerable to denial-of-service attacks
http://www2.itworld.com/cma/ett_content_article/0,2849,1_1065,00.html

New distributed firewalls emerge
http://www2.itworld.com/cma/ett_content_article/0,2849,1_1004,00.html


************************************************************************

About the author
----------------
Rick Johnson is currently the Manager of Security Services for an
emerging Managed Service Provider. When not writing, he heads the
development team for PMFirewall, an Ipchains Firewall and Masquerading
Configuration Utility for Linux. Rick can be contacted via email at
rick@pointman.org or on the web at http://www.pointman.org.

*********************************************************************
