LINUX SECURITY --- June 27, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters

*********************************************************************
HIGHLIGHTS

* Paranoia can be a security administrator's best friend.
* New columnist Rick Johnson focuses on the security mindset
*********************************************************************

Detecting the Hack
by Rick Johnson

Just imagine: it's late at night and you're sitting at your console trying to finish that project the boss insists must be completed by 8am. For some odd reason, you start browsing around the system and something catches your eye. Maybe it is a log entry, maybe a console message or even a user logged on at an unusual time, but it's no big deal, right? Well, curiosity takes over as you look deeper and deeper. Slowly it dawns on you: someone may have compromised the system. Immediately the panic starts. What should I do?

First, start with what caught your eye. In my case it was a staff account. The unusual thing was where the connection originated from. I happened to type the "w" command and noticed the discrepancy. The user in question lived about 20 minutes from the office but, on that night, they were logged in from another state. With one phone call to the user, I knew immediately that we were compromised.

I feel the most useful tool of any Security Administrator is paranoia. Some may disagree with this, but I feel you can never be too paranoid. Sure, you may upset someone with a late-night phone call to check up on his or her account, but this is far better than watching your company's stock drop due to bad publicity about a break-in.

My example was a mild case of an account compromise and a very easy one to detect. The most common Linux hacks are in the form of buffer overflows. In the case of a buffer overflow, you will not see a user logged in. It's not that easy.
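The check the column describes, spotting a session whose origin does not fit the user, is easy to automate. The following is an added example, not code from the newsletter or from Rick Johnson: it parses the output of "w" (a constructed sample is embedded, including a fictitious session from the TEST-NET address 198.51.100.77) and flags every remote session whose source address is outside the networks the administrator expects. The expected-network list and the user names are assumptions for the illustration.

```python
import ipaddress

# Constructed sample output of `w` (not captured from a real system).
# The first line is the uptime summary, the second the column header.
SAMPLE_W_OUTPUT = """\
 23:41:07 up 12 days,  3:02,  3 users,  load average: 0.10, 0.08, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
rick     tty1     -                22:10    0.00s  0.20s  0.01s bash
alice    pts/0    10.1.2.33        23:02    5.00s  0.10s  0.05s vi report.txt
bob      pts/1    198.51.100.77    23:38    1.00s  0.05s  0.02s -bash
"""

# Assumed: the office LAN and the VPN pool, the only places staff log in from.
EXPECTED_NETWORKS = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_w(output):
    """Turn `w` output into a list of session dicts.

    The WHAT column may contain spaces, so split into at most 8 fields.
    """
    sessions = []
    for line in output.splitlines()[2:]:  # skip uptime line and header
        parts = line.split(None, 7)
        if len(parts) < 8:
            continue  # blank or truncated line
        user, tty, origin, login, _idle, _jcpu, _pcpu, what = parts
        sessions.append({"user": user, "tty": tty, "from": origin,
                         "login": login, "what": what})
    return sessions


def flag_unexpected_origins(sessions, expected_networks):
    """Return (user, origin, reason) for every session worth a phone call."""
    flagged = []
    for s in sessions:
        origin = s["from"]
        if origin == "-":
            continue  # local console: no network origin to judge
        try:
            addr = ipaddress.ip_address(origin)
        except ValueError:
            # `w` printed a hostname rather than an address; we cannot
            # judge it without resolving it, so surface it for a human.
            flagged.append((s["user"], origin, "origin is not an IP address"))
            continue
        if not any(addr in net for net in expected_networks):
            flagged.append((s["user"], origin, "outside expected networks"))
    return flagged


if __name__ == "__main__":
    for user, origin, reason in flag_unexpected_origins(
            parse_w(SAMPLE_W_OUTPUT), EXPECTED_NETWORKS):
        print(f"CHECK: {user} logged in from {origin} ({reason})")
```

Run against live output by replacing the constructed sample with the result of `w` (on procps-ng, `w -i` prints addresses instead of hostnames, which avoids the "not an IP address" branch). The script deliberately does not decide anything: like the column says, the follow-up is a phone call to the user.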
When the hacker runs his or her exploit against, for example, a vulnerable version of the BIND nameserver, they will typically drop out to a root prompt that is still running under the owner and PID of the original service. The easiest way to detect this is when the service stops responding. Of course, that assumes everyone is diligently monitoring all services running on their Linux server. You are monitoring your servers, aren't you? So be warned: if a service unexpectedly dies, take a few extra minutes to examine your server with a paranoid eye. The reputation you save may be your own.

Resources

For security, there's no such thing as crying wolf
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_1166,00.html

Security managers must fight complacency
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_1174,00.html

Are you sure that you're secure? Keeping intruders at bay
http://www.linuxworld.com/linuxworld/lw-2000-02/lw-02-expo-security.html

*********************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for an emerging Managed Service Provider. When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************
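The two signs the column gives for an overflowed daemon, the service no longer being there and a shell running under the service's owner, can both be read from the process table. This is an added example, not code from the newsletter or from Rick Johnson: it parses constructed `ps -eo pid,user,comm,args` style output in which a hypothetical "named" running as user "named" has been replaced by a shell, and reports expected services that have vanished as well as shells owned by service accounts. The service table, account names and sample rows are assumptions for the illustration.

```python
# Constructed sample in the layout of `ps -eo pid,user,comm,args`
# (not captured from a real system). PID 540 used to be the nameserver;
# it is now an interactive shell owned by the service account.
SAMPLE_PS_OUTPUT = """\
  PID USER     COMMAND         COMMAND
    1 root     init            init [3]
  312 root     syslogd         syslogd -m 0
  540 named    sh              sh -i
  602 root     sshd            /usr/sbin/sshd
  655 root     httpd           /usr/sbin/httpd
  701 www      httpd           /usr/sbin/httpd
"""

# Assumed inventory: service name -> process name (comm) we expect to see.
EXPECTED_SERVICES = {
    "bind": "named",
    "ssh": "sshd",
    "web": "httpd",
    "syslog": "syslogd",
}

# Assumed: accounts that exist only to run daemons and never get a shell.
SERVICE_ACCOUNTS = {"named", "www", "nobody"}

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}


def parse_ps(output):
    """Parse the four-column ps listing; args may contain spaces."""
    procs = []
    for line in output.splitlines()[1:]:  # skip header
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        pid, user, comm = parts[0], parts[1], parts[2]
        args = parts[3] if len(parts) == 4 else ""
        procs.append({"pid": int(pid), "user": user, "comm": comm, "args": args})
    return procs


def audit_processes(procs, expected, service_accounts, shells):
    """Return a list of findings, one line each, in a stable order."""
    findings = []
    running = {p["comm"] for p in procs}
    # Sign 1: a service that should be up is simply gone.
    for name, comm in sorted(expected.items()):
        if comm not in running:
            findings.append(f"{name}: no '{comm}' process found, service may have died")
    # Sign 2: a daemon-only account is running an interactive shell.
    for p in procs:
        if p["user"] in service_accounts and p["comm"] in shells:
            findings.append(f"pid {p['pid']}: shell '{p['comm']}' "
                            f"running as service account {p['user']}")
    return findings


if __name__ == "__main__":
    for finding in audit_processes(parse_ps(SAMPLE_PS_OUTPUT),
                                   EXPECTED_SERVICES, SERVICE_ACCOUNTS, SHELLS):
        print("CHECK:", finding)
```

Feed it real `ps -eo pid,user,comm,args` output from cron and page on any finding; the first check is the "service stopped responding" alarm the column asks for, the second catches the case where the dead daemon's slot is now occupied by a prompt.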