You might think that you are safe, but something might be lurking on your system…
There are several ways to protect you from being 0wned by 5kr1p7 kiddies or more 1337 crackers. But still, your system might get 0wned, and you might not know it…
First, you should have a system that can update itself with new security patches/fixes. Red Hat/CentOS, Debian/Ubuntu and so on (most modern systems today) have this functionality. Then you should use it! This is probably the best way to prevent unauthorized access to your systems.
Then you should probably know a thing or two on how to configure your system to be as secure as you need it to be…
If you have a system with lots of user accounts, be it ssh, ftp, mail etc., then it might just be a matter of time before someone hijacks an account or two…
Say someone gets a login to your server as a normal user: they can misuse your system while generating very little noise, and you might not know about it.
Anyways, back to the point of this posting, checking your systems for things you might not know about…
In my basic toolkit, I use chkrootkit, rkhunter (you could also read here), lynis and unix-privesc-check. I also use ClamAV (clamscan) to scan the file system for suspicious files. I also have some one-liners (baked into a bash script) that extract some interesting things based on system processes and the file system.
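As an added example of the kind of one-liners the post mentions (this is not the author's script), here are a few file-system and process checks wrapped in shell functions. The sample tree built by make_sample_tree is constructed purely so the checks can be exercised offline; on a live host you would point audit_tree at /, /tmp or /var/tmp and run find_deleted_exe_procs on Linux, where /proc/PID/exe is available.

```shell
#!/bin/sh
# Added example, not the blog's own script: a handful of "interesting things"
# checks on the file system and process table, each in a reusable function.

# Files with the setuid or setgid bit under a directory. A new entry in this
# list compared with yesterday's run is a classic sign of a planted backdoor.
find_setuid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable regular files: a drop zone for an intruder, or just a
# misconfiguration worth fixing.
find_world_writable() {
  find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Regular files whose names start with "." or contain spaces; under /tmp,
# /var/tmp or /dev such names are a common way to stash tools out of sight.
find_hidden_files() {
  find "$1" -type f \( -name '.*' -o -name '* *' \) 2>/dev/null | sort
}

# Linux only: running processes whose executable was deleted from disk.
# A binary that lives only in memory deserves a second look.
find_deleted_exe_procs() {
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    case $exe in
      *'(deleted)'*) printf '%s %s\n' "${p#/proc/}" "$exe" ;;
    esac
  done
}

# Constructed sample tree (for demonstration only) with one hit per check.
make_sample_tree() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/bin" "$d/tmp"
  : > "$d/bin/ordinary";     chmod 755 "$d/bin/ordinary"
  : > "$d/bin/fake-suid";    chmod 4755 "$d/bin/fake-suid"
  : > "$d/tmp/dropzone";     chmod 666 "$d/tmp/dropzone"
  : > "$d/tmp/.hidden-tool"; chmod 644 "$d/tmp/.hidden-tool"
  printf '%s\n' "$d"
}

# Run every file-system check against one root and print a short report.
audit_tree() {
  echo "== setuid/setgid files under $1";  find_setuid_files "$1"
  echo "== world-writable files under $1"; find_world_writable "$1"
  echo "== hidden files under $1";         find_hidden_files "$1"
}

# Demo run against the constructed tree, then clean up.
sample=$(make_sample_tree) && audit_tree "$sample" && rm -rf "$sample"
```

The value of these checks comes from running them regularly and diffing the output against a known-good baseline; a single run tells you what is there, not what is new.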
For more advanced “Host based Intrusion Detection”, I recommend that you look at OSSEC. You could also look at Aide and similar tools. RPM based distros like Red Hat, Fedora and CentOS can, to an extent, use the rpm command to verify installed packages and their signatures.
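The rpm verification mentioned above produces a lot of noise (mtime changes, edited config files), so it helps to triage the output. The following is an added example, not part of the post: it parses the documented `rpm -V` line format (a 9-character test field: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities, with "." for unchanged; then an optional attribute marker such as c for config files; then the path; "missing" lines name files that are gone). SAMPLE_RPM_VERIFY is constructed output, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the blog: triage `rpm -Va` output so that changed
# binaries and missing files stand out from ordinary config drift.

# Constructed sample of rpm -Va output (not from a real system).
SAMPLE_RPM_VERIFY='.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/hosts
.......T.    /usr/share/doc/bash/README
S.5....T.    /usr/bin/ls
.M.......    /usr/bin/passwd
missing     /usr/sbin/sshd
..5......    /usr/lib64/libpam.so.0
.......T.  d /usr/share/man/man1/ls.1.gz'

# Reads rpm -V lines on stdin. Prints:
#   MISSING <path>          file recorded in the rpm database is gone
#   CONTENT-CHANGED <path>  non-config file whose size, mode or digest differs
#   config-changed <path>   config file that differs (admins edit these, so
#                           it is reported but ranked lower)
# Lines where only mtime or similar changed are dropped as noise.
rpm_verify_triage() {
  awk '
    $1 == "missing" { print "MISSING " $2; next }
    {
      flags = $1
      # Three fields when an attribute marker (c, d, g, l, ...) is present.
      if (NF == 3) { attr = $2; path = $3 } else { attr = ""; path = $2 }
      size   = (substr(flags, 1, 1) == "S")
      mode   = (substr(flags, 2, 1) == "M")
      digest = (substr(flags, 3, 1) == "5")
      if (!(size || mode || digest)) next
      if (attr == "c") { print "config-changed " path; next }
      print "CONTENT-CHANGED " path
    }'
}

# Number of high-priority findings (missing or content-changed files).
rpm_verify_high_priority_count() {
  rpm_verify_triage | grep -c -E '^(MISSING|CONTENT-CHANGED) '
}

# Demo against the constructed sample. On a real host replace the printf
# with: rpm -Va 2>/dev/null | rpm_verify_triage
printf '%s\n' "$SAMPLE_RPM_VERIFY" | rpm_verify_triage
```

Keep in mind that `rpm -V` trusts the local rpm binary and its database; if either has been tampered with, the report is worthless, which is exactly the "forensic mode" point made later in the post. Comparing against package files from a trusted mirror (`rpm -Vp`) or against a baseline taken when the box was built is more robust.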
I will not go into details on how to use any of the tools that I mentioned. If you care, you should pursue the links, and even test the tools.
I will give a brief overview (copied and pasted from their websites), so you know a bit what they are all about:
chkrootkit: chkrootkit is a tool to locally check for signs of a rootkit.
rkhunter: Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.
lynis: Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Besides security-related information it will also scan for general system information, installed packages and configuration mistakes. This software aims at assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).
unix-privesc-check: Unix-privesc-checker is a single bash script that runs on Unix systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
ClamAV: Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates.
OSSEC: OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.
Aide: Advanced Intrusion Detection Environment. AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies.
If you find anything suspicious (like a rootkit), you should probably go into “forensic mode”, as you can't trust your system and the installed binaries. Read more here about computer forensics.
If you still do not trust your system, you can Snort your network traffic, or better yet, have a full-blown Sguil installation in front of your network/servers. If you get even more paranoid, you should probably shut down the system, and go fishing…
Any suggestions on other useful tools are welcome!