LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-13-2012, 06:04 PM   #1
linx444
LQ Newbie
 
Registered: Mar 2006
Posts: 21

Rep: Reputation: 1
Using tree to identify hacks?


Hi all

I was wondering if I could get your opinion on identifying intruders. If I took a snapshot of the entire file system using the tree command and then compared it to one taken 24 hours later, could I see if any changes were made to the files? Would this be a way of identifying new files on the system or any modifications of files? Or am I missing something?

Linx444
 
Old 11-13-2012, 06:59 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955
Quote:
Originally Posted by linx444 View Post
If I took a snapshot of the entire file system using the tree command and then compared it to one taken 24 hours later, could I see if any changes were made to the files? Would this be a way of identifying new files on the system or any modifications of files? Or am I missing something?
Yes wrt the idea but no wrt 'tree': it just lists plain file names. Different attributes can change: inode, MAC times, ownership, access rights, extended attributes, ACLs, context to name a few. And while you are free to re-invent the wheel by storing 'tree' output in a file (what if the file changes? ;-p) and comparing it, tools exist ranging from single purpose hash checkers like 'md5deep' to standalone multi-purpose integrity checking daemons like Samhain.
 
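The point unSpawn makes above, that a file listing misses inode, mode, ownership, MAC times and content changes, as an added example that is not code from the thread: a small baseline script that records those attributes plus a SHA-256 per regular file, and a compare step that reports added, removed and changed paths. Function names and the tab-separated layout are this example's own choices; the demo paths (an sshd_config edit hidden with touch -r, a dropped ld.so.preload) are constructed. Keep the snapshot files outside the tree you scan, and ideally off the box, since an intruder with root can edit them as easily as the files they describe.

```shell
#!/bin/bash
# Added example: baseline and compare of file-system attributes that 'tree'
# does not record. Not from the thread; names and layout are assumptions.
TAB=$(printf '\t')

# snapshot DIR OUTFILE
# One tab-separated line per path under DIR (same file system only):
#   path  type  inode  mode  owner:group  size  mtime  ctime  sha256
# ctime cannot be set with touch(1), so a replaced file whose mtime was
# backdated still shows a ctime change. Paths containing newlines are not
# handled (GNU find -printf and read -r are line based).
snapshot() {
    local dir=$1 out=$2
    find "$dir" -xdev -printf '%y\t%p\t%i\t%m\t%u:%g\t%s\t%T@\t%C@\n' \
    | LC_ALL=C sort -t "$TAB" -k2,2 \
    | while IFS="$TAB" read -r type path inode mode owner size mtime ctime; do
        hash=-                                    # directories, symlinks, devices
        if [ "$type" = f ]; then
            hash=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
            : "${hash:=unreadable}"               # e.g. not running as root
        fi
        printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
            "$path" "$type" "$inode" "$mode" "$owner" "$size" "$mtime" "$ctime" "$hash"
    done > "$out"
}

# compare OLD NEW
# Prints ADDED / REMOVED / CHANGED lines. CHANGED fires when any recorded
# attribute differs, so chmod, chown, a same-size rewrite and a backdated
# mtime are all caught; a bare name diff would miss every one of them.
compare() {
    awk -F '\t' '
        FILENAME == ARGV[1] { old[$1] = $0; next }   # first file: remember each path
        {
            if (!($1 in old))        print "ADDED\t" $1
            else if (old[$1] != $0)  print "CHANGED\t" $1
            delete old[$1]
        }
        END { for (p in old) print "REMOVED\t" p }   # left over: gone from NEW
    ' "$1" "$2"
}

# demo: constructed tree; edit a file, hide the edit with touch -r, drop a
# new file, then compare. Run with: ./this-script --demo
demo() {
    local t; t=$(mktemp -d)
    mkdir "$t/etc"
    printf 'PermitRootLogin no\n' > "$t/etc/sshd_config"
    printf 'welcome\n' > "$t/etc/motd"
    snapshot "$t" "$t.old"
    printf 'PermitRootLogin yes\n' > "$t/etc/sshd_config"
    touch -r "$t/etc/motd" "$t/etc/sshd_config"     # backdate mtime; ctime still moves
    printf '/tmp/libx.so\n' > "$t/etc/ld.so.preload"
    snapshot "$t" "$t.new"
    compare "$t.old" "$t.new"
    rm -rf "$t" "$t.old" "$t.new"
}
if [ "${1:-}" = --demo ]; then demo; fi
```

Run snapshot from cron into a dated file and compare against the previous one; the CHANGED lines for directories under /etc and /usr are the ones to read first, since a new file changes its parent directory's mtime and ctime even before you look at the file itself.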
Old 11-14-2012, 08:08 AM   #3
linx444
LQ Newbie
 
Registered: Mar 2006
Posts: 21

Original Poster
Rep: Reputation: 1

Many thanks for your reply unSpawn. I am a bit of a Linux noob, so I was trying to understand what is out there to prevent intrusion and thought this would show me manually if anything has happened. The box is only managed by me, so nobody should be interfering with any files apart from the ones I use. I was going to set up a cron job and take one every 12 hours, with tree displaying inode, date and file owners, and then put them through vimdiff or colordiff to see if there were any major file changes. If there are better programs to do this without having to do a manual intrusion check using tree then great. What tools would you recommend using?
 
Old 11-14-2012, 09:42 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955
Kind of depends on your distribution (installation defaults, package management that includes file verification, Mandatory Access Controls), the purpose of the machine (exposed to a network and running services or not) and what hardening took place already and what auditing you have. If you provide the details it would be easier to suggest something suitable for your situation and explain why.
 
Old 11-15-2012, 03:55 AM   #5
linx444
LQ Newbie
 
Registered: Mar 2006
Posts: 21

Original Poster
Rep: Reputation: 1
Well, I am running a VPN for clients and providing SSH forwarding. The machine is:

- Running Centos 6
- Ports open are 22, 47 (GRE) and 1723 (PPTP). Also 127.0.0.0(25) is open so mail can be sent only, not received.
- IPT run only Established or New connections allowed.
- PAM authentication

Not much else is running on the machine that I can think of. I am worried about brute force attacks on 22 and 1723, but I guess fail2ban can protect the SSH port but not PPTP?
 
Old 11-15-2012, 06:07 AM   #6
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
One thing you could use is
Code:
rpm -Va
http://linux.die.net/man/8/rpm
 
Old 11-15-2012, 08:54 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955
Quote:
Originally Posted by chrism01 View Post
One thing you could use is
Code:
rpm -Va
Indeed he can. One of the drawbacks is that the RPMDB only knows about package contents.


Quote:
Originally Posted by linx444 View Post
(..) 127.0.0.0(25) is open so mail can be sent only, not received.
Well done. Anyone with a local account may be able to send email unrestricted so please set thresholds anyway and ensure you get alerted when something anomalous happens.


Quote:
Originally Posted by linx444 View Post
Not much else is running on the machine that I can think of.
Not to lecture you but there's no reason for fuzzy "guess", "think" or "(don't) worry" when you can check conditions: software is installed or it is not, a user may use at or cron services or not, a process can be declared as rogue because the UID it should run under, its argv[0], the binaries or scripts location, the ports it uses etc, etc don't match, etc, etc. Unless a machine is subverted enumerating remains easy with system tools like ps, pgrep, lsof, netstat, chkconfig etc, etc.


Quote:
Originally Posted by linx444 View Post
I am worried about brute force attacks on 22 and 1723 but I guess fail2ban can protect the SSH port but not PPTP?
If your PPTP daemon can be made to log access violations then fail2ban can be configured to filter for them. That easy.


As for recommendations, apart from applying what hardening the distribution documentation and Cisecurity.org RHEL benchmark suggest, you could have the audit service place a watch on critical system binaries and configuration files (canaries like alert on write, generally low maintenance and log volume, logs end up in /var/log/audit/audit.log), you could run a remote OpenVAS scan or equivalent (not nmap) to assess security posture, you should have reporting with for instance Logwatch (the easiest way to be informed of anomalies and errors and covers a whole range of services in one convenient report) and if you want to run a file system integrity checker I suggest Samhain (standalone daemon, versatile, can email reports, various checks not found in similar software).
 
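Two things from this exchange, as an added example that is not code from the thread: a triage of chrism01's 'rpm -Va' output so the lines worth a look are not buried under expected config edits, and a listing of files the RPM database knows nothing about, which is unSpawn's caveat. Function names and the sample lines are this example's own; the sample is constructed in the shape rpm 4.8 on CentOS 6 prints, and the unpackaged-files helper needs rpm on the box, so it is shown but not run here.

```shell
#!/bin/bash
# Added example: triage 'rpm -Va' output and list unpackaged files.
# Not from the thread; function names and sample lines are assumptions.

# Each 'rpm -Va' line is: nine attribute flags, an optional file-type letter
# (c config, d doc, g ghost, l licence, r readme), then the path. Flags:
# S size, M mode, 5 digest, D device, L link target, U user, G group,
# T mtime, P capabilities; '.' means unchanged, '?' could not be checked.
# Paths containing spaces are not handled ($NF is taken as the path).
# Usage on the real box:  rpm -Va | classify_rpm_verify | sort
classify_rpm_verify() {
    awk '
        /^missing/     { print "MISSING\t" $NF; next }   # a packaged file is gone
        /^Unsatisfied/ { next }                          # dependency noise, not a file
        NF < 2         { next }
        {
            flags = $1; type = (NF >= 3) ? $2 : ""; path = $NF
            content = index(flags, "5") || index(flags, "S") || index(flags, "L")
            meta    = index(flags, "M") || index(flags, "U") || index(flags, "G") || index(flags, "D")
            caps    = index(flags, "P")
            if (meta)             print "METADATA_CHANGED\t" path    # chmod/chown, e.g. a new setuid bit
            else if (caps)        print "CAPABILITY_CHANGED\t" path  # file capabilities added or dropped
            else if (type == "c") print "CONFIG_EDITED\t" path       # expected for files you edited
            else if (content)     print "CONTENT_CHANGED\t" path     # replaced binary/library: look first
            else                  print "MTIME_ONLY\t" path          # touch(1) or prelink; usually noise
        }'
}

# unpackaged_files DIR...
# The RPM database only knows files that came from a package, so anything
# dropped into the usual binary directories is invisible to 'rpm -Va'.
# 'rpm -qf' reports such files on stderr; this keeps only those lines.
# Usage:  unpackaged_files /bin /sbin /usr/bin /usr/sbin /lib /lib64 /usr/lib /usr/lib64 /usr/libexec
unpackaged_files() {
    find "$@" -xdev -type f -print0 \
    | xargs -0 -r rpm -qf 2>&1 >/dev/null \
    | sed -n 's/^file \(.*\) is not owned by any package$/\1/p'
}

# Constructed sample in the shape 'rpm -Va' prints; not real output.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
S.5....T.    /usr/bin/ps
.......T.    /usr/bin/vim
missing     /usr/sbin/useradd'

if [ "${1:-}" = --demo ]; then
    printf '%s\n' "$SAMPLE_RPM_VA" | classify_rpm_verify
fi
```

The ordering matters: a config file whose mode or owner changed is reported as METADATA_CHANGED rather than CONFIG_EDITED, because a world-readable /etc/shadow is not an edit. CONTENT_CHANGED on a file outside /etc, and anything at all from unpackaged_files in a system binary directory, are the lines to investigate before anything else.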
Old 11-16-2012, 03:57 AM   #8
linx444
LQ Newbie
 
Registered: Mar 2006
Posts: 21

Original Poster
Rep: Reputation: 1
Many thanks for your reply unSpawn, it's been really useful. I have also found a security guide from the NSA on hardening Red Hat (i.e. CentOS) and was going to do a lot of the stuff in there. They recommend using AIDE for intrusion detection and using manual MD5SUM checking. With regards to packages installed, do I make sure I remove all unnecessary packages that are not needed on the system? I just hope not all of them are dependent on each other. There's quite a lot to do with security; it would be nice if there was a visual graphic to see what needs to be done. It seems you have to just be experienced to know these things.
 
Old 11-16-2012, 08:56 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955
Quote:
Originally Posted by linx444 View Post
I have also found a security guide from the NSA on hardening Red Hat (i.e. CentOS) and was going to do a lot of the stuff in there.
Yes, good one, I was thinking about that but I couldn't remember the name ;-p


Quote:
Originally Posted by linx444 View Post
They recommend using AIDE for intrusion detection and using manual MD5SUM checking.
In chapter 2.1.3 they only go into configuring AIDE. IMHO that's a suggestion. In the end the choice is yours. And manually verifying the MD5 hashes (chapter 2.1.3.1.5) illustrates how to verify the integrity of AIDE files themselves.


Quote:
Originally Posted by linx444 View Post
With regards to packages installed, do I make sure I remove all unnecessary packages that are not needed on the system? I just hope not all of them are dependent on each other.
One way to look at packages is to see what group they are in:
Code:
# List installed packages per RPM group; the group names come from the file
# rpm ships. 2>/dev/null hides the "group X does not contain any packages"
# message for empty groups.
cat /usr/share/doc/rpm-*/GROUPS | while read -r RPMGRP; do
    echo "# ${RPMGRP}:"
    rpm -q -g "${RPMGRP}" --qf="%{NAME} " 2>/dev/null | xargs
    echo
done
For instance a headless production server shouldn't need an Xserver or compilers installed so you would check the contents of say the Development/Languages and User Interface/X groups.


Quote:
Originally Posted by linx444 View Post
It seems you have to just be experienced to know these things.
Some of it, yes, but you have to start somewhere and the docs listed do provide you with the basics you need.
 
Old 11-20-2012, 05:26 PM   #10
linx444
LQ Newbie
 
Registered: Mar 2006
Posts: 21

Original Poster
Rep: Reputation: 1
Many thanks for your reply, it has been most helpful. There is only one thing left: finding secure repositories. How do I know the repos I am using are OK? I know you can use the GPG check, but that only checks that the files are OK. But how can I trust the repo? Some programs I need sound unknown.

I am making a script based on the NSA RHEL guide. Here's a sample of the first few I am checking for; it's taking some time as I don't know bash programming that well, but I worked out how to input strings with sed, so hopefully I'll get some automation going where possible.

Code:
#!/bin/bash
# Checks from section 2.2.3 of the NSA "Guide to the Secure Configuration of
# Red Hat Enterprise Linux 5". Run as root: it walks the local file system and
# appends to /var/log/nsa.log. The guide runs each find(1) per partition
# (PART); -xdev stops at mount points, so repeat for /boot, /var, etc. if they
# are separate file systems.
date=$(date)
log=/var/log/nsa.log

# report SECTION DESCRIPTION COUNT: one line to the log, one to the screen.
report() {
    echo "$date     : $1 found $3 $2" >> "$log"
    if [ "$3" -gt 0 ]; then
        printf '%s : %-52s %5s  [ \033[1;31mWARNING\033[0m ]\n' "$1" "$2" "$3"
    else
        printf '%s : %-52s %5s  [ \033[1;37mOK\033[0m ]\n' "$1" "$2" "$3"
    fi
}

echo "--------------------------------------------------------------------------------------"
echo "         Script based on Secure Configuration of RHEL 5 based on NSA guide"
echo "--------------------------------------------------------------------------------------"
echo

# 2.2.3.2: world-writable directories must carry the sticky bit. Search from
# the mount point, not the block device: find on /dev/xvda1 only examines the
# device node itself and always reports 0.
sticky=$(find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print | wc -l)
report 2.2.3.2 "World-writable directories without sticky bit" "$sticky"

# 2.2.3.3: no regular file should be world-writable.
write=$(find / -xdev -type f -perm -0002 -print | wc -l)
report 2.2.3.3 "Unauthorized world-writable files" "$write"

# 2.2.3.4: SUID/SGID executables. Every system has some (su, passwd, ...),
# so a count alone always warns; the guide asks you to review the list, so
# the paths are logged for comparison with a baseline taken after install.
suid_list=$(find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print)
SUID=$(printf '%s\n' "$suid_list" | grep -c .)
printf '%s\n' "$suid_list" | grep . | sed "s|^|$date     : 2.2.3.4 SUID/SGID |" >> "$log"
report 2.2.3.4 "SUID/SGID executables to review" "$SUID"

# 2.2.3.5: files whose owner or group no longer exists in passwd/group.
nouser=$(find / -xdev \( -nouser -o -nogroup \) -print | wc -l)
report 2.2.3.5 "Unowned files (no user or group)" "$nouser"

# 2.2.3.6: world-writable directories should belong to a system account;
# UID 500 and up are ordinary users on RHEL/CentOS 5 and 6.
world=$(find / -xdev -type d -perm -0002 -uid +500 -print | wc -l)
report 2.2.3.6 "World-writable directories owned by a regular user" "$world"
 
Old 11-20-2012, 06:01 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2955
Quote:
Originally Posted by linx444 View Post
How do I know the repos I am using are OK? I know you can use the GPG check, but that only checks that the files are OK. But how can I trust the repo?
When you install a RPM package its meta-data gets stored in the database. This means you can verify for example package size, file MD5 hashes, ownership and access permissions later on with what's installed but also against a copy from a known trustworthy repo. On top of that when you install a RPM package the package manager checks the signature the package is signed with against the GnuPG key it already stored in the database. A package being signed means the signer (for example the Linux distribution vendor or repo owner) OK'd it. It's suggested you read up on querying for and verifying of GnuPG keys.


Quote:
Originally Posted by linx444 View Post
Some programs I need sound unknown.
Run 'yum info [packagename]' or run 'yum --downloadonly install [packagename]' and then 'rpm -qpi /path/[packagename].rpm' for more info. Use your favorite search engine. Plenty of ways to check, I'd say.


Quote:
Originally Posted by linx444 View Post
I am making a script based on the NSA RHEL guide. Heres a sample of the first few I am checking for
Well done, but there are already tools that do such checks: see for instance Tiger.
 
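The signature check unSpawn describes, as an added example that is not code from the thread: 'rpm -K' (also spelled --checksig) prints a verdict per package, and the trap is that an unsigned package prints "sha1 md5 OK" because only the digests were verified, so grepping for OK proves nothing about who built it. The first function sorts 'rpm -K' lines into signed-and-trusted, unsigned, and bad or unknown-key; the second flags yum repo definitions that have signature checking switched off. Function names, the sample 'rpm -K' lines (constructed in the shape rpm 4.8 prints, with made-up package names and key id) and the sample .repo file are this example's own.

```shell
#!/bin/bash
# Added example: triage 'rpm -K' verdicts and find repos with gpgcheck off.
# Not from the thread; names and sample data are assumptions.

# rpm_sig_verdict: reads 'rpm -K' lines on stdin, prints VERDICT<TAB>file.
#   SIGNED_OK            a pgp/gpg token is present and the verdict is OK:
#                        the signature matched a key already in the rpmdb
#   UNSIGNED             digests only; no signature header in the package
#   BAD_SIG              NOT OK: tampered, or signed with a key rpm lacks
#   BAD_SIG_MISSING_KEY  NOT OK and rpm names the key id it does not have
# Usage on the real box:  find /var/cache/yum -name '*.rpm' | xargs rpm -K | rpm_sig_verdict
rpm_sig_verdict() {
    awk '
        {
            file = $1; sub(/:$/, "", file)
            rest = substr($0, length($1) + 2)        # everything after "file: "
            signed = (tolower(rest) ~ /(pgp|gpg)/)
            if (rest ~ /NOT OK/)      verdict = "BAD_SIG"
            else if (signed)          verdict = "SIGNED_OK"
            else                      verdict = "UNSIGNED"
            if (verdict == "BAD_SIG" && rest ~ /MISSING KEYS/) verdict = "BAD_SIG_MISSING_KEY"
            print verdict "\t" file
        }'
}

# repos_without_gpgcheck REPOFILE...
# Names each [section] that sets gpgcheck=0, or sets no gpgkey at all, i.e.
# repos whose packages would be installed without a signature check.
# Heuristic: gpgcheck can also be inherited from /etc/yum.conf [main].
# Usage on the real box:  repos_without_gpgcheck /etc/yum.repos.d/*.repo
repos_without_gpgcheck() {
    awk '
        function report_section() {
            if (sec == "") return
            if (gpgcheck == "0")   print sec "\tgpgcheck=0"
            else if (gpgkey == "") print sec "\tno gpgkey"
        }
        /^\[/ { report_section(); sec = $0; gsub(/[][]/, "", sec); gpgcheck = ""; gpgkey = ""; next }
        /^[ \t]*gpgcheck[ \t]*=/ { split($0, a, "="); gsub(/[ \t]/, "", a[2]); gpgcheck = a[2] }
        /^[ \t]*gpgkey[ \t]*=/   { gpgkey = "set" }
        END { report_section() }
    ' "$@"
}

# Before trusting a third-party repo, compare its key fingerprint with the one
# the vendor publishes out of band (their web site, not the repo itself), and
# see which signing keys rpm already trusts:
#   gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'

# Constructed sample in the shape 'rpm -K' prints on rpm 4.8; not real output.
SAMPLE_RPM_K='vendor-pkg-1.0-1.el6.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
some-tool-1.0-1.x86_64.rpm: sha1 md5 OK
third-party-2.3-1.el6.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0123abcd)
tampered-1.0-1.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK'

if [ "${1:-}" = --demo ]; then
    printf '%s\n' "$SAMPLE_RPM_K" | rpm_sig_verdict
fi
```

SIGNED_OK answers "was this package signed by a key I chose to import"; it says nothing about the repo being the right one unless that key's fingerprint was checked against the vendor's published value first, which is why the gpg fingerprint step comes before the import.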