How can I detect or see if there is an intruder currently logged onto my server?
I'm using Ubuntu 14.04 for an email server. Anyway, here are my questions, all related:
1) Is there a foolproof way, one that cannot be defeated by a crafty intruder, that will show the open connections to the server, whether it is ssh, or telnet, or html?
2) What are the connection types that would allow a crafty intruder to make changes to my server that normally only the root user can make? e.g. ssh for sure, but html, others?
3) For ways that a crafty intruder might have modified my system, using commands like below or other suggested commands, how can I tell if they (the commands themselves) have been modified?
Quote:
Originally Posted by vRanger
Is there a foolproof way, one that cannot be defeated by a crafty intruder, that will show the open connections to the server, whether it is ssh, or telnet, or html?
First of all: what in this reply was not clear, or what has (seemingly) changed since your subsequent reply?
As for your question: short answer: no. Longer answer: it depends.
You should know that while the threatscape has changed drastically, in the sense that traditional root kits are used less since the start of this millennium, there are enough threats as a lack of knowledge, carelessness, lax (or non-existent!) access restrictions, update schemes, password policies, flaws in service configurations and running outdated software give rise to successful web stack and brute force attacks. Unless a perp has physical access or any other means of subverting a system without leaving a trail (or being able to patch it up), most 'net-based attacks will start with recon and access to lower-privileged resources, leaving a trail. So in essence your question should have been asked prior to any (perceived) security incident. It should have led to properly hardening a server (which provides early warnings and should make it harder for a perp to 0wn a box RSN) and should include creating an audit trail (to log what ops are performed, find anomalous access patterns and be able to respond to early warnings) and the ability to independently verify system integrity.
Quote:
Originally Posted by vRanger
What are the connection types that would allow a crafty intruder to make changes to my server that normally only the root user can make? e.g. ssh for sure, but html, others?
Basically: any your machine provides, or whatever else means a perp is allowed to inject after gaining a foothold.
Quote:
Originally Posted by vRanger
For ways that a crafty intruder might have modified my system, using commands like below or other suggested commands, how can I tell if they (the commands themselves) have been modified?
Like I already said here: the default Debian(-like) way of using debsums unfortunately requires you to modify apt-related configuration files before the event. So another way is to download a copy of any suspect packages onto a known clean machine, generate a list of hashes (md5sum or md5deep) and compare hashes ('md5sum -c') with the "victim" system. Also, if a perp doesn't clean up afterwards, see entries in service and system log files, user login records, shell history, left uploads and changed ownership, hashes and MAC times of files and odd traffic behaviour can be signs of an intrusion.
Obviously, commands such as lastlog, w, and the likes can only be trusted to a certain extent, as they can be modified if the attacker has full system access. Chances are, if they haven't 'rooted' your system, they may show up in these outputs.
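As an added illustration of the "user login records" and "anomalous access patterns" point in the reply above (this is not code from the thread or from any of its posters), here is a small POSIX shell function that triages sshd entries from an auth log: it counts failed and accepted logins per source address and flags any address that succeeded after failing, which is the pattern a brute-force attack leaves behind. The five log lines embedded in the block are constructed for the demonstration; on Ubuntu 14.04 the real file is /var/log/auth.log.

```shell
#!/bin/sh
# Added example, not from the thread: triage sshd entries from an auth log.
# The five log lines below are constructed; on Ubuntu 14.04 the real file is
# /var/log/auth.log (run: triage_auth < /var/log/auth.log).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:01:02 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Mar  3 10:01:05 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51113 ssh2
Mar  3 10:01:09 mail sshd[1203]: Failed password for root from 203.0.113.7 port 51120 ssh2
Mar  3 10:02:30 mail sshd[1210]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Mar  3 11:15:44 mail sshd[1300]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2
EOF
)

# triage_auth: reads sshd log lines on stdin and prints one line per source
# address that was accepted at least once:
#   SUSPECT <ip> accepted=N failed=M user=<last accepted user>   (M > 0)
#   ok      <ip> accepted=N failed=0 user=<last accepted user>
# A success preceded by failures from the same address deserves a second
# look in the wtmp records (last) and the current sessions (w).
triage_auth() {
    awk '
    /sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") fail[$(i + 1)]++
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
        for (i = 1; i <= NF; i++) if ($i == "from") {
            ok[$(i + 1)]++
            user[$(i + 1)] = $(i - 1)   # the word before "from" is the account
        }
    }
    END {
        for (ip in ok) {
            flag = (fail[ip] > 0) ? "SUSPECT" : "ok"
            printf "%s %s accepted=%d failed=%d user=%s\n",
                   flag, ip, ok[ip], fail[ip] + 0, user[ip]
        }
    }' | sort
}

# Demo run on the constructed lines.
printf '%s\n' "$SAMPLE_AUTH_LOG" | triage_auth
```

Because the script only reads the log, it tells you nothing if the intruder has already cleaned /var/log/auth.log; that is why the reply above recommends shipping logs off the box and keeping an independent audit trail before anything happens.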
Quote:
1) Is there a foolproof way, one that cannot be defeated by a crafty intruder, that will show the open connections to the server, whether it is ssh, or telnet, or html?
Monitor the outgoing/incoming traffic from a separate machine using a live medium that you can trust. Tools like wireshark can be useful for monitoring traffic externally. A live medium is better: if your routed machine were also compromised, it could be hiding traffic too and wouldn't be much use!
Quote:
2) What are the connection types that would allow a crafty intruder to make changes to my server that normally only the root user can make? e.g. ssh for sure, but html, others?
Any software that is running as the root user. E.g., a web server running as root could be taken advantage of by a flawed php script that doesn't sanitize input. Also, any software that offers a connection to the outside world, regardless of the user it is running as, if there is a flaw that can be used to escalate privileges on the system... This is why it's best to keep software patched and up to date, as it vastly reduces this risk.
Quote:
3) For ways that a crafty intruder might have modified my system, using commands like below or other suggested commands, how can I tell if they (the commands themselves) have been modified?
There is software that can create checksums of system binaries (for instance, everything in /bin and /sbin) and compare them at a later date to see if the checksums have changed. I think tools similar to chkrootkit do this.
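The hash comparison described in both replies (the 'md5sum -c' against a known-clean copy in the first reply, and the checksum-of-/bin-and-/sbin idea in the one just above), as an added example that is not from the thread or its posters: a POSIX shell function records the md5 hash of every file under a reference tree and checks a target tree against that manifest. The clean/ and suspect/ trees it builds are constructed for the demonstration; in practice the reference is the package unpacked on a trusted machine and the target is the server under examination, ideally its disk mounted read-only from a live medium.

```shell
#!/bin/sh
# Added example, not from the thread: hash a known-clean reference tree and
# check a suspect tree against the manifest with `md5sum -c`. The clean/ and
# suspect/ trees below are constructed; substitute sha256sum for md5sum if a
# stronger hash is wanted, the invocation is identical.

# verify_tree REF_DIR TARGET_DIR
# Prints every path that differs from, or is missing in, TARGET_DIR and
# returns 1; returns 0 (printing nothing) when every file matches.
verify_tree() {
    ref="$1"; target="$2"
    manifest=$(mktemp)
    # Paths are relative to the tree root, so one manifest works for any mount point.
    ( cd "$ref" && find . -type f -exec md5sum {} + ) > "$manifest"
    # md5sum -c prints "<path>: OK" or "<path>: FAILED"; its warnings go to stderr.
    result=$( cd "$target" && md5sum -c "$manifest" 2>/dev/null || true )
    rm -f "$manifest"
    bad=$(printf '%s\n' "$result" | grep -v -e ': OK$' -e '^$' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# make_demo: builds a clean tree and a suspect tree in which bin/ls has been
# replaced (constructed tampering). Prints the base directory.
make_demo() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/bin" "$base/suspect/bin"
    printf 'original w binary\n'  > "$base/clean/bin/w"
    printf 'original ls binary\n' > "$base/clean/bin/ls"
    cp "$base/clean/bin/w" "$base/suspect/bin/w"
    printf 'trojaned ls binary\n' > "$base/suspect/bin/ls"
    echo "$base"
}

# Demo run.
base=$(make_demo)
if verify_tree "$base/clean" "$base/suspect"; then
    echo "suspect tree matches the reference"
else
    echo "mismatch found in suspect tree (paths listed above)"
fi
rm -rf "$base"
```

The check is only as trustworthy as the md5sum, find and shell used to run it, which is the point made earlier in the thread: on a box where root has been lost, run the comparison from a trusted live medium rather than with the victim's own binaries.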