I have an FC4 machine which I believe was compromised over the weekend via a PHP flaw,
And you disabled PHP and fixed the flaw, right?
but I don't believe the attacker was able to modify any of the core files
"Believing" doesn't cut it. Make *sure* the box is clean before you do anything else. Run a filesystem integrity checker like Aide, Samhain or tripwire if you installed any of those, run a systems checker like Chkrootkit or Rootkit hunter (or compile on another box and run), run your distro's package manager if it can verify checksums or else verify against a CDR or mirror of "known good" packages. Inspect the system's auth files, login records and system/application logs.
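As an added illustration of the "known good" checksum comparison mentioned above (this is example code, not part of the original reply and not how Aide, Samhain or tripwire are implemented): build a hash baseline of a tree, store it somewhere the box cannot touch, and later report modified, missing and unexpected new files. The directory layout and file contents in the demo are constructed; the helper names make_baseline and verify_baseline are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal "known good" baseline
# check of the kind the reply recommends. Real integrity checkers also record
# ownership, modes, inode data and sign the database; this only shows the idea.
# Assumes paths without spaces (awk field split) and GNU coreutils sha256sum.

# make_baseline DIR OUTFILE: record the SHA-256 of every regular file under DIR.
# Keep OUTFILE off the box (or on read-only media) so an intruder cannot
# "fix" it after replacing a binary.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# verify_baseline DIR BASEFILE: print one line per modified or missing file
# (sha256sum -c reports "path: FAILED") and per file that was not in the
# baseline at all (e.g. a dropped web shell). Returns 0 if clean, 1 otherwise.
verify_baseline() {
    dir=$1; base=$2; rc=0
    # modified or missing files among those listed in the baseline
    if ! sha256sum -c --quiet "$base" 2>/dev/null; then
        rc=1
    fi
    # files present now but absent from the baseline
    known=$(mktemp); now=$(mktemp)
    awk '{print $2}' "$base" | sort > "$known"
    find "$dir" -type f | sort > "$now"
    unexpected=$(comm -13 "$known" "$now")
    if [ -n "$unexpected" ]; then
        echo "$unexpected" | while IFS= read -r f; do printf 'NEW: %s\n' "$f"; done
        rc=1
    fi
    rm -f "$known" "$now"
    return $rc
}

# Demo on a constructed web root: clean run, then a tampered file and a new one.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/www"
    printf '<?php echo "hello"; ?>\n' > "$work/www/index.php"
    printf 'ok\n' > "$work/www/README"
    make_baseline "$work/www" "$work/baseline.sha256"
    verify_baseline "$work/www" "$work/baseline.sha256" && echo "clean"
    printf 'tampered\n' >> "$work/www/index.php"     # simulated modification
    printf 'x\n' > "$work/www/shell.php"              # simulated dropped file
    verify_baseline "$work/www" "$work/baseline.sha256" || echo "NOT clean"
    rm -rf "$work"
}

demo
```

On a Fedora box the package manager can do a similar comparison for packaged files with `rpm -Va`, but only against the RPM database on the same machine, which is exactly what an intruder with root could have altered; hence the advice to compare against a CDR or mirror instead.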
I was able to get the system rebooted
...along the way probably destroying "evidence" as the box went down, but OK...
as a security precaution I would like to log all incoming and outgoing traffic on this machine
First question would be: why would you want to do this?
A compromised box needs to be inspected and sanitised if not 100 percent clean. Everything else is a waste of time.
Logging isn't useful unless you know what to look for, monitor it 24/7, get alerted instantly and know what to do then.
Is there any way to log all this information from the machine, or would I need to put a box between this machine and the world?
Just prefix iptables rules with -j LOG rules. Run tcpdump if you also want to run payloads through an IDS like Snort.