LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 10-24-2005, 01:06 PM   #1
technick
LQ Newbie
 
Registered: Sep 2005
Location: Atlanta, Ga
Distribution: Dapper Drake
Posts: 10

Rep: Reputation: 0
Exclamation Logging All Incoming / Outbound Traffic


I have a FC4 machine which I believe was compromised over the weekend via a PHP flaw, but I don't believe the attacker was able to modify any of the core files, he was able corrupted the bash shell env. I was able to get the system rebooted, and everything seems to be fine now, but as a security precaution I would like to log all incoming and outgoing traffic on this machine. Is there any way to log all this information from the machine or would I need to put a box between this machine and the world?

Any recommendations would be appreciated.

Thanks in advance.
 
Old 10-24-2005, 02:32 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
I have a FC4 machine which I believe was compromised over the weekend via a PHP flaw,
And you disabled PHP and fixed the flaw, right?


but I don't believe the attacker was able to modify any of the core files
"Believing" doesn't cut it. Make *sure* the box is clean before you do anything else. Run a filesystem integrity checker like Aide, Samhain or tripwire if you installed any of those, run a systems checker like Chkrootkit or Rootkit hunter (or compile on another box and run), run your distro's package manager if it can verify checksums or else verify against CDR or mirror of "known good" packages. Inspect the systems auth files, login records and system/application logs.


I was able to get the system rebooted
...along the way probably destroying "evidence" as the box went down, but OK...


as a security precaution I would like to log all incoming and outgoing traffic on this machine
First question would be: why would you want to do this?
A compromised box needs to be inspected and sanitised if not 100 percent clean. Everything else is a waste of time.
Logging isn't useful unless you know what to look for, monitor it 24/7, get alerted instantly and know what to do then.


Is there any way to log all this information from the machine or would I need to put a box between this machine and the world
Just prefix iptables rules with -j LOG rules. Run tcpdump if you also want to run payloads through an IDS like Snort.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
outbound web traffic load balancing across multiple nics univaco Linux - Networking 5 01-21-2009 01:25 PM
Spike in outbound traffic- where to look? htmlcoder Linux - Security 3 03-19-2005 03:13 PM
Avoid the firewall for outbound traffic on locally-defined virtual IP address? ariebs Linux - Networking 1 08-19-2004 12:05 PM
snort logging all outbound traffic as port-scan? Pcghost Linux - Security 3 04-20-2004 01:12 PM
Force outbound reply traffic to reuse inbound non-gw NIC? Jon- Linux - Networking 2 03-05-2002 04:50 PM


All times are GMT -5. The time now is 03:57 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration