LinuxQuestions.org

Linux - Security: Security question from a CCDC captain. (https://www.linuxquestions.org/questions/linux-security-4/security-question-from-a-ccdc-captain-889572/)

jnolan19 07-02-2011 01:58 PM

Security question from a CCDC captain.
 
Hey everybody, this is my first post so I hope I'm doing this right. CCDC stands for Collegiate Cyber Defense Competition. Last year we took second in state from Indiana behind Indiana Tech. This year I am one of the captains. What I believe really took us down was that our CentOS box had been compromised prior to competition and a backdoor was put into the FTP service. I hope someone can inform me on how to check for something like this and, if possible, to correct. Thank you in advance for anyone's help.

macemoneta 07-02-2011 03:32 PM

Don't run FTP; unmodified, it transmits passwords as clear text, making you an easy target. Use sftp via the sshd server instead, which is encrypted.

Hangdog42 07-02-2011 03:42 PM

A couple of things to try:

- A file integrity checking system like AIDE, Samhain, Osiris or Tripwire should be installed and configured before the system is connected to the network. Running those scans could tell you if files have been tampered with. Just be sure that the "good" database is protected so it can't be altered if the machine is compromised.

- Check out the verify option for rpm (rpm -V) as that can tell you if something has happened to any official rpm package.

jnolan19 07-02-2011 03:57 PM

I know running FTP is not the smart thing to do, but in this kind of competition this service is a must and has a scoring engine attached to it. If the service is down for more than 10-15 mins, points start getting taken from our team. A quick background of what our team comes in to is that the entire IT staff has been fired, but before leaving they have compromised machines. There is no reference machine or "good" database. I was curious if an FTP server with TLS would help with security, but I haven't tried it yet.

Hangdog42 07-02-2011 04:01 PM

If you're starting with a compromised machine, rpm -Vv should still give you some useful information, unless the RPM database has been compromised as well.
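The two posts above lean on rpm's verify mode. This is an added example, not from either poster: a small POSIX shell/awk helper that reads "rpm -Va" output (run that on the real box and pipe it in) and keeps only the high-signal entries, namely a changed digest ("5" in the third flag column) or a missing file, on files rpm does not mark as config ("c"), since config files drift legitimately. The sample lines are constructed to imitate a CentOS host whose ftp daemon binary was replaced; the paths are illustrative.

```shell
#!/bin/sh
# Triage helper for "rpm -Va" output on a possibly compromised CentOS box.
# Added example, not code from the thread. Assumes the classic rpm -V line
# layout: a flags field, an optional file-type letter (c d g l r), a path.

# Reads rpm -V lines on stdin, prints one "REASON path" line per hit.
triage_rpm_verify() {
    awk '
    {
        flags = $1
        # A type column is present when field 2 is a single attribute
        # letter and a third field (the path) follows it.
        if (NF >= 3 && length($2) == 1 && $2 ~ /^[cdglr]$/) {
            type = $2; path = $3
        } else {
            type = ""; path = $2
        }
        if (type == "c") next          # config files are expected to change
        if (flags == "missing") { print "MISSING " path; next }
        # Flag columns: S M 5 D L U G T P; "5" = digest differs
        if (substr(flags, 3, 1) == "5") print "DIGEST " path
    }'
}

# Constructed sample output (not real rpm output): the vsftpd binary has a
# changed digest, its config drifted (expected), a doc file is gone, and
# gzip only has a changed mtime, which alone is not a tamper signal.
SAMPLE_RPM_V='S.5....T.  c /etc/vsftpd/vsftpd.conf
S.5....T.    /usr/sbin/vsftpd
missing   c /etc/vsftpd/ftpusers
missing     /usr/share/doc/vsftpd-2.2.2/README
.......T.    /usr/bin/gzip
..?......    /usr/sbin/sshd'

# Runs the triage over the constructed sample; on a live box use:
#   rpm -Va | triage_rpm_verify
run_sample() {
    printf "%s\n" "$SAMPLE_RPM_V" | triage_rpm_verify
}
```

Caveat the poster already raises: if the RPM database itself was altered, the stored digests may be lies, so treat a clean result as weak evidence and a hit as a lead to confirm with a known-good package.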

macemoneta 07-02-2011 04:03 PM

It would help, but you might want to run it in a minimal virtual machine as well. That way, compromising the ftp server doesn't impact the host. With a snapshot or copy of the virtual machine image, in the event it's taken down you can get it back in service in pristine condition in seconds.

sunnydrake 07-02-2011 07:05 PM

Back up ALL DATA as soon as an intrusion is detected! Really, the whole hard drive image.
Then run a copy of the disk image in a read-only virtual machine and trace back all the steps that were taken to compromise the system.
Why is a full analysis needed? Because really good attacks include many layers of exploits, so there is no guarantee that the attack compromised only one system and did not leave hidden backdoors in other software.
How to check what was modified? The generic method is to compare files with the default package files and configs. Quick & dirty is to check access logs / file modification times / configs.

There is no way to maintain security on a generic work system. To run a secure box you must use a 5-10 year tested OS core (Linux kernel) and the minimum required amount of services (hand tuned for security), and no bleeding edge or new versions. Government and commercial protected systems have no connection to external networks at all. Another interesting technology is the honeypot.

bogie5464 07-03-2011 10:55 AM

You guys are from Indiana? I'm from Indiana and am very interested now. Do you guys have a webpage of some sort?

scottrkahler@yahoo.com 07-03-2011 12:44 PM

one time passwords
 
Linux does support one time passwords. It may be a good time waster for someone sniffing the packets. It would protect from key-loggers.

http://socsinfo.cs.mcgill.ca/wiki/FTP

http://www.linux.com/learn/tutorials...linux-security

jefro 07-03-2011 03:31 PM

Disable ftp.

Problem is there are tons of junk on a distro, all of which has holes in it. NetBSD is claimed to be almost unhackable, but when you start to put apps on it the thing is open to attack.

orgcandman 07-05-2011 07:50 AM

Quote:

Originally Posted by jnolan19 (Post 4402693)
Hey everybody, this is my first post so I hope I'm doing this right. CCDC stands for Collegiate Cyber Defense Competition. Last year we took second in state from Indiana behind Indiana Tech. This year I am one of the captains. What I believe really took us down was that our CentOS box had been compromised prior to competition and a backdoor was put into the FTP service. I hope someone can inform me on how to check for something like this and, if possible, to correct. Thank you in advance for anyone's help.

If this is for a RT/BT or CTF challenge, double check the rules first. Oftentimes you have restrictions on which services you can or cannot turn off. If this IS for a challenge, you may be starting with a bugged ftp/ssh/whatever application, and it's your job to lock it down and prevent the bug from being exploited.

