Linux - Security forum, LinuxQuestions.org
Hey everybody, this is my first post, so I hope I'm doing this right. CCDC stands for Collegiate Cyber Defense Competition. Last year we took second in the state of Indiana, behind Indiana Tech. This year I am one of the captains. What I believe really took us down was that our CentOS box had been compromised prior to the competition and a backdoor was put into the FTP service. I hope someone can tell me how to check for something like this and, if possible, how to correct it. Thank you in advance for anyone's help.
- A file integrity checking system like AIDE, Samhain, Osiris or Tripwire should be installed and configured before the system is connected to the network. Running those scans could tell you if files have been tampered with. Just be sure that the "good" database is protected so it can't be altered if the machine is compromised.
- Check out the verify option for rpm (rpm -V) as that can tell you if something has happened to any official rpm package.
I know running FTP is not the smart thing to do, but in this kind of competition this service is a must and has a scoring engine attached to it. If the service is down for more than 10-15 minutes, points start getting taken from our team. A quick background on what our team comes into: the entire IT staff has been fired, but before leaving they compromised the machines. There is no reference machine or "good" database. I was curious whether an FTP server with TLS would help with security, but I haven't tried it yet.
If you're starting with a compromised machine, rpm -Vv should still give you some useful information, unless the RPM database has been compromised as well.
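The two replies above both point at rpm -V. Here is an added example (not code posted by anyone in this thread) that reads the text `rpm -Va` prints and sorts it into something a team can act on in the first ten minutes: a digest or size change on a file under /usr/sbin or /usr/lib64 is treated very differently from the same flags on a file marked `c` (config), which is expected to drift. The line format, flag letters and attribute letters are those documented in rpm's man page; the tolerant spacing in the regex is an assumption made so the parser accepts both 8-flag (older rpm) and 9-flag output. The sample at the bottom is constructed to look like `rpm -Va` output and is not from a real system.

```python
"""Triage the output of `rpm -Va` for signs of a backdoored package file.

Added example, not code from the thread.  Feed it the text that `rpm -Va`
(or `rpm -V vsftpd`) prints on the suspect box; it only reads text, so it can
run offline on a saved copy.  SAMPLE below is constructed for illustration.

Caveat raised in the thread: rpm -V trusts the local RPM database and the rpm
binary, and root can rewrite both.  Treat a clean result as "nothing obvious",
not proof, and prefer `rpm -Vp <pkg.rpm>` against a package file from clean
install media when you have one.
"""
import re
import sys

# rpm -V line: a verify string (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities; '.' = ok, '?' = not checked) or
# the word "missing", then an optional attribute letter (c config, d doc,
# g ghost, l license, r readme) and the path.  Spacing differs between rpm
# versions (assumption), so the pattern is deliberately loose about it.
_LINE = re.compile(
    r'^(?P<flags>[S.M5DLUGTP?]{8,9}|missing)\s+(?:(?P<attr>[cdglrDL])\s+)?(?P<path>/.*)$'
)

# Directories where a content change to a package-owned file means a replaced
# binary or library rather than ordinary local customisation.
EXEC_DIRS = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/', '/usr/libexec/',
             '/lib/', '/lib64/', '/usr/lib/', '/usr/lib64/')

SEVERITY_ORDER = {'high': 0, 'medium': 1, 'low': 2}


def parse_line(line):
    """Return {'flags', 'attr', 'path'} for one rpm -V line, or None for anything else."""
    m = _LINE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def classify(entry):
    """Map one parsed entry to (severity, reason)."""
    flags, attr, path = entry['flags'], entry['attr'], entry['path']
    in_exec = path.startswith(EXEC_DIRS)
    if flags == 'missing':
        if attr in ('d', 'l', 'r'):
            return 'low', 'missing documentation file'
        return 'medium', 'package-owned file is missing'
    content_changed = any(f in flags for f in 'S5L')   # size, digest, link target
    meta_changed = any(f in flags for f in 'MUGDP')    # mode, owner, group, device, caps
    if attr == 'c':
        return 'low', 'config file differs from package default (review the diff)'
    if content_changed and in_exec:
        return 'high', 'executable/library content differs from package (possible backdoor)'
    if meta_changed and in_exec:
        return 'high', 'executable/library mode or ownership changed (setuid? new owner?)'
    if content_changed or meta_changed:
        return 'medium', 'non-config file content or metadata changed'
    if '?' in flags:
        return 'medium', 'an attribute could not be verified'
    return 'low', 'only the mtime differs'


def triage(text):
    """Parse rpm -V output and return findings sorted worst-first."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:        # "Unsatisfied dependencies" lines, blanks, noise
            continue
        severity, reason = classify(entry)
        findings.append({'severity': severity, 'path': entry['path'],
                         'flags': entry['flags'], 'reason': reason})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f['severity']], f['path']))
    return findings


def paths_by_severity(text):
    """Convenience view: {'high': [paths], 'medium': [...], 'low': [...]}."""
    out = {'high': [], 'medium': [], 'low': []}
    for f in triage(text):
        out[f['severity']].append(f['path'])
    return out


# Constructed sample shaped like rpm -Va output; not from a real system.
SAMPLE = """\
Unsatisfied dependencies for example-1.0-1.el6.x86_64:
S.5....T.    /usr/sbin/vsftpd
.M.......    /usr/bin/passwd
S.5....T.  c /etc/vsftpd/vsftpd.conf
.......T.    /usr/lib64/libssl.so.10
missing   d /usr/share/doc/vsftpd-2.2.2/README
.M....G..    /var/ftp/pub
.M.......  c /etc/ssh/sshd_config
"""

if __name__ == '__main__':
    # Usage: rpm -Va 2>/dev/null | python3 rpmv_triage.py   (no pipe: runs on SAMPLE)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for f in triage(data):
        print(f"{f['severity']:6} {f['flags']:9} {f['path']}  # {f['reason']}")
```

Anything that lands in "high" is what you rebuild first: reinstall the package from known-good media (`rpm -Uvh --replacepkgs` or `yum reinstall`) and then re-verify. Remember the point made above: if the RPM database itself was edited, rpm -V will happily report a trojaned binary as clean, which is exactly why a file-integrity database captured before the box was ever networked is the real answer.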
It would help, but you might want to run it in a minimal virtual machine as well. That way, compromising the ftp server doesn't impact the host. With a snapshot or copy of the virtual machine image, in the event it's taken down you can get it back in service in pristine condition in seconds.
Back up ALL DATA as soon as an intrusion is detected! Really, the whole hard drive image.
Then run a copy of the disk image in a read-only virtual machine and trace back all the steps that were taken to compromise the system.
Why is a full analysis needed? Because really good attacks include many layers of exploits, so there is no guarantee that the attack compromised only one system and did not leave hidden backdoors in other software.
How do you check what was modified? The generic method is to compare files with the default package files and configs. The quick and dirty way is to check access logs, file time modifications and configs.
There is no way to maintain security on a generic work system. To run a secure box you must use a 5-10 years tested OS core (Linux kernel) and the minimum required amount of services (hand tuned for security), and no bleeding edge or new versions. Government and commercial protected systems have no connection to external networks at all. Another interesting technology is honeypots.
Last edited by sunnydrake; 07-02-2011 at 07:09 PM.
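The post above suggests checking file time modifications on a read-only copy of the disk. The added example below (not the poster's code) shows the one timestamp an attacker cannot forge from user space: ctime, which the kernel updates on any content or metadata change and which `touch -r` and utime() cannot set backwards. It walks a tree, keeps only files whose ctime falls inside the suspected compromise window, and splits those into files whose mtime agrees with the ctime and files whose mtime was pushed back before the window, which is what a `touch -r /bin/ls ./vsftpd` backdating trick leaves behind. The demo tree, file names and the ten-year offset are constructed for the example; the window boundaries and the 60-second tolerance are assumptions you would set from the incident timeline.

```python
"""Find files changed in a time window, and flag the ones whose mtime was backdated.

Added example, not code from the thread.  Run it against a disk image
mounted read-only (or, less ideally, the live box) with the window taken from
the incident timeline.  The fixture built by build_demo_tree() is constructed
so the script runs offline; it is not data from any real case.
"""
import os
import shutil
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    kind: str       # 'changed-in-window' or 'backdated'
    mtime: float
    ctime: float


def scan(root, window_start, window_end=None, tolerance=60.0):
    """Return Findings for every regular file whose ctime is inside the window.

    ctime is set by the kernel and cannot be chosen by utime(2), so it is the
    trustworthy side of the comparison.  A file whose ctime is in the window but
    whose mtime lies more than `tolerance` seconds before the window was changed
    recently and then had its mtime set backwards (or was installed by a package
    manager, which also preserves old mtimes: cross-check /var/log/yum.log).
    """
    if window_end is None:
        window_end = time.time()
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)   # lstat: never follow a symlink an attacker planted
            except OSError:
                continue
            if not (window_start <= st.st_ctime <= window_end):
                continue
            if st.st_mtime < window_start - tolerance:
                kind = 'backdated'
            else:
                kind = 'changed-in-window'
            findings.append(Finding(p, kind, st.st_mtime, st.st_ctime))
    findings.sort(key=lambda f: f.ctime)
    return findings


def build_demo_tree():
    """Constructed fixture: one freshly written file and one back-dated file.

    Returns the temp directory; caller removes it.
    """
    root = tempfile.mkdtemp(prefix='ftpbox-')
    honest = os.path.join(root, 'vsftpd.conf')
    with open(honest, 'w') as fh:
        fh.write('anonymous_enable=NO\n')
    stomped = os.path.join(root, 'vsftpd')
    with open(stomped, 'w') as fh:
        fh.write('#!/bin/sh\n# stand-in for a replaced daemon binary\n')
    ten_years = 10 * 365 * 86400                  # assumed offset for the demo
    old = time.time() - ten_years
    # This is what `touch -r <old file> vsftpd` does: atime/mtime go back,
    # but the kernel bumps ctime to now because the inode was modified.
    os.utime(stomped, (old, old))
    return root


def demo():
    """Scan the fixture with a one-hour window ending now; returns {name: kind}."""
    root = build_demo_tree()
    try:
        now = time.time()
        found = scan(root, window_start=now - 3600, window_end=now + 60)
        return {os.path.basename(f.path): f.kind for f in found}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == '__main__':
    for name, kind in demo().items():
        print(f'{kind:18} {name}')
```

In a real run you would point `scan()` at the mounted image root with the window taken from when the machine was handed over, then read the 'backdated' list against the package database: a backdated file that rpm -V also reports with a digest mismatch is about as clear a signal of a planted binary as you will get without a pre-compromise integrity database.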
Problem is there is a ton of junk on a distro, and all of it has holes in it. NetBSD is claimed to be almost unhackable, but when you start to put apps on it the thing is open to attack.
If this is for an RT/BT or CTF challenge, double check the rules first. Oftentimes you have restrictions on which services you can or cannot turn off. If this IS for a challenge, you may be starting with a bugged ftp/ssh/whatever application, and it's your job to lock it down and prevent the bug from being exploited.