[kwlug-disc] server compromised

L.D. Paniak ldpaniak at fourpisolutions.com
Thu May 14 11:10:27 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



john at netdirect.ca wrote:
> 
> In an ongoing discussion of compromised servers I'd like to suggest we
> talk about:
> 
> - Prevention,
> - Detection,
> - and Removal
> 

An ounce of prevention is worth a pound of cure:

Leave no (few) open ports to the internet. Use something like Shorewall
or Firestarter to configure and manage iptables/Netfilter.

If you want ssh/sftp remote access for a small number of people, disable
password authentication on their accounts and securely deliver each of
them a key generated by ssh-keygen, e.g.

http://www.debianhelp.org/node/1198

This way you will know that the passkey is sufficiently strong and the
remote user won't change it to "abc123" at their earliest convenience.
In order to protect your system from breakins at the guest end, you
probably want to set a reasonable passphrase when generating the key.


Detection:

Turn on all logging on the system.  Disk space is cheap. Install
logwatch on all servers and have it send reports to an external e-mail
account daily.  Read the logs and look for anything out of the ordinary,
especially network activity.  Look for numerous failed logon attempts, etc.

Here is a snippet of an entertaining log from my home trixbox:

> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"100"<sip:100 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"101"<sip:101 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"102"<sip:102 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"103"<sip:103 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"104"<sip:104 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"105"<sip:105 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"106"<sip:106 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"107"<sip:107 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"108"<sip:108 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"109"<sip:109 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"110"<sip:110 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"111"<sip:111 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found
> [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from '"112"<sip:112 at 76.64.107.18>' failed for '212.174.78.60' - No matching peer found

Someone connecting from Turkey wanted to make a free phone call.

You can also install rkhunter - a rootkit hunter - and configure it to
mail daily reports.  It does a superficial check of whether the state of
various system files has changed.  rkhunter would probably be the first
thing to be hacked by a savvy intruder.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFKDDRj8h2PnOHbiQcRAjB/AJ9cwwiQWoEV7A1Xffpz98AVCCqmHQCfeLcA
kIfk0wKm4BZ3hhidrVaAw1I=
=eYNg
-----END PGP SIGNATURE-----
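The prevention advice above (key-only ssh for a handful of users) comes down to a few sshd_config directives, and sshd uses the FIRST value it sees for a keyword, so a hardened line that comes after a weak one does nothing. The following is an added example, not code from the post or from OpenSSH: it parses a constructed sshd_config, reports the weak settings, and rewrites it so the hardened values win. The sample config, the helper names, and the PermitRootLogin/ChallengeResponseAuthentication checks are assumptions (the post only says to disable password authentication; those two are the other ways a password can still get in).

```python
"""Audit and harden an OpenSSH sshd_config for key-only logins.
Added example; the sample config and the extra directives are assumptions."""
import re

# Values the post's advice implies. PermitRootLogin and
# ChallengeResponseAuthentication are assumptions: the post does not name
# them, but either left on still allows a password login.
WANTED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "no",
}
# Assumed sshd defaults when a directive is absent (OpenSSH 5.x/6.x).
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "yes",
}
CANONICAL = {k.lower(): k for k in WANTED}

# Constructed sample (not from the post): weak global settings, plus a
# Match block that only applies to one user and must not mask the problem.
WEAK_CONFIG = """\
# constructed sample sshd_config
Port 22
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication no
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s*[=\s]\s*(.+?)\s*$")


def parse_sshd_config(text):
    """Return {keyword_lowercase: first_value} for the global section.
    Keywords are case-insensitive and the first occurrence wins, exactly
    as sshd resolves them; lines inside a Match block are skipped."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            in_match = True                      # rest of file is conditional
            continue
        if not in_match:
            settings.setdefault(key, value)      # first value wins
    return settings


def audit_sshd_config(text):
    """Return [(directive, found, wanted)] for every directive whose
    effective global value differs from WANTED."""
    settings = parse_sshd_config(text)
    findings = []
    for name, wanted in WANTED.items():
        found = settings.get(name.lower(), DEFAULTS[name].lower())
        if found != wanted:
            findings.append((name, found, wanted))
    return findings


def harden_sshd_config(text):
    """Pin the WANTED directives at the top of the file and comment out
    any existing global occurrence, so the hardened value is the first one
    sshd reads. Match-block lines are left alone."""
    out = []
    in_match = False
    for raw in text.splitlines():
        stripped = raw.strip()
        m = re.match(r"^([A-Za-z]+)\b", stripped)
        key = m.group(1).lower() if m else ""
        if key == "match":
            in_match = True
        if key in CANONICAL and not in_match and not stripped.startswith("#"):
            out.append("# " + raw + "   # disabled by harden_sshd_config")
        else:
            out.append(raw)
    header = ["%s %s" % (k, v) for k, v in WANTED.items()]
    return "\n".join(header + out) + "\n"


if __name__ == "__main__":
    for name, found, wanted in audit_sshd_config(WEAK_CONFIG):
        print("weak: %s is %r, want %r" % (name, found, wanted))
    print(harden_sshd_config(WEAK_CONFIG))
```

Run it against a copy of /etc/ssh/sshd_config before the real one; after installing the users' public keys (generated on their side with ssh-keygen and a passphrase, as the post says), reload sshd and confirm from a second session that a password prompt no longer appears.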
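The detection advice ("look for numerous failed logon attempts") and the trixbox log above are what the following added example automates. It is not code from the post, logwatch or Asterisk: it parses the chan_sip "Registration ... failed" lines and sshd "Failed password" lines, counts failures per source address inside a sliding time window, and flags sources that also walk through sequential extension numbers, which is the pattern in the quoted log (extensions 100 to 112 in one second). The sample lines are constructed to mirror the post's log (the archive rewrote "@" as " at "; real Asterisk logs have "@", and both forms are accepted), and the sshd lines, hostnames and addresses are invented.

```python
"""Flag brute-force / enumeration sources in Asterisk chan_sip and sshd logs.
Added example; sample log lines are constructed, not taken from a real box."""
import re
from collections import defaultdict
from datetime import datetime

# Asterisk: [Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from
#   '"100"<sip:100@76.64.107.18>' failed for '212.174.78.60' - No matching peer found
SIP_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<target>[^\"]*)\"<sip:[^>]*>' failed for "
    r"'(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - (?P<reason>.+)$")
# sshd: May 14 09:12:03 gw sshd[4101]: Failed password for invalid user admin
#   from 198.51.100.7 port 51012 ssh2
SSH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<target>\S+) from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")

# Constructed sample: 13 SIP registration failures in one second (as in the
# post), three sshd failures spread over ten minutes, one successful login.
SAMPLE_LOG = [
    "[Feb 16 07:59:14] NOTICE[17157] chan_sip.c: Registration from "
    "'\"%d\"<sip:%d@76.64.107.18>' failed for '212.174.78.60' - No matching peer found"
    % (n, n) for n in range(100, 113)
] + [
    "May 14 09:12:03 gw sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51012 ssh2",
    "May 14 09:15:47 gw sshd[4109]: Failed password for root from 198.51.100.7 port 51020 ssh2",
    "May 14 09:21:30 gw sshd[4122]: Failed password for invalid user test from 198.51.100.7 port 51033 ssh2",
    "May 14 09:22:01 gw sshd[4130]: Accepted publickey for ldp from 192.0.2.10 port 40022 ssh2",
]


def parse_failure(line):
    """Return {service, ts, ip, target} for a failed-auth line, else None.
    Syslog timestamps carry no year; datetime defaults it to 1900, which is
    fine for the relative arithmetic done here."""
    for service, rx in (("sip", SIP_RE), ("ssh", SSH_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            return {"service": service, "ts": ts,
                    "ip": m.group("ip"), "target": m.group("target")}
    return None


def failures_by_source(lines):
    events = defaultdict(list)
    for line in lines:
        ev = parse_failure(line)
        if ev:
            events[ev["ip"]].append(ev)
    return events


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: report} for sources with at least `threshold` failures
    inside some `window_seconds` span. Targets that form a run of
    consecutive numbers (100, 101, 102, ...) are reported as enumeration."""
    reports = {}
    for ip, evs in failures_by_source(lines).items():
        evs.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in evs]
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        targets = [e["target"] for e in evs]
        nums = sorted(int(t) for t in targets if t.isdigit())
        sequential = len(nums) >= 3 and nums == list(range(nums[0], nums[0] + len(nums)))
        reports[ip] = {"service": evs[0]["service"], "failures": len(evs),
                       "peak_in_window": peak, "targets": sorted(set(targets)),
                       "sequential_targets": sequential}
    return reports


if __name__ == "__main__":
    for ip, r in find_bruteforce(SAMPLE_LOG).items():
        print(ip, r)
```

Feed it the lines logwatch would otherwise summarise (cat /var/log/asterisk/messages /var/log/auth.log | python3 this.py, after swapping SAMPLE_LOG for sys.stdin); a hit on the SIP side with sequential_targets set is exactly the "someone wants a free phone call" case, and the address is the one to drop at the firewall.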