
The first thing an intruder typically does is install a "rootkit". There are many prepackaged rootkits available
on the Internet. The rootkit is essentially a script, or set of scripts, that makes quick work of modifying the
system so the intruder is in control, and he is well hidden. He does this by installing modified binaries of
common system utilities and tampering with log files, or by using special kernel modules that achieve
similar results. So common commands like ls may be modified so as to not show where he has his files
stored. Clever!
A well designed rootkit can be quite effective. Nothing on the system can really be trusted to provide accurate
feedback. Nothing! But sometimes the modifications are not as smooth as intended and give hints that
something is not right. Some things that might be warning signs:
• Login acts weird. Maybe no one can login. Or only root can login. Any login weirdness at all should
  be suspicious. Similarly, any weirdness with adding or changing passwords.

• Weirdness with other system commands (e.g. top or ps) should be cause for concern as well.

• System utilities are slower, or awkward, or show strange and unexpected results. Common utilities
  that might be modified are: ls, find, who, w, last, netstat, login, ps, top. This is not a definitive list!

• Files or directories named "..." or ".. " (dot dot space). A sure bet in this case. Files with haxor
  looking names like "r00t-something".

• Unexplained bandwidth usage, or connections. Script kiddies have a fondness for IRC, so such
  connections should raise a red flag.

• Logs that are missing completely, or missing large sections. Or a sudden change in syslog behavior.

• Mysterious open ports, or processes.

• Files that cannot be deleted or moved. Some rootkits use chattr to make files "immutable", or not
  changeable. This kind of change will not show up with ls, or rpm -V, so the files look normal at first
  glance. See the man pages for chattr and lsattr on how to reverse this. Then see the next section
  below on restoring your system as the jig is up at this point.

  This is becoming a more and more common script kiddie trick. In fact, one quick test to run on a
  suspected system (as root):

      /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep i--

  This will look for any "immutable" files in root's PATH, which is almost surely a sign of trouble since
  no standard distributions ship files in this state. If the above command turns up anything at all, then
  plan on completely restoring the system (see below). A quick sanity check:

      # chattr +i /bin/ps
      # /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep "i--"
      ---i---------- /bin/ps
      # chattr -i /bin/ps

  This is just to verify the system is not tampered with to the point that lsattr is completely unreliable.
  The third line is exactly what you should see.

• Indications of a "sniffer", such as log messages of an interface entering "promiscuous" mode.

• Modifications to /etc/inetd.conf, rc.local, rc.sysinit or /etc/passwd. Especially,
  any additions. Try using cat or tail to view these files. Additions will most likely be appended to the
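Three of the warning signs above (immutable files in root's PATH, directories named "..." or ".. ", and a syslog message about an interface entering promiscuous mode) can each be turned into a small check. The script below is an added example written for this edit, not code from the HOWTO: the lsattr output, the syslog excerpt and the directory tree it scans are all constructed here so that it runs without root, and the function names (find_immutable, count_immutable, check_path_immutable, find_dot_names, find_promisc, make_sample_tree) are my own. It assumes lsattr's documented output layout of an attribute string followed by the path, with a lowercase "i" marking the immutable flag.

```shell
#!/bin/sh
# Added example (not from the HOWTO): script the warning signs discussed above.
# Function names are hypothetical; all sample data below is constructed.

# Constructed lsattr output: attribute flags, then the path. The 'i' flag means immutable.
SAMPLE_LSATTR='-------------- /bin/ls
---i---------- /bin/ps
-------------- /usr/bin/top
----a--------- /var/log/messages'

# Constructed syslog excerpt; the first line is what a sniffer typically leaves behind.
SAMPLE_SYSLOG='Jan 10 02:14:01 host kernel: device eth0 entered promiscuous mode
Jan 10 02:14:09 host sshd[812]: Accepted password for alice from 10.0.0.5 port 40112 ssh2
Jan 10 02:20:33 host kernel: device eth0 left promiscuous mode'

# Print the path of every entry whose attribute field contains 'i'.
# Matching only field 1 avoids false hits on an 'i' in the file name itself.
find_immutable() {
    printf '%s\n' "$1" | awk '$1 ~ /i/ { print $2 }'
}

# Number of immutable entries; anything other than 0 means plan a full restore.
count_immutable() {
    find_immutable "$1" | wc -l | tr -d ' '
}

# Live version of the HOWTO's one-liner: run lsattr over every directory in
# $PATH (needs root and an ext2/ext3 filesystem) and keep only immutable entries.
check_path_immutable() {
    for d in $(printf '%s\n' "$PATH" | tr ':' ' '); do
        [ -d "$d" ] && lsattr "$d" 2>/dev/null
    done | awk '$1 ~ /i/ { print $2 }'
}

# Find names made only of dots, or a dot or dots followed by a space ("..." and ".. ").
# "." and ".." are the real directory entries and are skipped.
find_dot_names() {
    find "$1" -name '.*' 2>/dev/null | while IFS= read -r p; do
        base=${p##*/}
        case "$base" in
            .|..) ;;
            ...*|'.. '*|'. '*) printf '%s\n' "$p" ;;
        esac
    done
}

# Log lines announcing an interface entering promiscuous mode.
find_promisc() {
    printf '%s\n' "$1" | grep -i 'entered promiscuous mode'
}

# Build a constructed tree with two hidden-looking directory names and two
# ordinary dotfiles (which must not be flagged), and print its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/lib/..." "$t/tmp/.. " "$t/home/user/.config"
    touch "$t/usr/lib/.../r00t-kit" "$t/home/user/.bashrc"
    printf '%s\n' "$t"
}

# Stand-alone run over the constructed data.
report_samples() {
    echo "immutable files in sample lsattr output:"
    find_immutable "$SAMPLE_LSATTR"          # prints /bin/ps
    echo "promiscuous-mode messages in sample log:"
    find_promisc "$SAMPLE_SYSLOG"
    t=$(make_sample_tree)
    echo "suspicious names in sample tree:"
    find_dot_names "$t"                      # prints the "..." and ".. " directories
    rm -rf "$t"
}

report_samples
```

check_path_immutable is the only function that touches the real system; run it as root and treat any output the way the HOWTO says, as a reason to restore rather than repair. The other functions work on text you pass in, so the same parsing can be pointed at lsattr output or a log file copied off a suspect machine.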
Security Quick−Start HOWTO for Red Hat Linux
6. Intrusion Detection 37