Linux (Centos, Red-Hat) searching intrusions

[pablovalcarcel]

Hi there again.

I was looking for some advice in order to search, detect intrusions on redhat systems.

I know some kind of intrusions as drive by download, php shells, redirections to external urls, Have I forgetting something?

Usually I check for ftp uploads and ip country, look into online websites analyzer, scan websites with updated antivirus, ...

How can I detect that intrusions and malware? What tools do you use?

Thanks in advance

[jggimi]

Years ago, I used to use snort; its a commonly used IDS.

[pablovalcarcel]

Thanks.

I have hear about IDS as snort and others sniffers (whireshark, tcpdump), but I must recognize I´m not to familiarized with them.

I would search for tutorials to use it.

Regards!!!

[J65nko]

My first advice would be to get rid of ftp. Just like telnet, ftp should not be used on a web or application server. ftp sends passwords as well data unencrypted over the Internet. Use ftp over ssh2, as supported by Filezilla and WinSCP.

My second advice is to run a tight packet filter on the server to protect itself and disable all unused services.

A higher level defence against your website or application would be to use a web application firewall like mod_security.

If you want to be sure your server has not been cracked, tools like Tripwire or Aide will help.

[pablovalcarcel]

Thanks you too.

I was thinking using a ftp with file integrity checker

aide
diskfilemon
Gamin file alteration monitor
integrit
kfsmd
tripwire
yafic
or subversion which I could find a very interesting installation article right here:

http://www.ebswift.com/Wiki/wikka.ph...=SubversionFTP

If you use a filezilla client or Winscp, you just only need connect with the server through ssh port, isn´t it?

Monitoring ftp uploads is a good advice, but what happens if the hacker tries to connect from the usual computer where uploads come from or jumps to a any other server or computer which is in a geographically zone seems to be legal?

Regards,

[jggimi]

An IDS alerts you to intrusions as they occur, or, after they occur. It will also show you failed attempted incursions. I stopped using snort, because I was running OpenBSD and snort only showed failed attempts, never a success.

I may install an IDS and do some penetration tests for a web based application of mine that is designed, but is not yet in production. That design is for a High Availability (HA) geographically dispersed suite of servers. Some of the security decisions already in place are:

• All server to server communications for this application are encapsulated inside IPSec VPN tunnels.
• OpenBSD's PF blocks server-server application connections except those via IPSec. (e.g.: SQL connections to the database servers are only open to IPSec authenticated/encrypted connections)
• The application servers execute code from a filesystem mounted read/only.
• End user connections (on the webservers) are forced to use HTTPS through URL rewrite of HTTP.
• Administrative access to all servers - for consoles, X (if needed), and file transfers - is conducted via SSH. SSH public key authentication is the only authentication form used; password authentication is explicitly disabled.

FTP is not used, either by admins or by users. Admins expect to use SSH file transfer applications -- sftp or scp -- for administrative file transfers. Server-to-server bulk data transfers (such as database synchronization between servers) are encapsulated within IPSec VPN.