DaemonForums  

Go Back   DaemonForums > Other Operating Systems > Other OS

Other OS Any other OS such as Microsoft Windows, BeOS, Plan9, Syllable, and whatnot.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 15th January 2013
pablovalcarcel pablovalcarcel is offline
New User
 
Join Date: Jan 2013
Posts: 7
Thanked 0 Times in 0 Posts
Default Linux (Centos, Red-Hat) searching intrusions

Hi there again.

I was looking for some advice in order to search, detect intrusions on redhat systems.

I know some kind of intrusions as drive by download, php shells, redirections to external urls, Have I forgetting something?

Usually I check for ftp uploads and ip country, look into online websites analyzer, scan websites with updated antivirus, ...

How can I detect that intrusions and malware? What tools do you use?

Thanks in advance
Reply With Quote
  #2   (View Single Post)  
Old 15th January 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,431
Thanked 214 Times in 189 Posts
Default

Years ago, I used to use snort; its a commonly used IDS.
Reply With Quote
  #3   (View Single Post)  
Old 15th January 2013
pablovalcarcel pablovalcarcel is offline
New User
 
Join Date: Jan 2013
Posts: 7
Thanked 0 Times in 0 Posts
Default

Thanks.

I have hear about IDS as snort and others sniffers (whireshark, tcpdump), but I must recognize I´m not to familiarized with them.

I would search for tutorials to use it.

Regards!!!
Reply With Quote
  #4   (View Single Post)  
Old 15th January 2013
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,116
Thanked 182 Times in 149 Posts
Default

My first advice would be to get rid of ftp. Just like telnet, ftp should not be used on a web or application server. ftp sends passwords as well data unencrypted over the Internet. Use ftp over ssh2, as supported by Filezilla and WinSCP.

My second advice is to run a tight packet filter on the server to protect itself and disable all unused services.

A higher level defence against your website or application would be to use a web application firewall like mod_security.

If you want to be sure your server has not been cracked, tools like Tripwire or Aide will help.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 15th January 2013
pablovalcarcel pablovalcarcel is offline
New User
 
Join Date: Jan 2013
Posts: 7
Thanked 0 Times in 0 Posts
Default

Thanks you too.

I was thinking using a ftp with file integrity checker

aide
diskfilemon
Gamin file alteration monitor
integrit
kfsmd
tripwire
yafic
or subversion which I could find a very interesting installation article right here:

http://www.ebswift.com/Wiki/wikka.ph...=SubversionFTP

If you use a filezilla client or Winscp, you just only need connect with the server through ssh port, isn´t it?

Monitoring ftp uploads is a good advice, but what happens if the hacker tries to connect from the usual computer where uploads come from or jumps to a any other server or computer which is in a geographically zone seems to be legal?

Regards,
Reply With Quote
  #6   (View Single Post)  
Old 15th January 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,431
Thanked 214 Times in 189 Posts
Default

An IDS alerts you to intrusions as they occur, or, after they occur. It will also show you failed attempted incursions. I stopped using snort, because I was running OpenBSD and snort only showed failed attempts, never a success.

I may install an IDS and do some penetration tests for a web based application of mine that is designed, but is not yet in production. That design is for a High Availability (HA) geographically dispersed suite of servers. Some of the security decisions already in place are:
  • All server to server communications for this application are encapsulated inside IPSec VPN tunnels.
  • OpenBSD's PF blocks server-server application connections except those via IPSec. (e.g.: SQL connections to the database servers are only open to IPSec authenticated/encrypted connections)
  • The application servers execute code from a filesystem mounted read/only.
  • End user connections (on the webservers) are forced to use HTTPS through URL rewrite of HTTP.
  • Administrative access to all servers - for consoles, X (if needed), and file transfers - is conducted via SSH. SSH public key authentication is the only authentication form used; password authentication is explicitly disabled.
FTP is not used, either by admins or by users. Admins expect to use SSH file transfer applications -- sftp or scp -- for administrative file transfers. Server-to-server bulk data transfers (such as database synchronization between servers) are encapsulated within IPSec VPN.

Last edited by jggimi; 15th January 2013 at 05:44 PM. Reason: typos, clarity
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Weeks of searching and no answer yet - is openbsd performance good for web server ? barti FreeBSD General 12 20th August 2012 09:06 PM
NetBSD package searching ? mgreen NetBSD General 5 30th January 2010 11:27 AM
Searching and replacing weird patterns on a file. bigb89 Programming 8 6th December 2008 06:59 PM
searching for a SP/PDA like device, advice needed TerryP Off-Topic 5 26th July 2008 03:54 AM
FreeBSD on Xen (CentOS) deadeyes FreeBSD Installation and Upgrading 3 22nd June 2008 06:46 PM


All times are GMT. The time now is 12:01 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick