Re: intrusion tracking

On 01/25/2011 04:34 PM, Wolfgang S. Rupprecht wrote:
> 
> Once again I find myself trying to help someone piece together how an
> intruder managed to get into their system.  The system was way out of
> date (FC6) so it is no surprise that they got compromised.  From what I
> can tell, the intruder managed to get root which allowed them to remove the
> iptables file and lower the protection on ssh to allow unix passwords.
> The attacker then installed an ssh-probing client that was installed in
> /root.  That lowered ssh security allowed a second intrusion at user
> level (probably by password guessing) where an IRC bot was installed and
> run from cron with normal user permissions.
> 
> It would have been nice to know when and how they initially got in.  The
> site runs a handful of daemons (postfix, named, ntp, apache, dovecot), so
> any of them could have allowed the initial intrusion.  They didn't have
> selinux enabled, so that compounded problems.  Clearly the top level
> answer is to just impress upon them the fact that they need to stay
> current and keep selinux enabled.  It still would be nice to know how
> the attackers got in though.
> 
> The real issue is that there isn't a good activity log.  While I can
> install tripwire to watch for changed files, it probably won't tell me
> how they got in.  Is there something that addresses that problem?  Some
> poor sucker always has to be the first victim of a new attack.  It would
> be nice to know which service to disable or reconfigure until a fix is
> distributed.  Is there some way to track intruders that I'm missing?
> 
> -wolfgang

I like OSSEC.  It's pretty good at detecting break-in attempts and file
system changes.  At the very least, OSSEC would have said something as
the intruder made changes that would disable it.

-- 
-- Steve
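An ossec.conf fragment plus a local rule, added here as an illustration rather than taken from the thread or from OSSEC's shipped defaults, that watches the files this intruder changed: the iptables rules, sshd_config, /root and the cron spool. Paths assume a Fedora layout (/etc/sysconfig/iptables, /etc/ssh/sshd_config, /var/spool/cron, /etc/cron.d); the local rule id 100100 is an arbitrary pick from OSSEC's local-rule range, and 550 and 553 are OSSEC's stock syscheck rules for "checksum changed" and "file deleted".

```xml
<!-- /var/ossec/etc/ossec.conf fragment (added example; Fedora paths assumed) -->
<ossec_config>
  <syscheck>
    <!-- Full scan every 2 hours; realtime adds inotify watches so a change
         in a watched directory is reported within seconds, not at the next scan. -->
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>

    <!-- Directories holding what the intruder touched in this incident:
         the iptables rules file, sshd_config (password auth re-enabled),
         /root (ssh prober dropped there) and the cron spool (IRC bot).
         report_changes stores a diff of text files between checks. -->
    <directories realtime="yes" report_changes="yes" check_all="yes">/etc/sysconfig,/etc/ssh</directories>
    <directories realtime="yes" check_all="yes">/root,/var/spool/cron,/etc/cron.d</directories>

    <!-- OSSEC's own configuration, so disabling the agent is itself an alert. -->
    <directories check_all="yes">/var/ossec/etc</directories>
  </syscheck>

  <rootcheck>
    <!-- Signature lists shipped with OSSEC: known rootkit paths and trojaned binaries. -->
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml: raise the stock syscheck alerts
     (550 checksum changed, 553 file deleted) to level 12 for these paths
     so they stand out from routine package-update noise. -->
<group name="local,syscheck,">
  <rule id="100100" level="12">
    <if_sid>550,553</if_sid>
    <match>/etc/ssh/sshd_config|/etc/sysconfig/iptables|/var/spool/cron</match>
    <description>Security-relevant file modified or removed</description>
  </rule>
</group>
```

Realtime checking needs OSSEC built with inotify support; without it the same directories are still checked at each scheduled scan.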
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux