
Re: RE : [cobalt-security] Forensics on a hacked server



Hi Michael,

Have you had experience with any of the ISS products? I would have to say that if your budget (or your provider's budget) could handle the strain of a full commercial security installation, then I would argue that you CAN stop intruders.

Without giving them (ISS) too much of a plug, they have some incredibly complex monitoring technologies, and some new security appliances which can respond to all sorts of threats - among other things you can reset tcp sessions, re-configure firewalls and routers on the fly, or even click a button that deploys a heavily armed special forces unit 24x7......

Seriously though, security is a challenge that you don't overcome by just installing one line of defense (or multiple lines of defense all on one box!). If you were going to try to utilize open-source security countermeasures only, then the answer is probably that you get what you pay for.

Some simple tips would be:

use a standalone firewall
use an application level proxy which has the ability to look into traffic streams, and match against known attack signatures
use a stealth network IDS device which has the ability to reset unauthorized or suspicious connections and which can update firewall rules if an attack occurs
use file system integrity checking and auditing software
use a VPN solution to manage your server instead of the default web browser
keep all of your OS patching up to date
monitor lists like this to make sure you are aware of the latest security threats to your hardware
enforce password policies on your server
manage third party script uploads to your server

Hehe, one of my colleagues just suggested that if your customers were only active during the day, then why not shut off your server at night?? ... wicked security stuff now.


Lastly, the aim is to make your attacker jump through as many hoops as it takes for him/her to get bored, or for one of your security systems to notice him/her and shut down the first hoop, reroute the second, block the third and fourth from accessing your server, and send you a nice message saying "sleep tight, all is well here", all without spending too much money, wasting too many hours, and still giving your customers good service!


Sonny.





On Thursday, May 22, 2003, at 05:13 AM, Michael Stauber wrote:

Hi Alain,

One bottom-line question I wonder about is this: is there any way to be secure from these kinds of attacks?

No, not really. You can make it more troublesome for an intruder to get in, but you can never achieve total security. But make it just difficult enough so that he'd rather target the unsecured box next to yours, and you're spared for the moment.

It is possible to increase your awareness by adding extra tools like Tripwire
or Fcheck which check the filesystem for modifications. If some files
(binaries in /usr/bin for example) change out of the blue, then you instantly
know something is wrong.

Additional agents like Snort can scan the network traffic for suspicious
activity and Logcheck can scan the logfiles for unusual activity.

But basically those tools don't prevent an intrusion all by themselves. They
just act as "tripwires" to alert you if someone has gained unauthorized
access.

LCAP can prevent the loading of malicious kernel modules once someone gets in.

Denying the compiler GCC to anyone but root is also a good security measure, as it limits the damage that an intruder can do if he managed to get into your box as a regular user, either directly by SSH or through an exploited service which runs as an unprivileged user (httpd for instance).

Installing a firewall on the RaQ itself can help to make it more difficult for an intruder to get in or to make use of installed backdoors. But a firewall doesn't protect you against vulnerabilities in services to which you need to allow access from anywhere (Apache, Sendmail, POP3, IMAP and so on). Likewise, a software firewall running on the same server is never as good and as reliable as a dedicated - separate - firewall which you put in front of your network assets.

Some of these tools and/or procedures can help to get an early warning when something fishy is happening. Some carefully implemented procedures can make it more difficult for an intruder to get in and to actively use the RaQ for his shabby business (ingress & egress filters on a firewall for instance).

But this is a constant struggle. Build a better alarm system and the hacker
will sooner or later come back with better tools.

So there is no patented solution that works all the way. Even if there were, there is still the possibility that the box next to yours in the datacenter is hacked and runs a tool that is sniffing your login details while you log in to your box as admin by POP, IMAP, FTP or HTTP instead of using an encrypted connection.

Even if you never ever submit your admin password over an unsecured connection, there is still the chance that someone gets in by sniffing your users' POP3 or IMAP passwords and logs in with their details. Once on the command line he can then try to exploit services from the inside to get root access.

Disabling and denying shell access to all users but admin is therefore one of the first security procedures you should implement.

Finally you should have a good backup solution at hand which allows you to quickly restore a compromised server. Hopefully you'll never need it, but isn't that true for all security measures?

--

With best regards,

Michael Stauber

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security