Security And Linux
Security is a process, not a thing with a final solution. How do you secure your system, and how do you detect whether someone is trying to compromise it?
This is an ongoing document in its early stages of development.
There are many software packages to help with this (like snort), but here I just show a few simple ways to help you determine whether your system has been compromised.
Most importantly, check your logs:
vi /var/log/messages
vi /var/log/secure
Then you can use these commands to look deeper:
lastlog : show the most recent login of every account
faillog : show failed login attempts
last : show the login record
last | head (for the latest entries)
netstat : view active internet connections
fuser : identify processes using files or sockets
fuser -v -n tcp 631 (show which process holds TCP port 631)
lsof : check for open files
lsof | grep username | less (open files belonging to one user)
lsof -i :631 (list the open files using port 631)
nmap : network mapper/scanner
nmap -sS 127.0.0.1 (scan your own host for open ports)
tcpdump : dump traffic on a network
tcpdump -n -p -i eth0 tcp (ctrl-c to stop; prints every TCP packet on eth0 with source and destination address and port; -n leaves names unresolved, -p keeps the interface out of promiscuous mode)
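As an added example (not part of the original page), here is a small shell script that does what the "check your logs" advice above describes, but repeatably: it reads /var/log/secure-style lines and summarises failed SSH logins by source address, lists addresses above a threshold, and flags any address that failed and was then accepted. The log lines in SAMPLE_LOG are constructed for illustration and use documentation address ranges; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins from /var/log/secure-style lines.
# SAMPLE_LOG is constructed for illustration; the addresses belong to nobody.

SAMPLE_LOG='Mar  3 10:01:12 host sshd[2311]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[2311]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 10:01:19 host sshd[2318]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:01 host sshd[2320]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 10:02:44 host sshd[2325]: Failed password for invalid user test from 198.51.100.23 port 33001 ssh2
Mar  3 10:03:10 host sshd[2330]: Accepted password for bob from 198.51.100.23 port 33010 ssh2'

# failed_by_source: read log lines on stdin and print "count address" for
# every address with failed password attempts, most frequent first.
failed_by_source() {
    grep 'sshd\[[0-9]*]: Failed password for' \
    | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# sources_over_threshold N: addresses with at least N failed attempts.
sources_over_threshold() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# accepted_after_failures: addresses that failed at least once and were
# later accepted. A guessed password that eventually worked looks exactly
# like this, so these logins deserve a closer look (who, from where, when).
accepted_after_failures() {
    awk '
        {
            # pull the address out of " from A.B.C.D port "; skip other lines
            if (match($0, / from [0-9.]+ port /))
                ip = substr($0, RSTART + 6, RLENGTH - 12)
            else
                next
        }
        /Failed password for/ { failed[ip] = 1 }
        /Accepted [a-z]+ for/ {
            if ((ip in failed) && !(ip in seen)) { seen[ip] = 1; print ip }
        }
    '
}

echo "failed attempts by source:"
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
echo "addresses with three or more failures:"
printf '%s\n' "$SAMPLE_LOG" | sources_over_threshold 3
echo "addresses that failed, then were accepted:"
printf '%s\n' "$SAMPLE_LOG" | accepted_after_failures
```

On a real system, feed the functions the actual log instead of the sample, for example sudo cat /var/log/secure | sources_over_threshold 10 (on Debian-based systems the equivalent file is /var/log/auth.log). The thresholds and patterns are deliberately simple; the point is that once the check is a script, it can be run from cron and its output compared from day to day instead of eyeballing the log in vi.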
If you have found an IP address that you wish to investigate, go here to track it down. If you find the ISP it came from, you could contact them to complain.
chkrootkit is a utility that checks whether any of your system binaries show signs of a known rootkit.
Get chkrootkit from here, then build and run it:
# substitute xx below with the version number
tar -xzvf chkrootkit-xx.tar.gz
cd chkrootkit-xx
make sense
./chkrootkit
I'll fill out this section with a list of things to make a system more secure, but for now, take a look at these files:
For SSHD, consider changing your port number (in /etc/ssh/sshd_config) as I document here.
Keeping Your System Up-to-date
To avoid vulnerabilities found in the software on your system, watch for security advisories regularly, and update any software that releases a patch or new version to fix that vulnerability. I have documented a couple of methods here and here.
A few additional articles on network security: