» about » content » twitter » github »

Security And Linux

Prelude

Security is a process, not a thing that has a final solution. How do you secure your system, and how do you detect if someone is trying to compromise your system?

This is an on-going document that is in it's early stages of development.

Intrusion Detection

There are many software packages to help with this (like snort), but here I just show a few simple ways to help you to determine if your system has been compromised...

Most importantly, check your logs: vi /var/log/messages and vi /var/log/secure, then you can use these commands to look deeper;

lastlog : show logins

faillog : failed login attempts

last : show login record, last, or last | head (for latest)

netstat : view active internet connections, netstat -tan, netstat -alput

fuser : identify processes using files or sockets, fuser -v -n tcp 631

lsof : check for open files, lsof or lsof | grep username | less, lsof -i :631 (list the open file using port 631)

nmap : network mapper/scanner, nmap -sS 127.0.0.1 (scan for open ports)

tcpdump : dump traffic on a network, tcpdump -i eth0 -p tcp -n (ctrl-c to stop; shows what every port is connecting to)

If you have found an IP Address mentioned that you wish to investigate, go here to track them down. If you find the ISP from which it came from, you could contact them to complain.

chkrootkit is a utility that determines if any of your root binary files have been compromised.

Download chkrootkit from here

# substutute xx below with the version number
tar -xzvf chkrootkit-xx.tar.gz
cd chkrootkit-xx
make sense
./chkrootkit
    

Security settings

I'll fill out this section with a list of things to make a system more secure, but for now, take a look at these files:

/etc/securetty and /etc/login.defs

For SSHD, consider changing your port number (in /etc/ssh/sshd_config) as I document here.

Keeping Your System up-to-date

To avoid vunerabilities found in the software on your system, you should watch for security advisories regularly, and update any software that releases a patch or new version to fix that vunerability. I have documented a couple of methods here and here.

Latest News

A few additional articles on network security:

Removing Unwanted Devices

SSH Brute-Force Attacks

© Roqet 2018 :: 2018-05-11 17:07:10