Root Compromise: Detection, Recovery, and
Prevention/Deterrence
by Rick Moen
(See also files in http://linuxmafia.com/pub/linux/security/
.)
Detection
---------
Explain types of compromise.
Explain rootkits, common paths of compromise, common goals of
intruders.
Quick checks: /usr/bin/login size (disadvantages)
Monitor log files, log analysis: messages, xferlog, utmp, wtmp,
secure,
Check suid/sgid files, root-owned (others?)
Is network port in promiscuous mode? Should be noted on console,
before
reboot/change in runlevel. (VMware uses promiscuous mode.)
Any filesystems much too large? Could be warez collections.
cron, at commands
/etc/passwd, /etc/shadow: Are there strange entries?
/etc/inetd.conf
/etc/hosts.deny, hosts.allow, hosts.equiv. .rhosts
Look for weird dotfiles "..." ".. ", etc.
Audit all nearby hosts, too.
Watch security advisories from CERT, Red Hat.
Recovery
--------
Document all steps. Coordinate with legal & management.
Should you monitor? Notify sysadmins? Prosecute? Report to
authorities?
Create a trap?
Take it slowly and carefully. Have a colleague check your
work.
Isolate system. This might mean cutting the machine's network
connection, or its LAN's. Might switch to runlevel 1.
Examine the initially-running machine state (processes, disk
space,
RAM usage, system load) before changing anything.
Back up. Use boot floppy (e.g. Tom's root-boot), then dd over
ssh, _or_
dd onto 2nd hard drive.
Examine nature & extent of break-in. /etc/* /var/log/*
Don't trust on-system tools, in so doing. Possibly mount
target filesystems on a fresh system, for examination.
Use rpm - ???? Does MD5 check. But this assumes integrity of
system's rpm database. Won't catch jiggered config or
dotfiles.
Are user data files, Web pages, ftp archives, other data files
OK?
Check for breakins to remote systems inside & outside
company. OOB
communication. Look up NIC handles at
http://www.networksolutions.com/cgi-bin/whois/whois
or other
appropriate whois server, use telephone rather than e-mail.
Check for logfiles from password/packet sniffers.
Check for rootkit files, canned-exploit tools. Look in /dev,
/var,
unfamiliar home directories.
Install clean OS build + patches. (Follow prevention steps,
below.
Set new passwords (after doing the above), password aging,
password checking.
Selectively restore from backups (no system binaries or config
files).
Restore home directories, system non-program data (Web pages,
ftp
collections). Watch for .rhosts files.
Don't reconnect to network until the above is done.
Prevention/Deterrence
---------------------
Turn off unused services, CGI binaries
Use pared-down network daemons, if they meet your needs: ???ftpd
instead
of wuftpd, boa instead of Apache, exim instead of sendmail.
Eschew plaintext-authentication network protocols, where
possible. Use
ssh, ssh tunnels, scp. Don't use xhost, let alone "xhost +".
Set up hosts.deny, hosts.allow.
Apply security fixes. VA Linux, Red Hat, kernel.
Read rootshell (cum granum salis), CERT.
Don't allow remote login by root account. (/etc/securetty should
not
include pttys.)
Add creation of root-owned, zero-length, perm. 000 .rhosts
file
to adduser script. Retrofit to existing accounts.
Set selected filesystems read-only.
Run AIDE. Store its database (and rpm's) on write-protected
media.
Install automatic analysis/notification of log contents
Carefully check ftp upload directories. Don't have files in
anonymous
directory owned by ftp user.
Consider filtering routers or proxy gateways ("firewalls").
Write a security policy.
No "joe" or guest account.
No rw NFS exports. Consider exporting to specific IP
addresses.