The LINUX.COM Article Archive
Originally Published: Monday, 13 March 2000 | Author: Benjamin D. Thomas
Published to: enchance_articles_security/Advanced Security Articles
Intrusion Detection Primer
Benjamin Thomas, an active LinuxSecurity.com contributor, puts together an Intrusion Detection Primer. It is a
collection of six research summaries that outline the basics of Intrusion Detection.
Robert Graham, in “FAQ: Network Intrusion Detection Systems” (2000), writes that user passwords can be obtained very easily. Crackers have many techniques for capturing passwords. One is clear-text sniffing: the three most popular Internet protocols, HTTP, FTP, and TELNET, use plain-text passwords that can be intercepted if an intruder installs a protocol analyzer (a.k.a. packet sniffer) between the client and server. Another way crackers can obtain passwords is by capturing the password file (/etc/passwd) on the server and using a cracker program with a dictionary file to uncover passwords. Brute-force cracking (programming a computer to try every possibility) can take a significant length of time, especially if users have chosen passwords longer than 8 characters. Social engineering is probably the easiest way to obtain passwords: the intruder calls the target and cons them into giving out their password. Usually intruders will call large companies, find vulnerable people, claim to be in the IS department, and ask for the password. This technique is very common. Passwords are the foundation of computer security. Keeping them confidential, using a combination of uppercase letters, lowercase letters and numbers, and changing them periodically is extremely important.
Many administrators spend hours securing network servers, updating software and firmware, and analyzing logs in search of abnormal system activity. Because software is constantly evolving, security is an endless process. Has every possible intrusion been covered? From time to time systems are compromised because one vulnerability is overlooked. What should be done when an intrusion is detected?
“Practical UNIX & Internet Security” (1996), written by Simson Garfinkel and Gene Spafford, offers much more than security methods. An entire section is devoted to handling events such as break-ins, DoS attacks, and computer security law. When an intrusion is discovered, what steps should be taken? First of all, don’t panic! Events that look like a system intrusion may actually be software configuration errors. If an intrusion is suspected, react quickly by terminating the network connection. (This can be done by physically unplugging the Ethernet or modem cable.) Next, document everything you observed and any actions taken to restore the system. Documentation can prove to be a valuable tool when trying to determine which backups to restore. Finally, plan ahead for the next network intrusion by identifying the problem, determining the damage caused, restoring the system, and reporting the incident to the proper authorities. Unexplained reboots, significant hard drive activity, system crashes, and sluggish network connections may all be signs of an intruder. If any of these symptoms exist, it would be wise to review /var/log/syslog and /var/log/messages. (These are the standard log files on UNIX-based architectures.) If an intrusion occurs, organizations such as CERT (Computer Emergency Response Team) and FIRST (Forum of Incident Response and Security Teams) should be notified immediately. They can assist in tracking down the criminal. If handled properly, system damage can be minimized when a network intrusion is discovered.
If a security breach has been detected and reported to the authorities, what else should be done? The attacker could potentially return and use malicious backdoors he or she installed, or exploit other vulnerabilities. How can the intruder be tracked down?
The February 2000 issue of Network Magazine contains an interesting article titled “Gauging the Real Hacker Threat to Your Network.” The author, Ramon J. Hontanon, explores incident response, reading intruders’ tracks, ways to avoid intrusion, and information warfare. When a security breach is discovered, disconnect the computer from the network, make an external copy of all log files, look for changed modification dates on “static” system utilities, and search for amendments to the passwd file. Following the filesystem check, a full TCP (Transmission Control Protocol) system scan should be executed. This will uncover newly opened ports, reconfigured services, or installed trojan horses. After a thorough system examination, the log files should be studied to determine the skill level and geographical location of the intruder. Did he make any mistakes, or leave anything uncovered? Using the log files to determine the time of attack and the originating host will help uncover the location of the intruder. When not tracking down an intruder, energy should be devoted to internal system auditing. This includes reviewing log files daily, running periodic port scans, and changing system passwords monthly. System administrators should also install and maintain the latest kernel security patches that are available. There is no substitute for quick human response and thorough investigation. Searching security websites and sifting through security newsgroups should be a normal routine.
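The filesystem checks from this summary, as an added shell example that is not code from the article or from Network Magazine: it lists utilities modified after a known-good reference time and reports passwd amendments against a baseline copy. The function names, the baseline files and the sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: post-incident checks against a known-good baseline.
# Function names, file layout and sample data are assumptions, not from the article.

# Files under DIR ($2) modified after REF ($1), a file whose mtime marks the known-good time.
changed_utilities() {
    find "$2" -type f -newer "$1" | sort
}

# passwd entries added, changed or removed relative to a baseline copy ($1) vs current ($2).
passwd_amendments() {
    awk -F: '
        NR == FNR      { old[$1] = $0; next }              # first file: baseline
        !($1 in old)   { print "ADDED   " $1; next }
        old[$1] != $0  { print "CHANGED " $1 }
                       { seen[$1] }                        # still present
        END { for (u in old) if (!(u in seen)) print "REMOVED " u }
    ' "$1" "$2" | sort
}

# Accounts other than root that carry UID 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample data (not real system files) so the checks run offline.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf 'x' > "$d/bin/ls"; printf 'x' > "$d/bin/ps"
    touch -t 200001010000 "$d/bin/ls" "$d/bin/ps"
    touch -t 200002010000 "$d/ref"            # known-good reference time
    touch -t 200003010000 "$d/bin/ps"         # "ps" altered after the reference
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:500:500::/home/alice:/bin/sh' \
        'bob:x:501:501::/home/bob:/bin/sh' > "$d/passwd.base"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:500:500::/home/alice:/bin/bash' \
        'toor:x:0:0::/:/bin/sh' > "$d/passwd.now"
    echo "$d"
}

sample=$(make_sample)
changed_utilities "$sample/ref" "$sample/bin"
passwd_amendments "$sample/passwd.base" "$sample/passwd.now"
extra_uid0 "$sample/passwd.now"
rm -rf "$sample"
```

Modification times can be reset by whoever altered the file, so a clean result from the timestamp check does not by itself show that a utility is untouched.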
Rather than only taking standard security precautions, many administrators feel that installing intrusion detection software can help lessen the burden of network analysis. Additional software can also help remove unneeded modules, better apply permissions, and implement cryptography.
Philippe Biondi, a member of the Linux Intrusion Detection System project, wrote (2000) documentation for LIDS (Linux Intrusion Detection/Defense System). LIDS is a free software package for the i386 Linux architecture with the primary goal of protecting against root account intrusions. In order for LIDS to properly secure the server operating system, it must restrict the use of modules and raw memory/disk access, protect boot files, and prevent access to I/O ports. LIDS will also log every denied access attempt, lock routing tables and firewall rules, and restrict mounting. Another interesting feature is its ability to hide system processes. Users logged into the system will not be able to execute a simple command such as ‘ps -aux’ to reveal running daemons. After LIDS is installed, it is first executed as a boot image initiated by LILO (Linux Loader). This feature guarantees that the system remains secure throughout the entire boot process. LIDS has proven to be an effective tool in both intrusion detection and prevention.
Conclusion
Intrusion detection is a process that must be executed by system administrators in order to maintain secure networks. An administrator must understand the importance of protecting his or her network, how exploited vulnerabilities can bring a system to its knees, and how to react to security incidents. System administrators must stay informed of all system advisories, flaws, and software updates. Not taking appropriate action to fix known problems can prove fatal to network servers. The summaries outlined here illustrate various methods of intrusion detection and how to react when a breach has occurred. As our society begins depending more on network systems, information security will become more of an issue. If network administrators do not remain informed of software updates and fail to closely monitor their servers, network security will remain problematic. Intrusion detection is a necessary process that must be fully understood and executed to maintain network security.