Domain: la-samhna.de
Stories and comments across the archive that link to la-samhna.de.
Comments · 13
-
Re:welcome to the big time
So, have you ever heard of a root kit? Linux has plenty of malware, and I have personally rebuilt compromised hosts. "Oh but that bug was in sendmail" or whatever you say. Cop out.
-
Which is the best for the Windows OS?
Which of those integrity checkers do you recommend for a shop that mostly uses the Windows OS? An extensive comparison says Samhain is the best.
The FAQsays Samhain works under Windows XP with Cygwin.
In Windows 7 there is a hidden, non-standard partition. I'm guessing that Samhain would not be able to check that partition. Does the design of Windows 7 prevent thorough integrity checking? Microsoft makes more money if Windows is vulnerable to malware. See the New York Times article Corrupted PC's Find New Home in the Dumpster. -
Which is the best for the Windows OS?
Which of those integrity checkers do you recommend for a shop that mostly uses the Windows OS? An extensive comparison says Samhain is the best.
The FAQsays Samhain works under Windows XP with Cygwin.
In Windows 7 there is a hidden, non-standard partition. I'm guessing that Samhain would not be able to check that partition. Does the design of Windows 7 prevent thorough integrity checking? Microsoft makes more money if Windows is vulnerable to malware. See the New York Times article Corrupted PC's Find New Home in the Dumpster. -
Re:I know what caused it
It doesn't. There's some infrastructure in place, but nothing close to the out of box simplicity and functionality of AD and Group Policy.
While agreed, it's not out of the box, there are AD solutions for LInux. http://www.quest.com/identity-management/
There's also distribution tools and models for ease of distribution. http://www.puppetlabs.com/
And let's not forget a centralized intrusion detection system. http://www.la-samhna.de/samhain/
Plenty of tools available for system distribution, and no need to 're-invent the wheel' or 'roll their own' to do so. So productivity generally includes installing these tools, configuring them, then globally distributing them based on preset configurations to all the other servers.
We use a lot of the tools above, and many others, to be able to rebuild a system, with a unique configuration, unique mount points, unique application and databases, and can generally go from bare-bone box to live server in under 20 minutes.
-
rootkit detectors
He says that the only detectors he is aware of are chrootkit and Rootkit Hunter. As he correctly points out, these are signature based - they look e.g. for specific files in userspace (chrootkit also does a generic check for hidden processes). However, the samhain integrity checker also has two different modules to check for kernel-mode rootkits. First, it can check the kernel syscall table to detect syscall redirection within the kernel (on FreeBSD and Linux), and second, it can detect hidden processes (basically in the same way as chrootkit). Also, if checking file integrity, samhain compares the number of hardlinks of a directory with the number of subdirectories to detect hidden subdirectories.
-
Re:I've always wondered...Wouldn't it be pretty trivial to
cp /mnt/cdrom/md5 /sbin/
each night before running the tool? Or, as someone else suggested, leave md5 on with another name? I'm sure most rootkits wouldn't notice if 'zsh' was actually a copy of 'md5.'Yes, it would be trivial. Unfortunately, it wouldn't do you much good these days. Modern rootkits (on Windows, Linux, what have you), are kernel based. It doesn't matter how trusted your md5, ls, ps, and other binaries are if your kernel is not reporting accurate information.
See e.g. http://www.la-samhna.de/library/rootkits/index.ht
m l for example.noah
-
Re:Pointless
indeed there is plenty of kernel modules that may rootkit your system hard: they hide themselves, hide selected files from the FS, redirect commands, can give root privileges. can execute commands sent from a remote host. If someone can install modules in the kernel , then security is skrwd. (std-disclaimer: I did not RTFA)
-
My list as a professional adminOverarching principle of making-your-life-easy: if you support more than three systems, treat them as a cluster.
- This means you have a dedicated admin machine that only a few very trustworthy admins have access to, that is very secure (no root logins, firewalled heavily, patched often, etc). I highly recommend running
SuSE Enterprise Linux 9 with the IBM EAL4+ Security Configuration
All maintenance activities are run from this management server. - Use the Parallel Distributed SHell (PDSH) utilities: http://www.llnl.gov/linux/pdsh/pdsh.html. These allow you run commands or copy files to a single system, a group of systems, or all systems at the same time. Wondering what kernel all your systems are running? Just issue a `pdsh -a uname -a`. Need to copy out the sudoers file? `pdcp -a
/home/admin/node_files/sudoers /etc/sudoers` - Run Ganglia for resource monitoring: http://ganglia.info/
- Run Samhain for filesystem integrity scanning on all servers: http://la-samhna.de/samhain/
- Host based firewalls for all servers: http://www.shorewall.net/
- Power supplies have caused more instability in my experience than any other single hardware component. Buy both good equipment and buy systems with dual redundant hot-swappable power supplies for the important machines
- Good deals can be had from the big vendors. Although we run a lot of whitebox and IBM equipment, Sun currently has a great system for a very cheap price (starts at $745): http://www.sun.com/servers/entry/x2100/.
- NFS sucks, but is the best filesystem glue-layer available. It is very sensitive to high latency environments, so run it over Infiniband (it has very low latency, and massive bandwidth (5us, 1.25GB/s) if you need to sqeeze out the best performance.
- Every system should have an electronic "system book", which contains the full hardware specs, including where each part gets service from (if bought separately), how long the warranty lasts (give end dates), contact info, etc. If you are managing 50 or less systems, keep track of all changes in a central location, otherwise track all changes by using a system which scales (even a handwritten script and DB table would be sufficient).
- Good enough is the enemy of the Best, but that is a good thing. Never overengineer a solution, this only means that other problems go unsolved.
- This means you have a dedicated admin machine that only a few very trustworthy admins have access to, that is very secure (no root logins, firewalled heavily, patched often, etc). I highly recommend running
SuSE Enterprise Linux 9 with the IBM EAL4+ Security Configuration
-
Oh yes, and Linux is free from all evil
from today, Linux worm: http://linux.slashdot.org/linux/05/11/08/140203.s
h tml?tid=220&tid=106 and of course, rootkits don't exist for Linux, oh no: http://la-samhna.de/library/rootkits/list.html MS are trying to do something about security, Vista will not stick you straight in as admin. Shame you /. types can't see passed the end of your biggoted noses. I love Linux, and I stroke my OpenBSD box goodnight, but come on Bill is not the anti christ, XP/VS/SQL/Exchange are all fine products, not everything MS does sucks or made out of spite, they really are trying to make improvements with each iteration. Stop the madness pls, it doesn't do "the cause" any good if you all act like spoilt children. At least Vista will tell you that you have a rootkit installed, will your Linux distribution do this out of the box? Exactly. -
Monitoring is expensiveWhile actively monitoring is always preferred, not everybody has the luxury of time to sit in front of the server monitoring every minor detail. Especially on projects for humanitarian organisations you do on your spare time. To be honest, some automation SHOULD be implemented, because a human is simply not a robot and will tire over time. The purpose of computing is exactly that - to alleviate humans of doing boring tasks.
I set up my scripts so I am emailed ONLY on new activity not seen before. So I find ways to silence minor attacks/alerts which does not interest me in conjunction with finding automatic ways to react on attempts.
I can recommend this setup:
- Snort (Network packet sniffer)
Enough is said about this. Absolutely needed, but useless without intervention. Oinkmaster is nice to use for automatic downloading of new rules.
- Narc Firewall
Perl script for iptables/ipchains. Fast and easy to set up, however any decent firewall will do. Narc allows for user-customization/hacking, which is a plus for those who wants to learn ipchains/iptables and do more advanced stuff than a GUI can offer. I like to fiddle with the rules myself for outgoing packets, which very few firewalls supports. It's nice to know your computer is not sending out traffic you don't know what is. By blocking everything outgoing by default, I will catch stuff in the logs and adjust the rules when I know what it is (not recommended while in production).
- BlockIt (Perl script for reactive firewalling)
Blocks hosts temporarily and permanently based on SSH-logs, snort-alerts and firewall-logs. Nice and easy to extend even if you don't know perl, but have patience to test alot. The maintainer is cool about accepting patches. Yes, you need a list of hosts to never block, and yes a dedicated cracker can spoof IP addresses to DOS you. However, I'll deal with that when somebody does just that. It depends how important your service is I guess.
- Samhain (Rootkit and file change detection)
I set up Samhain to email me of EVERY change in the root filesystem. However, I run Samhain with the silent option just after every upgrade at night. So upgrades are done automatically and silently without alerting me (Debian Stable - Sarge).
- chkrootkit (Another rootkit checker)
It's in the Debian-tree. Can't hurt to use more than one checker. This one is less spammy than Samhain and checks for other kinds of signatures in the system.
This might seem much, but I consider it a bare minimum for an install I'm not going to watch over continuously. Running Linux doesn't make you secure, and even with all this, I know I'm still vulnerable to:
A) Crackers hacking over time. Little by little they may do a portscan and find out enough to do a:
B) Full-scale successful attack. Reactive firewalls just won't stop it, and then you're cracked.
C) DOS. Automatic blocking based on IP and DSL-connection is just not enough to stop DOS and DDOS.
However, with a hardware firewall in front, I feel a bit more secure.. ;*) All emails to root is forwarded to my email-account, cron-jobs and all, and believe me, with the pruning-job done, hardly any email is sent. Days can go without any emails, oh wait, maybe..... *shiver*
One interesting project is a firewall based on snort: Hogwash. The project is in need of maintainers though. However the idea is cool: To block based on snort-alerts in real-time. This can actually be useful to block intrusions before they can do harm other than DDOSing. I for one will accept the increase in latency if it means my network is that much more secure. I really hope this one will take off one day. - Snort (Network packet sniffer)
-
Re:Must've been a real buggerIntrustion cleanup is a real bastard to carry out with any degree of success. There's really no way to prove that there isn't just one more subtle little backdoor hiding in the system, in your repository or in your
/home area.Basically, what you generally do is to rebuild from scratch, then carefully check and restore your repository.
How well would TripWire have worked in this kind of situation? Or is that ineffective against an all-out rooting?
This is why the authors of the host-based IDS recommend that you keep your database on media that is read-only or kept off of the machine. At that point, it becomes an administrative problem.
- How do you write the updated database to read-only media on a remote box?
- When on a shared box that is not your own, especially with a development box, what changes are valid?
- Who/how many admins do you need or use for the boxes?
You could use something like Samhain, which automates a lot of the detection of changes, and supports a management console.
Remember, if it were easy, anybody could do it. Microsoft has tried this approach to system administration, and look how successful its been.
:) -
Re:well...
Depends on the file integrity checker. E.g. with samhain, you can have the baseline database on a remote server. So you can just re-install the client, and run a check against the baseline that the client will retrieve from the server.
-
Where I work...
We use samhain. It's very nice because it can log to a remote host and store the filesystem database on a remote host as well. It also runs as a deamon and scans at a set interval. You can even make it change its name and hide its code in image files so as to trick hax0rs into thinking that its not installed.
The only thing I don't like about it is that I have it scheduled to check the machines every 10 mins, so if one of the junior admins changes something and forgets to reset the database I get an email every 10 mins until I reset it.
The homepage for samhain is http://la-samhna.de/samhain/