Watching Your System

In the preceding paragraphs, I detailed many of the holes that are used to break into a system. I also addressed the methods that hackers use to gain information about your system to exploit these holes. In this section, I am going to talk about specific methods people have used (including myself) to circumvent normal security.

One aspect of watching your system that can cause the most problems is deciding what to do when you see that someone is hacking your system. Remember that in many places, the mere fact that someone has gained unauthorized access to your system means they have committed a crime. Like any criminal, they will want to cover their tracks. If you let them know you have caught them, they might end up removing all the files on your hard disk (rm -rf /) and then disappear.


Take a look at the holes we talked about in the previous section. Use those as a guideline for determining what security measures you want to implement on your system.

A perfect crime is more than just one where the perpetrator gets away clean. It is one where the crime is not even detected. If an intruder can access a system undetected, he is safe. If you do detect an intruder, your company security policy (see below) should detail what to do. If you are monitoring his activity to see what other machines he is trying to break into, don’t let him know you are there. If he is clever enough, he might have built in a backdoor, like one of those we discussed earlier.

Certain auditing packages like COPS will monitor and report on changes to key files. Even a shell script that simply compares values is sufficient to catch these kinds of changes. Since hackers are aware of these kinds of tools, it is not a good idea to run them automatically from cron jobs. A hacker could look in the crontabs, see what programs are being executed, and either disable them or work around them.
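A minimal version of the compare-values script mentioned above, as an added example that is not part of the original text: it records a checksum, mode, and owner for each key file and later reports any file whose record differs. It assumes GNU `sha256sum` and `stat -c`; the function names, the `init`/`check` arguments, and the file list you pass in are illustrative.

```shell
#!/bin/sh
# Added example: baseline-and-compare check for key files (regular files only).
# Assumes GNU coreutils (sha256sum, stat -c). Names and paths are illustrative.
#   sh keycheck.sh init /etc/passwd /etc/inetd.conf > baseline
#   sh keycheck.sh check baseline

# Print one record per file: "<sha256> <mode> <uid> <gid> <path>".
# A file that no longer exists is recorded as MISSING so deletion shows up too.
snapshot() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            sum=$(sha256sum < "$f" | cut -d' ' -f1)
            printf '%s %s %s\n' "$sum" "$(stat -c '%a %u %g' "$f")" "$f"
        else
            printf 'MISSING - - - %s\n' "$f"
        fi
    done
}

# Compare a saved baseline with the current state of every file it lists.
# Prints "CHANGED <path>" for each difference (content, mode, owner, group,
# or existence) and returns 1 if anything changed, 0 otherwise.
compare_baseline() {
    baseline=$1
    status=0
    while read -r sum mode uid gid path; do
        now=$(snapshot "$path")
        if [ "$now" != "$sum $mode $uid $gid $path" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Command-line entry point; does nothing when no arguments are given.
case "${1:-}" in
    init)  shift; snapshot "$@" ;;
    check) compare_baseline "$2" ;;
esac
```

Keep the baseline file on read-only or removable media so it cannot be rewritten along with the files it describes, and run the check by hand rather than from cron, for the reason given above.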

Another thing you can use is SATAN (System Administration Tool for Analyzing Networks). This is an interactive, complex application that checks a wide range of security “issues.” Although it didn’t find any more security holes than I did by hand (in fact, I found more), it doesn’t matter. SATAN is based on HTML and Perl. You have all the source code and you can quickly expand it to exploit other holes that you know about. The problem is that as of this writing, certain browsers give it problems. You may have to change the way the browser reacts to the Perl scripts. It’s available at a lot of places, such as ftp://ftp.win.tue.nl/pub/security.

Know your system. Know what kind of activity is normal for every hour of the day. Imagine it’s late Friday night and you know no one is still working. However, one computer is busily working on some process. Is it an ‘at’ job that someone started? Or is it a crack program that’s going through a password file? This is how one system administrator was able to detect a person trying to crack passwords.

What processes are normal? If suddenly a new program appears on your system and you are the only one who has access to a compiler or can install software, where did it come from? What processes run with a UID of 1? If someone’s shell suddenly starts running with a UID of 1, you know you have a problem.

Excessive processes can result in a denial of service. That is, the system is so busy doing work for the hacker that it doesn’t have time to do other things. Although you can limit the number of processes each user has, if those processes are disk intensive, a hacker could bring the system to a standstill. If the hacker were to keep writing to the file system, you could run out of space or inodes, which might cause the system to panic. Even if the system doesn’t panic, cleaning up after this will cost a great deal of time and money.