Server security and integrity

If you have presence in internet, whether it is a server you fully manage or hosted, even shared by somebody else, you need to think how you can secure yourself from potential malicious attack.

Truth is simple, you will be a target at some point. It may be directed at you, it may be that you are only collateral damage, this will happen. The only sure way to prevent your assets from being attacked from internet is to not connect them to it.

One of the tools that can certainly help is OSSEC. It is a host-based intrusion detection system, HIDS in short. It monitors log files, system binaries, generic files and kernel for changes that may potentially be indication of the intrusion.

It is intended to run in server-agent architecture, where server controls several agents and gathers all events that occurring on them. It then can notify administrator about them, as well as instruct agent what to do based on rules for example to add suspicious IP to a firewall.

OSSEC can be useful as well for stand alone hosts, for example single server or even post-mortem investigation on a compromised server.

You can install OSSEC in local mode and then use it via command line, for example:

/var/ossec/bin/syscheck_control -i 000

Integrity checking changes for local system 'localhost -':

Changes for 2012 Dec 19:
2012 Dec 19 11:40:01,0 - /etc/blkid/
2012 Dec 19 11:40:01,0 - /etc/blkid/
2012 Dec 19 11:40:21,0 - /etc/apf/internals/.apf.restore
2012 Dec 19 11:40:21,0 - /etc/apf/internals/.last.full
2012 Dec 19 11:41:41,0 - /etc/passwd.nouids.cache
2012 Dec 19 11:42:03,0 - /etc/sysconfig/hwconf
2012 Dec 19 11:46:22,0 - /usr/sbin/r1soft/log/cdp.log
2012 Dec 19 12:24:48,0 - /etc/blkid/
2012 Dec 19 12:24:48,0 - /etc/blkid/
2012 Dec 19 12:25:08,0 - /etc/apf/internals/.apf.restore
2012 Dec 19 12:25:08,0 - /etc/apf/internals/.last.full
2012 Dec 19 12:26:32,0 - /etc/passwd.nouids.cache
2012 Dec 19 12:26:52,0 - /etc/sysconfig/hwconf
2012 Dec 19 12:31:22,0 - /usr/sbin/r1soft/log/cdp.log

/var/ossec/bin/rootcheck_control -i 000

Policy and auditing events for local system 'localhost -':

Resolved events:

** No entries found.

Outstanding events:

** No entries found.

This is a limited insight to the IDS events, much better is to have mail notifications about them send to admin address, along with possibility to execute a command via agent, for example iptables block.

This entry was posted in Managed Hosting. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>