2008/08/30
Last update 1998/09/29
The Labs - Design & Functionality For The Net
System Consistency Security UNIX Tool
$MyVersion: 0.017 - Sun Aug 2 15:35:18 EDT 1998 - kiwi$
- Introduction
- Download
- Installation
- File-Ident
- Final Thoughts
- Resources

1. Introduction
In July 1998 we got attacked on one of our servers, and
as a result we had to learn a hard lesson: Pay Attention
To Security. Don't start to care about it when it's
too late and you end up reinstalling the OS several
times to get rid of Trojan horses if they keep using the
same security hole over and over.

2. Download
system-consistency-package.tar.gz

3. Installation
Follow these steps:
- Run make
- system-consistency is a Perl script, the main script.
- system-dirs contains the list of directories to watch over; feel free
  to extend it, e.g. with your /etc/init.d/ or other dirs:

    # --- List the directories you like to watch over:

    /usr/local/bin
    /usr/sbin
    /sbin
    /bin
    /etc
    /lib
    /usr/lib
    /usr/local/lib

    # --- those lines starting with : are ignored to check
    # ie. in case some of the files changes intentionally very
    # often, put it below.

    :/etc/hosts
    :/etc/resolv.conf

Start it with
in the same directory. It will scan all directories every 5 minutes.
By default any possible intrusion will be emailed to root, and
all users on the system are notified using wall. You may want
to disable the wall messaging (within system-consistency)
when you have users working directly on your server; they might
get very scared when they see that notice after you make
intentional changes (e.g. adding new users).
Don't add /etc/passwd to the files that are not checked; leave it as
a file to check. Even when you add new users yourself,
system-consistency alerts you to a possible system intrusion.
Important Note: Rename system-consistency and file-ident (you then
need to edit the system-consistency Perl source) before you
actually run it on your system. Make it difficult for potential hackers
to know which program is watching for them.

4. File-Ident
The file signature is created by file-ident.c, a small program that
uses the following simple file-content scrambler:

    unsigned char *buff; /* data-content */
    int fileid[256];     /* 1024 bit initialized with 0 */

    for(i=0; i<len; i++) {
        fileid[buff[i]]++;
        fileid[i&0xff] += fileid[buff[i]];
    }

The first line only keeps track of how often each byte value occurs;
it does not check what appears where, i.e. an exchange of two bytes in
a file won't be noticed. Therefore the second line is added: it scrambles
the data content according to its position. Since the second line
feeds fileid[] back into fileid[], the scrambling gets very complex.
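
The loop above wrapped in a compilable function and run over constructed strings. This is an added example, not the original file-ident.c; the function names, the mix switch and the unsigned counters are assumptions. It shows that the histogram alone misses a byte swap, that the second line catches a swap when the two bytes' running counts differ, and that a swap of two bytes with equal running counts still yields the same signature.

```c
/* Added example, not the original file-ident.c; names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define IDLEN 256

/* mix = 0: first line of the page's loop only (byte histogram).
 * mix = 1: both lines, as on the page.
 * Assumption: unsigned counters, so large files wrap instead of
 * overflowing a signed int. */
static void file_ident(const unsigned char *buff, size_t len,
                       unsigned int fileid[IDLEN], int mix)
{
    size_t i;

    memset(fileid, 0, IDLEN * sizeof fileid[0]);
    for (i = 0; i < len; i++) {
        fileid[buff[i]]++;
        if (mix)
            fileid[i & 0xff] += fileid[buff[i]];
    }
}

/* Returns 1 when both strings produce the same signature, else 0. */
int same_signature(const char *a, const char *b, int mix)
{
    unsigned int ida[IDLEN], idb[IDLEN];

    file_ident((const unsigned char *)a, strlen(a), ida, mix);
    file_ident((const unsigned char *)b, strlen(b), idb, mix);
    return memcmp(ida, idb, sizeof ida) == 0;
}

/* Constructed sample inputs: one string and two byte-swapped copies. */
static const char ORIG[]   = "/usr/sbin";
static const char SWAP_A[] = "/us/rsbin"; /* 'r' (1st occurrence) <-> '/' (2nd) */
static const char SWAP_B[] = "/usrs/bin"; /* '/' (2nd) <-> 's' (2nd) */

int main(void)
{
    printf("histogram, swap A: %s\n", same_signature(ORIG, SWAP_A, 0) ? "same" : "differs");
    printf("both lines, swap A: %s\n", same_signature(ORIG, SWAP_A, 1) ? "same" : "differs");
    printf("both lines, swap B: %s\n", same_signature(ORIG, SWAP_B, 1) ? "same" : "differs");
    return 0;
}
```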

5. Final Thoughts
System-Consistency was a 2h programming session I did after
I discovered a break-in on one of our servers. By no means does it
reflect a state-of-the-art commercial security tool, but it works for us.
This package doesn't relieve you of paying attention to security. Subscribe
to the Netspace.Org: BugTraq mailing-list.
It gives you a good summary of security holes and fixes discovered by
the net community.
Don't think hackers type non-stop in front of their computers to hack sites;
they run IP scanners and
scripts which run different intrusion programs, and these run non-stop 24h
a day to find vulnerable sites. The moment your system is connected to the
net, whether via leased line, dial-up ISP, or satellite antenna doesn't
matter, you have an IP number and are therefore reachable for email or
receiving web pages, but can also be attacked.
Don't think this is paranoia: I have a dial-up ISP and every time I
log in to the net I get a different IP number, and my log files showed
three break-in attempts within two weeks . . .

6. Resources
See Net & Unix Security on this site.

All Rights Reserved - (C) 1997 - 2008 by The Labs.Com