Intrusion Detection and Recovery
Objectives
Intrusion Risks
Security Policy
Detecting Possible Intrusions
Detecting Possible Intrusions (continued)
Monitoring Network Traffic
Monitoring Open Ports
Detecting Modified Files
Investigating and Verifying Detected Intrusions
Create a Disk Image
Detecting and Defeating Backdoors
Detecting and Defeating Root Kits
Recovering from an Intrusion
------------------
Objectives
Upon completion of this unit, you should be able to:
. Intrusion risks
. Developing a security policy
. Investigating and documenting intrusions
. Recovering from intrusions
Intrusion Risks
. System downtime
. Theft of data
. Modification or destruction of data
. Installation of hostile software
. Bad publicity and financial impacts # note: negative publicity and financial impact
Security Policy
. Your organization should have a policy on
Detection of possible intrusions
Verification and investigation of intrusions
Recovery from intrusions
Reporting of intrusions
Documentation of the policy's execution
. The policy should be developed with the support of management and legal counsel
Detecting Possible Intrusions
. Regular monitoring of ...
Log files
Network traffic
Open ports
Modified files
# iptables -t filter -A INPUT -p tcp --syn --dport 80 -j LOG
Detecting Possible Intrusions (continued)
. Monitoring log files
Systems should log to local files and to a dedicated remote host
Logs should be analyzed on at least a daily basis using logwatch
logwatch results should be delivered to a separate system
Look for signs of subverted services
# yum -y install logwatch
[root@sh_proxy cron.daily]# rpm -qc logwatch
/etc/cron.daily/0logwatch
/etc/logwatch/conf/ignore.conf
/etc/logwatch/conf/logwatch.conf
/etc/logwatch/conf/override.conf
/usr/share/logwatch/default.conf/logwatch.conf
[root@sh_proxy cron.daily]#
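As an added example (not from the course slides), the kind of check logwatch automates for sshd: a shell filter that counts "Failed password" lines per source address and flags the addresses above a threshold. The log lines and the threshold of 3 are constructed for this illustration; on a real host the input would be /var/log/secure, ideally the copy held on the remote log host.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure (sshd) lines; not real log data.
SAMPLE_LOG='Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Mar  3 10:01:14 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4023 ssh2
Mar  3 10:01:15 host sshd[2103]: Failed password for root from 203.0.113.5 port 4024 ssh2
Mar  3 10:01:20 host sshd[2105]: Accepted publickey for alice from 192.0.2.10 port 5001 ssh2
Mar  3 10:02:01 host sshd[2107]: Failed password for root from 198.51.100.7 port 6001 ssh2
Mar  3 10:02:05 host sshd[2109]: Failed password for root from 203.0.113.5 port 4025 ssh2'

# failed_logins_by_source: read log lines on stdin and print "<count> <source-ip>"
# for every address that produced a "Failed password" line, most frequent first.
failed_logins_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# sources_over_threshold [N]: print only the source addresses with at least N
# failures (default 3); these are the ones worth a closer look or a firewall rule.
sources_over_threshold() {
    threshold=${1:-3}
    failed_logins_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source
```

The pipeline deliberately keys on the source address rather than the user name: a single address cycling through many accounts is the pattern that a per-user count would miss.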
Monitoring Network Traffic
. Intrusion Detection Systems
. Use iptables rules to log suspicious access attempts
. Use tools like tcpdump and wireshark to capture and store suspicious traffic
. Implement a honeypot
Monitoring Open Ports
. netstat (from the local system)
show listening daemons: # netstat -tulpn
show active connections: # netstat -tupn
. nmap (from a remote system)
Scan a host: # nmap -P0 server1.example.com
Scan a subnet: # nmap -sV 192.168.1.0/24
GUI front-end: nmapfe
Detecting Modified Files
. md5sum
compare to listing at rhn.redhat.com
Fingerprints can be stored in a file for later comparison
. cmp
Byte-by-Byte comparison of two files
Slower than md5sum, but harder to fool
Must have known-good version of file available
. prelink modifies ELF shared libraries and ELF dynamically linked binaries, so their checksums change on a healthy system; rpm -V accounts for prelinking, a raw md5sum baseline does not
. aide
file integrity checker
Highly configurable catalog of file properties
Shipped with Red Hat Enterprise Linux version 5
. rpm
Keep a backup of the RPM database as a baseline
# rpm -V package
# rpm -Vf /path/to/file
# rpm -Va
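An added example, not part of the course material, of the "fingerprints stored in a file for later comparison" idea using md5sum: make_baseline records one checksum per file under a directory, and check_baseline fingerprints the directory again and reports what was modified, removed or added. The function names are this example's own. Paths containing whitespace are not handled, and a checksum change on a prelinked binary is not by itself evidence of tampering.

```shell
#!/bin/sh
# make_baseline DIR OUT: write "md5  ./path" for every regular file under DIR
# to OUT. Keep OUT off the host (or on read-only media): a baseline the
# intruder can edit proves nothing.
make_baseline() {
    ( cd "$1" && find . -type f -exec md5sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# check_baseline DIR BASELINE: fingerprint DIR again and print one line per
# difference (MODIFIED, MISSING, NEW). Returns 0 only when nothing changed.
# Limitations: the baseline must be non-empty (awk's NR==FNR idiom), and paths
# containing whitespace break the field parsing.
check_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    result=$(awk '
        NR == FNR { base[$2] = $1; next }            # first file: the baseline
        {
            if (!($2 in base))        print "NEW " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
            delete base[$2]
        }
        END { for (p in base) print "MISSING " p }   # left over: no longer on disk
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -n "$result" ] && printf '%s\n' "$result"
    [ -z "$result" ]
}
```

Usage is make_baseline /usr/sbin baseline.md5 right after installation, then check_baseline /usr/sbin baseline.md5 from cron; a non-zero exit is the signal to investigate from a trusted environment rather than on the live host.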
Investigating and Verifying Detected Intrusions
. Work from a secure environment
Rescue mode
Using a trusted system
Linux-on-CD custom distributions
. Image suspect block devices for analysis # note: make an image of the suspect disk and analyze the image
. Perform file integrity checks
Create a Disk Image
. Create a copy to study, do not use the original evidence
Do this from a trusted rescue environment
# dd if=/dev/sdb1 of=/evidence/sdb1.img conv=noerror,sync
. Partition images can be mounted for analysis
# mount -o loop sdb1.img /mnt/victim-sdb1/
. Whole disk images can be used to duplicate a system for study
## You can also cat the remote host's disk over ssh into a local image file
[root@sh_proxy ~]# ssh 192.168.85.252 "cat /dev/sda1" > sda1-252.img
root@192.168.85.252's password:
[root@sh_proxy ~]# mount sda1-252.img /mnt
mount: mount point /mnt does not exist
[root@sh_proxy ~]# mount sda1-252.img /media/
[root@sh_proxy ~]# ls /media/
config-3.10.0-514.el7.x86_64 initrd-plymouth.img
grub symvers-3.10.0-514.el7.x86_64.gz
grub2 System.map-3.10.0-514.el7.x86_64
initramfs-0-rescue-7ca7e99b806a47fcac647ceb281fb05e.img vmlinuz-0-rescue-7ca7e99b806a47fcac647ceb281fb05e
initramfs-3.10.0-514.el7.x86_64.img vmlinuz-3.10.0-514.el7.x86_64
[root@sh_proxy ~]#
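An added example (not from the slides) of the dd step together with the verification a forensic copy needs: image_device copies a block device (or, for a test run, any file) with conv=noerror,sync, hashes source and image, records the image hash beside it in sha256sum -c format, and fails if the two differ; verify_image re-checks the recorded hash before each analysis session. The function names are this example's own. A real device's size is a multiple of the 512-byte sector, so conv=sync adds no padding; a regular file used as a stand-in should likewise be a multiple of bs.

```shell
#!/bin/sh
# image_device SRC DEST: forensic copy of SRC into DEST, then prove the copy is
# faithful. conv=noerror keeps reading past bad sectors and conv=sync pads them
# with NULs so offsets in the image still match the device (on a device with
# read errors the hashes will legitimately differ, which is worth recording).
# Returns 1 if the image hash does not match the source hash.
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$1" | awk '{ print $1 }')
    img_hash=$(sha256sum "$2" | awk '{ print $1 }')
    # Record the image hash next to it for the case file.
    printf '%s  %s\n' "$img_hash" "$2" > "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# image_hash DEST: the hash recorded for an image (first field of the record).
image_hash() {
    awk '{ print $1 }' "$1.sha256"
}

# verify_image DEST: re-check DEST against its recorded hash; non-zero means
# the image has changed since it was taken and must not be used as evidence.
verify_image() {
    sha256sum -c "$1.sha256" > /dev/null 2>&1
}
```

Run as image_device /dev/sdb1 /evidence/sdb1.img from the rescue environment, then verify_image /evidence/sdb1.img before mounting the image read-only (mount -o loop,ro) for analysis. The same record applies to an image pulled over ssh with cat: hash the file as soon as it lands.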
Detecting and Defeating Backdoors
. Strict inbound and outbound firewall rules
. Regular checks of listening ports and files compared to a known baseline
. Network traffic monitoring and recording with tools like tcpdump or snort
. Monitoring open files with lsof and fuser
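An added example (not from the slides) serving both the "Monitoring Open Ports" netstat check and the baseline comparison recommended against backdoors: listeners normalises netstat -tulpn output to "proto local-address program", and unexpected_listeners prints every current listener absent from a known-good baseline. The netstat output and the baseline below are constructed samples, and the extra shell bound to a high port is the textbook case this check is meant to surface.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpn` output; not captured from a real host.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1030/master
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4410/-bash
udp        0      0 0.0.0.0:123             0.0.0.0:*                           790/ntpd'

# Constructed known-good baseline, recorded when the host was built.
BASELINE='tcp 0.0.0.0:22 sshd
tcp 127.0.0.1:25 master
udp 0.0.0.0:123 ntpd'

# listeners: normalise netstat -tulpn output on stdin to "proto local-address program".
# The column positions match the netstat layout above; ss output differs.
listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($NF, pp, "/")
        prog = (n >= 2 && pp[2] != "") ? pp[2] : "-"
        print $1, $4, prog
    }' | LC_ALL=C sort
}

# unexpected_listeners BASELINE_FILE: read netstat output on stdin and print
# the listeners that are not in the (non-empty) baseline file.
unexpected_listeners() {
    listeners | awk 'NR == FNR { base[$0]; next } !($0 in base)' "$1" -
}

# Stand-alone run: write the baseline to a temp file and check the sample.
bf=$(mktemp)
printf '%s\n' "$BASELINE" > "$bf"
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners "$bf"
rm -f "$bf"
```

Because a root kit can hide a socket from the local netstat, pair this with the remote nmap scan: a port that answers from outside but does not appear locally is the stronger signal.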
Root kits are programs an attacker installs after gaining root in order to hide their presence and cover their tracks
Detecting and Defeating Root Kits
. Regular checks of log files and network traffic for suspicious activity
. Regular checks for promiscuous network interfaces
. Test system binaries on a trusted system
. Break automated root kit install
. Root Kit detectors
. Special considerations for loadable kernel module ("LKM") root kits
can subvert processes without altering files
can hide processes, services, and files from local tools
Defense against LKM root kits
Investigate from a trusted environment
Use root kit detection tools
Use a static kernel (not recommended)
Recovering from an Intrusion
. Restore from a known-good backup
Do not attempt to repair the compromised system!
. Monitor the system for further attacks
The attacker may attempt to regain access
The attacker may succeed in regaining access
Reporting and Documenting the Intrusion
. How and when the intrusion was detected
. What actions were taken, and by whom
. What the nature of the intrusion was
. What was done to recover from the intrusion
Were policy changes needed?
Can similar intrusions be detected in the future?
. Notification of law enforcement if necessary
What evidence was gathered?
tripwire