This page covers some common first steps for securing systems and recovering from a break-in. We've included cautions and suggestions that have been particularly helpful to us, as well as links to other sites where security information is carefully maintained.
Preparing ahead of time will help prevent common forms of attack. An aphorism to remember is, "security is not a product; it's a process". It is not a task that you accomplish once and then check off of your to-do list. System security is an ongoing responsibility.
Where do I begin?
The US-CERT Security Publications are a helpful series of documents on security issues.
What kinds of attacks should I be looking for?
Some common break-in and root-access techniques that we've seen:
- packet sniffing
- ftpd vulnerabilities
- BIND vulnerabilities
- cracking passwords
- sendmail vulnerabilities
- imap vulnerabilities
- /bin/mail bugs
- other SUID program bugs
- ttdbserverd exploit
- buffer overflow vulnerability in POP servers
- sadmind exploit
What is an intruder's goal?
This varies depending on the type of system. Common break-in goals that we've seen:
- Setting up mail or IRC spam bots (for a variety of purposes)
- Launching denial-of-service attacks against other systems, either inside or outside the local network
- Disguising the origin of attacks against other systems (website defacement, data theft, etc.) by launching them from the compromised host
What tools are available to help secure my system?
Keep current on patches and updates available for the systems you manage.
Here are some tools you may consider installing, most of which are available directly from CERT:
Should I Install a Firewall?
What should I do when I discover my system has been compromised?
First, look at the steps given in the IMSS web page, Your Responsibilities as a Caltech Sysadmin.
If you have discovered a compromised account, find out which remote systems have been logging into that account (the "last" command shows this), and then check whether those same systems have also been logging into other accounts on your system; the intruder may hold more than one account.
You should alert the owners of any remote machines seen logging into the compromised account that their own systems may be compromised, or that one of their authorized users may be breaking into accounts on other systems.
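The two checks just described, as an added shell example that is not part of the original page: it pulls the remote addresses that logged into a compromised account out of login records in the format printed by "last -i", then lists every other account reached from those same addresses. The login records, the account name jdoe and all addresses in them are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original page: triage a compromised account
# from login records in the format printed by "last -i" (user, tty, remote
# address, date). The records below are constructed sample data; the account
# "jdoe" and every address in it are hypothetical.
LC_ALL=C; export LC_ALL

SAMPLE_LOGINS='jdoe     pts/2        10.1.2.3         Mon Mar  3 02:14 - 02:40  (00:26)
jdoe     pts/1        192.0.2.44       Sun Mar  2 23:05 - 23:59  (00:54)
asmith   pts/3        10.1.2.3         Sun Mar  2 22:10 - 22:15  (00:05)
bkim     pts/0        198.51.100.7     Sun Mar  2 20:00 - 20:30  (00:30)
jdoe     pts/1        198.51.100.7     Sat Mar  1 18:00 - 18:20  (00:20)
root     tty1         0.0.0.0          Sat Mar  1 09:00 - 09:10  (00:10)
wtmp begins Sat Mar  1 00:00:00 2025'

# Remote addresses that logged into the given account, one per line, sorted.
# "last -i" prints 0.0.0.0 for console logins, which are skipped.
remote_hosts_for_account() {
    # $1 = login records, $2 = account name
    printf '%s\n' "$1" |
        awk -v acct="$2" '$1 == acct && $3 != "0.0.0.0" { print $3 }' | sort -u
}

# Other accounts reached from those same addresses, as "address account"
# pairs. A hit means the intruder (or the remote user) holds more than one
# account here, or that the remote host itself is compromised.
other_accounts_from_hosts() {
    # $1 = login records, $2 = compromised account
    hosts=$(remote_hosts_for_account "$1" "$2")
    printf '%s\n' "$1" |
        awk -v acct="$2" -v hostlist="$hosts" '
            BEGIN { n = split(hostlist, h, "\n"); for (i = 1; i <= n; i++) seen[h[i]] = 1 }
            $1 != acct && ($3 in seen) { print $3, $1 }' | sort -u
}

# Stand-alone run against the sample data. On a live system feed it
#   records=$(last -i)
# instead; note that "last" reads /var/log/wtmp, which a root intruder can
# edit, so an empty result does not prove nobody else logged in.
echo "Addresses that logged into jdoe:"
remote_hosts_for_account "$SAMPLE_LOGINS" jdoe
echo "Other accounts used from those addresses:"
other_accounts_from_hosts "$SAMPLE_LOGINS" jdoe
```

Each address in the second list is a remote machine whose owner should be contacted, and each account named beside it should be treated as compromised until proven otherwise.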
Locally, the most important thing is to confirm whether the intruder managed to get root access. If they did, this is a serious problem, particularly because they may have left behind mechanisms for collecting local passwords, such as trojan-horse versions of commonly used programs (e.g., telnet, login, the shells) or a network interface set to "promiscuous mode" for packet sniffing.
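An added example (not from the original page) of the two checks just described: look for interfaces flagged PROMISC in the output of "ip -o link show", and compare critical binaries against a SHA-256 manifest recorded while the system was known clean. The sample "ip -o link" output, the interface names and the manifest format are this example's own assumptions, and it needs sha256sum or shasum on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original page: two checks for the traces a
# root intruder leaves behind. The "ip -o link" output and interface names
# below are constructed sample data, and the manifest format is this
# example's own; "sha256sum" (or "shasum") must be on the PATH.
LC_ALL=C; export LC_ALL

# --- 1. Interfaces in promiscuous mode -----------------------------------
# "ip -o link show" prints one interface per line:  N: name: <FLAGS> ...
# A packet sniffer shows up as PROMISC in the flag list.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

promisc_interfaces() {
    # $1 = output of "ip -o link show"; prints the names flagged PROMISC
    printf '%s\n' "$1" | awk -F': ' '$3 ~ /PROMISC/ { print $2 }'
}

# --- 2. Trojaned binaries --------------------------------------------------
# Record SHA-256 hashes of critical binaries while the system is known clean,
# keep the manifest off the machine, and compare against it later.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

record_manifest() {
    # $1 = manifest to write, remaining arguments = files to record
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    done
}

verify_manifest() {
    # $1 = manifest; prints "MODIFIED path" or "MISSING path" for each
    # discrepancy, in manifest order, and nothing when every file matches
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$1"
}

# Stand-alone run: the sample interface list, then the manifest check on
# throwaway files standing in for /bin/login and friends.
echo "Promiscuous interfaces in the sample output:"
promisc_interfaces "$SAMPLE_IP_LINK"
demo=$(mktemp -d)
printf 'clean login\n' > "$demo/login"
record_manifest "$demo/manifest" "$demo/login"
printf 'trojaned login\n' > "$demo/login"
echo "Manifest check after tampering:"
verify_manifest "$demo/manifest"
rm -rf "$demo"
```

Both checks rely on the tools and kernel of the suspect machine, which a root intruder can have replaced (rootkits have long shipped versions of ifconfig that hide the PROMISC flag), so run them from a clean boot medium with the manifest stored off the machine. A clean result is reassuring but not proof; a hit is proof enough to follow the reinstall advice below.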
The only certain way to recover from a root break-in is to re-install your system from trusted media, change every password that was stored or typed on the compromised machine (the intruder may have captured them), and carefully follow the steps given in the Prevention section before putting the system back into service.