LINUX SECURITY --- July 04, 2000
Monitoring System Logs
by Rick Johnson
Last week I posed the question, "You are monitoring your servers, aren't
you?" That question elicited quite a response, so it seemed fitting to devote
this week's column to that very topic.
I had the wonderful pleasure of assisting with the cleanup of a
Denial-of-Service attack recently. After tracking down the origin of the attack,
we contacted the administrator for that network. He listened very carefully and
said, "I'm sorry, but you are wrong. My system is totally secure and I know for
a fact we weren't compromised." Oh great, I thought, he is one of "those". You
know the type, the person who is so sure of their abilities that the thought of
someone challenging their skill is inconceivable. Finally, he agreed to look at
the server and was shocked to discover it had been compromised more than three
weeks earlier. To top it off, the intruders had also installed a rootkit and
were harvesting passwords. It turned out that no one was actually watching the
log files. He, of course, apologized and then quietly went off to rebuild the
network. It saddens me to see a Security Administrator put so much effort into
locking down a server, only to have it run unattended.
There are a variety of ways to keep an eye on your server. The most important,
and most frequently overlooked, areas are the system logs.
One of the most useful tools in my arsenal is Logcheck from Psionic Software
(http://www.psionic.com). No secure Linux server should be caught without it.
Logcheck is a software package designed to run automatically and check the
system log files for security violations and unusual activity. It runs from cron
at specified intervals and keeps track of how far into each log it has already
read, so each run scans only the entries added since the last one. That keeps
runs fast and prevents the same incident from being reported twice. If any
unusual activity is found, the results are emailed to an address specified in
the script. The best part is that you can list patterns for routine entries
that should be ignored, and separately list strings that should always send up
the red flag, such as the tell-tale signs of an active attack. The default
installation comes with a basic set of rules to get you started. Two cautions
are worth keeping in mind: review every ignore pattern you add, because an
over-broad one silences exactly the lines you installed the tool to see, and
remember that an intruder who gains root (as in the story above) can edit the
local logs, so forwarding syslog to a separate, locked-down log host keeps a
copy the intruder cannot touch.
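The following is an added example, written for this column and not Psionic's Logcheck code, showing the mechanics the paragraph above describes in working form: remember how far into the log the previous run read, scan only the new lines, flag anything matching an "attack" pattern, drop anything matching an "ignore" pattern, and report the remainder as unusual activity in a mail-ready text block. The pattern lists, the syslog excerpt, the host and file names are all constructed for the example; the state-file format is the example's own, not Logcheck's.

```python
"""Logcheck-style log watcher (added example; not Psionic's code).
All patterns, log lines and file names below are constructed."""
import json
import os
import re
import tempfile

# Constructed stand-ins for an "attack" pattern list and an "ignore" list.
HACKING_PATTERNS = [
    r"promiscuous mode",            # an interface switched into sniffing mode
    r"failed password for root",    # someone guessing the root password
    r"ROOT LOGIN REFUSED",
]
IGNORE_PATTERNS = [
    r"CRON\[\d+\]: \(root\) CMD \(run-parts",   # routine cron housekeeping
    r"named\[\d+\]: zone .* loaded serial",      # normal zone reloads
]

# Constructed syslog excerpt: lines 2-4 are what password guessing and a
# freshly started sniffer leave behind; line 5 is merely unexpected.
SAMPLE_LOG = (
    "Jul  4 03:15:01 web1 CRON[2211]: (root) CMD (run-parts /etc/cron.hourly)\n"
    "Jul  4 03:16:42 web1 sshd[2290]: Failed password for root from 192.0.2.77 port 40122 ssh2\n"
    "Jul  4 03:16:44 web1 sshd[2290]: Failed password for root from 192.0.2.77 port 40122 ssh2\n"
    "Jul  4 03:17:10 web1 kernel: eth0: Promiscuous mode enabled.\n"
    "Jul  4 03:18:05 web1 su[2301]: + pts/2 www-root\n"
    "Jul  4 03:20:00 web1 named[540]: zone example.com/IN: loaded serial 2000070401\n"
)


def read_new_lines(log_path, state_path):
    """Return the complete lines appended since the previous run.

    The state file (example's own format) records the log's inode and the
    byte offset already read. A changed inode or a file shorter than the
    offset means the log was rotated or truncated, so reading restarts at 0."""
    state = {}
    if os.path.exists(state_path):
        with open(state_path) as f:
            state = json.load(f)
    st = os.stat(log_path)
    offset = state.get("offset", 0)
    if state.get("inode") != st.st_ino or st.st_size < offset:
        offset = 0
    with open(log_path, "rb") as f:
        f.seek(offset)
        data = f.read()
    lines = data.split(b"\n")
    partial = lines.pop()             # b"" when data ends with a newline
    with open(state_path, "w") as f:  # a partial last line waits for next run
        json.dump({"inode": st.st_ino,
                   "offset": offset + len(data) - len(partial)}, f)
    return [line.decode("utf-8", "replace") for line in lines]


def classify(lines, hacking=HACKING_PATTERNS, ignore=IGNORE_PATTERNS):
    """Sort lines into attack / unusual / ignored. Attack patterns are tested
    first, so an over-broad ignore rule can never silence an alert."""
    hack = [re.compile(p, re.IGNORECASE) for p in hacking]
    skip = [re.compile(p, re.IGNORECASE) for p in ignore]
    report = {"attack": [], "unusual": [], "ignored": []}
    for line in lines:
        if any(r.search(line) for r in hack):
            report["attack"].append(line)
        elif any(r.search(line) for r in skip):
            report["ignored"].append(line)
        else:
            report["unusual"].append(line)
    return report


def format_report(report):
    """Body text for the alert mail; an empty string means nothing to send."""
    out = []
    for title, key in (("Active System Attack Alerts", "attack"),
                       ("Unusual System Events", "unusual")):
        if report[key]:
            out.append("%s\n%s\n%s" % (title, "=-" * 24, "\n".join(report[key])))
    return "\n\n".join(out)


def demo():
    """Three cron-style passes over a constructed log: the first reports,
    the second (nothing new) stays silent, the third sees only the new line."""
    work = tempfile.mkdtemp()
    log = os.path.join(work, "messages")
    state = os.path.join(work, "messages.offset")
    with open(log, "w") as f:
        f.write(SAMPLE_LOG)
    first = classify(read_new_lines(log, state))
    second = classify(read_new_lines(log, state))
    with open(log, "a") as f:
        f.write("Jul  4 04:00:00 web1 login[2410]: ROOT LOGIN REFUSED ON TTY tty1\n")
    third = classify(read_new_lines(log, state))
    return first, second, third


if __name__ == "__main__":
    first, second, third = demo()
    print(format_report(first))
    print("--- second run: %d new lines ---" % sum(len(v) for v in second.values()))
    print(format_report(third))
```

Run it from cron the way Logcheck is run, and mail the non-empty output of format_report; the offset file is what makes the second pass silent, and the inode/size check is what keeps a rotated or truncated log from being skipped or double-read.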
Given the chance, your Linux server will try to warn of a possible problem. It's
up to you to decide when and how to listen.
Copyright 2000 ITworld.com, Inc., All Rights Reserved.