9 Suspicious Events that you should investigate while detecting System Intrusion


Linux systems vary greatly in how they operate. One system might normally run with a high CPU load, whereas another might normally run with little or no load. One computer might normally see little network traffic, whereas another might regularly transfer gigabytes of data every day. As a system administrator you should be aware how your system normally behaves.

One method of detecting intruders is to know how your system normally operates and then detect any deviation from that standard. Even simple signs like a higher-than-normal system load, unusual files or changes to configuration files can indicate an intrusion. Looking for odd system behavior can help you find intruders on the system, and even if the odd behavior is not due to an intrusion, it still points to a problem that needs fixing.

Unusual Load Averages

A load average is a measure of the demand for CPU time placed on the system by all the programs it runs. Load average can be checked with uptime or top, and many GUI environments now also provide load average meters. If the load average moves outside its usual range, that might indicate that a cracker has broken into the system and is running CPU-intensive programs or causing programs to crash. It is also possible, though, that legitimate users are demanding more CPU time for normal reasons, or that CPU-intensive programs are crashing for other reasons.

Unusual Network Traffic

Similar to load averages, a system normally sees a certain range of network traffic. One possible cause of changes in network traffic patterns can be an intrusion. A cracker might be using your system as a node in a distributed denial-of-service (DDoS) attack, for instance, chewing up your network bandwidth. On the other hand, you could be seeing an innocent spike in demand for a server's services, or a user could be downloading unusually large files for legitimate reasons. One way to monitor network traffic is to watch the activity LEDs on a NIC, hubs, switches, telephone modems, and broadband modems. Typing ifconfig eth0 (or a similar command for an interface other than eth0) produces a measure of transmitted (TX) and received (RX) packets.
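The RX/TX counters mentioned above can be compared against a baseline automatically. The following script is an added example, not part of the original post: it reads the per-interface byte counters from two /proc/net/dev snapshots taken a known number of seconds apart (constructed sample snapshots are embedded; the baseline rate in bytes per second is an assumed value you would set from your own normal traffic).

```shell
#!/bin/sh
# Rate check for one interface from two /proc/net/dev snapshots taken SECS apart.
# BASELINE_BPS is the bytes/second you consider normal for that interface (assumed value).
# Usage:  net_rate IFACE SECS BASELINE_BPS "$snapshot1" "$snapshot2"
# Output: "<rx_bytes_per_s> <tx_bytes_per_s> <OK|HIGH>"
net_rate() {
    printf '%s\n%s\n' "$4" "$5" | awk -v i="$1:" -v s="$2" -v b="$3" '
        { sub(/:/, ": ") }                          # some kernels glue the counter to "eth0:"
        $1 == i { n++; rx[n] = $2; tx[n] = $10 }    # column 2 = RX bytes, column 10 = TX bytes
        END {
            if (n != 2) { print "interface " i " missing from a snapshot" > "/dev/stderr"; exit 1 }
            rxr = (rx[2] - rx[1]) / s; txr = (tx[2] - tx[1]) / s
            printf "%d %d %s\n", rxr, txr, ((rxr > b || txr > b) ? "HIGH" : "OK")
        }'
}

# Constructed sample snapshots (not captured from a real host), 10 seconds apart.
SNAP1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    2000      20    0    0    0     0          0         0     2000      20    0    0    0     0       0          0
  eth0: 1000000    8000    0    0    0     0          0         0   500000    4000    0    0    0     0       0          0'
SNAP2='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    3000      30    0    0    0     0          0         0     3000      30    0    0    0     0       0          0
  eth0: 51000000  45000    0    0    0     0          0         0  1500000   12000    0    0    0     0       0          0'

# Live use: s1=$(cat /proc/net/dev); sleep 10; s2=$(cat /proc/net/dev); net_rate eth0 10 1000000 "$s1" "$s2"
net_rate eth0 10 1000000 "$SNAP1" "$SNAP2"   # 5000000 100000 HIGH
net_rate lo   10 1000000 "$SNAP1" "$SNAP2"   # 100 100 OK
```

A sustained HIGH result on an interface that is normally quiet is the kind of deviation the section above describes; the next step is to look at which processes own the sockets generating it.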

Strange Running Processes

Process monitoring tools (such as ps or top) show the currently running processes. If you see a process that you are not familiar with, it may be a sign of a problem, or it may simply be a user running a harmless program. So you should spend enough time with the process list to learn which processes are normal for your system.

Odd Program Crashes

Programs crash, even on Linux. After you have spent some time with Linux you will notice which programs crash on your system and which don't. If another program starts crashing, it could be that an intruder has changed a configuration file, support libraries, or even the program executable itself, thereby causing the crashes. Alternatively, it could be that a routine system upgrade or an error on your part caused these problems. Program crashes can also be early signs of deteriorating hardware, such as RAM or a hard disk starting to go bad.

Changes in Program Behavior

In most cases, programs should behave in a very predictable manner. For instance, if your bash shell presents a plain dollar sign ($) prompt today, it should do the same tomorrow unless you change the configuration file. If a program's behavior changes suddenly and without your having updated it or changed its configuration file, an intruder might have fumbled a takeover by inadvertently altering a configuration file detail or by changing a program file. On the other hand, you might have forgotten a legitimate upgrade or change, or the program might be responding to some other change in the system that you don't realize is related. If you share administrative responsibility for the system, perhaps another administrator has made a change.

Peculiar Log Entries

All Linux systems maintain log files, most of which reside in /var/log and its subdirectories. These log files may contain clues concerning an attempted or successful intrusion, such as repeated login failures or reports of unusual server stop/start cycles. Crackers often try to cover their tracks by editing or deleting log files, so even missing log files or gaps in log files can be signs of trouble.
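The "repeated login failures" clue above can be pulled out of the SSH entries in the auth log with a short script. This is an added example, not part of the original post; the log lines are constructed samples in the usual syslog format (the addresses come from the documentation ranges) and the threshold is an assumed value.

```shell
#!/bin/sh
# Count "Failed password" sshd entries per source address and list the sources
# that reach THRESHOLD, most active first.
# Usage:  failed_logins THRESHOLD < /var/log/auth.log
# Output: "<count> <address>" per offending source
failed_logins() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # e.g. "... Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2"
            for (k = 1; k <= NF; k++) if ($k == "from") { n[$(k+1)]++; break }
        }
        END { for (a in n) if (n[a] >= t) printf "%d %s\n", n[a], a }' | sort -rn
}

# Constructed sample log lines (not from a real host).
AUTHLOG='Mar  3 04:12:01 host sshd[2301]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 04:12:03 host sshd[2301]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 04:12:06 host sshd[2305]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  3 04:12:09 host sshd[2309]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Mar  3 04:15:44 host sshd[2350]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar  3 04:20:10 host sshd[2377]: Failed password for alice from 192.0.2.10 port 51020 ssh2'

printf '%s\n' "$AUTHLOG" | failed_logins 3   # 4 203.0.113.5
```

A single mistyped password from a known user (192.0.2.10 above) stays below the threshold, while a burst of guesses against several account names from one address does not.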

Filled Filesystems

If you notice that a filesystem has filled up, you should investigate the matter. Even if it's due to innocent causes, such as increased user demand for storage space, you must correct the problem. Sometimes an intruder might inadvertently or intentionally fill a filesystem. One type of DoS attack involves causing your system to create huge log files, filling your log file partition. Such attacks aren't intrusions per se, but they do require your attention.

Unfamiliar Usernames

If you notice unfamiliar usernames in ps or top listings or in /etc/passwd or other system configuration files, investigate immediately. Some servers require special accounts to operate correctly, but for the most part, if an account wasn't present when you installed the system and wasn't added by you or another authorized administrator, it's suspect. Make a backup of /etc/passwd right after you install the system, and keep it for reference.
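The backup of /etc/passwd recommended above is only useful if you compare it against the live file regularly. The script below is an added example, not part of the original post: it reports accounts that were added, removed or changed since the baseline, and separately flags any non-root account with UID 0. The two passwd files are constructed samples written to a temporary directory; the baseline path used in the live-use comment is an assumed location.

```shell
#!/bin/sh
# Compare a saved baseline copy of /etc/passwd with the current file.
# Usage:  passwd_audit BASELINE CURRENT
# Output: "ADDED name", "REMOVED name", "CHANGED name old -> new", and
#         "UID0 name" for any account other than root whose UID is 0.
passwd_audit() {
    awk -F: '
        FNR == NR { base[$1] = $0; next }            # first file: the baseline
        {
            cur[$1] = $0
            if ($3 == 0 && $1 != "root") printf "UID0 %s\n", $1
            if (!($1 in base)) printf "ADDED %s\n", $1
            else if (base[$1] != $0) printf "CHANGED %s %s -> %s\n", $1, base[$1], $0
        }
        END { for (u in base) if (!(u in cur)) printf "REMOVED %s\n", u }' "$1" "$2" | sort
}

# Write constructed sample files (not from a real host) into directory $1.
write_samples() {
    cat > "$1/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
    cat > "$1/passwd.current" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
sysmaint:x:0:0::/root:/bin/bash
EOF
}

# Live use (assumed baseline path): passwd_audit /root/passwd.install-baseline /etc/passwd
tmp=$(mktemp -d)
write_samples "$tmp"
passwd_audit "$tmp/passwd.baseline" "$tmp/passwd.current"
rm -rf "$tmp"
```

In the sample, the service account www-data has gained an interactive shell and a second UID 0 account has appeared; both are exactly the "wasn't added by you" cases the paragraph above tells you to investigate.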

Complaints from Other System Administrators

In many ways the worst-case scenario is receiving a complaint from another system administrator. You might receive a phone call or e-mail complaining of suspicious access attempts from your computer. Another common complaint concerns spam originating from your system. Sometimes these complaints are signs of an intrusion; the intruder is using your system to attack others. Other times these complaints indicate that you have a local user who's a "bad apple" and is attacking others. Sometimes (particularly with spam and e-mail worms) the complaint is spurious; it's easy to forge e-mail headers to indicate a false return address, and a spammer may be attacking you indirectly in this way.

All of the above events demand further investigation. By watching for these suspicious events you can see whether your system is vulnerable or not.

Iqrash Awan
