P. 1
Linux System Administration Students Notes

Linux System Administration Students Notes

4.83

|Views: 2,510|Likes:
Published by Hyderabad
Linux System Administration Students Notes.
Some Freat guy did this.You are welcome to Know
Linux System Administration Students Notes.
Some Freat guy did this.You are welcome to Know

More info:

Published by: Hyderabad on Jan 02, 2009
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF or read online from Scribd
See more
See less

01/07/2014

Noticing that one of your machines has been compromised is difficult. Attackers will generally do their best to
ensure that the machine looks normal. Luckily for us, their best is often not good enough. In our experience, the
most common way for an administrator to find out their machine’s been compromised is for us to tell them. This
is simply because after a break-in, we usually search for other compromised machines and notify their owners.

Someone, though, has to notice the break-in in the first place. This is usually because something about the system
has changed, so it’s necessary to have a good feel for how the system usually behaves. You should get in the habit
of looking through the system log files, so that you know what they usually look like. The usual sign of a break-in
in the logs is a gap where the attacker’s removed a chunk of them, but they frequently leave something suspicious.

There are also tools that can be used to detect break-ins. tripwire is the most common of these. Of course, the
tools themselves can be tampered with, which means that they need to be obscure enough that the attacker hasn’t
heard of them. Security through obscurity is a bad idea, but in some cases it’s all you’ve got left.

If you’re not certain whether a set of symptoms indicate a real break-in, it’s far better to get in touch with us than
not to. Unless you’re crying “wolf” every month, we won’t mind much.

Don’t panic

Don’t halt or reboot

Disconnect from the network

e-mail

cert@cam.ac.uk¡

and

unix-support@ucs.cam.ac.uk¡

expect to have to re-install the system

expect to have to change everyone’s passwords

Slide 285: So, you’ve been hacked?

First things first

Discovering that a machine’s been broken into is never a relaxing experience, but it’s one you’re likely to have
eventually. If you discover (or even suspect) that a machine you’re responsible for has been broken into, the most
importantthingtodois topreventit causingmoreproblems. Usually,thebestwaytodothis is simplytodisconnect
it from the local network. This prevents its being used to attack other machines, while disturbing any evidence on
the machine as little as possible.

10.8 Dealing with attacks

215

The next thing to do is to tell Cambridge CERT

cert@cam.ac.uk¡

. Assuming it’s a Unix machine that’s

involved, it’s also a good idea to send a copy of your message to us

unix-support@ucs.cam.ac.uk¡

, since we

like to keep an eye on what’s going on, and can help if you’re not sure what to do.

What to do beyond that depends very much on the nature of the attack and the importance of the victim machine.
In most cases, we can advise, but for those occasions when this isn’t possible, and for those who’d like to know
how much grief a break-in will cause, here’s an outline.

Very little can be trusted

tripwire and rpm --verify may help

If in doubt, assume the worst

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->