Complete Guide to Linux server security audit tools and procedures

BKJIA: Many Linux servers are not new machines just deployed. Professional Linux system administrators perform regular maintenance, IT technicians often need to take full responsibility for the security of their servers. If your server is intruded, not only is all sensitive information exposed, but the server itself may cause larger damage to attackers. To avoid the above situation, we must ensure that our servers are correctly configured and updated on a regular basis. Therefore, it is necessary to use the tools and procedures mentioned below to conduct security audits on time.

The most effective way to audit Linux security is to run specially tailored applications and service projects on the server. This means that we must first understand the operating environment we want to audit, and then determine where the security risk may be hidden, and ultimately decide where the security scan should start. For example, the weakest link of a running Web server is undoubtedly a Web script risk, which is one of the most common attack targets of hackers. Not to mention that the Web server itself or any module may have expired, vulnerable, or insecure configurations.

To deploy a set of successful audit processes, we also need to know some knowledge about networks, programming, such as Perl, PHP, or languages supported on other servers) and Linux systems. This may require us to spend time learning technologies that we cannot use. However, in some cases, we do not seem to have a better choice. For example, if you find that your data center has any suspicious activities, such as spam or hacker attacks, in your server complaints, security auditing is essential. It is of course a good choice to set up relevant positions in enterprises and hire professionals familiar with such technologies. However, if you cannot afford the economic burden of permanent personnel, you can also consider hiring a Linux Server Management Company temporarily or migrating the entire business platform to a responsible Shared Server vendor.

Once you are ready to implement security audit, follow these steps:

◆ Perform penetration test

◆ Check log files

◆ Comparison and scanning of Files

◆ Check suspicious activities and rootkits

◆ Call the server drive from external Mount

The following is a description.

Penetration Test

Penetration Testing helps you identify vulnerabilities on your servers and evaluate the overall security of your devices. This evaluation is the basis of any form of security audit. It provides practical conclusions on how to improve server security and provides important information about the scanning focus for the upcoming security audit.

To perform penetration testing, we can use vulnerability scanning programs such as Nessus, which provides ports that can access almost any online service project. However, although Nessus is recognized as the most popular and advanced vulnerability scanning tool, you can still try other options, such as Nmap, although it is generally only a port scanner, it cannot be completely called a vulnerability scanner; Metasploit is powerful but complicated to use, expensive; or Backtrack Linux, a large collection of released Linux penetration testing tools. No matter which tool you choose or how to deploy your own penetration testing, some vulnerabilities will always be discovered, although they may not be the most serious and the most influential. This situation actually proves a popular theory: any resource or service project exposed to the public should be considered as a potential security risk and should be monitored closely. This is exactly what security audit will do next: Check logs and scan files.

Check logs

Check the server log file to provide detailed reference information for security events. If you have correctly configured the log records, hacker attacks and traces can be traced completely. If the servers to be audited are rarely used, the entire inspection process is relatively simple. You only need to use simple Linux commands, such as Splunk. Splunk provides an intuitive Web interface for quickly searching a large number of log files in multiple systems. It can also promptly notify you of specific preset events and help prevent security hazards. However, to accurately determine which log files need to be monitored actually requires a high level of technology, especially the situation of each service project. Because of the huge differences between applications and log files, we can only try to focus on Abnormal trends.

Comparison and scanning of Files

The next step of security audit is to compare and scan files on the server. It is never easy to detect malicious content, because the attack code can be easily obfuscated, encoded, and encrypted, making it hard to identify. Even the most selective scanning tools and security products make them the same. In addition, no matter how rich your programming experience is, malicious code snippets hidden in thousands of other codes are very likely to become a fish in the dark. At this time, you can turn to the AIDE Advanced Intrusion Detection Environment), which will track the files whose content has changed between the two security audits. However, we need to run it at least once in the previous security audit so that it can create a database image for the current situation. In addition, you must be able to track all files that have changed. If the file on the server changes a lot, it may be difficult or even impossible to achieve this. In this case, you can directly search for files containing malicious content. Therefore, it is feasible to use general anti-virus applications such as Kaspersky or to create internal tools for malicious code similar to Web scripts. Before performing such a file scan, make sure that the process is system resource-intensive and such work should be conducted during time periods when the server load is low. If necessary, you can set the scan scope to those files that are publicly accessible.

Check suspicious activities and rootkits

The next phase is the most complex part of the security scanning process: Finding suspicious activities and rootkits on the server. This step is necessary, because no matter how rigorous a review of logs and files is conducted, server security cannot be guaranteed by such measures alone. As long as attackers obtain certain resources and permissions, it is quite easy to hide traces. First, we need to use the netstat-ntuap command to Detect TCP and UDP ports or active connections on our servers. Do not forget that the program name can be changed repeatedly. Therefore, attackers often use a name such as "apache 2" to mistakenly think that this is a normal process on the server. If you have any questions about the running program, run the lsof-p XXXX command immediately. XXXX here is the process Number of the suspicious program. This command lists all running files that access this process number, including deleted objects.

In Linux, the first 1000 ports are reserved for applications with super user permissions. Because attackers often do not have such super permissions, this means that most of the scripts they create must run on ports numbered 1000 or above. For example, a program named apache 2 initiated by user johnb is running on port 6667 and its associated files include deleted files) are included in the/tmp directory, it can be preliminarily determined that there is a problem with the program.

It is also important to check suspicious network activities because almost all attackers want to leave a backdoor so that they can easily connect to the victim's computer again. Therefore, we can use the ps auxwf command to search for any suspicious processes including the network. This command displays all running processes and how they are started, including the original files that employ these processes.

If attackers already have Super User Permissions, we may not be able to identify any suspicious activities because they often install rootkit immediately. Rootkit can completely tamper with our environment, change important executable projects such as ps, netstat, and who, and load malicious Linux kernel modules. This is why Rootkit scanning tools such as rootkit Hunter cannot always be dropped in security auditing. This tool is easy to use and efficient, and can ensure the integrity of binary files in the system through MD5 verification. It also scans the server to find the loaded kernel-level rootkit.

Call server drive from external Mount

The steps mentioned above are more than enough to cope with risks in most Linux Server deployments, including web pages, emails, DNS and database tasks. However, if our Linux server stores sensitive information such as financial or important confidential files, further security measures may be required. In the complete security audit process, we can connect our Linux server hard disk to another computer and check all the files on it manually or using mainstream Linux anti-virus software. In some cases, if the server suffers a serious fault, starting the computer through an external hard disk may be the only chance for us to find clues. In some cases, the attacker's last operation on the server is to paralyze and destroy it. Currently, the most popular method for technicians is to activate paralysis devices by using green Linux System disks such as System Rescue CD and using hard disk access. However, the specific implementation of this solution is not simple-it will lead to downtime, however, we may not have additional physical devices to cope with the access during this period-but it is relatively feasible, especially when we use a virtual server, storage files can be directly accessed in this solution.

Experts' summary:Linux server security audit should not be considered a one-time task. On the contrary, such audits must be conducted on a regular basis. Once you really start executing the task, you can definitely find some methods in the process that can simplify task operations through automated processing. Once your Linux server has obtained satisfactory results in security audit, we can devote more energy to data storage and improve the normal service running time, in this way, you are confident in your business operations.

Remarks: PCI Standard

PCI data security standards and evaluations are representative committees established by bank card professionals. Its frequently-released mandatory standards and procedures have contributed a lot in protecting sensitive information, such as the storage of detailed information in the course of a credit card transaction. Most of these standards can be extended to other industries, providing authoritative reference in terms of reasonable network allocation, correct log configuration, effective penetration testing, and software update planning. Penetration Testing is particularly important in the PCI standard and its evaluation process.

Original article: How to Conduct a Linux Server Security Audit