Linux server security audit tools and procedures

Source: Internet
Author: User

Today, many Linux servers are not just deployed on new machines. Professional Linux system administrators perform regular maintenance. It technicians often have to take full responsibility for the security of their own servers. if your server is intruded, not only is all sensitive information exposed, but the server itself may cause larger damage to attackers. to avoid the above situation, we must ensure that our servers are correctly configured and updated on a regular basis. therefore, it is necessary to use the tools and procedures mentioned below to conduct security audits on time.

The most effective way to audit Linux security is to run specially tailored applications and service projects on the server. this means that we must first understand the operating environment we want to audit, and then determine where the security risk may be hidden, and ultimately decide where to proceed with the security scan. for example, the weakest link of a running Web server is undoubtedly a Web script risk, which is one of the most common attack targets of hackers. not to mention that the Web server itself or any module may have expired, vulnerable, or insecure configurations.
 
To deploy a set of successful audit processes, we also need to know some knowledge about networks, programming (such as Perl, PHP, or languages supported on other servers) and Linux systems. this may require us to spend time learning technologies that we cannot use. however, in some cases, we do not seem to have a better choice. for example, if you find that your data center has any suspicious activities, such as spam or hacker attacks, in your server complaints, security auditing is essential. it is of course a good choice to set up relevant positions in enterprises and hire professionals familiar with such technologies. However, if you cannot afford the economic burden of permanent personnel, you can also consider hiring a Linux Server Management Company temporarily or migrating the entire business platform to a responsible Shared Server vendor.
 
Once you are ready to implement security audit, follow these steps:
 
◆ Perform penetration test
 
◆ Check log files
 
◆ Comparison and scanning of Files
 
◆ Check suspicious activities and rootkits
 
◆ Call the server drive from external Mount
 
The following is a description.
 
Penetration Test
 
Penetration Testing helps you identify vulnerabilities on your servers and evaluate the overall security of your devices. this evaluation is the basis of any form of security audit. it provides practical conclusions on how to improve server security and provides important information about the scanning focus for the upcoming security audit.
 
To perform penetration testing, we can use vulnerability scanning programs such as Nessus, which provides ports that can access almost any online service project. however, although Nessus is recognized as the most popular and advanced vulnerability scanning tool, you can still try other options, such as Nmap, although it is generally only a port scanner, it cannot be completely called a vulnerability scanner; Metasploit is powerful but complicated to use, expensive; or Backtrack Linux, a large collection of released Linux penetration testing tools. no matter which tool you choose or how to deploy your own penetration testing, some vulnerabilities will always be discovered, although they may not be the most serious and have the worst impact. this situation actually proves a popular theory: any resource or service project exposed to the public should be considered as a potential security risk and should be monitored closely. this is exactly what security audit will do next: Check logs and scan files.
 
Check logs
 
Check the server log file to provide detailed reference information for security events. if you have correctly configured the log records, hacker attacks and traces can be traced completely. if several servers to be audited are rarely used, the entire check process is relatively simple. You only need to use simple Linux commands, such as Splunk. splunk provides an intuitive Web interface for quickly searching a large number of log files in multiple systems. it can also promptly notify you when detecting specific preset events and help prevent the occurrence of security hazards, to accurately determine which log files need to be monitored, we must have a very high level of technology, especially the situation of each service project. because there are great differences between applications and log files, we can only try to focus on Abnormal trends.
 
Comparison and scanning of Files
 
The next step of security audit is to compare and scan files on the server. it is never easy to detect malicious content, because the attack code can be easily obfuscated, encoded, and encrypted, making it difficult to identify. Even the most selective scanning tools and security products make them the same. in addition, no matter how rich your programming experience is, malicious code snippets hidden in thousands of other codes are very likely to become a fish in the dark. at this time, you can turn to AIDE (Advanced Intrusion Detection Environment), which will track the files whose content has changed between the two security audits. however, we need to run it at least once in the previous security audit so that it can create a database image for the current situation. in addition, you must be able to track all files that have changed. if the files on the server are greatly changed, this may be difficult or even impossible. in this case, you can directly search for files containing malicious content. therefore, it is feasible to use general anti-virus applications such as Kaspersky or to create internal tools for malicious code similar to Web scripts. before performing such a file scan, make sure that the process is system resource-intensive. Try to schedule the task to a time when the server load is low. if necessary, you can set the scan scope to files that are publicly accessible.
 
Check suspicious activities and rootkits
 
The next phase is the most complex part of the security scanning process: Finding suspicious activities and rootkits on the server. this step is necessary, because no matter how rigorous a review of logs and files is conducted, server security cannot be guaranteed by such measures alone. as long as attackers obtain certain resources and permissions, it is quite easy to hide traces. first, we need to use the netstat-ntuap command to Detect TCP and UDP ports or active connections on our servers. do not forget that the program name can be changed repeatedly. Therefore, attackers often use a name such as "apache 2" to mistakenly think that this is a normal process on the server. if you have any questions about the running program, run the lsof-p XXXX command immediately. XXXX here is the process Number of the suspicious program. this command will list all running files that access this process number, including deleted objects.
 
In Linux, the first 1000 ports are reserved for applications with super user permissions. because attackers often do not have such super permissions, this means that most of the scripts they create must run on ports numbered 1000 or above. for example, a program named apache 2 initiated by user johnb is running on port 6667, and the files associated with it (including deleted files) are included in the/tmp directory, it can be preliminarily determined that there is a problem with the program. it is also important to check suspicious network activities because almost all attackers want to leave a backdoor so that they can easily connect to the victim's computer again. therefore, we can use the ps auxwf command to search for any suspicious processes including the network. this command displays all running processes and how they are started, including the original files that employ these processes.
 
If attackers already have Super User Permissions, we may not be able to identify any suspicious activities because they often install rootkit immediately. rootkit can completely tamper with our environment, change important executable projects such as ps, netstat, and who, and load malicious Linux kernel modules. this is why Rootkit scanning tools such as rootkit Hunter cannot always be dropped in security auditing. this tool is easy to use and efficient, and can ensure the integrity of binary files in the system through MD5 verification. it also scans the server to find the loaded rootkit at the kernel level.
 
Call server drive from external Mount
 
The steps mentioned above are more than enough to cope with the risks in most Linux Server deployment, including web pages, emails, DNS and database tasks. however, if our Linux server stores sensitive information such as financial or important confidential files, further security measures may be required. in the complete security audit process, we can connect our Linux server hard disk to another computer and check all the files on it manually or using mainstream Linux anti-virus software. in some cases, if the server suffers a serious fault, starting the computer through an external hard disk may be the only opportunity for us to find clues. in some cases, attackers paralyze and destroy the last operation on the server. currently, the most popular method for technicians is to activate paralysis devices by using green Linux System disks such as System Rescue CD and using hard disk access. however, the specific implementation of this solution is not simple-it will lead to downtime, however, we may not have additional physical devices to cope with the access during this period-but it is relatively feasible, especially when we use a virtual server, storage files can be directly accessed in this solution.
 
Experts' conclusion: Linux server security audit should not be considered a one-time task. on the contrary, such audits must be conducted on a regular basis. once you really start executing the task, you can definitely find some methods in the process that can simplify task operations through automated processing. once your Linux server has obtained satisfactory results in security audit, we can devote more energy to data storage and improve the normal service running time, in this way, we are confident in our business operations.
 
Remarks: PCI Standard
 
PCI data security standards and evaluations are representative committees established by bank card professionals. its frequently-released mandatory standards and procedures have contributed a lot in protecting sensitive information, such as the storage of detailed information in the course of a credit card transaction. most of these standards can be extended to other industries, providing authoritative reference in terms of reasonable network allocation, correct log configuration, effective penetration testing, and software update planning. penetration Testing is particularly important in the PCI standard and evaluation process.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.